The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 27

Monday 15 September 2014

Contents

Lessons for the Future: Harvard Computer Science intro course
ACM TechNews
Lessons From the Past for a Future in Smart Cars
Monty Solomon
Steve Jobs Was a Low-Tech Parent
Nick Bilton via Monty Solomon
Software glitch sends regular Colorado driver's licenses to immigrants
Kirk Mitchell via Jim Reisert
NFL's finicky WiFi connections frustrate some coaches
David Tarabar
Airlines Take the Bump Out of Turbulence
Monty Solomon
Trying to Hit the Brake on Texting While Driving
Monty Solomon
NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide
Bruce Schneier
The Mystery of Apple Watch's Battery Life
*NYTimes* via Monty Solomon
iPwned: How easy is it to mine Apple services, devices for data?
Ars Technica via Monty Solomon
Banks Did It Apple's Way in Payments by Mobile
Monty Solomon
Senator demands US courts recover 10 years of online public records
David Kravets via Monty Solomon
How the cybercrime industry fueled Target breach
Jeff Morganteen
After e-mail takeover, copycats demand cash to expose Bitcoin's creator
Ars Technica via Monty Solomon
US gov't threatened Yahoo with $250K daily fine if it didn't use PRISM
Ars Technica via Monty Solomon
Supreme Court ruling has wiped out 11 "do it on a computer" patents so far
Ars Technica via NNSquad
Turning the tables on "Windows Support" scammers by compromising their PCs
Ars Technica via Monty Solomon
Google Play and lack of version numbers
Dan Jacobson
Canon printers `Doom'ed
Henry Baker
Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed
TechDirt via Kenneth R. Mayer Jr.
Keep Your Data Yours While Traveling
Monty Solomon
"Privacy Commissioner unearths apps demanding too many permissions"
Candice So via Gene Wirchenko
60 percent of apps fail basic privacy tests, finds international cross-governmental study
geoff goodfellow
Re: Apple Says It Will Add New iCloud Security Measures After Celebrity Hack
Steven Klein
Re: The Case for Resign Switches for Politicians
Michael Kohne
Re: zero-day bounties
Paul Edwards
Info on RISKS (comp.risks)

Lessons for the Future: Harvard Computer Science intro course

"ACM TechNews" <technews@hq.acm.org>
Mon, 15 Sep 2014 11:55:17 -0400 (EDT)
  [This item is included as perhaps an encouraging harbinger of things to
  come, something that RISKS has always touted from the very beginning --
  pervasively increased awareness of computer literacy, and especially
  computer-related RISKS.  This may be a tip of just one iceberg, but I
  consider it good news.  PGN]

Meg P. Bernhard, Harvard Computer Science Introductory Course Logs
Record-Breaking Enrollment Numbers, *The Harvard Crimson*, 11 Sep 2014
via ACM TechNews, Monday, September 15, 2014

Nearly 12 percent of Harvard College's students have enrolled in the
college's introductory computer science class, Computer Science 50:
"Introduction to Computer Science I."  With a record-breaking total
enrollment of 818 undergraduate students this semester, CS50 is the
college's largest course, followed by "Principles of Economics," the
previous semester's largest course.  Several factors are contributing to the
class's popularity.  Instructor David J. Malan says the boost in enrollment
in part reflects a growing interest among Harvard students and the general
public in computer science.  Professor Eddie Kohler says CS50's growing
popularity also is due to its accessibility, characterizing the course as
more of an experience.  Harry R. Lewis, Harvard's director of undergraduate
studies for computer science, says Harvard students have "figured out that
in pretty much every area of study, computational methods and computational
thinking are going to be important to the future."  Lewis also says he has
seen higher enrollment than ever in other computer science courses this
semester, including "Introduction to the Theory of Computation," which has
153 students enrolled.  The number of computer science concentrators at
Harvard also has increased, nearly doubling between 2008 and 2013.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c8cdx2bacex063367&


Lessons From the Past for a Future in Smart Cars

Monty Solomon <monty@roscom.com>
Mon, 15 Sep 2014 09:28:14 -0400
The slow move toward air bags and seatbelts as standard safety features,
into an era of the computer on wheels.
http://www.nytimes.com/2014/09/15/us/lessons-from-the-past-for-a-future-in-smart-cars.html


Steve Jobs Was a Low-Tech Parent (Nick Bilton)

Monty Solomon <monty@roscom.com>
Thu, 11 Sep 2014 20:09:55 -0400
Nick Bilton, *The New York Times*, 10 Sep 2014

When Steve Jobs was running Apple, he was known to call journalists to
either pat them on the back for a recent article or, more often than not,
explain how they got it wrong. I was on the receiving end of a few of those
calls. But nothing shocked me more than something Mr. Jobs said to me in
late 2010 after he had finished chewing me out for something I had written
about an iPad shortcoming.

"So, your kids must love the iPad?" I asked Mr. Jobs, trying to change the
subject. The company's first tablet was just hitting the shelves. "They
haven't used it," he told me. "We limit how much technology our kids use at
home."

I'm sure I responded with a gasp and dumbfounded silence. I had imagined the
Jobs's household was like a nerd's paradise: that the walls were giant touch
screens, the dining table was made from tiles of iPads and that iPods were
handed out to guests like chocolates on a pillow.

Nope, Mr. Jobs told me, not even close. ...

http://www.nytimes.com/2014/09/11/fashion/steve-jobs-apple-was-a-low-tech-parent.html


Software glitch sends regular Colorado driver's licenses to immigrants (Kirk Mitchell)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Fri, 12 Sep 2014 15:25:42 -0600
Kirk Mitchell, *The Denver Post*, 12 Sep 2014

A software glitch mistakenly sent regular Colorado driver's licenses to
hundreds of immigrants living in the United States illegally, rather than
the special licenses they were supposed to get, officials said Friday.

The special driver's licenses created for the first time this year for
immigrants do not have an intended disclaimer that makes it clear the holder
cannot vote, according to authorities.

Specifically, the cards do not have a black band near the top indicating
that the license does not offer voting privileges and is not for `public
benefit purposes'.  "They didn't have all the security measures they were
supposed to have to make sure they were used correctly," said Daria Serna,
spokeswoman for the Colorado Department of Revenue.

The driver's license cards for people in the country legally with visas and
those living here illegally look *identical* to driver's licenses for
U.S. citizens living in Colorado, according to a news release Friday by John
Raffetto, spokesman for private contractor MorphoTrust.

The glitch resulted in errors that invalidated 524 Colorado driver's
licenses for those living in this country illegally, Raffetto said.

http://www.denverpost.com/news/ci_26521997/


NFL's finicky WiFi connections frustrate some coaches

David Tarabar <dtarabar@acm.org>
Sun, 14 Sep 2014 18:36:37 -0400
A $400 million sponsorship by Microsoft has equipped NFL coaches with
Surface tablets during games. This allows them to review plays and
formations—replacing printed pictures that have been used for decades.
However the connectivity has not been completely reliable. It seems that a
crowded football stadium is not the best environment for reliable Wi-Fi.

... and one more thing

"The partnership with the NFL hasn't worked out ideally for Microsoft,
either. Coaches, players, and TV announcers have repeatedly referred to the
Surface tablets as iPads"

http://www.bostonglobe.com/business/2014/09/12/nfl-finicky-connections-frustrate-some-coaches/c8viq8RB9oMLeHSA9kdWyN/story.html


Airlines Take the Bump Out of Turbulence

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 01:29:16 -0400
Stronger computing power, improved satellite and radar technology and more
sophisticated scientific models give airlines a greater understanding of
flying conditions.

http://www.nytimes.com/2014/09/08/technology/airlines-take-the-bump-out-of-turbulence.html


Trying to Hit the Brake on Texting While Driving

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 01:21:41 -0400
People keep texting when they're behind the wheel, so an engineer has found
a technological solution. The problem: He can't do it on his own.

http://www.nytimes.com/2014/09/14/business/trying-to-hit-the-brake-on-texting-while-driving.html


NSA/GCHQ/CSEC Infecting Innocent Computers Worldwide

Bruce Schneier <schneier@schneier.com>
Mon, 15 Sep 2014 00:08:11 -0500
Bruce Schneier, CRYPTO-GRAM, 15 Sep 2014, Co3 Systems, Inc.
http://www.schneier.com

There's a new story on the c't Magazin website about a 5-Eyes program to
infect computers around the world for use as launching pads for attacks.
These are not target computers; these are innocent third parties.

The article actually talks about several government programs. HACIENDA is a
GCHQ program to port-scan entire countries, looking for vulnerable computers
to attack. According to the GCHQ slide from 2009, they've completed port
scans of 27 different countries and are prepared to do more.

The point of this is to create ORBs, or Operational Relay Boxes.  Basically,
these are computers that sit between the attacker and the target, and are
designed to obscure the true origins of an attack.  Slides from the Canadian
CSEC talk about how this process is being automated: "2-3 times/year, 1 day
focused effort to acquire as many new ORBs as possible in as many non 5-Eyes
countries as possible." They've automated this process into something
codenamed LANDMARK, and together with a knowledge engine codenamed OLYMPIA,
24 people were able to identify "a list of 3000+ potential ORBs" in 5-8
hours. The presentation does not go on to say whether all of those computers
were actually infected.

Slides from the UK's GCHQ also talk about ORB detection, as part of a
program called MUGSHOT. It, too, is happy with the automatic process:
"Initial ten fold increase in Orb identification rate over manual process."
There are also NSA slides that talk about the hacking process, but there's
not much new in them.

The slides never say how many of the "potential ORBs" CSEC discovers or the
computers that register positive in GCHQ's "Orb identification" are actually
infected, but they're all stored in a database for future use.  The Canadian
slides talk about how some of that information was shared with the NSA.

Increasingly, innocent computers and networks are becoming collateral
damage, as countries use the Internet to conduct espionage and attacks
against each other. This is an example of that. Not only do these
intelligence services want an insecure Internet so they can attack each
other, they want an insecure Internet so they can use innocent third parties
to help facilitate their attacks.

The story contains formerly TOP SECRET documents from the US, UK, and
Canada. Note that Snowden is not mentioned at all in this story.  Usually,
if the documents the story is based on come from Snowden, the reporters say
that. In this case, the reporters have said nothing about where the
documents come from. I don't know if this is an omission—these documents
sure look like the sorts of things that come from the Snowden archive—or
if there is yet another leaker.

http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html
or http://tinyurl.com/mevxbq2
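Defenders on the receiving end of HACIENDA-style scanning see it first in
their own firewall logs. The following is an added example, not part of
Schneier's post or the c't story: a small detector over constructed
netfilter-style log lines that flags a source touching many hosts on one
port (a horizontal sweep) or many ports on one host (a vertical probe)
within a time window. The log format, addresses, window and thresholds are
assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in the shape of netfilter LOG output (constructed, not
# real traffic): one horizontal sweep of port 22, one vertical probe of a
# single host, two benign drops, and one non-firewall line.
SAMPLE_LOG = """\
Sep 15 00:01:02 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22 SYN
Sep 15 00:01:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=40002 DPT=22 SYN
Sep 15 00:01:03 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=40003 DPT=22 SYN
Sep 15 00:01:04 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=40004 DPT=22 SYN
Sep 15 00:01:05 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP SPT=40005 DPT=22 SYN
Sep 15 00:01:06 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.15 PROTO=TCP SPT=40006 DPT=22 SYN
Sep 15 00:02:10 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=21 SYN
Sep 15 00:02:10 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51001 DPT=22 SYN
Sep 15 00:02:11 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51002 DPT=23 SYN
Sep 15 00:02:11 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51003 DPT=25 SYN
Sep 15 00:02:12 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51004 DPT=80 SYN
Sep 15 00:02:12 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51005 DPT=443 SYN
Sep 15 00:03:00 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.50 DST=198.51.100.20 PROTO=TCP SPT=33000 DPT=443 SYN
Sep 15 00:03:01 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.50 DST=198.51.100.20 PROTO=TCP SPT=33001 DPT=443 SYN
Sep 15 00:03:02 gw sshd[4242]: Accepted publickey for ops from 198.51.100.50 port 33002
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: FW-DROP .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return {ts, src, dst, dpt} for a firewall drop line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_scans(lines, window=timedelta(minutes=5), host_threshold=5, port_threshold=5):
    """Flag (src, kind, key, count) where one source touched >= host_threshold
    distinct hosts on one port, or >= port_threshold distinct ports on one
    host, within `window`. Sliding window per source; the widest count wins."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    findings = {}  # (src, kind, key) -> largest count seen in any window
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            hosts_per_port = defaultdict(set)  # horizontal: one port, many hosts
            ports_per_host = defaultdict(set)  # vertical: one host, many ports
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                hosts_per_port[ev["dpt"]].add(ev["dst"])
                ports_per_host[ev["dst"]].add(ev["dpt"])
            for dpt, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    k = (src, "horizontal", dpt)
                    findings[k] = max(findings.get(k, 0), len(hosts))
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    k = (src, "vertical", dst)
                    findings[k] = max(findings.get(k, 0), len(ports))
    return sorted(((s, kind, key, n) for (s, kind, key), n in findings.items()),
                  key=lambda f: (f[0], f[1], str(f[2])))


if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG.splitlines()):
        print(finding)
```

A per-source threshold like this is exactly what relaying through ORBs is
meant to defeat: a sweep spread across many relay boxes stays below it. The
next step is correlating by destination port or timing across sources, and
when a scan does trip the rule, the source address points at another
victim, not at the operator.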


The Mystery of Apple Watch's Battery Life

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 02:44:08 -0400
Apple had plenty to brag about at its event earlier this week. So it was
particularly noticeable when Apple left out an important detail about the
brand-new Apple Watch: the battery life.

http://bits.blogs.nytimes.com/2014/09/12/the-mystery-of-apple-watchs-battery-life/


iPwned: How easy is it to mine Apple services, devices for data?

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 10:41:31 -0400
http://arstechnica.com/features/2014/09/ipwned-mining-iphones-icloud-for-personal-data-is-terrifying-simple/


Banks Did It Apple's Way in Payments by Mobile

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 02:45:02 -0400
The eagerness of banks and card companies to work with Apple on its mobile
payment system suggests Apple's clout and the concern financial players have
for their future.

http://dealbook.nytimes.com/2014/09/11/banks-did-it-apples-way-in-payments-by-mobile/


Senator demands US courts recover 10 years of online public records

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 10:22:41 -0400
"Restore access," lawmaker says of docs purged because of computer upgrade
issue.

David Kravets, Ars Technica, 13 Sep 2014

The head of the powerful Senate Judiciary Committee is urging the federal
bureaucracy to restore a decade's worth of electronic court documents that
were deleted last month from online viewing because of an upgrade to a
computer database known as PACER.

Senate Judiciary Committee Chairman Patrick Leahy (D-Vermont) said the
removal of the thousands of cases from online review is essentially erasing
history. ...

http://arstechnica.com/tech-policy/2014/09/senator-demands-us-courts-recover-10-years-of-online-public-records/


How the cybercrime industry fueled Target breach (McAfee) (Jeff Morganteen)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 15 Sep 2014 11:17:49 PDT
Jeff Morganteen, CNBC, 10 Mar 2014 <http://twitter.com/jmorganteen>
How the cybercrime industry fueled Target credit card breach: McAfee Labs
http://www.cnbc.com/id/101480102#.

McAfee CTO: Target attack was defendable.  Mike Fey, McAfee worldwide chief
technology officer, discusses Target's data breach, how to best protect
customer information and competition in the cybersecurity space.

The cyberattacks that led to the massive data breach at Target last year
marked the "coming-of-age" for a black-market service industry that caters
to malicious hackers and identity thieves, computer security company McAfee
Labs said in a quarterly report Monday.

That industry allowed the thieves to not only buy custom-made malware for
the theft, but also to quickly sell credit card numbers from 40 million
shoppers affected by the breach. The thieves sold the numbers through
online back-channels that security experts call the "dark web," the company
said.

"Retailers in general took this as a wake-up call," said Mike Fey, chief
technology officer at McAfee, on *Squawk on the Street*.  "They saw an
essentially off-the-shelf ... piece of malware modified for a unique
environment, which was Target. A lot of retailers assumed that if they don't
have a standard point-of-sale system, they were somehow safe. And I think
Target showed them that's not the case."

McAfee Labs released its quarterly report on cybersecurity threats on
Monday. The company focused its attention on the dark web malware industry
that fueled the point-of-sale attacks on Target and other retailers late
last year. The high-profile cyberattacks were unsophisticated technologies
that identity thieves bought off the shelf from the cybercrime "service"
community, which customized the software specifically for the attack, McAfee
said.

McAfee researchers discovered that the Target thieves offered credit card
information for sale in batches between 1 million and 4 million numbers, the
cybersecurity company said. What's more, Fey said Target could have defended
against the point-of-sale attacks if it had a cost-effective method of
deploying existing security technology.  "You take a look at the Target
attack," Fey said. "That was defendable by technology that has been
around. It didn't require a new silver bullet."

Last week, Target's chief information officer resigned as the retailer seeks
to overhaul its security protections. [...]


After e-mail takeover, copycats demand cash to expose Bitcoin's creator

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 10:38:56 -0400
http://arstechnica.com/security/2014/09/after-e-mail-takeover-copycats-demand-cash-to-expose-bitcoins-creator/


US gov't threatened Yahoo with $250K daily fine if it didn't use PRISM

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 10:35:03 -0400
http://arstechnica.com/tech-policy/2014/09/us-govt-threatened-yahoo-with-250k-daily-fine-if-it-didnt-use-prism/

  [in 2008, reportedly at least doubling the fine for each day of
  noncompliance.  Gambler's Ruin without having to gamble!??  PGN]


Supreme Court ruling has wiped out 11 "do it on a computer" patents so far (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Sun, 14 Sep 2014 19:07:23 -0700
Ars Technica via NNSquad
http://arstechnica.com/tech-policy/2014/09/supreme-court-ruling-has-wiped-out-11-do-it-on-a-computer-patents-so-far/

  "The courts are sending a pretty clear message: you can't take a
  commonplace human activity, do it with a computer, and call that a
  patentable invention," writes Lee.


Turning the tables on "Windows Support" scammers by compromising their PCs (Ars Technica)

Monty Solomon <monty@roscom.com>
Sun, 14 Sep 2014 10:38:25 -0400
http://arstechnica.com/security/2014/09/turning-the-tables-on-windows-support-scammers-by-compromising-their-pcs/


Google Play and lack of version numbers

Dan Jacobson <jidanni@jidanni.org>
Sun, 14 Sep 2014 20:24:31 +0800
In contrast to Apple's App Store, Google Play, the official app store for
the Android operating system, does not show version numbers for its apps,
only a date. The assumption apparently is no app would have a second version
issued on the same date, so users wouldn't need to bother distinguishing
Trojans...

(Of course I don't actually own a smartphone, so I was only comparing their
websites, to which the problem is apparently limited.)


Canon printers `Doom'ed

Henry Baker <hbaker1@pipeline.com>
Mon, 15 Sep 2014 09:30:56 -0700
No authentication or signing for firmware updates; "Who suspects printers?"

http://www.theguardian.com/technology/2014/sep/15/hackers-doom-printer-canon-security

http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-encryption/

Hacker puts Doom on a printer to highlight security vulnerabilities

Canon PIXMA printer compromised with vintage first-person shooter game
during 44Con conference

Tom Fox-Brewster, *The Guardian*, theguardian.com, 15 Sep 2014

Running Doom on a printer is more than a gimmick: it's a security concern.

In 1993, first-person shooter Doom was a groundbreaking game.  In 2014, it's
being used by ethical hackers to demonstrate security vulnerabilities in
connected devices.

Specifically: printers.  During his talk at the 44Con conference in London,
Michael Jordon from Context Information Security proved he could easily
compromise the Canon PIXMA printer—popular for homes and small businesses
alike—by making it run Doom.

From the exploitation standpoint, hacking the machine was trivial, as Jordon
discovered that the device has a web interface with no username or password
protecting it.

On initial inspection, this interface was of little interest, only showing
ink levels and printing status.  But it soon became apparent a hacker could
use this interface to trigger an update to the machine's firmware - the
underlying code that is essentially the heart and soul of the printer.

An outsider could thus have changed settings on the printer to convince it
to ask for updates from a malicious server rather than Canon's official
channel.

Jordon took advantage of what he described as `terrible' encryption
protecting the firmware to add some tweaks to its code, enabling him to
control the machine from afar.

A malicious hacker could have discovered what documents the printer was
handling, or started issuing commands to take up resources.  If it belonged
to a business, they would also have had access to the network, on which to
carry out further exploitation.

Doom? Jordon used the first-person shooter as the basis for his presentation
to the white-hat hacker audience at 44Con, to make it more interesting.  The
graphics may have been slightly dodgy, but the game running on the Canon
PIXMA was still, definably, Doom.

The point of the project was to prove that machines most would not normally
expect to be hacked can be valuable to those looking to breach networks.
"If you can run Doom on a printer, you can do a lot more nasty things,"
Jordon told the Guardian.  "In a corporate environment, it would be a good
place to be. Who suspects printers?"

Canon has promised a fix, after working closely with Context.  "We intend
to provide a fix as quickly as is feasible," the company said.

  [Truncated for RISKS.  PGN]
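The two weaknesses named above, an update path anyone on the network can
trigger and encryption that provides no integrity, are worth seeing in
code. The following is an added example, not code from Henry's post, the
Guardian article or Context's research. The XOR keystream cipher, the image
layout (a 4-byte magic and a 64-byte update-server field) and the keys are
constructed stand-ins, not Canon's actual scheme; an HMAC over the
ciphertext stands in for the signature a real device would verify with a
public key, since that keeps the example in the standard library.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo keys. A real device would hold only a public
# verification key; a shared secret like SIG_KEY could be pulled from any
# one printer and used to sign firmware for all of them.
ENC_KEY = b"demo-firmware-encryption-key"
SIG_KEY = b"demo-firmware-signing-key"

MAGIC = b"FW01"            # assumed image header
URL_OFF, URL_LEN = 4, 64   # assumed fixed-width update-server field


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for a weak cipher: XOR with SHA-256 counter blocks. Not the
    PIXMA scheme; it shows that keystream encryption is malleable."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + struct.pack(">I", block_no)).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def build_image(update_url: str, body: bytes) -> bytes:
    """Plaintext firmware image: magic, NUL-padded update URL, then code."""
    return MAGIC + update_url.encode().ljust(URL_LEN, b"\0") + body


def parse_url(plain: bytes) -> Optional[str]:
    """Which server the printer will fetch its next update from."""
    if plain[:4] != MAGIC:
        return None
    return plain[URL_OFF:URL_OFF + URL_LEN].rstrip(b"\0").decode(errors="replace")


def sign_image(ciphertext: bytes) -> bytes:
    """Integrity tag over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(SIG_KEY, ciphertext, hashlib.sha256).digest()


def tamper(ciphertext: bytes, old_url: str, new_url: str) -> bytes:
    """Attacker side: knows the layout and the shipped URL, not ENC_KEY.
    c' = c XOR (p_old XOR p_new) decrypts to p_new under the same keystream."""
    delta = bytes(a ^ b for a, b in zip(old_url.encode().ljust(URL_LEN, b"\0"),
                                        new_url.encode().ljust(URL_LEN, b"\0")))
    forged = bytearray(ciphertext)
    for i, d in enumerate(delta):
        forged[URL_OFF + i] ^= d
    return bytes(forged)


def vulnerable_updater(ciphertext: bytes) -> Optional[str]:
    """Decrypt and trust: encryption alone, no authentication of the image."""
    return parse_url(keystream_xor(ENC_KEY, ciphertext))


def hardened_updater(ciphertext: bytes, tag: bytes) -> Optional[str]:
    """Verify before decrypting; constant-time compare avoids a timing leak."""
    if not hmac.compare_digest(sign_image(ciphertext), tag):
        return None
    return parse_url(keystream_xor(ENC_KEY, ciphertext))


def demo() -> dict:
    good_url = "http://updates.example.invalid/pixma"    # constructed
    evil_url = "http://attacker.example.invalid/pixma"   # constructed
    ciphertext = keystream_xor(ENC_KEY, build_image(good_url, b"\0" * 256))
    tag = sign_image(ciphertext)
    forged = tamper(ciphertext, good_url, evil_url)
    return {
        "vulnerable_accepts_forgery": vulnerable_updater(forged),
        "hardened_accepts_forgery": hardened_updater(forged, tag),
        "hardened_accepts_genuine": hardened_updater(ciphertext, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The bit flip needs no key and no decryption, which is why "encrypted
firmware" on its own says nothing about who produced it. The checks a
practitioner wants on the device side are the ones missing here: a
signature verified against a key that cannot be read out of the printer,
a monotonic version number so a signed old image cannot be replayed, and
authentication on the web interface that triggers the update in the first
place.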


Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows Passwords To Be Guessed

*Kenneth R. Mayer Jr.* <mayerjr@yahoo.com>
Saturday, September 13, 2014
  (via Dave Farber)

Excellent article.

*Analysis Of Volunteer's Metadata Stream Reveals His Life In Detail, Allows
Passwords To Be Guessed*
https://www.techdirt.com/articles/20140910/06590828478/analysis-volunteers-metadata-stream-reveals-his-life-detail-allows-passwords-to-be-guessed.shtml



Keep Your Data Yours While Traveling

Monty Solomon <monty@roscom.com>
Fri, 12 Sep 2014 09:15:16 -0400
Experts share methods for maintaining security on electronic devices at
hotels, airports and other places.

http://www.nytimes.com/2014/09/09/business/keep-your-data-yours-while-traveling.html


"Privacy Commissioner unearths apps demanding too many permissions" (Candice So)

Gene Wirchenko <genew@telus.net>
Fri, 12 Sep 2014 13:01:50 -0700
Candice So, *IT Business*, 11 Sep 2014
Privacy Commissioner unearths apps demanding too many permissions
http://www.itbusiness.ca/news/privacy-commissioner-unearths-apps-demanding-too-many-permissions/51030


60 percent of apps fail basic privacy tests, finds international cross-governmental study

geoff goodfellow <geoff@iconia.com>
Sep 12, 2014 1:59 PM
http://9to5mac.com/2014/09/12/60-percent-of-apps-fail-basic-privacy-tests-finds-international-cross-governmental-study/


Re: Apple Says It Will Add New iCloud Security Measures After Celebrity Hack (Chen, RISKS-28.26)

Steven Klein <steven@yourmacexpert.com>
Sun, 14 Sep 2014 11:47:23 -0400
Kurt Seifried complains (sarcastically) about Apple not "making brute force
attacks harder."  They impose delays after three incorrect password
attempts. Until recently, they only did this on user-facing systems, but
have since fixed this so that the delay kicks in on all known interfaces.

He also strangely claims that there isn't "any way to contact Apple."

In fact there are many ways to contact them.

Via the iCloud support contact page:
https://www.apple.com/support/icloud/contact/

Via phone (with local numbers in dozens of countries):
http://support.apple.com/kb/HE57

And via a worldwide network of retail stores that offer in-person tech
support. Here's a link to their support reservation page for their US
stores: http://concierge.apple.com/reservation/us/en/techsupport/

I agree that Apple could do a better job, but I don't think the situation is
improved by spreading misinformation.
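The technical point in the exchange above is that a login throttle only
counts if every interface passes through it. The following is an added
example, not code from Steven's or Kurt's posts and not Apple's
implementation: a per-account throttle with exponential backoff placed in
the web tier only, beside the same throttle placed in the authentication
service that all interfaces call, with a simulated brute force run against
each. The credential store, the three-miss threshold, the 30-second base
delay and the wordlist are constructed.

```python
class CredentialStore:
    """Constructed stand-in for the credential backend. It counts how many
    guesses actually reach it, which is what a brute-forcer cares about."""
    def __init__(self, users):
        self.users = users
        self.calls = 0

    def check(self, user, password):
        self.calls += 1
        return self.users.get(user) == password


class Throttle:
    """Per-account failure counter: after `max_free` consecutive misses the
    account is locked for base_delay seconds, doubling with each further miss."""
    def __init__(self, max_free=3, base_delay=30.0):
        self.max_free, self.base_delay = max_free, base_delay
        self.state = {}  # user -> [consecutive_fails, locked_until]

    def allowed(self, user, now):
        return now >= self.state.get(user, [0, 0.0])[1]

    def record(self, user, ok, now):
        st = self.state.setdefault(user, [0, 0.0])
        if ok:
            st[0] = 0
            return
        st[0] += 1
        if st[0] >= self.max_free:
            st[1] = now + self.base_delay * 2 ** (st[0] - self.max_free)


def throttled_login(store, throttle, user, password, now):
    """The one login path that should exist: check the lock, then the store."""
    if not throttle.allowed(user, now):
        return False  # locked: this guess never reaches the store
    ok = store.check(user, password)
    throttle.record(user, ok, now)
    return ok


class SplitAuth:
    """Throttle bolted onto the web login only; a second interface reaches the
    store directly, the kind of gap Klein describes as since closed."""
    def __init__(self, store):
        self.store, self.throttle = store, Throttle()

    def web_login(self, user, password, now):
        return throttled_login(self.store, self.throttle, user, password, now)

    def api_login(self, user, password, now):
        return self.store.check(user, password)  # no throttle at all


class CentralAuth:
    """One throttle inside the auth service; every interface is the same path."""
    def __init__(self, store):
        self.store, self.throttle = store, Throttle()

    def _login(self, user, password, now):
        return throttled_login(self.store, self.throttle, user, password, now)

    web_login = _login
    api_login = _login


def brute_force(login, user, wordlist, step=1.0):
    """Attacker tries one guess per `step` seconds through one interface."""
    for i, guess in enumerate(wordlist):
        if login(user, guess, i * step):
            return True
    return False


USERS = {"alice": "hunter2!"}                                  # constructed
WORDLIST = [f"password{i}" for i in range(49)] + ["hunter2!"]  # constructed


def run(design, interface):
    """Return (password_found, guesses_that_reached_the_store)."""
    store = CredentialStore(USERS)
    auth = {"split": SplitAuth, "central": CentralAuth}[design](store)
    found = brute_force(getattr(auth, interface), "alice", WORDLIST)
    return found, store.calls


if __name__ == "__main__":
    for design in ("split", "central"):
        for interface in ("web_login", "api_login"):
            print(design, interface, run(design, interface))
```

Through the unthrottled interface all fifty guesses reach the store and the
last one lands; through either throttled path only four do in the same
fifty seconds. The caveat practitioners want: a per-account lock is also a
denial-of-service lever against the legitimate user, so it is normally
paired with per-source rate limits and a challenge rather than used alone.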


Re: The Case for Resign Switches for Politicians (Baker, R-28.25)

Michael Kohne <mhkohne@kohne.org>
Fri, 12 Sep 2014 07:33:50 -0400
Amusing as the idea is, I think that you've missed a problem here.  While
this would let the voters get rid of an out of control politician, it would
*also* encourage the politicians to hold ever more firmly to whatever
viewpoint they espoused in their campaign, regardless of facts, new
information, or common sense.

We've already got a problem with politicians who never compromise on
anything, no matter how stupid their stance. I don't think we need to give
them any *more* reasons to be intransigent. They've got that covered
already.


Re: zero-day bounties (Baker, RISKS-28.25)

Paul Edwards <paule@cathicolla.com>
Sat, 13 Sep 2014 06:52:10 +1000
How do you change the widely-used anti-pattern of pushing buggy software out
prematurely?

As an example (one of many, but this time I actually got the figures):

A few years ago I was consulting at a large company, specifically with
their incident management team. The team manager said that a new version of
an application had been released a few weeks prior. His team had spent four
weeks working to respond to maintain reliability. There were no reports of
customer dissatisfaction with the new version of the product supported by
the application; his team had done a good job. His outcome: a handful of
bugs identified, a tired and disgruntled team, and an overtime bill of
~$10K.

I did some further research and spoke to a few key people. I found that the
additional 5 weeks of testing estimated to eliminate the bugs would have
cost ~$40K, and delaying the new features would have forgone about $500K in
revenue (they were expecting a 10% uplift in $1 million per week revenue --
that estimate was later found to be spot on).

From the perspective of the organization as a whole: it will not forgo
$500K in revenue and add $40K to a project cost in order to save $10K in
overtime—especially when there has been no downturn in customer sat or
brand.

Using Henry's terms, in this case the bounty is small ($10K), compared to
the cost of formal methods ($540K[1]).

* Will contextualizing the bug as a zero-day vulnerability change the
  behaviour seen above?

* Will changing the relative difference between the bounty and the cost of
  applying formal methods change the behaviour?

* Can you somehow quantify brand, customer sat, and the like as contributing
  to the bounty, to tip the scales?

I don't know. It's an interesting discussion to be had though.

[1] The organization would see the forgone revenue as a cost of formal
methods.
