The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 20

Sunday 24 August 2014

Contents

A Better Credit Card
NYT
U.S. finds hacker tool "Backoff" widespread
Nicole Perlroth
Re: Cyberattack that hit Target affecting 1,000 US businesses
Bob Frankston
The New Editors of the Internet
Dan Gillmor via Dewayne Hendricks
Reverse-engineering censorship in China: Randomized experimentation and participant observation
David Farber
CyberSec Coordinator Tells Why Lack of Tech Know-How Helps
Henry Baker
Asimov's Three Laws of Robotics Supplemented for 21st Century Care Robots
Peter Dunn via ACM TechNews
Read This: "How Verizon lets its copper network decay to force phone customers onto fiber"
Ars Technica
Re: Hacking Traffic Lights is Amazingly Really Easy
Edward Vielmetti
"Many Chrome browser extensions do sneaky things"
Jeremy Kirk via Gene Wirchenko
Hands On with the HTC One M8 for Windows: The first OS-agnostic phone
Ars Technica via Bob Frankston
Farooq Butt
Google: "That's not the download you're looking for..."
Lauren Weinstein
Re: Google Map Tracks Your Every Move ...
Dimitri Maziuk
Jonas M Luster
Re: Vote! You Just Might Win $50,000
Mark Thorson
Info on RISKS (comp.risks)

A Better Credit Card (NYT)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 24 Aug 2014 11:42:58 PDT
The Editorial Board, *The New York Times*, 23 Aug 2014
http://www.nytimes.com/2014/08/24/opinion/sunday/a-better-credit-card.html?rref=opinion

American banks and retailers are finally embracing credit card technology
that has been shown to minimize fraudulent transactions in the rest of the
world. Given recent data breaches in which hackers stole the card numbers of
millions of consumers from cash register systems at retailers like Target
and Supervalu, the change can't come soon enough.

The new cards, which contain computer chips, are standard in Europe and more
secure against hacking than the magnetic-stripe cards widely used in the
United States. Users of chip-based cards in Europe have to enter a
four-digit code on a keypad to complete purchases, adding another layer of
security. Industry groups in Britain and Canada have reported that credit
card fraud dropped sharply after banks and merchants switched to such
cards.

American credit card companies plan to issue more than 575 million
chip-based cards by the end of 2015, and retailers like Walmart and Target
are installing thousands of registers where the new cards can be used. But
some banks will initially only require customers to sign for purchases when
using chip-based cards rather than requiring the extra step of entering a
secure code. The banks say they will add the code step once consumers become
accustomed to using the new cards.

One reason for the delay in conversion to chip-based cards is that banks
were not willing to upgrade their systems until retailers did the same.  But
the publicity surrounding the data breaches changed a lot of minds, as did
the fact that stricter rules governing liability for fraud-related losses
will take effect a little over a year from now.  Under the new rules, if one
entity, the retailer or the credit card firm, is using the less-secure
system, it will be held liable for losses.

One big problem that chip-based cards will not address is fraud linked to
purchases made over the Internet. Industry officials say they are working on
various approaches to making online purchases more secure.  For example,
credit card companies could verify the identity of online shoppers by
sending a text message to their cellphones with a unique code when they try
to buy something on, say, Amazon. The customer would then have to enter that
code on Amazon to complete the transaction.  Some companies like MasterCard
are already offering such features, but they are not in wide use.

No technology can eliminate fraud. But chip-based cards can make it harder
for criminals to profit.

See also:
Q&A: The Shift to Safer Chip-and-PIN Credit Cards, 9 Jun 2014
http://www.nytimes.com/2014/06/06/technology/personaltech/the-shift-to-safer-chip-and-pin-credit-cards.html

  [Also see the article by Ross Anderson and Steven Murdoch, EMV: Why
  Payment Systems Fail: What lessons might we learn from the chip cards used
  for payments in Europe, now that the U.S. is adopting them too?  Inside
  Risks column in the June CACM:
    http://www.csl.sri.com/neumann/insiderisks.html#233
  PGN]


U.S. finds hacker tool "Backoff" widespread (Nicole Perlroth)

"Peter G. Neumann" <neumann@csl.sri.com>
Sat, 23 Aug 2014 13:19:12 PDT
In an article by Nicole Perlroth in this morning's business section of *The
New York Times*, more than a thousand U.S. businesses have been compromised
by malware called Backoff (because that appears in its code).  Target (an
early victim) and UPS Stores (recently) were perhaps the most publicized.
Typically, the companies had no idea they had been hacked.  Seven companies
that sell and manage in-store cash register systems have confirmed that
their clients had been affected.  The Department of Homeland Security has
suggested searching for "Backoff", and ratcheting up their security in
limiting access by insiders, locking out would-be attackers after multiple
failed login attempts, and increasing the length of their passwords.  [Once
again, the fundamental weaknesses of commercial system software strike
again.]  *TNYT* National Edition, 23 Aug 2014, C1/C6 (PGN-ed).  [Also noted
by Bob Gezelter.]


Re: Cyberattack that hit Target affecting 1,000 US businesses

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
23 Aug 2014 12:27:47 -0400
*The Boston Globe*, 22 Aug 2014
http://www.bostonglobe.com/business/2014/08/22/cyberattack-that-hit-target-affecting-businesses/AmsccErTlI4vLhQpUfSorL/story.html

Implicit in the suggestions is the assumption of perimeter security for
networks—but I see that assumption as the real vulnerability. I'd like to
see a more sophisticated approach which would focus on making systems such
as cash registers safer by having trust that doesn't rely on such
perimeters.  Perhaps we need a term such as VPC - Virtual Private
Communities to emphasize that trust is among devices or, more to the point,
applications rather than dependent upon protecting a physical network.

  [Please remember: `Perimeter security' is a complete myth.  There is
  typically no definable perimeter other than everything on the Internet,
  and overall there is no adequate security more or less anywhere!  PGN]


The New Editors of the Internet (Dan Gillmor)

*Dewayne Hendricks* <dewayne@warpspeed.com>
Saturday, August 23, 2014
Dan Gillmor, *The Atlantic*, 22 Aug 2014
http://www.theatlantic.com/technology/archive/2014/08/the-new-editors-of-the-internet/378983/

In a small number of Silicon Valley conference rooms, decisions are being
made about what people should and shouldn't see online—without the
accountability or culture that has long accompanied that responsibility.

Bowing to their better civic natures, and the pleas of James Foley's family,
Twitter and YouTube have pulled down videos and photos of his murder. They
had every right to do so, and in my view they did the right thing.

So why am I so uncomfortable with this? Because it's not clear what's too
vile to host. And, even more, because Twitter and YouTube are among a tiny
group of giant companies with greater and greater power—and less and less
accountability—over what we read, hear, and watch online.

Who gave them this power? We did. And if we don't take back what we've given
away—and what's being taken away—we'll deserve what we get: a
concentration of media power that will damage, if not eviscerate, our
tradition of free expression.

For the moment, it's reasonable to dismiss the widely repeated accusation
that removing the Foley videos was an act of censorship. When Twitter worked
with the Turkish regime to remove certain accounts, that was censorship, if
by proxy, because it was done on the orders of a government.  And, of
course, when governments directly block Twitter, YouTube, Facebook, and
other services, as some do, that is direct censorship. But when Twitter and
YouTube took down a murder-as-propaganda video, that was editing. (Show me
evidence that the U.S. government persuaded Twitter and YouTube to do this,
as it almost certainly did when the major payment systems cut off Wikileaks'
funding several years ago, and I'll revise that view.)

Editing, yes, but on an epic scale—and critics are absolutely right to
raise some stark questions. What precedent does this set? What actual
policies are at work? Are the policies being applied consistently? If it's
appropriate to take down these videos and pictures, why not the images of so
many others who've been the victims of ISIS and other criminals?

All are important questions, but the reason they're so important, again, is
the clout these services exert in the information marketplace. There was
little uproar, after all, when the anything-goes LiveLeak—which hosts
videos that most others find beyond the pale—vowed not to post any ISIS
beheading videos, on the reasonable grounds that it's wrong to help
murderers do public relations.

What makes so many free-speech protectors fret in the current situation,
again, is not the instinct to protect an unwary public from encountering the
worst of humanity, or to avoid helping barbarian propagandists. It is the
slippery slope issue, and this is getting more worrisome every day with the
growing domination of Facebook, Google, and Twitter over our media flow.

They're dominant not because they've taken control, but because we've given
them control—and not for all bad reasons. These services are enormously
useful and convenient. But because we aren't paying for these services, we
users are, as the saying goes, the products being sold to advertisers. We
have no rights beyond what the companies give us in their terms of service,
where quaint ideas like the First Amendment have no application. When
Facebook decides what you see in your timeline, you have no recourse --
because you *agreed* to terms of service that are grossly one-sided and not
constrained by the Bill of Rights.

I'm a frequent Twitter user, in part because the company has for the most
part been a strong protector of free speech. I confess to some misgivings
about my own tendency to put so much of what I do into a proprietary service
that increasingly makes clear that it controls the experience. Even as it
was taking down the Foley videos, Twitter was expanding its unilateral
tweaking of users' timelines, inserting posts that the users did not ask for
-- a major breach in the bargain Twitter made with us from its early
days. (I don't trust Facebook at all, and use it rarely, and have been using
DuckDuckGo, which doesn't track users, as an alternative search engine --
though I do use some Google services.)

Journalists have been especially short-sighted in their eagerness to use
social networks, feeding enormous amounts of content into third-party
services they do not in any way control and which get, by far, the best of
the bargain in the long run. Guess what, journalism companies? Facebook is
going to be your biggest competitor in the long run. Twitter is a media
company, too. And Google's eating your lunch every day. [..]


Reverse-engineering censorship in China: Randomized experimentation and participant observation

"David Farber via ip" <ip@listbox.com>
Sat, 23 Aug 2014 10:00:34 -0400
http://www.sciencemag.org/content/345/6199/1251722

Conclusion

Censorship in China is used to muzzle those outside government who attempt
to spur the creation of crowds for any reason—in opposition to, in support
of, or unrelated to the government. The government allows the Chinese people
to say whatever they like about the state, its leaders, or their policies,
because talk about any subject unconnected to collective action is not
censored. The value that Chinese leaders find in allowing and then measuring
criticism by hundreds of millions of Chinese people creates actionable
information for them and, as a result, also for academic scholars and public
policy analysts.


CyberSec Coordinator Tells Why Lack of Tech Know-How Helps

Henry Baker <hbaker1@pipeline.com>
Fri, 22 Aug 2014 11:03:05 -0700
FYI—Technical ignorance is an advantage?  Perhaps Michael Daniel should
start doing brain surgery tomorrow?

I thought that the Dems always valued expertise over politics...

Michael Daniel exhibits the hubris of those whose VerbalSAT >> MathSAT.

http://www.govinfosecurity.com/interviews/michael-daniels-path-to-white-house-i-2422

Eric Chabrow, August 21, 2014
Michael Daniel's Path to the White House
CyberSec Coordinator Tells Why Lack of Tech Know-How Helps

Michael Daniel sees his lack of technical expertise in IT security as an
asset in his job as White House cybersecurity coordinator.

"Being too down in the weeds at the technical level could actually be a
little bit of a distraction," Daniel, a special assistant to the president,
says in an interview with Information Security Media Group.

"You can get enamored with the very detailed aspects of some of the
technical solutions," he says.  "And, particularly here at the White House
... the real issue is to look at the broad, strategic picture and the impact
that technology will have."

Daniel came out of obscurity in the federal bureaucracy in May 2012 - he was
serving as the intelligence branch chief at the White House Office of
Management and Budget - when President Obama tapped him to replace the
administration's first cybersecurity coordinator, Howard Schmidt (see Who Is
Michael Daniel?).

In discussing his role, Daniel says understanding the economics and
psychology of cybersecurity is a big challenge.  "At a very fundamental
level, cybersecurity isn't just about the technology but it's also about the
economics of cybersecurity," he says.

"Intruders get in through those holes that we know about that we could fix,"
he says.  "The question is, 'Why don't we do that?'  That clearly leads me
to the conclusion that we really don't understand all of those economics and
psychology [situations] well enough."

In the interview, which was interrupted when he was called to the West Wing,
Daniel discusses:
  How his academic career and experience at OMB prepared him to become the
  president's top adviser on cybersecurity; The range of talents needed in
  government to boost the nation's cyberdefense; and His adeptness at
  martial arts - he holds a black belt - and how he applies that to
  cybersecurity.

Daniel holds a bachelor's degree in public policy from Princeton University,
a master of public policy degree from the Harvard Kennedy School of
Government and a master in national resource planning degree from the
National Defense University.  After graduating from Princeton in 1992,
Daniel took a job as a research assistant at the Southern Center for
International Studies, a think tank in Atlanta.  Upon receiving his master's
degree from Harvard, he joined OMB as a program examiner in the operations
and personnel branch, covering the Navy, Marine Corps and contingency
operations programs.


Asimov's Three Laws of Robotics Supplemented for 21st Century Care Robots (Peter Dunn)

"ACM TechNews" <technews@hq.acm.org>
Fri, 22 Aug 2014 12:27:22 -0400 (EDT)
Peter Dunn, University of Warwick, 14 Aug 2014
via ACM TechNews, Friday, August 22, 2014

Inspired by the Three Laws of Robotics first described by science fiction
author Isaac Asimov in his story "Runaround" and as part of a European
Commission (EC) project, University of Warwick philosopher Tom Sorell and
University of Birmingham professor Heather Draper have created a set of six
values that should be used to govern the behavior of robots created for
the care of the elderly.  The six values center around the circumstances of
the older person in need of support and are designed to be built into the
robot's hardware and software.  The six proposed values are autonomy,
independence, enablement, safety, privacy, and social connectedness.  Sorell
says just as Asimov's laws influenced one another, with some taking
precedence over the others, autonomy should be considered the paramount
value for elder care robots.  The six values were conceived of as part of
the EC ACCOMPANY project, and Sorell and Draper note they will continue to
be tweaked in collaboration with engineers.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c6a6x2b90bx061522&


Read This: "How Verizon lets its copper network decay to force phone customers onto fiber" (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Thu, 14 Aug 2014 18:50:41 -0700
Ars Technica via NNSquad:
http://arstechnica.com/information-technology/2014/08/why-verizon-is-trying-very-hard-to-force-fiber-on-its-customers/

 "But the FCC is on course to let Verizon, AT&T, and other phone companies
 stop maintaining the old Public Switched Telephone Network (PSTN) by around
 2020, eventually moving everyone to Voice over Internet Protocol (VoIP)
 phone service. This shift could come with a loss of consumer protection
 rules such as price caps and "carrier of last resort" obligations to
 provide wireline phone service to anyone who asks for it. AT&T wants to
 substitute wireless for wired access in about 25 percent of its territory."

 - - -

I'll put it more bluntly. Verizon and AT&T—and their slimy third-party
agents who call and call trying to convince you to switch—are liars of
the first degree. Plain and simple. They care not about service levels, or
power during emergencies (during the last earthquake here in L.A., the
*only* thing that kept working through prolonged power outages was copper --
everything else including wireless was dead, dead, dead in a couple of
hours). They don't want to be simple access provider ISPs, they don't want
to provide reliable phone service, their whole profit model now is about
giant mergers and controlling Internet content—and charging you up the
gazoo for services and channels you don't want. Meanwhile, thanks to their
friendly captured FCC and state governments, they'll push everyone over to
unreliable phone service that'll fall flat on its face the next time there's
a serious emergency. But hey, they'll be freed from rate controls and public
utilities boards and anything else that would slow down their rush to the
ultimate goal—enriching their management and mollifying their
shareholders, while treating all of us and the Internet at large as their
personal fiefdoms. And you know what that makes all of us.


Re: Hacking Traffic Lights is Amazingly Really Easy

Edward Vielmetti <edward.vielmetti@gmail.com>
August 22, 2014 at 1:46:10 PM EDT
  (Re: RISKS-28.19, via Dave Farber)

The paper in question was presented at Usenix WOOT14 and is available in its
entirety here. Thanks to the USENIX Association for its enlightened
copyright policies that allow researchers to publish the full text of their
papers on their own websites without interference.

https://jhalderm.com/pub/papers/traffic-woot14.pdf

This paper appeared in Proceedings of the 8th USENIX Workshop on Offensive
Technologies (WOOT14), August 2014.

Green Lights Forever: Analyzing the Security of Traffic Infrastructure
Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and
J. Alex Halderman
Electrical Engineering and Computer Science Department, University of Michigan
{brghena, wbeyer, hillaker, jpevarne, jhalderm}@umich.edu

Abstract

The safety critical nature of traffic infrastructure requires that it be
secure against computer-based attacks, but this is not always the case. We
investigate a networked traffic signal system currently deployed in the
United States and discover a number of security flaws that exist due to
systemic failures by the designers. We leverage these flaws to create
attacks which gain control of the system, and we successfully demonstrate
them on the deployment in coordination with authorities. Our attacks show
that an adversary can control traffic infrastructure to cause disruption,
degrade safety, or gain an unfair advantage.  We make recommendations on how
to improve existing systems and discuss the lessons learned for embedded
systems security in general.


"Many Chrome browser extensions do sneaky things" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Fri, 22 Aug 2014 14:41:27 -0700
Jeremy Kirk, InfoWorld, 20 Aug 2014
A study of 48,000 Chrome extensions uncovers ad fraud, data theft,
and other misdeeds
http://www.infoworld.com/d/security/many-chrome-browser-extensions-do-sneaky-things-248775


Hands On with the HTC One M8 for Windows: The first OS-agnostic phone | Ars Technica

"Bob Frankston" <Bob19-0501@bobf.frankston.com>
August 22, 2014 at 9:39:37 AM EDT
  (via Dave Farber)

http://arstechnica.com/gadgets/2014/08/hands-on-with-the-htc-one-m8-for-windows-the-first-os-agnostic-phone/

Is it too much to hope for a day when we can buy the OS independent of the
hardware? There was a time when you couldn't buy an IBM mainframe—you
had to just lease it with their software. In the 1970s IBM was forced to
sell the hardware independent of the software and, I contend, it made the
hardware more valuable for society as a whole even if less was captured by
IBM.

There is a lot of useful hardware in those portable devices (as I wrote in my
column, http://rmf.vc/IEEESmart last year)—it's a shame to waste it all
by making them just phones or mobile delivery devices for app stores.

The brouhaha over unlocking phones is important but it doesn't go far enough
in giving us access to a valuable resource.


Re: Hands On with the HTC One M8 for Windows: The first OS-agnostic phone

Farooq Butt <farooq@farooqbutt.com>
August 23, 2014 at 10:51:07 AM EDT
OS agnosticism is not a phone issue. It's all got to do with phone subsidies
and operator economics.  But at an even deeper level it's all about ownership.

If you don't have any phone subsidies you generally will get unlocked retail
phones on which you could potentially install whatever OS you want. Just
look at the phone market in southern China for example. Lots of handsets,
lots of weird operating systems.

In the US market the presence of phone subsidies means that you can never
have truly unlocked subsidized phones, which means you will never get many
OS agnostic phones.  They generally all come with software preinstalled and
locked by the operator including crapware.  This is like IBM renting you a
mainframe.

The rub is that if you want a truly unlocked phone you have to settle for
paying upwards of $400 at retail for a modern high performance smartphone.
Americans consistently vote with their wallets that that is not what they
want. We seem to really love our $99 locked down (and "rented")
smartphones.  Uber geeks of course spend their $$$ to buy unlocked phones.

The bottom line is in order to have operating system agnostic handsets
become real, you need a lot of unlocked handsets out there as a
precondition.  Given the $99 vs $400+ cost, I doubt this will happen very
quickly.


Google: "That's not the download you're looking for..."

Lauren Weinstein <lauren@vortex.com>
Thu, 14 Aug 2014 15:07:48 -0700
Google via NNSquad
http://googleonlinesecurity.blogspot.com/2014/08/thats-not-download-youre-looking-for.htm

  "Starting next week, we'll be expanding Safe Browsing protection against
  additional kinds of deceptive software: programs disguised as a helpful
  download that actually make unexpected changes to your computer—for
  instance, switching your homepage or other browser settings to ones you
  don't want.  We'll show a warning in Chrome whenever an attempt is made to
  trick you into downloading and installing such software. (If you still
  wish to proceed despite the warning, you can access it from your Downloads
  list.)"


Re: Google Map Tracks Your Every Move ... (R-28.19)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Thu, 21 Aug 2014 17:35:43 -0500
Google tracks your android smartphone's location *if* you have location
services turned on. And if you care to look it'll show you on the map
exactly what location data it has collected.

And it's only news if you've never posted to a social media site from your
android smartphone. Because if you have, you know your posts show up with
location tags attached and if you cared to think about it for a second,
you've figured out where that location information comes from.

In the meantime cellphone companies could triangulate on your cellphone
location since long before android. And allegedly have been doing just that,
apparently upon a mere say so from various agencies (try typing "warrantless
metadata searches" into google), who presumably shared the "metadata" they
collected with other unspecified agencies as they saw fit (try "EU-US PNR
data sharing"). And now it is all sitting in an unknown number of excel
spreadsheets on no longer patched windows xp pcs.

> GOOGLE TRACKS YOU EVERYWHERE YOU GO.

Yes, indeed, google is the one you should worry about.

Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu


Re: Google Map Tracks Your Every Move ... (R-28.19)

Jonas M Luster <jluster@jluster.org>
Friday, August 22, 2014
I am sorry, but this recent hyperbole is getting a little bit too much for
comfort.  *That* Google tracks location data is a well known opt-in
functionality of every device running Google Maps. Yes, opt-in, because the
"would you like submit location data to Google for tracking and
recommendation purposes" check-box is unchecked in iOS and only the "use
Google servers" one is checked in Android by default.

It really takes a conscious effort on the device owners' side to enable
this.

Once enabled there's also a link text and a help line that links to
https://www.google.com/settings/dashboard which allows every Google user to
see what Google knows about them, what they track, and to export, limit,
disallow, and delete data.

The uproar seems to be about Google making available a set of amazing data
visualization and export tools. A query like
https://maps.google.com/locationhistory/b/0/kml?startTime08703935&endTime08703935
will download your known location data for the past month in KML. This is
useful in many regards, for example to reverse geotag images taken with
cameras without GPS module or to verify gas mileage.

Unlike Facebook, OKCupid, and all those other services collecting this data,
Google is open about the collection, allows use, export, and deletion, and
gives the user a choice of trading privacy for functionality and useful
data.

Why there is such an uproar over a well communicated opt-in feature (I
checked Blackberry, Windows Mobile, Android, and iOS, all ask for permission
and explain what's happening) is beyond me.


Re: Vote! You Just Might Win $50,000

Mark Thorson <eee@sonic.net>
Thu, 21 Aug 2014 19:44:02 -0700
 > "Wouldn't we get a lot of people who know nothing about
 > politics or the candidates jumping in and voting and just
 > checking the box so they could get a million bucks?"

If this passes, I'm moving to LA, changing my name to Mr. Lucky Ticket, and
running in their elections.  My platform is we need many more and much
larger prizes.
