The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 39

Friday 28 November 2014

Contents

Now, Anyone Can Buy a Drone. Heaven Help Us.
Monty Solomon
USPS Played Cat And Mouse With Cyber Attacker
InformationWeek via Gabe Goldberg
The branded bug: Meet the people who name vulnerabilities
Gabe Goldberg
FBI Phone Hacks Could Hurt Intelligence Gathering
Patrick Tucker via Henry Baker
Happy Tracksgiving!
Craig Timberg via Henry Baker
Uber's Underhanded App reporting data back w/o permission
Loz Blain via Henry Baker
Recent RISKS Problematic Posts
Fred Cohen
PGN
Re: safest computers
Dimitri Maziuk
Info on RISKS (comp.risks)

Now, Anyone Can Buy a Drone. Heaven Help Us.

Monty Solomon <monty@roscom.com>
Thu, 27 Nov 2014 17:49:34 -0500
Pranksters' antics are forcing public safety officials to look at the air
above them, generally thought safe and secure, as a place for potential
trouble.

http://www.nytimes.com/2014/11/27/technology/personaltech/as-drones-swoop-above-skies-thrill-seeking-stunts-elicit-safety-concerns.html


USPS Played Cat And Mouse With Cyber Attacker - InformationWeek

Gabe Goldberg <gabe@gabegold.com>
Wed, 26 Nov 2014 13:49:58 -0500
When US Postal Service (USPS) officials received word about a major network
intrusion earlier this year, one of its first instructions was to take no
immediate action.

http://www.informationweek.com/government/cybersecurity/usps-played-cat-and-mouse-with-cyber-attacker/d/d-id/1317684


The branded bug: Meet the people who name vulnerabilities

Gabe Goldberg <gabe@gabegold.com>
Wed, 26 Nov 2014 13:42:28 -0500
If the bug is dangerous enough, it gets a name. Heartbleed's branding
changed the way we talk about security, but did giving a bug a logo make it
frivolous... or is this the evolution of infosec?

https://www.yahoo.com/tech/s/branded-bug-meet-people-name-143305883.html


FBI Phone Hacks Could Hurt Intelligence Gathering (Patrick Tucker)

Henry Baker <hbaker1@pipeline.com>
Thu, 27 Nov 2014 09:16:09 -0800
Patrick Tucker, Defense One, 23 Nov 2014
White House Push To Allow FBI Phone Hacks Could Hurt Intelligence Gathering
http://www.defenseone.com/technology/2014/11/white-house-push-allow-fbi-phone-hacks-could-hurt-intelligence-gathering/99743/

Through public speeches and secret meetings, FBI Director James Comey has
been pushing to stop companies like Apple and Google from encrypting users'
phone data.  Two former Navy SEALs say that the policy that the FBI and the
Justice Department are pursuing would hurt men and women in uniform and
possibly even our allies by forcing them to use insecure devices and
services for communication.

Here's how the fight over encryption took form.  In September, Apple
announced that its most recent operating system update for the iPhone, the
iOS 8, would encrypt phone data.

  On devices running iOS 8, your personal data such as photos, messages
  (including attachments), email, contacts, call history, iTunes content,
  notes and reminders is placed under the protection of your passcode.
  Unlike our competitors, Apple cannot bypass your passcode and therefore
  cannot access this data.  So it's not technically feasible for us to
  respond to government warrants, Apple says in a notice on the privacy
  portion of its website.

Google followed, announcing an encryption update for its Android 5.0
Lollipop operating system.  As Yahoo Tech's Rob Pegoraro reports, that will
affect the Nexus 6 first and other phones soon after.

Upon news of the announcement, Comey responded by condemning encryption,
first speaking out at a Brookings Institution event, saying that Apple and
Google's decision was going to take the country to a `very dark place' where
law enforcement `misses out' on crucial evidence to stop terrorists and
gather evidence against criminals.  Comey approached the president and,
along with representatives from the Justice Department, briefed members of
the House in a classified session.  Legislatively, the lawmakers could
easily block Apple and Google from offering encryption by updating the
Communications Assistance for Law Enforcement Act, which mandates that
telephone companies like AT&T and Verizon build backdoors into their
networks to allow tapping.  But the 1994 law doesn't apply to companies like
Google and Apple or other newer networks, so an update to the law could
force the companies to allow law enforcement easier access to user data.

How do lawmakers feel about that?  Despite widespread public concern about
government electronic spying on the public, on 18 Nov the Senate effectively
killed the only NSA reform measure to come out of the Snowden scandal, the
so-called Freedom Act. [...]

  [Lots more on Mitch McConnell, the two former SEALs, Phil Zimmermann,
  Skype, etc.  Truncated for RISKS.  PGN]


Happy Tracksgiving! (Craig Timberg)

Henry Baker <hbaker1@pipeline.com>
Thu, 27 Nov 2014 12:32:59 -0800
#HappyTracksgiving : How your travels are tracked this holiday season

Craig Timberg, *The Washington Post*, 26 Nov 2016
http://www.washingtonpost.com/blogs/the-switch/wp/2014/11/26/happytracksgiving-a-guide-to-how-your-travels-are-tracked-this-holiday-season/

It's that time again.  We're on the move—feasting, sharing, shopping,
giving thanks.  And we are being tracked every step of the way.  So here's a
quick guide to the state of the unblinking electronic eye, 2014 Holiday
Edition.

  [Long item, on planes, trains, Uber and Lyft, driving, walking, staying
  home and using your phones and computers, and more, truncated for RISKS.
  PGN]


Uber's Underhanded App reporting data back w/o permission (Loz Blain)

Henry Baker <hbaker1@pipeline.com>
Thu, 27 Nov 2014 09:29:40 -0800
Loz Blain, Gizmag, 26 Nov 2014
http://www.gizmag.com/uber-app-malware-android/34962/

Uber's Android app is acting like malware, reporting personal data back to
the company that it doesn't have permissions for.

Security researcher GironSec has pulled Uber's Android app apart and
discovered that it's sending a huge amount of personal data back to base --
including your call logs, what apps you've got installed, whether your phone
is vulnerable to certain malware, whether your phone is rooted, and your SMS
and MMS logs, which it explicitly doesn't have permission to do.  It's the
latest in a series of big-time missteps for a company whose core business
model is, frankly, illegal in most of its markets as well.

Taxi-busting ride share app Uber might have an operating model that suits
customers better than traditional, regulated taxi services—but the
company's aggressively disruptive (and frequently illegal) business
practices don't seem to stop at harming the taxi industry.

Its vicious attacks on competitors have included ordering and canceling more
than five and a half thousand rides through its chief competitor Lyft.  Its
senior Vice President of Business, Emil Michael, casually mentioned at a
dinner that maybe Uber could start digging up personal dirt on journalists
critical of the company.

These kinds of stories, of course, should be taken with a grain of salt --
they're certainly very beneficial to competing services like Lyft.

But there doesn't seem to be a lot of grey area in these latest revelations
that Uber is collecting a stack of personal data from users who have its
Android app installed, including SMS data that its permissions list doesn't
allow.

Security researcher GironSec decompiled the code of the Uber Android app and
found it to be collecting and sending the following information back to
Uber:

http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/

* Accounts log (Email)
* App Activity (Name, PackageName, Process Number of activity, Processed id)
* App Data Usage (Cache size, code size, data size, name, package name)
* App Install (installed at, name, package name, unknown sources enabled,
  version code, version name)
* Battery (health, level, plugged, present, scale, status, technology,
  temperature, voltage)
* Device Info (board, brand, build version, cell number, device, device
  type, display, fingerprint, ip, mac address, manufacturer, model, os
  platform, product, sdk code, total disk space, unknown sources enabled)
* GPS (accuracy, altitude, latitude, longitude, provider, speed)
* MMS (from number, mms at, mmss type, service number, to number)
* NetData (bytes received, bytes sent, connection type, interface type)
* PhoneCall (call duration, called at, from number, phone call type, to number)
* SMS (from number, service number, sms at, sms type, to number)
* TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude,
  imei, iso country code, local area code, meid, mobile country code, mobile
  network code, network name, network type, phone type, sim serial number,
  sim state, subscriber id)
* WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
* WifiNeighbors (bssid, capabilities, frequency, level, ssid)
* Root Check (root status code, root status reason code, root version, sig
  file version)
* Malware Info (algorithm confidence, app list, found malware, malware sdk
  version, package list, reason code, service list, sigfile version)

While some people are suggesting it might be an anti-fraud measure to help
Uber detect and combat fake accounts set up by its competitors, the fact
remains—collecting data without appropriate permission constitutes
malware and compromises users' personal data.

It's not yet clear whether the iPhone app does the same level of reporting
on its users.  As for whether Google will move to pull the Uber app from the
Play store, that seems unlikely given that Google's US$258 million dollar
stake in Uber represents the biggest deal Google Ventures has ever done.

This is the new world we're living in, folks, and if you think Uber's the
only one building fat files out of your personal information, you're mad.


Recent RISKS Problematic Posts

Fred Cohen <fc@all.net>
Fri, 28 Nov 2014 06:46:29 -0800
I have been noticing a lack of clear reasoning in RISKS posts lately,
and I think this is a risk risks should describe. Examples:

> Subject: House Republicans just passed a bill forbidding scientists from
> advising the EPA on their own research (Lindsay Abrams)

While I don't doubt that politicians do things for disingenuous purposes, it
is not anti-science to have independent peer review and advice. The
government should seek and require peer review of funding done by people
that aren't funded to do that research by the government.  The reviewers
should also have expertise in the relevant fields, of course.

> Subject: The safest computers are iPhones and iPads (Galen Gruman)
> But rarely do you see smartphones and tablets in these reports. Why?
> Because they're more secure than computers and data centers.

Bingo - the jackpot in poor reasoning.

1) Privacy breaches identified are only a subset of "security" issues -
so the conclusion is drawn based on only an unquantified subset of the
relevant facts.

2) Could it be that these reports center around data centers, USBs, and
unencrypted computers because that's where the data is?

3) Even if the above two were not correct, that does not support a
causal link between more secure smartphones and tablets and rarity of
presence in reports.

4) Rarity of presence in reports does not imply (and you should not
infer) rarity in fact.

5) There are lots of other similar fallacies in the argument provided.

> But it's true: Mobile devices are safer than PCs and servers.

With no supporting evidence at all - and "safety" is not "security" -
and all servers are not the same - and are non-"PC" computers even safer
than any of these?

> ... Still, the clear reality is that mobile devices are more secure than
> PCs and servers, because—outside of Android—they are less open.

Not being open is the cause of increased security?  Except for more than 50%
of the population of these devices, they are less open?  It is clear based
on the above unsound arguments?

> For example, we hear of a handful of security threats in iOS each year
> versus a handful every week in Windows.

What "we" hear of may or may not reflect the underlying reality. Also,
an example does not constitute an adequate basis for the broad conclusion.

> BlackBerry phones have the strongest security, but they're not able to act
> as replacement computers as an iPad can. After BlackBerry, the highest
> security comes from Apple's iOS.

I have a correlation to point out. According to the claims of the author,
the devices that are less used have fewer bad outcomes.  I know that
correlation is not causality, but on the other hand, given the lack of
correlation in the alternative, I propose an alternative hypothesis:

Cause: Bad actors are more motivated by larger volumes of content to
leak and/or sell.

Mechanism: Bad actors seek to break into and exploit things that are
more often used for storing larger volumes of content.

Effect: Things used more often to store larger volumes of content are
more often attacked by bad actors.

> If you're concerned about endpoint security, you should replace as many
> PCs as you can with iPads and iPhones.

An alternative viewpoint: If you don't want people to take large volumes
of content, don't store it.

> Subject: `Bug' spies on computers

> A leading computer security company says it has discovered one of the most
> sophisticated pieces of malicious software ever seen.

Leading computer security companies often make such claims. Is it hyperbole?
A lack of having seen things that exist? The lack of a metric for
"sophistication"? A poor definition of "malicious"?

> Symantec says the bug, named Regin,

Now it is a "bug". I thought "bug" was a term we used for something
naturally occurring - not intentionally malicious.

> was probably created by a government.

Last time I heard it was "probably written by someone associated with a
government". Is there any actual evidence here? What is it? What is the
probability they speak of? How was it calculated?

> and has been used for six years against a range of targets around the
> world.

How exactly do you know this?

> http://www.bbc.com/news/technology-30171614

So much for the BBC being the most trusted source for such news.

The risk of RISKS being viewed as if it were a sound source of facts or
valid reasoning has now (assuming this makes it to print) been reduced -
assuming the readers read this and act upon it...

Fred Cohen - 925-454-0171 http://all.net/ PO Box 811 Pebble Beach, CA 93953


Recent RISKS Problematic Posts

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 28 Nov 2014 8:31:12 PST
Thanks to Fred for trying to keep RISKS intellectually sound.
Unfortunately, we are at the mercy of the material that is submitted, and
rely on Fred and others to respond as needed to contradict some of the hype
and blather that emerges in the computer world.  I try to be a sensible
arbiter of what is acceptable for RISKS, but cannot guarantee accuracy.
That is ultimately the responsibility of readers who in certain cases know
much more than the unvetted source material indicated.  Do some readers
actually believe everything they read in RISKS?  I doubt it, because we do
receive and include contrary responses and follow-up items.  Perhaps Fred
believes that RISKS is worse than others, or is he just trying to keep us on
the straight and narrow?  Perhaps RISKS is actually a less biased source
of relevant information than many other sources, in that we continually try
to have equal opportunity for reasonable dissenting positions—including
Fred's.  But many issues rapidly become politically or ideologically or
otherwise biased, and we do try to minimize those.  PLEASE keep submitting
dissenting opinions and factual corrections where appropriate.  PGN


Re: safest computers (Gruman, RISKS-28.38)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Tue, 25 Nov 2014 18:03:40 -0600
... if your definition of "computer" is "I can barely use iWorks". Or
Stallman's definition, that works too.

Reminds me of the Amiga lab my university maintained for years after Amiga
went bankrupt: they taught assembly language on the "proper CPU", the 68K,
at the time when the only company that used them in a computer was
Apple. According to our professor, "if we used those, we'd have to first
spend another semester teaching you how to get past Mac OS to where you can
program in assembly."

I'm a bit surprised every time I see an obvious advertorial like that in
RISKS.

Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu

  [I try to keep advertorials out as much as I can, but sometimes the
  contrast between different positions is worth bringing to the fore.  For
  example, see Fred Cohen's note, which precedes this item in the
  RISKS-28.39 issue of the Risks Forum digest.  PGN]
