The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 48

Thursday 29 January 2015

Contents

Lack of encryption makes official NFL mobile app spearphisher's dream
Ars via Lauren Weinstein
plofkraak, or blowing up ATMs for fun and profit
Ed Ravin
Verizon's Mobile Supercookies Seen as Threat to Privacy
Natasha Singer and Brian X Chen via Dave Farber
France wants to make Google and Facebook accountable for hate speech
The Verge via Lauren Weinstein
IETF promotes ARPANET RFC 20 /ASCII format/ to Internet Standard!
Lauren Weinstein
Being clever vs. being smart
Geoff Kuenning
U.S. Spies on Millions of Cars
Devlin Barrett via Dewayne Hendricks
Lauren Weinstein
David S. H. Rosenthal
Rich Kulawiec
Re: Who owns your computer?
Anthony Thorn
Kaspersky: Regin malware likely from 5Eyes
Henry Baker
Re: Schneider ... hardcoded credentials
Dimitri Maziuk
Wols
Re: People upset that the E-911 folk want to use GLONASS
Richard I. Cook
Info on RISKS (comp.risks)

Lack of encryption makes official NFL mobile app spearphisher's dream

Lauren Weinstein <lauren@vortex.com>
Tue, 27 Jan 2015 08:45:48 -0800
Ars via NNSquad
http://arstechnica.com/security/2015/01/lack-of-encryption-makes-official-nfl-mobile-app-a-spear-phishers-dream/

  "The National Football League's official app for both iOS and Android puts
  users at risk by leaking their usernames, passwords, and e-mail addresses
  in plaintext to anyone who may be monitoring the traffic, according to a
  report published just five days before Superbowl XLIX, traditionally one
  of the world's most popular sporting events."

    [I hope it cannot be blamed for leaking footballs?  PGN]


plofkraak, or blowing up ATMs for fun and profit

Ed Ravin <eravin@panix.com>
Tue, 27 Jan 2015 22:43:14 -0500
Europe's relatively good credit card security (i.e., Chip & Pin) is
suspected as the cause of the increase in "plofkraak" attacks on ATM
machines where the interior of the ATM is filled with explosive gas in order
to breach its cash drawer:

  http://www.bloomberg.com/graphics/2015-atm-bombers/

So far this hasn't happened yet in the USA, but it stands to reason that if
all the harder ways of stealing money from ATMs get fixed, the technique
will spread there as well, just like carjacking became more popular as cars
got harder to hot-wire or otherwise break into.

  [Can we do something with "The Love Song of J. Alfred Plofkraak"?  ER]
  [Maybe it's a spoonerism on ProfKlaak?  PGN]


Verizon's Mobile Supercookies Seen as Threat to Privacy (Natasha Singer and Brian X Chen)

"David Farber via ip" <ip@listbox.com>
Mon, 26 Jan 2015 10:14:10 -0500
Natasha Singer and Brian X Chen, *The New York Times*, 26 Jan 2015
http://www.nytimes.com/2015/01/26/technology/verizons-mobile-supercookies-seen-as-threat-to-privacy.html?ref=technology&_r=0

For the last several months, cybersecurity experts have been warning Verizon
Wireless that it was putting the privacy of its customers at risk. The
computer codes the company uses to tag and follow its mobile subscribers
around the web, they said, could make those consumers vulnerable to covert
tracking and profiling.

It looks as if there was reason to worry.

This month Jonathan Mayer, a lawyer and computer science graduate student at
Stanford University, reported on his blog that Turn, an advertising software
company, was using Verizon's unique customer codes to regenerate its own
tracking tags after consumers had chosen to delete what is called a cookie
-- a little bit of code that can stick with your web browser after you have
visited a site. In effect, Turn found a way to keep tracking visitors even
after they tried to delete their digital footprints.

The episode shined a spotlight on a privacy issue that is particularly
pronounced at Verizon. The company's customer codes, called unique ID
headers, have troubled some data security and privacy experts who say
Verizon has introduced a persistent, hidden tracking mechanism into apps and
browsers that third parties could easily exploit.

While Internet users can choose to delete their regular cookies, Verizon
Wireless users cannot delete the company's so-called supercookies. [...
Long article truncated for RISKS.  PGN]

  [Also noted by Matthew Kruk.  PGN]
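Both the NFL item above and this one come down to the same wire-level property: over plain HTTP anyone on the path can read the request, and a carrier proxy can add to it. The following is an added example (not code from Ars, the Times, Verizon or Turn) that runs both checks against a constructed login request: it pulls credential fields out of the plaintext body, flags the carrier-injected header (X-UIDH is the name Verizon used; the token value, hostname and form field names are made up), and models the cookie-respawn behaviour described for Turn. The ZombieCookieTracker class, the "tid" cookie and the credential field list are assumptions made for this example.

```python
"""Checks for two cleartext-HTTP risks: credentials visible on the wire, and a
carrier-injected subscriber header a tracker can use to respawn a deleted cookie."""
import hashlib
import secrets
from urllib.parse import parse_qs

# Verizon's injected identifier header (the only one asserted on this page).
TRACKING_HEADERS = {"x-uidh"}
# Assumed list of form fields worth flagging when they travel in the clear.
CREDENTIAL_FIELDS = {"username", "user", "login", "email", "password", "passwd", "pwd"}

# Constructed sample: what an app login over plain HTTP looks like on the wire.
# The token value is made up; a real UIDH is an opaque string set by the carrier proxy.
SAMPLE_LOGIN = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"X-UIDH: constructed-subscriber-token-123\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"username=fan%40example.invalid&password=hunter2"
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_leaked_credentials(raw: bytes) -> dict:
    """Credential-looking form fields readable by anyone on the path (plaintext only)."""
    _, headers, body = parse_http_request(raw)
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    fields = parse_qs(body.decode("utf-8", "replace"))
    return {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}


def detect_tracking_headers(headers: dict) -> dict:
    """Carrier-injected identifiers on the request; they survive cookie deletion."""
    return {k: v for k, v in headers.items() if k in TRACKING_HEADERS}


def _cookie_value(headers: dict, name: str):
    for part in headers.get("cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


class ZombieCookieTracker:
    """Models the respawn trick: the tracker keys its own id on the carrier header, so a
    user who deletes the cookie gets the same id back on the next plaintext request."""

    def __init__(self):
        self.by_uidh = {}

    def identify(self, headers: dict):
        """Return (tracker_id, respawned)."""
        tid = _cookie_value(headers, "tid")
        uidh = headers.get("x-uidh")
        if tid:
            if uidh:
                self.by_uidh[uidh] = tid       # learn the header -> cookie link
            return tid, False
        if uidh and uidh in self.by_uidh:
            return self.by_uidh[uidh], True    # cookie gone, identity recovered anyway
        tid = hashlib.sha256(uidh.encode()).hexdigest()[:16] if uidh else secrets.token_hex(8)
        if uidh:
            self.by_uidh[uidh] = tid
        return tid, False


if __name__ == "__main__":
    _, hdrs, _ = parse_http_request(SAMPLE_LOGIN)
    print("leaked:", find_leaked_credentials(SAMPLE_LOGIN))
    print("injected:", detect_tracking_headers(hdrs))
```

Moving the app to HTTPS closes both holes at once: the body is unreadable to the network, and the carrier cannot add a header to a connection it can only forward. The respawn model also shows why the header is worse than an ordinary cookie: the identity lives with the carrier, not in anything the user can clear.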


France wants to make Google and Facebook accountable for hate speech

Lauren Weinstein <lauren@vortex.com>
Tue, 27 Jan 2015 23:17:04 -0800
The Verge via NNSquad
http://www.theverge.com/2015/1/27/7921463/google-facebook-accountable-for-hate-speech-france

  The French government announced today a plan to hold web companies
  accountable for any extremist messages they may host, Bloomberg
  reports. French president Francois Hollande wants to introduce a law that
  would make companies like Google and Facebook "accomplices" in crimes of
  hate speech if users post content the government deems extremist.

 - - -

Apparently, Europe wants to censor the world.


IETF promotes ARPANET RFC 20 /ASCII format/ to Internet Standard!

Lauren Weinstein <lauren@vortex.com>
Tue, 27 Jan 2015 22:06:27 -0800
Meanwhile, in other news, the IETF has promoted ARPANET Request For
Comments 20 ("ASCII format for network interchange" - Author Vint Cerf
of UCLA - October 16, 1969 - http://datatracker.ietf.org/doc/rfc20/ )
to full Internet Standards status:
http://datatracker.ietf.org/doc/status-change-rfc20-ascii-format-to-standard/
(2015-01-12)

Now, no more complaints about slow standards tracks!


Being clever vs. being smart

Geoff Kuenning <geoff@cs.hmc.edu>
Tue, 27 Jan 2015 20:43:22 -0800
A colleague of mine likes to distinguish being "clever" (e.g., trying to
outguess the stock market) from being "smart" (e.g., buying a low-overhead
index fund).

A couple of years ago our college built a new classroom building.  It was
outfitted with state-of-the-art A/V technology.  Naturally, it had what were
called "glitches" (e.g., a blackboard blocked by a screen that wouldn't go
up because the projector's bulb had burned out) but most of those were
eventually squashed.

One of the shiny new features is cross-classroom broadcast.  The idea is
that if the main lecture hall fills up, the overflow crowd can be seated in
another room and watch the show on video.  The broadcast system is very
flexible in terms of who can be a source or a sink.  Of course it all goes
through a centralized control system so that the A/V people can configure it
without leaving their desks.

Last night I rehearsed a presentation with a team of students; everything
went smoothly.  Today in the same hall, the audio refused to work properly.
The students' voices cut in and out as if somebody were randomly flipping
the power switch; nothing we or the A/V people in the sound booth could do
seemed to fix the problem.  Eventually we gave up and just asked the
students to speak loudly.

It turns out that the fancy cross-broadcast software was the culprit.  A
presentation in another room was being fed into the central control system,
and somehow that audio interfered with ours (perhaps a priority system was
choosing one or the other based on which was louder at the moment?).

Clever, but not smart.  The cross-broadcast feature is almost never used.
Nor is there a real requirement for centralized control (which takes power
out of the hands of the people in the sound booth, who can hear what is
going on).  But the people who designed the system went for shininess over
robustness.

    Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/

One could not be a successful scientist without realizing that, in contrast to
the popular conception supported by newspapers and mothers of scientists, a
goodly number of scientists are not only narrow-minded and dull, but also just
stupid.—James Watson


U.S. Spies on Millions of Cars (Devlin Barrett)

*Hendricks Dewayne* <dewayne@warpspeed.com>
Tuesday, January 27, 2015
Devlin Barrett, *Wall Street Journal*, 26 Jan 2015 (via Dave Farber)
DEA Uses License-Plate Readers to Build Database for Federal, Local
Authorities
http://www.wsj.com/articles/u-s-spies-on-millions-of-cars-1422314779

WASHINGTON—The Justice Department has been building a national database
to track in real time the movement of vehicles around the U.S., a secret
domestic intelligence-gathering program that scans and stores hundreds of
millions of records about motorists, according to current and former
officials and government documents.

The primary goal of the license-plate tracking program, run by the Drug
Enforcement Administration, is to seize cars, cash and other assets to
combat drug trafficking, according to one government document. But the
database's use has expanded to hunt for vehicles associated with numerous
other potential crimes, from kidnappings to killings to rape suspects, say
people familiar with the matter.

Officials have publicly said that they track vehicles near the border with
Mexico to help fight drug cartels. What hasn't been previously disclosed is
that the DEA has spent years working to expand the database "throughout the
United States," according to one email reviewed by The Wall Street Journal.

Many state and local law-enforcement agencies are accessing the database
for a variety of investigations, according to people familiar with the
program, putting a wealth of information in the hands of local officials
who can track vehicles in real time on major roadways.

The database raises new questions about privacy and the scope of government
surveillance. The existence of the program and its expansion were described
in interviews with current and former government officials, and in
documents obtained by the American Civil Liberties Union through a Freedom
of Information Act request and reviewed by The Wall Street Journal. It is
unclear if any court oversees or approves the intelligence-gathering.

A spokesman for the Justice Department, which includes the DEA, said the
program complies with federal law. "It is not new that the DEA uses the
license-plate reader program to arrest criminals and stop the flow of drugs
in areas of high trafficking intensity," the spokesman said.

Sen. Patrick Leahy, senior Democrat on the Senate Judiciary Committee, said
the government's use of license-plate readers "raises significant privacy
concerns. The fact that this intrusive technology is potentially being used
to expand the reach of the government's asset-forfeiture efforts is of even
greater concern."

The senator called for "additional accountability" and said Americans
shouldn't have to fear "their locations and movements are constantly being
tracked and stored in a massive government database."  [...]


Re: U.S. Spies on Millions of Cars

Lauren Weinstein <lauren@vortex.com>
Mon, 26 Jan 2015 18:04:04 -0800
FOIA Documents Reveal Massive DEA Program to Record Americans'
Whereabouts With License Plate Readers

ACLU via NNSquad
https://www.aclu.org/blog/technology-and-liberty-criminal-law-reform/foia-documents-reveal-massive-dea-program-record-ame

  "The Drug Enforcement Administration has initiated a massive national
  license plate reader program with major civil liberties concerns but
  disclosed very few details, according to new DEA documents obtained by the
  ACLU through the Freedom of Information Act.  The DEA is currently
  operating a National License Plate Recognition initiative that connects
  DEA license plate readers with those of other law enforcement agencies
  around the country."


Re: U.S. Spies on Millions of Cars

"David S. H. Rosenthal" <dshr@abitare.org>
January 27, 2015 at 13:22:25 EST
 (via DLH and Dave Farber)

And here's why they're doing it - as Deep Throat said "follow the money":

<https://www.emptywheel.net/2015/01/27/double-duty-dragnets/>


Re: U.S. Spies on Millions of Cars (via Dave Farber)

"Rich Kulawiec" <rsk@gsp.org>
Jan 27, 2015 3:24 PM
There are many objectionable things about this program, but one that's
(perhaps) less than obvious is that the databases being constructed by it
are *enormously* tempting targets for third parties.  To stalkers,
kidnappers, spies, pedophiles, rapists, blackmailers, extortionists and
other people, this is a motherlode just waiting to be mined.  (And the best
part?  They don't have to spend the money to compile it.  It's already been
paid for by US citizens.)

I'm sure we'll be told that it's being gathered, stored, and searched
securely.  And that it will never be misused.  And that it will never be
breached or leaked.  And that it's completely immune from this:

  New report: DHS is a mess of cybersecurity incompetence

http://www.zdnet.com/article/new-report-the-dhs-is-a-mess-of-cybersecurity-incompetence/


Re: Who owns your computer? (RISKS-28.47)

Anthony Thorn <anthony.thorn@atss.ch>
Tue, 27 Jan 2015 10:19:15 +0100
Henry Baker is right that our computers (and routers etc.)  are owned by the
manufacturers and their suppliers (and anyone who hacks them), but the
proposed test "can I reflash its operating system with contents of my
choosing" does not go far enough.

Code in the BIOS can be used to insert backdoors in a subsequently reloaded
operating system, and logically the BIOS updating mechanism and credentials
must also be trusted.

We never believed in 100% security, did we?


Kaspersky: Regin malware likely from 5Eyes

Henry Baker <hbaker1@pipeline.com>
Tue, 27 Jan 2015 07:01:34 -0800
FYI—Security researchers are shocked, shocked...

Michael Mimoso, ThreatPost,  27 Jan 2015
Researchers Link Regin to Malware Disclosed in Recent Snowden Documents
https://threatpost.com/researchers-link-regin-to-malware-disclosed-in-recent-snowden-documents/110667

Researchers at Kaspersky Lab have discovered shared code and functionality
between the Regin malware platform and a similar platform described in a
newly disclosed set of Edward Snowden documents 10 days ago by Germany's Der
Spiegel.

The link, found in a keylogger called QWERTY allegedly used by the so-called
Five Eyes, leads them to conclude that the developers of each platform are
either the same, or work closely together.

"Considering the extreme complexity of the Regin platform and little chance
that it can be duplicated by somebody without having access to its source
codes, we conclude the QWERTY malware developers and the Regin developers
are the same or working together," wrote Kaspersky Lab researchers Costin
Raiu and Igor Soumenkov today in a published report.

The Der Spiegel article describes how the U.S. National Security Agency, the
U.K.'s GCHQ and the rest of the Five Eyes are allegedly developing offensive
Internet-based capabilities to attack computer networks managing the
critical infrastructure of its adversaries.

The new Snowden documents, disclosed by Laura Poitras and a collection of
eight security and privacy technologists and experts, also include an
overview of a malware platform called WARRIORPRIDE.  Within WARRIORPRIDE is
QWERTY, a module that logs keystrokes from compromised Windows machines; Der
Spiegel said the malware is likely several years old and has likely already
been replaced.

The magazine released QWERTY to the public upon publication of its article.
It describes QWERTY's structure as 'simple' and said there is a core driver
called QWERTYKM that interacts with the Windows keyboard manager, and a
QWERTYLP library which logs and stores keystrokes for analysis.  Der Spiegel
said after its examination of binary files, various components and libraries
it's likely there's a connection between WARRIORPRIDE and the Australian
Signals Directorate, an Aussie government intelligence agency.

Kaspersky researchers Raiu and Soumenkov said after analysis that the QWERTY
malware is identical in functionality to a particular Regin plugin.

Raiu and Soumenkov said researchers took apart the QWERTY module and found
three binaries and configuration files.  One binary called 20123.sys is a
kernel mode component of the QWERTY keylogger that was built from source
code also found in a Regin module, a plug-in called 50251.

In a report published today, side-by-side comparisons of the respective
source code shows they are close to identical, sharing large chunks of code.
The researchers said that one piece of code in particular references
plug-ins from the Regin platform and is used in QWERTY and its Regin
counterpart.  It addresses a Regin plug-in, called 50225, that is
responsible for kernel-mode hooking, the Kaspersky researchers said.

"This is solid proof that the QWERTY plugin can only operate as part of the
Regin platform, leveraging the kernel hooking functions from plugin 50225,"
Raiu and Soumenkov wrote.

"As an additional proof that both modules use the same software platform,
we can take a look at functions exported by ordinal 1 of both modules.  They
contain the startup code that can be found in any other plugin of Regin, and
include the actual plugin number that is registered within the platform to
allow further addressing of the module.  This only makes sense if the
modules are used with the Regin platform orchestrator."

The Regin malware platform was disclosed in late November by Kaspersky Lab
and it was quickly labeled one of the most advanced espionage malware
platforms ever studied, surpassing even Stuxnet and Flame in complexity.
The platform is used to steal secrets from government agencies, research
institutions, banks and can even be tweaked to attack GSM telecom network
operators.

Last week, Kaspersky researchers published another Regin report, this one
describing two standalone modules used for lateral movement and to establish
a backdoor in order to move data off compromised machines. The modules,
named Hopscotch and Legspin, have also likely been retired given they were
developed perhaps more than a decade ago.
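As an added illustration (not Kaspersky's code, and not the real samples, which are not on this page), the following Python applies two of the heuristics the report describes, a large block of code shared between two modules and an embedded reference to a platform plugin id, to constructed byte blobs named QWERTY_LIKE and REGIN_LIKE. The blobs, the filler generator, the k-gram length and the treatment of the plugin id as a 32-bit immediate are assumptions made for this example; the plugin number 50225 is taken from the article.

```python
"""Two of the heuristics behind a "same platform" verdict, over constructed byte
blobs that stand in for the QWERTY driver and a Regin plugin."""
import hashlib
import struct
from collections import defaultdict


def pseudo(seed: str, n: int) -> bytes:
    """Deterministic filler bytes so the example is reproducible without real samples."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


REGIN_HOOK_PLUGIN = 50225   # plugin id the shared code addresses, per the Kaspersky report

# Constructed samples (not the real binaries). The shared block plays the role of the code
# both modules were built from and carries the plugin id as a little-endian 32-bit immediate.
# Module-specific filler is confined to disjoint byte ranges so the shared block is the only match.
SHARED = pseudo("hooking-code", 200) + struct.pack("<I", REGIN_HOOK_PLUGIN) + pseudo("hooking-code-2", 308)
QWERTY_LIKE = (bytes(b & 0x7F for b in pseudo("qwerty", 300)) + SHARED
               + bytes(b & 0x7F for b in pseudo("qwerty-2", 200)))
REGIN_LIKE = (bytes(b | 0x80 for b in pseudo("regin", 100)) + SHARED
              + bytes(b | 0x80 for b in pseudo("regin-2", 150)))


def kgram_index(blob: bytes, k: int) -> dict:
    """Map every k-byte window of blob to the offsets where it occurs."""
    idx = defaultdict(list)
    for i in range(len(blob) - k + 1):
        idx[blob[i:i + k]].append(i)
    return idx


def shared_regions(a: bytes, b: bytes, k: int = 16) -> list:
    """Maximal byte runs present in both blobs, as (offset_in_a, offset_in_b, length).
    A k-gram seed match is extended greedily; k=16 makes chance seeds negligible."""
    idx_b = kgram_index(b, k)
    regions, i = [], 0
    while i <= len(a) - k:
        hits = idx_b.get(a[i:i + k])
        if not hits:
            i += 1
            continue
        j, n = hits[0], k
        while i + n < len(a) and j + n < len(b) and a[i + n] == b[j + n]:
            n += 1
        regions.append((i, j, n))
        i += n
    return regions


def shared_fraction(a: bytes, b: bytes, k: int = 16) -> float:
    """Share of a's bytes that sit inside runs also found in b."""
    return sum(n for _, _, n in shared_regions(a, b, k)) / len(a)


def plugin_references(blob: bytes, plugin_ids) -> dict:
    """Offsets where a plugin id occurs as a little-endian 32-bit immediate: a cheap proxy
    for 'this code addresses plugin N' that real analysis confirms against the disassembly."""
    found = {}
    for pid in plugin_ids:
        needle, offs, start = struct.pack("<I", pid), [], 0
        while (pos := blob.find(needle, start)) != -1:
            offs.append(pos)
            start = pos + 1
        if offs:
            found[pid] = offs
    return found


if __name__ == "__main__":
    print(shared_regions(QWERTY_LIKE, REGIN_LIKE))
    print(f"{shared_fraction(QWERTY_LIKE, REGIN_LIKE):.1%} of QWERTY_LIKE is shared with REGIN_LIKE")
    print(plugin_references(QWERTY_LIKE, [REGIN_HOOK_PLUGIN]),
          plugin_references(REGIN_LIKE, [REGIN_HOOK_PLUGIN]))
```

On real samples the byte-level comparison is only the first pass: compilers, relocations and differing build settings break exact runs, so the next step is the function-level comparison the researchers describe, which is where the ordinal-1 startup code and the plugin number argument come from.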


Re: Schneider ... hardcoded credentials (Gezelter, RISKS-28.47)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Mon, 26 Jan 2015 17:57:33 -0600
Yeah, well. You can have a SAFE brick or the UNSAFE built-in hardcoded
credentials.  You choose.  Consider getting locks that ensure nobody will be
able to get into the house, ever, after you lose the key.

Sadly, "encased in concrete and dropped to the bottom of the sea" still
applies.

Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu


Re: Schneider ... contains hardcoded credentials (Baker)

Wols Lists <antlists@youngman.org.uk>
Tue, 27 Jan 2015 15:57:48 +0000
I am [re]minded of the Dick Feynman story (part of his safe-cracker legend)
where he was called in, shortly after the war, to try and get into some
general's top secret safe, said general having left the service.

Recalling that many safes shipped with an initial combination of 0000 or
01234, he tried them, and opened the safe at the first attempt.
Considerably enhancing his reputation as a safe cracker in the process.


Re: People upset that the E-911 folk want to use GLONASS (RISKS 28.47)

"Richard I. Cook, MD" <ricookmd@gmail.com>
Tue, 27 Jan 2015 09:15:37 +0100
http://www.nena.org/news/news.asp?id!2385

NENA Responds to Unfounded GLONASS Concerns
Thursday, January 22, 2015
Posted by: Chris Nussman

Statement of NENA: The 9-1-1 Association

The recently-announced Roadmap for Wireless E9-1-1 Location Accuracy
improvements is not a 'carrier plan'.  It is a consensus plan negotiated by
the national associations representing the 9-1-1 and field responder radio
communities, NENA and APCO, and agreed to by the four national wireless
carriers.

The plan does contemplate carrier use of Assisted Global Navigation
Satellite Systems (A-GNSS)—including both the U.S. NavStar/GPS system
and the Russian GLONASS system—as one aspect of a multi-pronged approach
to improving wireless E9-1-1 location accuracy.

The consensus plan discusses the GLONASS system as a new component of
handset A-GNSS capabilities because it is the only globally-available GNSS,
other than NavStar/GPS that is currently operating.

The consensus plan does not restrict carriers' ability to add or substitute
other GNSSs, such as the European Galileo and Chinese BeiDou constellations,
as those systems come online over the next 5-7 years.  However, neither of
these systems is currently available.

Because handset A-GNSS chips can operate with any combination of satellites
from any supported constellation, adding GLONASS support to existing GPS
capabilities will not provide the Russian Federation with any leverage over
U.S. 911 capabilities: Even if the GLONASS system were shut-down completely,
handsets in locations with clear views of the sky could still calculate
location estimates based solely on measurements of U.S. GPS satellite
signals.

Even if Russia attempted to somehow degrade the performance of its satellite
network, both carrier networks and consumer handsets would be capable of
detecting erroneous signals and rejecting them from a position fix.

The consensus Roadmap makes available the full panoply of rapidly-advancing
commercial location technologies for E9-1-1 use for the first time. In the
event of a GLONASS failure or shut-down, other high-accuracy handset and
network-based technologies—including the ability to return the exact
address (including apartment, suite, or floor number) of the
caller's location—will still be available.

It's true that an NDAA amendment places limits on the proposed construction
of Russian monitoring facilities on U.S. soil. That amendment, however, will
not impact the availability of GLONASS ranging.  Transportation and other
critical life-safety sectors are rapidly adopting multi-constellation GNSS
technology—including GLONASS—because of its ability to improve fix
yield and quality.

Using GLONASS, GPS, or any other A-GNSS system would not give any government
power over consumers' 911 calls: These systems are 'receive-only', and no
signals from consumer handsets are ever transmitted to a GNSS satellite.
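The statement's claim that a handset can detect erroneous signals and reject them from a position fix is the receiver-autonomous integrity monitoring idea. As an added example, not part of NENA's statement and not any handset's firmware, here is a two-dimensional toy: a Gauss-Newton pseudorange solve followed by fault detection and exclusion by subset testing. The satellite positions, the receiver location, the clock bias and the injected +25-unit error on one "GLONASS" pseudorange are constructed; a real receiver works in three dimensions with ephemerides and statistical thresholds, which this leaves out.

```python
"""Toy multi-constellation fix with fault detection and exclusion (FDE), in 2-D."""
import math


def _solve_normal_equations(J, r):
    """Least-squares step: solve (J^T J) d = J^T r by Gauss-Jordan elimination."""
    n = len(J[0])
    M = [[sum(J[k][i] * J[k][j] for k in range(len(J))) for j in range(n)]
         + [sum(J[k][i] * r[k] for k in range(len(J)))] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda i: abs(M[i][c]))
        M[c], M[p] = M[p], M[c]
        for i in range(n):
            if i != c:
                f = M[i][c] / M[c][c]
                for j in range(c, n + 1):
                    M[i][j] -= f * M[c][j]
    return [M[i][n] / M[i][i] for i in range(n)]


def solve_fix(sats, pseudoranges, guess=(0.0, 0.0, 0.0), iters=25):
    """Gauss-Newton solve for (x, y, clock_bias) from pseudoranges rho_i = |p - s_i| + b.
    Returns the fix and the residual norm; a large norm means the measurements disagree."""
    x, y, b = guess
    for _ in range(iters):
        J, r = [], []
        for (sx, sy), rho in zip(sats, pseudoranges):
            d = math.hypot(x - sx, y - sy)
            J.append([(x - sx) / d, (y - sy) / d, 1.0])
            r.append(rho - (d + b))
        dx, dy, db = _solve_normal_equations(J, r)
        x, y, b = x + dx, y + dy, b + db
        if max(abs(dx), abs(dy), abs(db)) < 1e-12:
            break
    res = [rho - (math.hypot(x - sx, y - sy) + b) for (sx, sy), rho in zip(sats, pseudoranges)]
    return (x, y, b), math.sqrt(sum(v * v for v in res))


def fde_fix(sats, pseudoranges, threshold=1.0):
    """Fault detection and exclusion by subset testing: if the all-in-view solution is
    inconsistent, drop each satellite in turn and keep the subset that becomes consistent.
    Returns (fix, excluded_index_or_None). Needs at least 5 measurements to isolate one fault."""
    fix, norm = solve_fix(sats, pseudoranges)
    if norm <= threshold or len(sats) < 5:
        return fix, None
    best = None
    for i in range(len(sats)):
        sub_fix, sub_norm = solve_fix(sats[:i] + sats[i + 1:],
                                      pseudoranges[:i] + pseudoranges[i + 1:])
        if best is None or sub_norm < best[1]:
            best = (sub_fix, sub_norm, i)
    if best[1] <= threshold:
        return best[0], best[2]
    return fix, None   # more than one bad signal, or geometry too weak to tell


# Constructed scenario: three "GPS" and two "GLONASS" satellites (positions in arbitrary
# units), true receiver at (3, 4) with clock bias 2, and one GLONASS pseudorange (index 2)
# corrupted by +25 units, as a degraded or spoofed signal would be.
SATS = [(100.0, 0.0), (0.0, 100.0), (-100.0, 50.0), (50.0, -100.0), (-80.0, -80.0)]
TRUE_POS, TRUE_BIAS = (3.0, 4.0), 2.0
CLEAN = [math.hypot(TRUE_POS[0] - sx, TRUE_POS[1] - sy) + TRUE_BIAS for sx, sy in SATS]
FAULTY = CLEAN[:]
FAULTY[2] += 25.0


if __name__ == "__main__":
    print("all-in-view, corrupted:", solve_fix(SATS, FAULTY))
    print("after FDE:", fde_fix(SATS, FAULTY))
```

The redundancy is the whole point: with three unknowns, four satellites can reveal that something is wrong but not which one, and five are needed to exclude a single bad signal. That is the concrete reason a second constellation improves fix quality rather than merely adding a dependency.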
