The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 05

Thursday 26 June 2014

Contents

Norway abandons Internet voting experiments
PGN
Re: Hong Kong electronic voting system cyber-attacked
Steve Lamont
Major Ruling Shields Privacy of Cellphones
Adam Liptak
High Court Ruling On Search Warrants Is Broader Than Cellphones
NPR via NNSquad
Researchers Find/Decode Spy Tools Governments Use to Hijack Phones
Kim Zetter via Dewayne Hendricks
"Foolproof" system to authenticate bank customers by their voice
Michael Bacon
Did you know Equifax buys and sells real-time employment data?
Deborah Peel
"Privacy concerns loom over 'new' Google domain registration service"
Woody Leonhard via Gene Wirchenko
"Two months later, 300K servers still vulnerable to Heartbleed"
Ian Paul via Gene Wirchenko
Google Glass Snoopers Can Steal Your Passcode With a Glance
Andy Greenberg
"Researchers expect large wave of rootkits targeting 64-bit systems"
Gene Wirchenko
Re: Trouble with firefox updates
Dimitri Maziuk
Info on RISKS (comp.risks)

Norway abandons Internet voting experiments

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 26 Jun 2014 10:16:26 PDT
The Norwegian government is ceasing their experiments to conduct elections
using the Internet.  Apparently they have realized that security and privacy
are inadequate.  Earlier experiments have shown major flaws in cryptographic
implementations, poor software engineering (e.g., `spaghetti code', which
was noted as a problem in a voting machine by Eva Waskell in 1986!!!), lack
of contemporary system security/integrity evaluations, and more—in the
Scytl software.

http://www.tu.no/it/2014/06/25/regjeringen-vraker-e-valget?fb_action_ids`0096603443541&fb_action_types=og.recommends&fb_source=other_multiline&action_object_map=%5B711062558952360%5D&action_type_map=%5B%22og.recommends%22%5D&action_ref_map=%5B%5D

  [In this URL, I removed the `3D' used to encode the equal sign, but I have
  no idea what the `%5B' and `%5D' might be encoding in Norwegian.  Sorry.
  PGN]


Re: Hong Kong electronic voting system cyber-attacked

Steve Lamont
Tue, 24 Jun 2014 14:26:37 -0700
> The FATAL flaw of online voting systems (and one for which there is *no*
> technological solution whatsoever) isn't DDoS, identification, or
> communications security.  it's very simply that there is *no* way to
> ensure that the voter isn't voting under duress... with a gun held to
> their head (figuratively, or even literally). . . .

One has to wonder how real a threat this might be.  Yes, it's a nice movie of
the week plot but it really doesn't make a lot of sense in that it
influences exactly one vote which would rarely be decisive.  I suppose an
employer might use coercion to force their entire workplace to vote one way
or another but, again, can it be done in numbers significant enough to
influence even a middling size election?  I rather doubt it.

> No way to make sure the voter isn't selling their vote (drugs, sex,
> alcohol, money...). . . .

While this is certainly execrable, again, can it be done on a large enough
scale to dictate a result?

It makes more sense to simply control the way the votes are counted or the
machines which record them.

That seems like a more clear and present danger than influencing votes in
onesies and twosies.

And that's a RISK that's not necessarily restricted to online or
absentee/mail voting.


Major Ruling Shields Privacy of Cellphones (Adam Liptak)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 25 Jun 2014 17:33:47 PDT
Adam Liptak, *The New York Times*, 25 Jun 2014
Supreme Court Says Phones Can't Be Searched Without a Warrant
http://www.nytimes.com/2014/06/26/us/supreme-court-cellphones-search-privacy.html

Washington—In a major statement on privacy rights in the digital age, the
Supreme Court on Wednesday unanimously ruled that the police need warrants
to search the cellphones of people they arrest.

Chief Justice John G. Roberts Jr., writing for the court, said the vast
amount of data contained on modern cellphones must be protected from routine
inspection.

The old rules, Chief Justice Roberts said, cannot be applied to “modern
cellphones, which are now such a pervasive and insistent part of daily life
that the proverbial visitor from Mars might conclude they were an important
feature of human anatomy.”

The courts have long allowed warrantless searches in connection with
arrests, saying they are justified by the need to protect police officers
and to prevent the destruction of evidence.

But Chief Justice Roberts said neither justification made much sense in the
context of cellphones. On the other side of the balance, he said, is the
data contained on the typical cellphone. Ninety percent of Americans have
them, he wrote, and they contain “a digital record of nearly every aspect
of their lives—from the mundane to the intimate.”

Even the word `cellphone' is a misnomer, he said. “They could just as
easily be called cameras, video players, Rolodexes, calendars, tape
recorders, libraries, diaries, albums, televisions, maps or newspapers,” he
wrote.

Chief Justice Roberts acknowledged that the decision would make law
enforcement more difficult.

“Cellphones have become important tools in facilitating coordination and
communication among members of criminal enterprises, and can provide
valuable incriminating information about dangerous criminals.  Privacy comes
at a cost.”

The court heard arguments in April in two cases on the issue, but issued a
single decision.

The first case, Riley v. California, No. 13-132, arose from the arrest of
David L. Riley, who was pulled over in San Diego in 2009 for having an
expired auto registration. The police found loaded guns in his car and, on
inspecting Mr. Riley's smartphone, entries they associated with a street
gang.

A more comprehensive search of the phone led to information that linked
Mr. Riley to a shooting. He was later convicted of attempted murder and
sentenced to 15 years to life in prison. A California appeals court said
neither search had required a warrant.

The second case, United States v. Wurie, No. 13-212, involved a search of
the call log of the flip phone of Brima Wurie, who was arrested in 2007 in
Boston and charged with gun and drug crimes. The federal appeals court in
Boston last year threw out the evidence found on Mr. Wurie's phone.

News organizations, including The New York Times, filed a brief supporting
Mr. Riley and Mr. Wurie in which they argued that cellphone searches can
compromise news gathering.

The Justice Department, in its Supreme Court briefs, said cellphones are not
materially different from wallets, purses and address books. Chief Justice
Roberts disagreed: “That is like saying a ride on horseback is not
materially indistinguishable from a flight to the moon.”


High Court Ruling On Search Warrants Is Broader Than Cellphones

Lauren Weinstein <lauren@vortex.com>
Wed, 25 Jun 2014 18:05:35 -0700
NPR via NNSquad
http://www.npr.org/2014/06/25/325608295/high-court-ruling-on-search-warrants-is-broader-than-cellphones?ft=1&f01

  "This is not just a phone case," said Mark Eckenwiler, former deputy chief
  of the Computer Crime Section at the Department of Justice.  "This is
  really a digital evidence case." The decision applies to laptops, tablets
  and all manner of electronic devices. This was a pretty sweeping decision,
  leaving little wiggle room for law enforcement. "There's not a lot of
  ambiguity there," he said.


Researchers Find/Decode Spy Tools Governments Use to Hijack Phones (Kim Zetter)

Dewayne Hendricks <dewayne@warpspeed.com>
June 24, 2014 at 11:27:04 AM EDT
Kim Zetter, *WiReD*, Jun 24 2014 (via Dave Farber)
<http://www.wired.com/2014/06/remote-control-system-phone-surveillance/>

Newly uncovered components of a digital surveillance tool used by more than
60 governments worldwide provide a rare glimpse at the extensive ways law
enforcement and intelligence agencies use the tool to surreptitiously record
and steal data from mobile phones.

The modules, made by the Italian company Hacking Team, were uncovered by
researchers working independently of each other at Kaspersky Lab in Russia
and the Citizen Lab in Canada, who say the findings provide great insight
into the trade craft behind Hacking Team's tools.

The new components target Android, iOS, Windows Mobile, and BlackBerry users
and are part of Hacking Team's larger suite of tools used for targeting
desktop computers and laptops. But the iOS and Android modules provide cops
and spooks with a robust menu of features to give them complete dominion
over targeted phones.

They allow, for example, for covert collection of emails, text messages,
call history and address books, and they can be used to log keystrokes and
obtain search history data. They can take screenshots, record audio from the
phones to monitor calls or ambient conversations, hijack the phone's camera
to snap pictures or piggyback on the phone's GPS system to monitor the
user's location. The Android version can also enable the phone's Wi-Fi
function to siphon data from the phone wirelessly instead of using the cell
network to transmit it. The latter would incur data charges and raise the
phone owner's suspicion.

“Secretly activating the microphone and taking regular camera shots
provides constant surveillance of the target—which is much more powerful
than traditional cloak and dagger operations,” notes Kaspersky researcher
Sergey Golovanov in a blog post about the findings.

It's long been known that law enforcement and intelligence agencies worldwide
use Hacking Team's tools to spy on computer and mobile phone users --
including, in some countries, to spy on political dissidents, journalists
and human rights advocates. This is the first time, however, that the
modules used to spy on mobile phone users have been uncovered in the wild
and reverse-engineered.

Kaspersky and Citizen Lab discovered them after developing new methods to
search for code fragments and digital certificates used by Hacking Team's
tools.

The modules work in conjunction with Hacking Team's core surveillance tool,
known as the Remote Control System, which the company markets under the
names Da Vinci and Galileo. [...]


"Foolproof" system to authenticate bank customers by their voice

Michael Bacon <michaelbacon@tiscali.co.uk>
Tue, 24 Jun 2014 17:23:07 +0100
Barclays Bank is rolling out voice biometrics technology at its call centres
that recognises customers when they start talking.  Customers who call
Barclays currently have to share their passcodes or 16-digit debit card
numbers in order to verify themselves.

With the new system, customers can choose to have their voice recorded and
held on file by the bank.  Then, when they call to access their account, they
engage in a few seconds of conversation with a staffer.

During that time, Nuance FreeSpeech voice biometrics technology is used to
compare the customer's voice to their unique voiceprint on file, and
silently signals to the employee when the customer's identity has been
verified.

Barclays began using the Nuance system at its wealth management arm last
year but is set to introduce it for normal retail customers early next year.

Ashok Vaswani, chief executive, Barclays personal and corporate banking,
told the Sunday Telegraph that the technology is "foolproof" and cuts the
time it takes to verify customers from 90 seconds to 10 seconds.

"Foolproof", eh?  So that's all right, then. Being a fool, I can trust it
 implicitly.  Odd, though, that my Nuance Dragon system still fails to
 recognise common words when I have been using it almost daily for nigh on
 two years.  Barclays' system must be far, far superior.


Did you know Equifax buys and sells real-time employment data?

"Dr. Deborah Peel" <dpeelmd@patientprivacyrights.org>
Tue, 24 Jun 2014 22:45:19 +0000
How does Equifax obtain this sensitive and secret information?
http://redtape.nbcnews.com/_news/2013/01/30/16762661-exclusive-your-employer-may-share-your-salary-and-equifax-might-sell-that-data?lite

Quote: "With the willing aid of thousands of U.S. businesses, including many
of the Fortune 500. Government agencies—representing 85 percent of the
federal civilian population, including workers at the Department of Defense,
according to Equifax—and schools also work with The Work Number. Many of
them let Equifax tap directly into their data so the credit bureau can
always have the latest employment information. In fact, these organizations
actually pay Equifax for the privilege of giving away their employees'
personal information."

The story claims: "It's the biggest privacy breach in our time, and it's
legal and no one knows it's going on," said Robert Mather, who runs a small
employment background company named Pre-Employ.com. "It's like a secret
CIA."

BUT the story is wrong: the greatest privacy breach of our time is the
collection, aggregation and sale of ALL health data (inside and outside the
healthcare system) by companies like IMS Health Holdings.

IMS Health Holdings buys, sells and trades personal health data of 500
million people (including electronic health records, prescriptions, claims
data and health info in social media) with "100,00 health data suppliers
covering 780,000 daily data feeds" to create "anonymous" longitudinal,
real-time profiles it sells to "5,000 customers" including the US
government.  See:
http://www.sec.gov/Archives/edgar/data/1595262/000119312514000659/d628679ds1.htm

The health data broker industry sells far more damaging personal data than
Equifax.

Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights
http://www.patientprivacyrights.org/
http://patientprivacyrights.org/trust-framework/  (512) 732-0033


"Privacy concerns loom over 'new' Google domain registration service" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Tue, 24 Jun 2014 14:06:01 -0700
Woody Leonhard | InfoWorld, 24 Jun 2014
Google's invitation-only Domains name registration service works a
lot like the old one but raises new questions about privacy and ad scraping
http://www.infoworld.com/t/internet-privacy/privacy-concerns-loom-over-new-google-domain-registration-service-244927


"Two months later, 300K servers still vulnerable to Heartbleed" (Ian Paul)

Gene Wirchenko <genew@telus.net>
Tue, 24 Jun 2014 11:28:48 -0700
http://www.infoworld.com/d/security/two-months-later-300k-servers-still-vulnerable-heartbleed-244850

Ian Paul, PC World/InfoWorld, 23 Jun 2014
A large number of websites are still vulnerable to the OpenSSL flaw,
but it's unlikely they'll be patched anytime soon.

selected text:

Currently, there are about 309,197 systems still vulnerable to Heartbleed,
which is a slight drop from the 318,239 Graham discovered in early May. The
slow drop indicates that Heartbleed patching has more or less ended.

As widespread and devastating as Heartbleed is, it's easily one of the
scariest security stories of 2014—and doubly so if hundreds of thousands
of servers are likely to remain vulnerable for the foreseeable future.


Google Glass Snoopers Can Steal Your Passcode With a Glance (Andy Greenberg)

"ACM TechNews" <technews@hq.acm.org>
Wed, 25 Jun 2014 12:07:50 -0400 (EDT)
Andy Greenberg, *WiReD News* 24 Jun 2014, via ACM TechNews, June 25, 2014

University of Massachusetts (UMass) Lowell researchers have developed
software that uses video from wearable devices such as Google Glass and
smartwatches to read four-digit PIN codes typed onto an iPad from almost 10
feet away, and from almost 150 feet with a high-definition camcorder.  The
software involves a custom-coded video-recognition algorithm that tracks the
shadows from finger taps and could recognize the codes even when the video
did not capture any images on the target devices' displays.  "I think of
this as a kind of alert about Google Glass, smartwatches, all these
devices," says UMass Lowell professor Xinwen Fu.  "If someone can take a
video of you typing on the screen, you lose everything."  The researchers
found that Google Glass identified the four-digit PIN from three meters away
with 83 percent accuracy, while webcam video revealed the code 92 percent of
the time.  The software also can identify passcodes even when the screen is
unreadable based on the iPad's geometry and the position of the user's
fingers.  The software maps an image of the angled iPad onto a "reference"
image of the device, then looks for the abrupt down and up movements of the
dark crescents that represent the fingers' shadows.  Fu plans to present the
findings with his students at the Black Hat security conference in August.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-bad3x2b4c3x060206&


"Researchers expect large wave of rootkits targeting 64-bit systems"

Gene Wirchenko <genew@telus.net>
Tue, 24 Jun 2014 14:15:04 -0700
http://www.pcworld.com/article/2367400/researchers-expect-large-wave-of-rootkits-targeting-64bit-systems.html

selected text:

Following a downward trend during the past two years, the number of new
rootkit samples rose in the first quarter of this year to a level not seen
since 2011, according to statistics from security vendor McAfee.

"The roadblocks set in place by 64-bit systems now appear to be mere speed
bumps for well-organized attackers, who have already found ways to gain
entry at the kernel level," the McAfee researchers said.


Re: Trouble with firefox updates (Durusau, RISKS-28.04)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 24 Jun 2014 14:47:13 -0500
> A more definitive way of customizing Firefox is to simply download the
> source code from ftp.mozilla.org, and change it however you wish.

I find this mantra in the Open Sores sales pitch particularly annoying:
everyone capable of actually doing that knows that

a) The amount of effort required to understand (and subsequently change
in a meaningful and non-disruptive way) somebody else's code is 80% of
that of writing your own from scratch. With a codebase the size of mozilla's
that's a plain crack pipe dream.

b) Even if you can fix the code, you'll still have to build it. With
something the size and complexity of firefox I bet it's not entirely trivial
even on freenix where you can fetch the "source package" and all its
pre-requisites. On systems without source package management, with
for-pay development tools, etc., it's basically not worth the trouble.

So who are you preaching to: those who can't do it or those who know why
they can't do it?

Dimitri Maziuk, Programmer/sysadmin  BioMagResBank, UW-Madison
http://www.bmrb.wisc.edu
