The RISKS Digest
Volume 28 Issue 58

Wednesday, 1st April 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

The Apple zero-button mouse—and related innovations?
PGN
No liability for exchange rate software error by United
Jeremy Epstein
Digital currency risks
William Brodie-Tyrrell
Fraudster escapes jail by forging bail e-mail
Chris Drewe
Manipulating Wikipedia to Promote a Bogus Business School
Newsweek
DDoS against Rutgers University, and perpetrator claims credit
danny burstein
FTC Rules Jerk, LLC and John Fanning Deceived Consumers, Violated FTC Act
Gabe Goldberg
"Washington is coming for your personal data"
Caroline Craig
"Dell support tool put PCs at risk of malware infection"
Lucian Constantin
"Cisco IP phones open to remote eavesdropping, calling"
Lucian Constantin
Australia passes data retention into law
Lauren Weinstein
Re: Jurisdictional risks
Doug Montalbano
Re: Kali Linux security is a joke!
Ian Jackson
Re: House Judiciary Committee tries to be cool, fails oh so miserably
Devon McCormick
Re: As We Age, Smartphones Don't Make Us Stupid ...
Rob Slade
Re: "GoDaddy accounts vulnerable to social engineering and Photoshop"
Craig Burton
Re: Software says "'Dr' Must Be Male"!
Thomas Koenig
Risky Business: Virgin Galactic
William Langewiesche
Book: Peter Carey, Amnesia
PGN
Info on RISKS (comp.risks)

The Apple zero-button mouse—and related innovations?

"Peter G. Neumann" <neumann@csl.sri.com>
1 April 2015
I just stumbled onto this item:

  CUPERTINO, CA, April 1, 2015—Apple, Inc. (NASDAQ: AAPL) today announces
  the ultimate refinement in pointer technology: the zero-button mouse. "We
  found that the button was confusing users," said Sir Jonathan Ive, Vice
  President of Design.  The zero-button mouse uses a flexible antenna, which
  Apple calls the tail.  In order to left click, the user grabs the mouse by
  the tail, and swings it to the left.  Right clicking is similar, but
  swinging to the right.  Scrolling is accomplished by swinging the mouse
  towards or away from the user.  The zero-button mouse is available in
  three collections: Apple Zero Mouse Sport in aluminum, Apple Zero Mouse in
  stainless steel, and the Apple Zero Mouse Edition, 18-carat gold.  A white
  rubber tail is standard, but optional tails are available in black and red
  leather, titanium mesh, and carbon fiber.

  Pricing and Availability: All models and tails are available for purchase
  starting today, April 1, 2015.  Pricing for the Zero Mouse Sport is
  $34.95, the Zero Mouse is $49.95, and the Zero Mouse Edition is $995.00.
  The leather tails are $14.95 each, the titanium mesh tail $24.95, and the
  carbon fiber tail is $799.95.

WATCH for this one!!  With this innovation, the era of button-down mice
seems to be ending (somewhat like shirts?), despite seemingly regressively
replacing the one-button, two-button, and three-button mouse.

It is rumored that Microsoft is planning a competing voice-operated
no-button mouse, albeit possibly with a built-in optional keyboard for
people with small fingers.  Google is expected to compete with its own
autonomouse, which can move (autonomousely) *without* user control—or if
a user is particularly gifted, with perceptive mind control—in either
case, proactively anticipating user intent, and automatically avoiding
collisions and interference with any other user's mouse.  The potential
risks are left as an exercise to the reader.  PGN


No liability for exchange rate software error by United

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sun, 29 Mar 2015 16:44:52 -0400
US Department of Transportation has informed United that it's not going to
force them to honor the airfares that were posted on their website, because
it was the fault of a third-party currency conversion site.

This seems to me a dangerous precedent (although airlines have previously
tried to wiggle out of honoring prices on their websites when they've
claimed software or data entry errors).  Will other merchants be able to
retroactively cancel orders (or change prices) if they find software errors
that mean they don't have adequate profit (or cause losses)?  Would United
generously refund overpayments if the software had overcharged people who
paid in particular currencies or particular websites?

"On February 11, 2015, a currency exchange-rate error in 3rd party software
supplied to United affected several thousand bookings on United's
Denmark-facing website. Specifically, this error temporarily caused flights
originating in the United Kingdom and denominated in Danish Kroners (DKK)
to be presented at only a fraction of their intended prices. While United
filed fares correctly, this software error caused amounts charged to be
significantly lower than prices offered through all other distribution
channels or available in any other currency."

http://www.united.com/web/en-US/content/travel/exchange-rate-error.aspx?v_ctrk=HHLN$0-202-7697-1-5798


Digital currency risks

William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
Mon, 30 Mar 2015 11:56:32 +1030
Yet another crypto-currency exchange is cracked and emptied, and the usual
causes—a Dunning-Kruger-esque ignorance of security principles applied to
Other People's Money—are to blame.  The interesting part here, other than
that it wasn't a deliberate market exit aka "abscond with the deposits", is
the full disclosure that you'd never see from a larger financial
institution:

https://www.allcrypt.com/blog/2015/03/what-happened-and-whats-going-on/

While cryptocurrencies are attractive to some because of their lack of
governmental control, a lack of oversight on exchanges is clearly costing
customers real money.  There are strict financial-services regulations
already in place throughout the West, and maybe they should be enforced.

Here's the worst of both worlds: easily-digitally-stealable cash with the
full backing of a national government.  Not only that, the block-chain
means your cash-transaction history is visible to the issuing government
and probably publicly too.

http://mobile.reuters.com/article/idUSKBN0M82KB20150312?irpc“2

The only upside is that this may be a way to introduce macro-economic
controls (manual control over the minting rate) to cryptocurrencies and
thereby avoid the deflationary nature that makes BTC useless as a unit of
account.

William Brodie-Tyrrell http://www.brodie-tyrrell.org/


Fraudster escapes jail by forging bail e-mail

Chris Drewe <e767pmk@yahoo.co.uk>
Sun, 29 Mar 2015 14:59:24 +0100
RISKS readers will be familiar with phishing attempts using phony but
realistic-looking URLs and e-mail addresses (e.g. "following our computer
upgrade at Midland Bank, you need to go to mid1andbank.com and enter your
credit card details"), but there was an item in yesterday's newspaper (Mar
28th, 2015) about a prisoner who got out of Wandsworth Jail in south London,
UK, by forging correspondence granting him bail in exactly this way:

In summary, the article says that he set up false but official-looking
e-mail addresses, then created his own bail documents.
*The Telegraph*, 28 March 2015
http://www.telegraph.co.uk/news/uknews/crime/11500973/Fraudster-escapes-from-one-of-Britains-most-secure-prisons-by-forging-letter-granting-him-bail.html

 > He set up an email domain imitating Her Majesty's Court Service (HMCTS)
 > that used hyphens instead of 'dots' to say Southwark Crown Court had
 > rubber-stamped his bail on March 10, 2014.  Moore managed to secure his
 > release when staff failed to spot the subtle difference and misspelled
 > court name 'Southwalk'.


Manipulating Wikipedia to Promote a Bogus Business School (Newsweek)

Lauren Weinstein <lauren@vortex.com>
Wed, 25 Mar 2015 08:09:13 -0700
Newsweek via NNSquad
http://www.newsweek.com/2015/04/03/manipulating-wikipedia-promote-bogus-business-school-316133.html

  In 2013, IIPM got an unexpected boost for its page. A new initiative
  launched by Jimmy Wales's Wikimedia Foundation offered free access to
  Wikipedia from mobile phones. The program, Wikipedia Zero, launched in
  India and other parts of the developing world, including Thailand,
  Myanmar, Morocco, Ghana and Malaysia.  "In my opinion, by letting this go
  on for so long, Wikipedia has messed up perhaps 15,000 students' lives,"
  Peri says. "They should have kept track of Wifione and what they were
  doing--they were just so active."  The Wikimedia Foundation is apologetic
  but won't be offering compensation. In a statement, it said, "The
  Wikimedia Foundation was very disappointed to hear of the allegations of
  fraud committed by IIPM and Wifione. If true, it was a tremendous
  violation of the trust and good faith of our editors and readers. We will
  continue to work to support our editors and administrators in serving as a
  vigilant defense against such incidents and in hopes that they can prevent
  future incidents like this from occurring."


DDoS against Rutgers University, and perpetrator claims credit

danny burstein <dannyb@panix.com>
Tue, 31 Mar 2015 08:32:01 -0400 (EDT)
Rutgers network crumples under siege by DDoS attack [Rutgers student newspaper]

The Rutgers network came under a Distributed Denial of Service (DDoS) attack
beginning on March 27 and ending on March 30, according to an email sent by
Don Smith, vice president and chief intelligence officer for the
University's Office of Information Technology.

The incident, which knocked out access to RUWireless and RUWireless Secure,
the school's Internet networks, as well as Sakai, the University's online
learning platform, among other sites, was the third DDoS attack allegedly
committed by an individual hacker since the first occurrence on Nov. 19,
2014. [...]

During the DDoS attack in November, 40,000 web robots, or "bots,"
originating from Eastern Europe and China flooded the network, dismantling
the class web registration system when first-year students were scheduled to
enroll in classes for the upcoming spring semester, according to the
article. [...]

"A while back you had an article that talked about the DDoS attacks on
Rutgers," the email read. "I'm the one who attacked the network [...]

This might make quite an interesting story ... I will be attacking the
network once again at 8:15PM EST. You will see sakai.rutgers.edu offline."

rest:
http://www.dailytargum.com/article/2015/03/rutgers-network-crumples-under-siege-by-ddos-attack


FTC Rules Jerk, LLC and John Fanning Deceived Consumers, Violated FTC Act

Gabe Goldberg <gabe@gabegold.com>
Wed, 25 Mar 2015 16:36:26 -0400
The Federal Trade Commission has granted summary decision against the
operators of Jerk.com, a website that billed itself as `the anti-social
network' website. The Commission found that the operators Jerk, LLC and John
Fanning misled consumers by claiming that content on the website was posted
by other users. Instead, most of the content came from Facebook profiles
mined by the operators.

https://www.ftc.gov/news-events/press-releases/2015/03/ftc-rules-jerk-llc-john-fanning-deceived-consumers-violated-ftc?utm_source=govdelivery

It's shocking that someone misused social media information, and that a
website selling bogus "memberships" was stopped. But those are surely unique
events and won't happen again on our always safe and comforting intertubes.

Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433


"Washington is coming for your personal data" (Caroline Craig)

Gene Wirchenko <genew@telus.net>
Fri, 27 Mar 2015 12:05:46 -0700
Caroline Craig, InfoWorld, 27 Mar 2015
Little-noticed change to judicial rules gives the FBI greater powers
to conduct remote searches, and the 'zombie bill': CISA is on the fast
track to a Senate vote.
http://www.infoworld.com/article/2902611/government/washington-is-coming-for-your-personal-data.html


"Dell support tool put PCs at risk of malware infection" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 26 Mar 2015 21:36:56 -0700
Lucian Constantin, InfoWorld, 25 Mar 2015
Weak authentication in Dell's System Detect utility could have
enabled drive-by malware attacks
http://www.infoworld.com/article/2901385/security/dell-support-tool-put-pcs-at-risk-of-malware-infection.html


"Cisco IP phones open to remote eavesdropping, calling" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Thu, 26 Mar 2015 21:38:09 -0700
Lucian Constantin, InfoWorld, 23 Mar 2015
An authentication flaw allows attackers to listen to audio streams
and make calls from Cisco SPA 300 and 500 IP phones
http://www.infoworld.com/article/2899710/mobile-technology/cisco-ip-phones-open-to-remote-eavesdropping-calling.html


Australia passes data retention into law

Lauren Weinstein <lauren@vortex.com>
Thu, 26 Mar 2015 15:44:55 -0700
IT News AU via NNSquad
http://www.itnews.com.au/News/402127,australia-passes-data-retention-into-law.aspx

  Law enforcement agencies will need to apply for warrants to access a
  journalist's metadata for the purpose of identifying a source.  All other
  citizen metadata will be open to access without a warrant.  Telcos and
  internet service providers will now have 18 months to prepare their
  systems and processes for the scheme, which has been forecast to cost
  between $188.8 million and $319.1 million to set up, and around $4 per
  customer per year to maintain.  They will be required to store the
  non-content data of all customers for a two-year period to aid law
  enforcement agencies in criminal investigations.  Telcos and ISPs are not
  restricted in where they can store the data.  The metadata list will
  include, among other things: names, addresses, birthdates, financial and
  billing information of internet and phone account holders; traffic data
  such as numbers called and texted, as well as times and dates of
  communications; when and where online communications services start and
  end; a user's IP address; type and location of communication equipment;
  and upload and download volumes.

 - - -

Going downhill fast down under.


Re: Jurisdictional risks (RISKS-28.56)

Doug Montalbano <doug_montalbano@yahoo.com>
Thu, 26 Mar 2015 21:31:44 +0000 (UTC)
I understand the political point Brodie-Tyrrell is making.  But, as the
section "Policing the Twenty-First Century" in Marc Goodman's Future Crimes
points out, (hypocrisy notwithstanding) how to police in a world that is now
without borders is a major problem.

  [I pointed to Goodman's book (the subtitle of which is Everything is
  Connected) in RISKS-28.43 and 28.53.  PGN]


Re: Kali Linux security is a joke! (RISKS-28.56)

Ian Jackson <ijackson@chiark.greenend.org.uk>
Thu, 26 Mar 2015 17:26:32 +0000
Like most Debian derivatives, Kali relies on the PGP-based archive
signing system built into the Debian package distribution protocols.
Observe:
 http://ftp.hands.com/kali-security/dists/kali/Release
 http://ftp.hands.com/kali-security/dists/kali/Release.gpg

This is a much better arrangement than relying on TLS (https) in almost all
important respects:

The public key used by apt-get on a Debian derivative to verify the software
updates is a dedicated archive signing key, controlled by the Debian
derivative itself.  So unlike TLS, which relies on CAs, the kali archive
signing system cannot be subverted by third parties.  Furthermore, key
rollover is straightforward: the new public key can be distributed in a
software update.  This bespoke arrangement provides much better integrity
protection.

It also has operational advantages: it is much easier to run a mirror
network.  Mirrors do not need to be enrolled into a certificate scheme and
granted authority to subvert users' machines.  Instead, mirrors simply
redistribute the signatures made by the distribution itself.

TLS is a much worse protocol than PGP in general - it is much messier and
has many more opportunities for implementation and configuration errors.

The mirror does have some ability to perform a rollback attack, but the
impact is limited to delaying updates, rather than rewinding target systems,
because the software update mechanism does not downgrade packages unless
specifically asked by the user.

Deploying TLS for mirrors would be useful to help protect the privacy of
users: it would make it harder for an eavesdropper to discern which
packages a particular computer has installed, and would impede some
network-based rollback attacks.  Debian itself has been discussing these
concerns.

> What's the point of verifying md5 sums against "official values", if Kali
> can't even get the "official values" securely ??

This response seems really knee-jerk.  Rather than immediately assuming the
worst, just because someone isn't using TLS, it would have been worth
double-checking.

It seems that Henry Baker would, if asked to design a software update
mechanism, rely on TLS for the software integrity protection.  For the
reasons explained above this would be a poor decision.

  [Be sure to read the paper by Benjamin Beurdouche et al., A Messy State of
  the Union: Taming the Composite State Machines of TLS, which will be
  presented in the IEEE Symposium on Security and Privacy, 18-20 May, which
  fairly demolishes half a dozen TLS implementations—because they each
  have remarkable unexpected behaviors resulting from the composition of the
  client side and the server side.  Indeed, Everything is Connected, but
  often with nasty results.  (See the previous item.)  PGN]
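The Release/Release.gpg arrangement and the rollback caveat in Ian Jackson's post, as an added example (not from RISKS, Kali or Debian's own tooling): once gpgv has checked Release.gpg over Release, a client still has to confirm that the Release is not a stale replay from a mirror and that each index file it lists matches the signed digests. The Release text and Packages file here are constructed; the field names, including Valid-Until, are the ones apt uses.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample: a minimal Debian-style Release file. Field names are the
# real ones apt uses; the values and the Packages content below are made up.
SAMPLE_RELEASE = """\
Origin: Example
Suite: kali
Codename: kali
Date: Wed, 25 Mar 2015 12:00:00 UTC
Valid-Until: Wed, 01 Apr 2015 12:00:00 UTC
Architectures: amd64
Components: main
SHA256:
 {sha} {size} main/binary-amd64/Packages
"""

# Constructed sample: the index file the single SHA256 entry above refers to.
SAMPLE_PACKAGES = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"


def build_sample_release():
    """Fill the SHA256 entry so the sample Release actually covers SAMPLE_PACKAGES."""
    return SAMPLE_RELEASE.format(sha=hashlib.sha256(SAMPLE_PACKAGES).hexdigest(),
                                 size=len(SAMPLE_PACKAGES))


def parse_release(text):
    """Return (top-level fields, {path: (sha256 hex, size)}) from Release text."""
    fields, sha256 = {}, {}
    section = None
    for line in text.splitlines():
        if line.startswith(" "):              # continuation line of a hash section
            if section == "SHA256":
                digest, size, path = line.split()
                sha256[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")   # only the first ':' separates the key
        section = key
        if value.strip():
            fields[key] = value.strip()
    return fields, sha256


def parse_date(text):
    """Release dates use RFC 2822 style, e.g. 'Wed, 25 Mar 2015 12:00:00 UTC'."""
    return datetime.strptime(text, "%a, %d %b %Y %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def release_is_fresh(fields, now=None):
    """A mirror can keep serving an older, still validly signed Release (the
    delay/rollback Jackson mentions); Valid-Until bounds how long that works.
    'now' may be a datetime or a date string in the Release format."""
    if isinstance(now, str):
        now = parse_date(now)
    now = now or datetime.now(timezone.utc)
    if "Valid-Until" not in fields:
        return False                          # no bound on replay: treat as stale
    return parse_date(fields["Date"]) <= now <= parse_date(fields["Valid-Until"])


def index_matches_release(sha256, path, data):
    """Second link of the chain: the signature covers only Release, so each
    index file is authenticated by the digest and size Release lists for it."""
    if path not in sha256:
        return False
    digest, size = sha256[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest
```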


Re: House Judiciary Committee tries to be cool, fails oh so miserably

Devon McCormick <devonmcc@gmail.com>
Thu, 26 Mar 2015 10:44:54 -0400
The page may look amateurish but consider the sub-text: many images of
pretty, mostly blonde, women on a page about enforcing immigration laws.
What's the real message here?


Re: As We Age, Smartphones Don't Make Us Stupid ... (RISKS-28.57)

Rob Slade <rmslade@shaw.ca>
Wed, 25 Mar 2015 18:34:53 -0700
> In general, the students who did not use computers did better than those
> who did.

This doesn't surprise me in the least.

I used to tell my students that all the exams (in courses I taught for
colleges and universities) were open book.  I don't tell them that any more.

My exams are written to test for understanding, not rote memorization.  You
can't find the answer on page 42.

It just got to be too painful watching the unprepared stagger in with piles
of books, and then spend the entire exam period flipping pages, trying
vainly to find things they'd never bothered to learn during the course.
(Since they'd never bothered to learn them, they had no idea where they were
in the book, either.)

rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org

The dictionary is the only place where success comes before work.
Mark Twain

victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/


Re: "GoDaddy accounts vulnerable to social engineering and Photoshop" (Ragan, RISKS-28.57)

"Craig Burton" <Craig.Burton@vec.vic.gov.au>
Thu, 26 Mar 2015 12:23:10 +1100
I read with interest the GoDaddy social engineering success.  It seems the
missing step is actually something that verifies the ID document content.
My government has fairly recently deployed a central personal information
oracle.
   http://www.dvs.gov.au/Pages/default.aspx

I am sure other such services exist in other countries but I would expect
larger countries than Australia may have more trouble consolidating data.  I
assume if this were available to GoDaddy the call agent would get a DVS fail
on the driver license name and number together.


Re: Software says "'Dr' Must Be Male"!

Thomas Koenig <tkoenig@netcologne.de>
Fri, 27 Mar 2015 08:16:37 +0100
PGN wrote:
>  [In Germany, if her husband were also a Dr, she would be Frau Doktor
>  Doktor Selby, and presumably German software would have no problem
>  with that.  PGN]

This usage was quaint forty years ago, and is non-existent now, except
for a few lame jokes.  It is certainly against the law in Germany to
claim to be a Dr. if you are not entitled to it.

The RISK?  Continuing to rely on outdated assumptions without checking if
they still apply.

  [Similarly noted by Drew Dean, who remarked that Germans have been amused
  that Austrians still observed this `quaint' custom.  Mea Culpa.  Yes, I'm
  remembering fifty-five years ago, when the wife of the Darmstadt lab
  director Herr Dr Professor Alwin Walther was routinely referred to as Frau
  Dr Dr Walther (because she was also a Dr).  I'm happy to know that this
  academic honorific is no longer practiced.  PGN]


Risky Business: Virgin Galactic (William Langewiesche)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 25 Mar 2015 9:14:16 PDT
William Langewiesche, "Risky Business", *Vanity Fair*, April 2015, p. 180

  "More than 700 people have paid up to $250,000 for a ride on Richard
  Branson's Virgin Galactic.  In this excerpt from 'Vanity Fair's' April
  2015 article about the mogul's risky business, William Langewiesche
  details the particulars about Virgin Galactic's trip to space."

http://www.vanityfair.com/news/2015/03/what-is-it-like-to-fly-virgin-galactic


Book: Peter Carey, Amnesia

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 29 Mar 2015 10:40:19 PDT
Peter Carey, Amnesia, Alfred A. Knopf, 2015, 307 pp.  (From a publisher blurb)

"The two-time Booker Prize winner now gives us an exceedingly timely,
exhilarating novel—at once dark, suspenseful, and seriously funny—that
journeys to the place where the cyber underworld collides with international
power politics.  ...  Bringing together the world of hackers and radicals
with the `special relationship' between the United States and Australia, and
Australia and the CIA, Amnesia is a novel that speaks powerfully about the
often hidden past, but most urgently about the more and more hidden
present."

  [It certainly seems timely and topical.  Note: My wife loved it. PGN]

    [Spoiler alert: The plot line in this book automates the get-out-of-jail
    process noted in Chris Drewe's item earlier in this issue, and scales it
    up extensively—ending up with a large-scale remote e-release of
    prisoners.  PGN]
