The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 14

Thursday 7 August 2014

Contents

Computer Programming Is a Trade; Let's Act Like It
Christopher Mims
Expanding the Breadth and Impact of Cybersecurity and Privacy Research
NSF via ACM TechNews
If you like NSA, Facebook & Google, you're gonna love Singapore
Shane Harris via Henry Baker
"User beware: That mobile app is spying on you"
Bill Snyder via Gene Wirchenko
"Network-attached storage devices more vulnerable than home routers"
Lucian Constantin via Gene Wirchenko
"Most USB thumb drives can be reprogrammed to infect computers"
Lucian Constantin via Gene Wirchenko
"The battle against stupid software patents is on"
Bill Snyder via Gene Wirchenko
Smart Meters / Sask Power / BC Hydro
Mark Fraser
Change your passwords - big data breach: Russian Gang Amasses Over a Billion Internet Passwords
geoff goodfellow
"Is your Dropcam live feed being watched by someone else?"
Jeremy Kirk via Gene Wirchenko
Wikipedia announces a page detailing Wikipedia pages censored by EU Right To Be Forgotten
Lauren Weinstein
Re: Google scans your e-mail for child porn and reports to law enforcement when it finds same
Alister Wm Macintyre
Re: Fouling the NEST; Who's roo(s)ting in your home?
Eric Sosman
Info on RISKS (comp.risks)

Computer Programming Is a Trade; Let's Act Like It (Christopher Mims)

"ACM TechNews" <technews@hq.acm.org>
Wed, 6 Aug 2014 12:09:37 -0400 (EDT)
Christopher Mims, *The Wall Street Journal*, 3 Aug 2014
via ACM TechNews, 6 Aug 2014

One million programming jobs in the United States could go unfilled by 2020
due to the enormous mismatch between the supply and demand for computer
programmers, according to the U.S. Bureau of Labor Statistics.  Fortunately,
a computer science degree is not necessary to get a job in programming.
University courses in computer science favor theory rather than making
websites, services, and apps that companies care about, writes Christopher
Mims.  Code-school founders say committed programming students are finding
jobs whether or not they have a college degree.  Computer programming is now
a trade that someone can develop a basic proficiency in within weeks or
months, secure a first job, and get onto the same path to upward mobility
offered to in-demand, highly-paid peers, Mims says.  He contends we have
entered an age in which demanding that every programmer has a degree is like
asking every bricklayer to have a background in architectural engineering.
Anecdotal evidence also indicates that coding schools are more inclusive of
women and people of color.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c4ccx2b873x060863&


Expanding the Breadth and Impact of Cybersecurity and Privacy Research

"ACM TechNews" <technews@hq.acm.org>
Wed, 6 Aug 2014 12:09:37 -0400 (EDT)
National Science Foundation, 31 July 2014, via ACM TechNews, 6 Aug 2014

The U.S. National Science Foundation's Secure and Trustworthy Cyberspace
program has announced two new center-scale Frontier awards that will support
large, multi-institution projects addressing grand challenges in cyber
security and computer science.  Frontier awards already support some 225
projects in 39 states with more than $74 million in funding.  These projects
include education and training initiatives, and both basic and practical
computer science research.  The first of the new awards will go towards the
establishment of the Center for Encrypted Functionalities (CEF), a
collaboration between the University of California Los Angeles (UCLA),
Stanford University, Columbia University, the University of Texas at Austin,
and Johns Hopkins University.  CEF is led by UCLA's Amit Sahai and based on
research by his team that discovered the first mathematically sound approach
to encrypting functionalities, with the specific goal of achieving program
obfuscation.  The second award will establish the Modular Approach to Cloud
Security project, which seeks to build a modular, multi-layered cloud
security system.  The project is a collaboration of Boston University,
Massachusetts Institute of Technology, University of Connecticut, and
Northeastern University researchers, and will use the Massachusetts Open
Cloud as a testbed for its research.  Both new projects also will help
create new education and training programs focused on cybersecurity and
computer science.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c4ccx2b877x060863&


If you like NSA, Facebook & Google, you're gonna love Singapore (Shane Harris)

Henry Baker <hbaker1@pipeline.com>
Wed, 06 Aug 2014 11:51:23 -0700
FYI—Singapore has become John Poindexter's wet dream of a surveillance
state.  If it weren't for the public privacy outcry, Poindexter would have
done TIA in the USA.  What to do, what to do, ...  I know, I'll do it
anyway, but in secret!

The Social Laboratory

Shane Harris, *Foreign Policy*, Jul 2014
[The original is a very long item, which has been pruned for RISKS.  PGN]
http://www.foreignpolicy.com/articles/2014/07/29/the_social_laboratory_singapore_surveillance_state

In October 2002, Peter Ho, the permanent secretary of defense for the tiny
island city-state of Singapore, paid a visit to the offices of the Defense
Advanced Research Projects Agency (DARPA), the U.S. Defense Department's R&D
outfit best known for developing the M16 rifle, stealth aircraft technology,
and the Internet.  Ho didn't want to talk about military hardware. Rather,
he had made the daylong plane trip to meet with retired Navy Rear Adm. John
Poindexter, one of DARPA's then-senior program directors and a former
national security advisor to President Ronald Reagan.  Ho had heard that
Poindexter was running a novel experiment to harness enormous amounts of
electronic information and analyze it for patterns of suspicious activity --
mainly potential terrorist attacks.

The two men met in Poindexter's small office in Virginia, and on a
whiteboard, Poindexter sketched out for Ho the core concepts of his imagined
system, which Poindexter called Total Information Awareness (TIA).  It would
gather up all manner of electronic records—emails, phone logs, Internet
searches, airline reservations, hotel bookings, credit card transactions,
medical reports—and then, based on predetermined scenarios of possible
terrorist plots, look for the digital "signatures" or footprints that
would-be attackers might have left in the data space.  The idea was to spot
the bad guys in the planning stages and to alert law enforcement and
intelligence officials to intervene.

"I was impressed with the sheer audacity of the concept: that by connecting
a vast number of databases, that we could find the proverbial needle in the
haystack," Ho later recalled.  He wanted to know whether the system, which
was not yet deployed in the United States, could be used in Singapore to
detect the warning signs of terrorism.  It was a matter of some urgency.
Just 10 days earlier, terrorists had bombed a nightclub, a bar, and the
U.S. consular office on the Indonesian island of Bali, killing 202 people
and raising the specter of Islamist terrorism in Southeast Asia.

Ho returned home inspired that Singapore could put a TIA-like system to good
use.  Four months later he got his chance, when an outbreak of severe acute
respiratory syndrome (SARS) swept through the country, killing 33,
dramatically slowing the economy, and shaking the tiny island nation to its
core.  Using Poindexter's design, the government soon established the Risk
Assessment and Horizon Scanning program (RAHS, pronounced "roz") inside a
Defense Ministry agency responsible for preventing terrorist attacks and
"nonconventional" strikes, such as those using chemical or biological
weapons—an effort to see how Singapore could avoid or better manage
"future shocks."  Singaporean officials gave speeches and interviews about
how they were deploying big data in the service of national defense—a
pitch that jibed perfectly with the country's technophilic culture.

   [Entire middle section omitted. ... I recommend digging up the rest. PGN]

The officials running RAHS today are tight-lipped about exactly what data
they monitor, though they acknowledge that a significant portion of
"articles" in their databases come from publicly available information,
including news reports, blog posts, Facebook updates, and Twitter messages.
("These articles have been trawled in by robots or uploaded manually" by
analysts, says one program document.)  But RAHS doesn't need to rely only on
open-source material or even the sorts of intelligence that most governments
routinely collect: In Singapore, electronic surveillance of residents and
visitors is pervasive and widely accepted.

"In Singapore, the threshold for surveillance is deemed relatively higher,"
according to one RAHS study, with the majority of citizens having accepted
the "surveillance situation" as necessary for deterring terrorism and
"self-radicalization."  Singaporeans speak, often reverently, of the "social
contract" between the people and their government.  They have consciously
chosen to surrender certain civil liberties and individual freedoms in
exchange for fundamental guarantees: security, education, affordable
housing, health care.

But the social contract is negotiable and "should not be taken for granted,"
the RAHS team warns.  "Nor should it be expected to be perpetual.
Surveillance measures considered acceptable today may not be tolerable by
future generations of Singaporeans."  At least not if those measures are
applied only to them.  One future study that examined "surveillance from
below" concluded that the proliferation of smartphones and social media is
turning the watched into the watchers.  These new technologies "have
empowered citizens to intensely scrutinise government elites, corporations
and law enforcement officials—increasing their exposure to reputational
risks," the study found.  From the angry citizen who takes a photo of a
policeman sleeping in his car and posts it to Twitter to an opposition
blogger who challenges party orthodoxy, Singapore's leaders cannot escape
the watch of their own citizens.

Shane Harris is a senior staff writer at Foreign Policy and the author of
the forthcoming book @War: The Rise of the Military-Internet Complex, which
will be published in November 2014.


"User beware: That mobile app is spying on you" (Bill Snyder)

Gene Wirchenko <genew@telus.net>
Thu, 07 Aug 2014 14:08:20 -0700
Bill Snyder, CIO.com via InfoWorld, 06 Aug 2014
A recent study of the 400 most popular iOS and Android apps reveals
that nearly all free apps collect users' personal data
http://www.infoworld.com/d/mobile-technology/user-beware-mobile-app-spying-you-247713

selected text:

The vast majority of the most popular iOS and Android mobile apps collect a
variety of personal data from users, including location details, address
book contacts, and calendar information, according to a just-released survey
by Appthority, a company that advises businesses on security.

Here's a breakdown of the most frequently collected data:

* 82 percent of the top Android free apps and 49 percent of the top Android
  paid apps track user location.

* 50 percent of the top iOS free apps and 24 percent of the top iOS paid
  apps track user location.

You might not expect a flashlight app or a calculator to track your
location, but many do.


"Network-attached storage devices more vulnerable than home routers" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 07 Aug 2014 14:12:12 -0700
Lucian Constantin, InfoWorld, 07 Aug 2014
Network-attached storage devices more vulnerable than home routers
A security review found serious vulnerabilities in 10 popular NAS
systems from multiple manufacturers
http://www.infoworld.com/d/security/network-attached-storage-devices-more-vulnerable-home-routers-247875

selected text:

Jacob Holcomb, a security analyst at Baltimore-based Independent Security
Evaluators, is in the process of analyzing NAS devices from 10 manufacturers
and has so far found vulnerabilities that could lead to a complete
compromise in all of them.

"There wasn't one device that I literally couldn't take over," Holcomb said
Wednesday during a talk at the Black Hat security conference in Las Vegas,
where he presented some of his preliminary findings. "At least 50 percent of
them can be exploited without authentication," he said.

Researchers from Dell SecureWorks reported in June that a hacker made over
$600,000 by hacking into Synology NAS devices and using them to mine
Dogecoin, a type of cryptocurrency. More recently, some Synology NAS device
owners reported that their systems had been infected by a file-encrypting
malware program called SynoLocker.

A big concern is that many NAS vendors use the same code base for their
high-end and low-end devices, the researcher said. That means the same
vulnerabilities in a low-cost NAS device designed for home use could exist
in a much more expensive NAS system designed for enterprise environments.


"Most USB thumb drives can be reprogrammed to infect computers" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 05 Aug 2014 13:28:08 -0700
   (A little more on the USB item in RISKS-28.12.  PGN)

Lucian Constantin, InfoWorld, 01 Aug 2014
The firmware in such devices is unprotected and can be easily
overwritten by malware, researchers from Security Research Labs said
http://www.infoworld.com/d/security/most-usb-thumb-drives-can-be-reprogrammed-infect-computers-247489

selected text:

Researchers from Security Research Labs have developed several
proof-of-concept attacks that they plan to present at the Black Hat security
conference in Las Vegas next week.

One of the attacks involves a USB stick that acts as three separate devices
-- two thumb drives and a keyboard. When the device is first plugged into a
computer and is detected by the OS, it acts as a regular storage device.
However, when the computer is restarted and the device detects that it's
talking to the BIOS, it switches on the hidden storage device and also
emulates the keyboard, Nohl said.

Acting as a keyboard, the device sends the necessary button presses to bring
up the boot menu and boots a minimal Linux system from the hidden thumb
drive. The Linux system then infects the bootloader of the computer's hard
disk drive, essentially acting like a boot virus, he said.

Another proof-of-concept attack developed by Security Research Labs involves
reprogramming a USB drive to act as a fast Gigabit network card.

As Nohl explained, OSes prefer a wired network controller over a wireless
one and a Gigabit ethernet controller over a slower one.  This means the OS
will use the new spoofed Gigabit controller as the default network card.
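The two device personalities the article describes (a thumb drive that also enumerates as a keyboard, and a drive reprogrammed into a network controller) are both visible to the host as the set of USB interface classes a device exposes. The following is an added example, not from the article or from Security Research Labs: it reads a constructed snapshot in a made-up line format rather than walking /sys/bus/usb/devices itself, flags composite storage+keyboard and storage+network devices, and reports any device whose interface set changed between two enumerations (for example across a reboot).

```python
from dataclasses import dataclass

# USB-IF base class codes for the interface types the article's attacks rely on.
HID = 0x03            # keyboards, mice
CDC_COMM = 0x02       # communications control interface (USB Ethernet uses it)
MASS_STORAGE = 0x08   # ordinary thumb-drive interface
CDC_DATA = 0x0A       # data interface paired with CDC_COMM
NETWORK_CLASSES = {CDC_COMM, CDC_DATA}

@dataclass(frozen=True)
class UsbDevice:
    vid_pid: str         # "idVendor:idProduct"
    serial: str
    classes: frozenset   # every bInterfaceClass the device exposes

def parse_snapshot(text: str) -> dict:
    """Parse a constructed snapshot, one interface per line:
    '<bus_path>:<config>.<iface> <vid:pid> <serial> <bInterfaceClass hex>'.
    On Linux the values come from /sys/bus/usb/devices/ (idVendor, idProduct,
    serial, bInterfaceClass); the line format is made up for this example.
    Devices are keyed by vid:pid/serial so they can be matched across runs."""
    per_key = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _iface_path, vid_pid, serial, cls_hex = line.split()
        key = f"{vid_pid}/{serial}"
        per_key[key] = per_key.get(key, frozenset()) | {int(cls_hex, 16)}
    return {key: UsbDevice(*key.split("/"), classes)
            for key, classes in per_key.items()}

def suspicious_combinations(dev: UsbDevice) -> list:
    """Reasons one device deserves review: storage that also presents a
    keyboard (keystroke injection) or a network controller (may be
    preferred over the existing NIC, as the article notes)."""
    reasons = []
    if MASS_STORAGE in dev.classes and HID in dev.classes:
        reasons.append("storage+keyboard composite")
    if MASS_STORAGE in dev.classes and dev.classes & NETWORK_CLASSES:
        reasons.append("storage+network composite")
    return reasons

def personality_changes(before: dict, after: dict) -> dict:
    """Devices seen in both snapshots whose interface set changed, e.g. plain
    storage before a reboot, storage plus keyboard after it."""
    changed = {}
    for key, dev in after.items():
        prev = before.get(key)
        if prev is not None and prev.classes != dev.classes:
            changed[key] = (sorted(prev.classes), sorted(dev.classes))
    return changed

def audit(before_text: str, after_text: str) -> dict:
    """Run both checks over two snapshots; returns key -> list of findings."""
    before, after = parse_snapshot(before_text), parse_snapshot(after_text)
    findings = {key: suspicious_combinations(dev) for key, dev in after.items()}
    for key, (old, new) in personality_changes(before, after).items():
        findings[key].append(f"interface classes changed {old} -> {new}")
    return {key: f for key, f in findings.items() if f}

# Constructed snapshots; vendor/product ids and serials are placeholders.
SNAPSHOT_FIRST_PLUG = """
1-1:1.0 1234:0001 SN-A 08
2-3:1.0 abcd:0002 SN-B 03
"""
SNAPSHOT_AFTER_REBOOT = """
1-1:1.0 1234:0001 SN-A 08
1-1:1.1 1234:0001 SN-A 08
1-1:1.2 1234:0001 SN-A 03
2-3:1.0 abcd:0002 SN-B 03
4-2:1.0 5678:0003 SN-C 08
4-2:1.1 5678:0003 SN-C 02
4-2:1.2 5678:0003 SN-C 0a
"""
```

A real keyboard (SN-B) produces no finding; only the stick that grew a keyboard interface and the storage device that also claims to be a NIC are reported, which is the review queue a defender would want rather than an automatic block.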


"The battle against stupid software patents is on" (Bill Snyder)

Gene Wirchenko <genew@telus.net>
Thu, 07 Aug 2014 10:19:27 -0700
Bill Snyder, InfoWorld, 07 Aug 2014
Patent trolls extort millions from developers and entrepreneurs, but
help is on the way from the EFF and the Supreme Court
http://www.infoworld.com/d/the-industry-standard/the-battle-against-stupid-software-patents-247841

selected text:

Those patents are so silly it's hard to take them seriously. But you
should. Predatory trolls holding preposterous patents suck millions of
dollars from the pockets of entrepreneurs who don't have the time or the
money to fight in court. So Ranieri, a young lawyer with a degree in math
and computer science, has launched a humorous blog entitled "The Stupid
Patent of the Month," in an effort to make an arcane, and frankly boring,
subject more accessible to the nonlawyering public.  [The link for the blog:
<https://www.eff.org/deeplinks/2014/07/inaugural-stupid-patent-month>]

"We wish we could catalog them all, but with tens of thousands of
low-quality software patents issuing every year, we don't have the time or
resources to undertake that task," she says. Instead she'll poke fun at the
really bad ones while she makes a serious point: the need to continue the
slow process of fixing our broken patent system.

What passes as a patent innovation: 'Do it with a computer'

For August, the EFF has nominated U.S. Patent 8,762,173, titled "Method and
Apparatus for Indirect Medical Consultation," which was granted in
June. Here's how it works:

  1. Take a telephone call from patient.
  2. Record patient info in a patient file.
  3. Send patient information to a doctor, ask the doctor if she
     wants to talk to the patient.
  4. Call the patient back and transfer the call to the doctor.
  5. Record the call.
  6. Add the recorded call to the patient file and send to doctor.
  7. Do steps 1-6 with a computer.

The original patent actually had steps 1-6, and it was rejected. Then step 7
was added, and it was approved. "This is a patent on a doctor's
computer-secretary ... Somehow, something that wasn't patentable became
patentable just by saying 'do it with a computer,'" says Ranieri.


Smart Meters / Sask Power / BC Hydro

Mark Fraser <markotime@shaw.ca>
Tue, 05 Aug 2014 11:31:27 -0700
In British Columbia, the meters presumably report usage data wirelessly,
perhaps forwarding data from one installation to others (nearer a "hub")
using multiple hops.  The 902-928 ISM band is used to carry FH (Frequency
Hopping) spread-spectrum signals generated by the meters.  At least one
hacking approach appears to have allowed relatively inexpensive TV/FM
"dongles" working in conjunction with a PC app to receive and demodulate /
display parts of the data being transmitted.  One approach is documented at
the following URL: http://bemasher.github.io/rtlamr/


Change your passwords - big data breach: Russian Gang Amasses Over a Billion Internet Passwords

the keyboard of geoff goodfellow <geoff@iconia.com>
Tue, 5 Aug 2014 17:22:20 -1000
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html

Geoff.Goodfellow@iconia.com http://geoff.livejournal.com


"Is your Dropcam live feed being watched by someone else?" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Tue, 05 Aug 2014 13:25:00 -0700
Jeremy Kirk, InfoWorld, 04 Aug 2014
Two researchers will show at Defcon how a Dropcam monitoring camera
could turn into a Trojan horse
http://www.infoworld.com/d/security/your-dropcam-live-feed-being-watched-someone-else-247566


Wikipedia announces a page detailing Wikipedia pages censored by EU Right To Be Forgotten

Lauren Weinstein <lauren@vortex.com>
Wed, 6 Aug 2014 08:03:01 -0700
Wikimedia via NNSquad
https://wikimediafoundation.org/wiki/Notices_received_from_search_engines

 - - -

Yes!


Re: Google scans your e-mail for child porn and reports to law enforcement when it finds same (Lin, RISKS-28.13)

"Alister Wm Macintyre \(Wow\)" <macwheel99@wowway.com>
Wed, 6 Aug 2014 15:49:02 -0500
Herb Lin wrote: Folks, please think about a fix for this.

I can think of several fix approaches.

We need to hear from the NGOs and GOV agencies.  Do they in fact want to be
receiving notifications of bad stuff from millions of people?  Currently
millions, perhaps even billions, of accounts are receiving unwanted stuff on
a regular basis, and the owners of those accounts are habitually deleting
the bad stuff, without making any reports to any authorities.  We are told
that the Internet is getting clogged.  90% of the traffic is unwanted
advertising, much of it for products and services which involve some kind of
illegality.  Does the law enforcement community want all of this forwarded
to them?  Or do they want a system where the bad stuff goes into some sort of
database which can be analyzed by law enforcement, so they can choose to go
after the most serious crimes, affecting their jurisdictions, and ignore the
rest?

If Google, or any other ISP, is going to report about bad stuff, then report
the whole story:

 * Not only who has it, but also

 * From what address did it come?

 * Was it forwarded via a series of people … identify all of them also

 * Which are the nations and states associated with these accounts, if
known.  Some of them may be places where this is not illegal.

 * What's the date on this?  Was it dated before the date the legal
community says it became illegal?

 * When was the last time the user did anything with his-her Gmail account &
did this arrive since then?

Make it easier to OPT IN OPT OUT of what happens with our unwanted SPAM.

Gmail has a spam filter, to catch suspected spam.  They could add an OPT IN
OPT OUT option for this to automatically notify some anti-spam operation, or
to provide a box beside the subject etc. line, or entire contents of spam
box. REPORT AND THEN DELETE, meaning report this spammer to relevant
authorities, then delete from my e-mail.

Other e-mail software providers could supply a similar feature.

I forward some of my spam to KNUJON (no junk backwards), which combines what
I forward, with other customers, to identify the spammers, and put them in
the slammer, working with different kinds of non-profits for the different
kinds of spam.  I cannot forward all my spam to KNUJON, because my ISP has
flawed security.  They can conclude that I am the bad guy, or that my
computer is infected, just because I am forwarding some problem, that they
did not detect when it was incoming.  Their customer service lacks the
mentality to comprehend the concept of KNUJON service.

Our e-mail and browser software now has aids to help us see suspected spam,
other problems, on arrival, and let us have it automatically go to a spam mail
box, or have other actions taken.  The state of art has false positives and
false negatives because there is a constant war between the developers of
this software, and the developers of the badware.  We could ask the
protection developers to add a flag “suspected illegal” into a mail box
by nature of suspicion.  We could then OPT IN OPT OUT do what about this.

 * Report all of it, including false positives

 * Report some of it

 * Report none of it, just delete it

Browsers could get an add-on.  We arrive at some site which seems suspicious
to us.  I have found sites promoting the assassination of political leaders,
selling products I believe illegal for me to buy, promoting all sorts of
hatreds.  In the past, I have screen printed the offending info, including
URL, then taken this to my local police station, suggesting-asking that it
be forwarded to the FBI, Secret Service, or whatever agency seems relevant.
I show my id when I do this.

My proposed add-on would have a click on icon associated with the browser
options, where we can oops exit if we did not mean to do that.  Up pops a
screen where we can select what's objectionable from a list of
possibilities, or key in text describing the other, such as:

 * Activity promoted, which I think is illegal … key in text what

 * Child Porn here

 * Nigerian Scam

 * Phishing suspected

 * Stock pump and dump suspected

 * Terrorist site

 * Treason here

 * Virus delivery

Each of the standard possibilities would have a standard NGO or GOV
organization to which the link report would be sent, such as stock swindles
to the SEC, and/or relevant GOV organization in some other nation, if either
the witness, or the site, apparently located in that nation, based on URL,
and any street address or phone # involved.

A few years ago, I received an advertisement in the snail mail, trying to
sell me child porn.

I took it to the local post office & tried to have something constructive
done about what I thought was a crime.

Well, this is in the eyes of the beholder, a matter of opinion.  It was not
objectionable material to the local Post Master representative.

An offer was made to me, which I accepted.  The Post Office would notify the
sender address that they were to cease sending anything to my address, and
if they persisted, there would be legal trouble for them.

In consequence of this, I became flooded, for a short time, with exact same
advertising from other from-addresses.

Apparently the first place had sold my address to their peers, since the
postal notification to them had confirmed my address was valid.

Many years ago, before caller-id, I was the recipient of harassing phone
calls.

I contacted my phone service provider to ask what could be done about it.

I learned that the phone company had a limited budget to deal with this
particular issue, and I was not getting enough of these calls to justify
them doing anything for me.

It was sufficiently annoying to me, that I got my phone # changed.

The phone company charged me a fee, for changing my phone # for no good
reason.

Alister William Macintyre (Al Mac)


Re: Fouling the NEST; Who's roo(s)ting in your home? (RISKS-28.13)

Eric Sosman <esosman@comcast.net>
Tue, 05 Aug 2014 14:46:28 -0400
In RISKS-28.13, Alister Wm Macintyre comments on the NEST matter and asks
the question: "Wasn't the TARGET breach a variation on this?"  Based on the
information at

http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

... I'd have to say the answer to his question is "No."
