The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 33

Tuesday 4 November 2014

Contents

Online voting rife with hazards
Barbara Simons
Risks of assuming votes are accurate
John Long
Open Surveillance
Bryan Ford
Smart Televisions are highly susceptible to hacking by radio transmission
robert schaefer
"Cyber espionage group launches sophisticated phishing attacks against Outlook Web App users"
Lucian Constantin via Gene Wirchenko
"Tor Project flags Russian 'exit node' server delivering malware"
Jeremy Kirk
"Advisory says to assume all Drupal 7 websites are compromised"
Steve Ragan
"Drupal sites, assume you've been hacked"
Serdar Yegulalp
How a dumb software glitch kept thousands from reaching 911
Brian Fung
Verizon, AT&T tracking their users with 'supercookies'
Craig Timberg
Somebody's Already Using Verizon's ID to Track Users
Angwin and Larson
Cell carrier was weakest link in hack of Google, Instagram accounts
Sean Gallagher
Critics chafe as Macs send sensitive docs to iCloud without warning
Dan Goodin
AT&T's outdated unlock policies cost it a loyal customer: me
Lee Hutchinson
With School Ban Nearing End, New York City Works on How and When to Allow Cellphones
NYT
"Have we gotten so pathetically lame that you need to be notified by email that your laundry is done?"
Matthew Kruk
Why Adobe got away with monitoring users
Kurt Seifried
Windows Update intentionally destroys chips
Michael Kohne
Re: The NSA has no interest in protecting you & me
Gene Spafford
Did anyone call a taxi?
Ed Ravin
The 7th annual Underhanded C Contest is now open
robert schaefer
Info on RISKS (comp.risks)

Online voting rife with hazards (Barbara Simons)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 4 Nov 2014 10:22:43 PST
  [It's Election Day in the U.S. today.  Stand by for possible RISKS items
  in the next few days, with several critical runoffs expected to delay the
  outcomes.  PGN]

Barbara Simons, *USA Today* (op-ed), 4 Nov 2014
Casting ballots on Internet may be a new trend, but it is neither secure nor trustworthy.
http://www.usatoday.com/story/opinion/2014/11/04/barbara-simons-online-voting-problems/18461679/

Today Americans are voting in an election that could shift control of the
U.S. Senate and significantly impact the direction our nation will take in
the next few years. Yet, 31 states will allow over 3 million voters to cast
ballots over the Internet in this election, a practice that computer
security experts in both the federal government and the private sector have
warned is neither secure nor trustworthy.

Most states' online voting is limited to military and overseas voters, but
Alaska now permits all voters to vote over the Internet. With a hotly
contested Senate seat in Alaska, the use of an online voting system raises
serious concerns about the integrity of Alaska's election results. Alaska's
State Election Division has even acknowledged that its "secure online voting
solution" may not be all that secure by posting this disclaimer on its
website: "When returning the ballot through the secure online voting
solution, your are [sic] voluntarily waving [sic] your right to a secret
ballot and are assuming the risk that a faulty transmission may occur."

Unfortunately, faulty transmission is only one of the risks of Internet
voting. There are countless ways ballots cast over the Internet can be
hacked and modified by cyber criminals. The National Institute of Standards
and Technology, at the direction of Congress, has conducted extensive
research into Internet voting in the last decade and published several
reports that outline all the ways votes sent over the Internet can be
manipulated without detection. After warning that there are many possible
attacks that could have an undiscovered large-scale impact, the institute
concluded that secure Internet voting is not yet achievable.

Securing transactions online is a major national challenge, as demonstrated
by nearly daily reports of new cyber intrusions into networks of some of our
largest financial institutions, corporations and government
agencies. Elections are even more difficult to protect, because unlike other
online transactions, elections are especially vulnerable to undetectable
hacking.

Since we vote by secret ballot, there is no way to reconcile electronic
images of ballots received with the version the voter intended to send. In
other words, it is impossible to know if voter choices have been tampered
with somewhere between the voter's computer and election official's machine,
thereby making it virtually impossible to confirm an attack on an online
election system.

Nonetheless online voting is expanding around the country. Vendors of
commercial online voting systems are exploiting the understandable desire to
help remote voters by exhorting well-meaning state legislators and election
officials to forge ahead with online voting. Aggressive marketing practices
in an unregulated market have created a perfect storm.

We cannot afford to continue putting our elections at risk by allowing the
use of insecure Internet voting systems. Alaska's online voting system is
vulnerable to hackers from anywhere in the world. If this election is
attacked, the outcome may be determined by the attackers and Alaskans (and
the rest of us) may never even know. It's time for state leaders to reject
online voting unless and until it is secure.

Barbara Simons is chair of the Board of Directors of Verified Voting and a
member of the Board of Advisers of the U.S. Election Assistance
Commission. She is a former computer researcher for IBM and past-president
of the Association for Computing Machinery.


Risks of assuming votes are accurate

John Long <j1long@mindspring.com>
Sat, 01 Nov 2014 23:03:22 -0400
After many years of concerns on RISKS about fraud concerning voting
machines, it appears that it has come true. In two states, voting machines
have been observed switching a vote from a Republican candidate to the
Democratic candidate.  [Again?  This is hardly new.  PGN]  The interesting
thing is that the voter could actually observe the fraud taking place. Makes
you wonder what is actually happening in those situations where the voter
could not observe the fraud.

http://www.foxnews.com/on-air/fox-and-friends/blog/2014/10/30/expert-confirms-voting-machines-illinois-and-maryland-rigged-democrats

In addition, there seemed to have been a false assumption that allowing
illegal immigrants to get drivers licenses would not have any deleterious
effects. In fact, obtaining a driver's license allowed those individuals to
also register to vote. All one had to do to register was show a driver's
license. No one actually checked to see whether they were, in fact,
citizens.

http://www.nationalreview.com/article/391474/non-citizens-are-voting-john-fund


Open Surveillance (Bryan Ford)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 3 Nov 2014 15:09:09 PST
Bryan Ford (Yale)
Cryptography could keep electronic investigations under control
*MIT Technology Review*, page 11. vol 117, no 6, November-December 2014.
http://www.technologyreview.com/view/531681/open-surveillance/

There's also a nice short item from Dave Farber in the same section,
The Wrong Fix: Want regulations to preserve the open Internet?  Be careful
what you wish for.

Also in that issue, George Anders, The Right Way to Fix the Internet: We
need to let go of Network Neutrality... pp. 28--34.


Smart Televisions are highly susceptible to hacking by radio transmission

robert schaefer <rps@haystack.mit.edu>
Mon, 3 Nov 2014 11:46:10 -0500
"Researchers discover a massive security flaw in smart TV's that allow
hackers to intercept data broadcasts, insert malicious code, and transform
the TV into an antenna that infects all other Internet-connected devices in
the household.  Once the television is infected, it seeks out all other
devices connected to the router. The attacks are untraceable as no source IP
address or DNS server is ever presented, instead, hackers perform a classic
man-in-the-middle attack using radio transmissions."

http://www.electronicproducts.com/Analog_Mixed_Signal_ICs/Communications/Smart_Televisions_are_highly_susceptible_to_hacking_by_radio_transmission.aspx

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886 http://www.haystack.mit.edu  781-981-5767


"Cyber espionage group launches sophisticated phishing attacks against Outlook Web App users" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Mon, 03 Nov 2014 12:13:14 -0800
Lucian Constantin, Infoworld, 24 Oct 2014
Pawn Storm attacks target military agencies, embassies, defense
contractors, and media organizations, Trend Micro says
http://www.infoworld.com/article/2838223/security/cyber-espionage-group-launches-sophisticated-phishing-attacks-against-outlook-web-app-users.html

opening text:

A cyberespionage group has been using advanced spear-phishing techniques to
steal email log-in credentials from the employees of military agencies,
embassies, defense contractors and international media outlets that use
Office 365's Outlook Web App.


"Tor Project flags Russian 'exit node' server delivering malware" (Jeremy Kirk)

Gene Wirchenko <genew@telus.net>
Mon, 03 Nov 2014 12:11:21 -0800
Jeremy Kirk, Infoworld, 27 Oct 2014
The server used a technique to append malware to legitimate code
http://www.infoworld.com/article/2839135/security/tor-project-flags-russian-exit-node-server-delivering-malware.html

opening text:
The Tor Project has flagged a server in Russia after a security researcher
found it slipped in malware when users were downloading files.


"Advisory says to assume all Drupal 7 websites are compromised" (Steve Ragan)

Gene Wirchenko <genew@telus.net>
Mon, 03 Nov 2014 12:25:15 -0800
Steve Ragan, CSO, 30 Oct 2014
Drupal urged users to apply an update on Oct. 13, but only those who
patched within seven hours may be in the clear
http://www.infoworld.com/article/2840939/security/advisory-says-to-assume-all-drupal-7-websites-are-compromised.html

opening text:

If your organization uses Drupal, you might have a serious problem on your
hands. On Oct. 15, Drupal urged users to apply an update that fixed a SQL
Injection flaw. However, unless that patch was installed within seven hours,
Drupal now says it's best to assume the website was completely compromised.


"Drupal sites, assume you've been hacked" (Serdar Yegulalp)

Gene Wirchenko <genew@telus.net>
Mon, 03 Nov 2014 12:27:02 -0800
Serdar Yegulalp, InfoWorld, 30 Oct 2014
SQL injection bug threatens the websites of enterprises, governments,
and many other institutions using the open source Drupal CMS
http://www.infoworld.com/article/2841068/application-security/drupal-bug-leaves-enterprise-content-management-vulnerable.html

opening text:

Word broke yesterday of a major-league security issue involving Drupal, the
open source content management system (CMS) used widely in enterprises and
government. Come to think of it, "major league" doesn't begin to cover it:
Drupal developers have admitted that if your installation wasn't patched
before Oct. 15, 11 p.m. UTC, it's best to consider the entire site
compromised.


How a dumb software glitch kept thousands from reaching 911 (Brian Fung)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 12:51:09 -0500
Brian Fung, *The Washington Post*, 20 Oct 2014

Who ever thinks that their call to 911 would go unanswered? But in a
terrifying incident this spring, thousands of Americans found themselves in
need of help - and got none.

For six hours, emergency services went dark for more than 11 million people
across seven states. The entire state of Washington found itself
disconnected from 911. The outage may have gone unnoticed by some, but for
the more than 6,000 people trying to reach help, April 9 may well have been
the scariest time of their lives.

Now a study from the Federal Communications Commission offers the most
in-depth explanation of the outage and why it occurred. In a 40-page report,
the FCC found that an entirely preventable software error was responsible
for causing 911 service to drop. The incident affected 81 call dispatch
centers, rendering emergency services inoperable in all of Washington and
parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota
and Florida. ...

http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/20/how-a-dumb-software-glitch-kept-6600-calls-from-getting-to-911/


Verizon, AT&T tracking their users with 'supercookies' (Craig Timberg)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 12:53:48 -0500
Craig Timberg, *The Washington Post*, 3 Nov 2014

Verizon and AT&T have been quietly tracking the Internet activity of more
than 100 million cellular customers with what critics have dubbed
"supercookies" - markers so powerful that it's difficult for even savvy
users to escape them.

The technology has allowed the companies to monitor which sites their
customers visit, cataloging their tastes and interests. Consumers cannot
erase these supercookies or evade them by using browser settings, such as
the "private" or "incognito" modes that are popular among users wary of
corporate or government surveillance.

Verizon and AT&T say they have taken steps to alert their customers to the
tracking and to protect customer privacy as the companies develop programs
intended to help advertisers hone their pitches based on individual Internet
behavior. But as word has spread about the supercookies in recent days,
privacy advocates have reacted with alarm, saying the tracking could expose
user Internet behavior to a wide range of outsiders - including intelligence
services - and may also violate federal telecommunications and wiretapping
laws. ...

http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html

Robert Lemos, Ars Technica, 24 Oct 2014
Verizon Wireless injects identifiers that link its users to Web requests
The provider adds cookie-like tokens to alert advertisers to users' interests.
http://arstechnica.com/security/2014/10/verizon-wireless-injects-identifiers-link-its-users-to-web-requests/


Somebody's Already Using Verizon's ID to Track Users (Angwin and Larson)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 12:56:59 -0500
Julia Angwin and Jeff Larson, ProPublica, 30 Oct 2014
Twitter is using a newly discovered hidden code that the telecom carriers
are adding to every page you visit - and it's very hard to opt out.

http://www.propublica.org/article/somebodys-already-using-verizons-id-to-track-users


Cell carrier was weakest link in hack of Google, Instagram accounts (Sean Gallagher)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 12:58:51 -0500
Sean Gallagher, 3 Nov 2014, Ars Technica
Carrier was social-engineered by hacker to steal man's two-letter Instagram
name.

If you think the two-factor authentication offered by Google and other cloud
services will keep your account out of the hands of an attacker, think
again. One developer found out this weekend the hard way; Google's account
protection scheme can be bypassed by going after something most people would
consider an even harder target - the user's cell phone account. ...

http://arstechnica.com/security/2014/11/cell-carrier-was-weakest-link-in-hack-of-google-instagram-accounts/


Critics chafe as Macs send sensitive docs to iCloud without warning (Dan Goodin)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 12:55:19 -0500
PSA: Turn off autosave of in-progress documents containing sensitive data.

Dan Goodin, Ars Technica, 3 Nov 2014

Representing a potential privacy snare for some users, Mac OS X Yosemite
uploads documents opened in TextEdit, Preview, and Keynote to iCloud servers
by default, even if the files are later closed without ever having been
saved.

The behavior, as noted in an article from Slate, is documented in a
Knowledge Base article from December. But it nonetheless came as a surprise
to researcher Jeffrey Paul, who said he was alarmed to recently discover a
cache of in-progress files he intended to serve as "temporary Post-It notes"
that had been silently uploaded to his iCloud account even though he never
intended or wished them to be. ...

http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/


AT&T's outdated unlock policies cost it a loyal customer: me (Lee Hutchinson)

Monty Solomon <monty@roscom.com>
Tue, 4 Nov 2014 13:07:10 -0500
Lee Hutchinson, 3 Nov 2014, Ars Technica
Refuse to unlock my device for international travel? Goodbye forever.
http://arstechnica.com/staff/2014/11/atts-outdated-unlock-policies-cost-it-a-loyal-customer-me/


With School Ban Nearing End, New York City Works on How and When to Allow Cellphones

Monty Solomon <monty@roscom.com>
Sat, 1 Nov 2014 00:43:17 -0400
http://www.nytimes.com/2014/11/01/nyregion/with-school-ban-nearing-end-new-york-city-works-on-how-and-when-to-allow-cellphones.html


"Have we gotten so pathetically lame that you need to be notified by an email that your laundry is done?"

"Matthew Kruk" <mkrukg@gmail.com>
Sun, 2 Nov 2014 18:29:47 -0700
http://www.smh.com.au/technology/technology-news/why-whirlpools-smart-washing-machine-was-a-dumb-idea-20141101-11flym.html

  [The Internet of Thinks?  PGN]


Why Adobe got away with monitoring users

Kurt Seifried <kurt@seifried.org>
Fri, 31 Oct 2014 19:29:32 -0600
I asked Mitre to assign a CVE for this issue; it seems pretty clearly to
be a security issue.  One thing I've noticed over the last decade is
increasingly "if no CVE, then not a security issue" due to CVE's being used
to track issues/act as a name (I've literally never seen a customer/client
make a big deal about a security flaw if it doesn't have a CVE). Mitre's
response:
  http://seclists.org/oss-sec/2014/q4/206

===
So, for example, the
http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html article
would indicate to me that this is CVE worthy under #4.

Currently not; Adobe has a statement quoted at:
  http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/
indicating that the information disclosure is intentional, and is
(from their point of view) useful to them. This is just an example of
a behavior that might also occur in an open-source product. The Adobe
issue itself is off-topic for this list.

===
So I guess vendors can avoid security flaws by saying "we meant to do
that, sending your information back to us without informed consent,
and doing it insecurely is ok, because we meant to."

I am disappointed to say the least.


Windows Update intentionally destroys chips (Baker, RISKS-28.32)

Michael Kohne <mhkohne@kohne.org>
Sat, 1 Nov 2014 09:17:45 -0400
I just want to clarify one point here: The device is NOT 'useless forever'.
The ability to change the PID/VID/etc is an intentional feature of the
original FTDI chips, which is duplicated in the clones in question. As far
as I can tell from what I've read, FTDI simply used the appropriate calls to
change the PID. Anyone with an older (non-destructive) version of the FTDI
drivers and tools can use them to change the PID back to something sensible.

Secondly, has there been any legal action against FTDI over this? While FTDI
clearly has the right to make their driver reject other company's hardware,
actually trying to break end-users' equipment seems to me to be an
actionable offense. I'd hope that this is something that would in fact rise
to the level of a criminal complaint, not just civil. Am I wrong that
breaking people's stuff without notice is kind of against the law here?


Re: The NSA has no interest in protecting you & me (Baker, RISKS-28.32)

Gene Spafford <spaf@purdue.edu>
Sun, 2 Nov 2014 12:07:42 -0500
I don't think Henry Baker's contribution to RISKS 28.32 sounds insane,
although I am unsure of the amount of contribution of MAD to the madness.

There is a clear issue involved here, however, of the government putting too
much emphasis on a military solution to cyber security issues, and the
military once again focusing on fighting the last war.

I've spoken about this in invited talks over the last decade, and summarized
it (and related thoughts) in the CERIAS blog a while ago:
https://ceri.as/9er1z


Did anyone call a taxi? (Re: Maziuk, RISKS-28.32)

Ed Ravin <eravin@panix.com>
Sat, 1 Nov 2014 11:24:39 -0400
> I'd be more worried about taxi drivers perusing the google's location
> history URL, finding areas where most destinations are, and staying
> there.  The risk is then you can't get a cab anywhere else.

This already happened in New York City, no computer technology needed.  Over
the last 40-50 years, the places where you could pick up a yellow cab have
contracted to Manhattan below 125th St, the airports, and a few outer
borough neighborhoods that are either near Manhattan or on the way to/from
the yellow taxi base stations.  As yellow taxis were the only cabs allowed
to answer street hails, outer borough residents had to either reserve a cab
with a local taxi service or find a cabbie on the street that would
illegally pick them up (which might have been an unlicensed or "gypsy" cab
with no insurance).

The city recently created a new fleet of apple-green taxis that are
authorized to do street hails, but only in the areas that the yellow taxis
abandoned.  Other than the color and the restrictions, they are pretty much
the same service as the yellow taxis.  The map on this site shows the
Manhattan-centricity of where yellow cabs pick up fares:
http://www.nyc.gov/html/tlc/html/passenger/shl_passenger_background.shtml

  [Also noted very similarly by John Levine.  PGN]


The 7th annual Underhanded C Contest is now open.

robert schaefer <rps@haystack.mit.edu>
Mon, 3 Nov 2014 12:32:00 -0500
"The goal of the contest is to write code that is as readable, clear,
innocent and straightforward as possible, and yet it must fail to perform at
its apparent function. To be more specific, it should do something subtly
evil."

http://www.underhanded-c.org

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886 http://www.haystack.mit.edu  781-981-5767
