The RISKS Digest
Volume 28 Issue 9

Tuesday, 22nd July 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

New online tracking method difficult to block
ProPublica via Suzanne Johnson
Travis County Developing Electronic Voting System With a Paper Trail
Andra Lim
Racy Photos Were Often Shared at NSA
Michael S. Schmidt
NASDAQ Network Intrusion Installed Attack Malware
Bob Gezelter
How to Flawlessly Predict Anything on the Internet
Lauren Weinstein
Exec. Order 12333: Yet another rule that lets NSA spy on Americans
John Napier Tye via Henry Baker
All your Apple iOS data is still available unencrypted
Dennis Fisher via Henry Baker
Domain Registry Of America Suspended By ICANN
Lauren Weinstein
Routing around insanity & mendacity
Henry Baker
Re: Unix "*" wildcards considered harmful
Lindsay Harris
Re: Disk-sniffing dogs find thumb drives, DVD's?
Barry Gold
Re: Lethal Weapon: The Self Driving Car
John Mainwaring
Risks of apps versus web browsers, deja vu
Rex Sanders
"New variant of malware, Gyges, can quietly exfiltrate government data"
Candice So via Gene Wirchenko
Calling All Hackers: Help Us Build an Open Wireless Router
David Farber
Stop Sneaky Online Tracking with EFF's Privacy Badger
EFF
Silver Bullet 100 launches 23 Jul 2014
Gary McGraw
Info on RISKS (comp.risks)

New online tracking method difficult to block (ProPublica)

"Suzanne Johnson" <fuhn@pobox.com>
Jul 21, 2014 9:59 AM
  [Via Dave Farber]

A new, extremely persistent type of online tracking is shadowing visitors
to thousands of top websites, from WhiteHouse.gov to YouPorn.com.
http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block

First documented in a forthcoming paper
<https://securehomes.esat.kuleuven.be/%7Egacar/persistent/index.html> by
researchers at Princeton <https://www.princeton.edu/main/> University and KU
Leuven <http://www.kuleuven.be/english> University in Belgium, this type of
tracking, called canvas fingerprinting, works by instructing the visitor's
Web browser to draw a hidden image. Because each computer draws the image
slightly differently, the images can be used to assign each user's device a
number that uniquely identifies it. [...]
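An added example, not code from the ProPublica article or from the Princeton/KU Leuven paper, showing the defender's side of the technique just described: the read-back methods of a canvas are wrapped so every export is recorded, and a simplified heuristic then decides which reads look like a hidden image being turned into an identifier. The `FakeCanvas` class is a stand-in constructed here because Node has no DOM; in a browser the same wrapper would be applied to `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`. The 16-pixel minimum and the four rules in `isLikelyFingerprint` are assumptions, modelled loosely on published measurement work, not the paper's own criteria.

```javascript
// Added example (assumed heuristic, constructed stand-in canvas); see lead-in.
const MIN_DIMENSION = 16; // assumption: tiny canvases carry too little rendering variance

// Wrap fillText and the two read-back methods on a canvas prototype so that
// each export appends a record to `records`. Idempotent: safe to call twice.
function instrumentCanvas(proto, records) {
  if (proto.__instrumented) return;
  proto.__instrumented = true;

  const origFillText = proto.fillText;
  proto.fillText = function (...args) {
    this._textDrawn = true; // text rendering is where machines differ most
    return origFillText.apply(this, args);
  };

  for (const method of ['toDataURL', 'getImageData']) {
    const original = proto[method];
    proto[method] = function (...args) {
      records.push({
        id: this.id,
        method,
        format: method === 'toDataURL' ? (args[0] || 'image/png') : 'raw',
        width: this.width,
        height: this.height,
        textDrawn: Boolean(this._textDrawn),
        attached: Boolean(this.isConnected),
      });
      return original.apply(this, args);
    };
  }
}

// Simplified classifier (assumption): a hidden canvas, large enough to show
// rendering differences, with text drawn and read back without lossy compression.
function isLikelyFingerprint(rec) {
  if (rec.attached) return false;                                   // visible canvas: ordinary drawing
  if (rec.width < MIN_DIMENSION || rec.height < MIN_DIMENSION) return false;
  if (!rec.textDrawn) return false;                                 // no text: little device-specific detail
  if (rec.format === 'image/jpeg') return false;                    // lossy export discards the fine detail
  return true;
}

function flaggedReads(records) {
  return records.filter(isLikelyFingerprint).map((r) => r.id);
}

// Stand-in for a DOM canvas, constructed for this example.
class FakeCanvas {
  constructor(id, width, height, isConnected) {
    Object.assign(this, { id, width, height, isConnected });
  }
  fillText() {}
  toDataURL(format) { return `data:${format || 'image/png'};base64,...`; }
  getImageData() { return new Uint8ClampedArray(this.width * this.height * 4); }
}

// Four constructed canvas uses; only `probe` matches the heuristic.
function runSample() {
  const records = [];
  instrumentCanvas(FakeCanvas.prototype, records);

  const chart = new FakeCanvas('chart', 640, 480, true);
  chart.fillText('Q2 revenue', 10, 10);
  chart.toDataURL();               // visible chart exported as PNG: not flagged

  const probe = new FakeCanvas('probe', 300, 150, false);
  probe.fillText('sample text', 2, 15);
  probe.toDataURL();               // hidden, text drawn, lossless read-back: flagged

  const icon = new FakeCanvas('icon', 8, 8, false);
  icon.getImageData(0, 0, 8, 8);   // below the size floor: not flagged

  const photo = new FakeCanvas('photo', 1024, 768, false);
  photo.fillText('caption', 0, 0);
  photo.toDataURL('image/jpeg');   // lossy export: not flagged

  return flaggedReads(records);    // ['probe']
}
```

Running `runSample()` yields `['probe']`. A browser extension would install the same wrapper before page scripts run and either log the flagged read or hand back a blank image; the point of the heuristic is to leave ordinary chart and photo exports alone.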


Travis County Developing Electronic Voting System With a Paper Trail (Andra Lim)

"ACM TechNews" <technews@hq.acm.org>
Mon, 21 Jul 2014 11:47:12 -0400 (EDT)
Andra Lim, Austin American-Statesman (TX), 15 Jul 2014
  [via ACM TechNews, 21 Jul 2014]

An electronic-voting system that prints out a paper copy of the ballot and a
take-home receipt to confirm the vote was tallied is under development in
Travis County, Texas, and could be in operation within three years.  The
system would likely have voters use a tablet computer to fill out an
electronic ballot and then produce a print version, and the e-ballot would
not be counted until voters deposited the print copy into a ballot box that
scans a serial number.  The take-home receipt would have a code that voters
can enter online to verify the vote was counted.  The county's initiative in
creating its own voting system rather than handing the job over to one of a
small cluster of voting machine vendors has never been attempted before,
notes Travis County clerk Dana DeBeauvoir.  The system came about from a
2009 study of election issues organized by DeBeauvoir, which concluded a
paper trail was highly desirable.  Adding urgency to the effort is the fact
that some county voting machines are reaching the end of their life spans,
and there is no longer any federal funding to pay for new systems.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c334x2b734x060830&


Racy Photos Were Often Shared at NSA (Michael S. Schmidt)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 22 Jul 2014 07:12:13 PDT
Michael S. Schmidt, *The New York Times*,  21 Jul 2014

"The former National Security Agency contractor Edward J. Snowden said in a
wide-ranging interview published on Sunday that the oversight of
surveillance programs was so weak that members of the United States military
working at the spy agency sometimes shared sexually explicit photos they
intercepted."
http://readersupportednews.org/news-section2/318-66/24894-snowden-sexually-explicit-photos-intercepted-shared-by-nsa-workers


NASDAQ Network Intrusion Installed Attack Malware

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 18 Jul 2014 08:09:24 -0700
Apparently, the reported intrusion at NASDAQ was more dangerous than
previously reported, Bloomberg Businessweek reports.  Among the new
findings:

 * Attack malware was installed by the attackers.
 * The investigation was hampered by the insufficient logs and overall
   security state.

A signal warning to all [regarding] the importance of security and
maintaining activity logs.

www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq

Bob Gezelter, http://www.rlgsc.com


How to Flawlessly Predict Anything on the Internet

Lauren Weinstein <lauren@vortex.com>
Sun, 20 Jul 2014 07:55:26 -0700
Medium via NNSquad
https://medium.com/message/how-to-always-be-right-on-the-internet-delete-your-mistakes-519a595da2f5

  "This is a modern update to a classic confidence game—find a risky
  scenario with limited possibilities, bet on every single combination, and
  then hide your failures. The result is that you look like you're either
  psychic or a goddamned genius.  Variations of this scam have been used for
  centuries in finance, magic, and gambling.  Mutual fund companies bring
  new funds to market by incubating new funds outside of the public eye for
  years, then actively market the strongest performers with the highest
  returns. Poof! You're an overnight Warren Buffett!"

  - - -

"Columbo" demonstrated this con in the 1976 episode "Now You See Him"
(available on Netflix).


Exec. Order 12333: Yet another rule that lets NSA spy on Americans (John Napier Tye)

Henry Baker <hbaker1@pipeline.com>
Mon, 21 Jul 2014 11:40:07 -0700
  [Long item, very well worth reading in its entirety.  PGN]

FYI—In the NSA's version of the "shell game", there's a pea underneath
*all* of the shells, so that the NSA can continue spying, no matter which
shell the press/Congress/the courts turn over.  What if the NSA secretly
copies Internet data onto a private fiber to the GCHQ?  Since the UK is
outside the US, bingo!—EO#12333 now applies!

Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans
John Napier Tye, *The Washington Post*, 18 Jul 2014
http://www.washingtonpost.com/opinions/meet-executive-order-12333-the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html

John Napier Tye served as section chief for Internet freedom in the State
Department's Bureau of Democracy, Human Rights and Labor from January 2011
to April 2014.  He is now a legal director of Avaaz, a global advocacy
organization.


All your Apple iOS data is still available unencrypted (Dennis Fisher)

Henry Baker <hbaker1@pipeline.com>
Mon, 21 Jul 2014 12:01:14 -0700
Dennis Fisher, Researcher Identifies Hidden Data-Acquisition Services in
iOS, 21 Jul 2014
https://threatpost.com/researcher-identifies-hidden-data-acquisition-services-in-ios/107335

There are a number of undocumented and hidden features and services in Apple
iOS that can be used to bypass the backup encryption on iOS devices and
remove large amounts of users' personal data. Several of these features
began as benign services but have evolved in recent years to become powerful
tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked
extensively with law enforcement and intelligence agencies, has spent quite
a bit of time looking at the capabilities and services available in iOS for
data acquisition and found that some of the services have no real reason to
be on these devices and that several have the ability to bypass the iOS
backup encryption.  One of the services in iOS, called `mobile file_relay',
which can be accessed remotely or through a USB connection, can be used to
bypass the backup encryption.  If the device has not been rebooted since the
last time the user entered the PIN, all of the data encrypted via data
protection can be accessed, whether by an attacker or law enforcement,
Zdziarski said.

http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf

Zdziarski: "Between this tool and other services, you can get almost the
same information you could get from a complete backup.  What concerns me the
most is that this all bypasses the consumer backup encryption.  When you
click that button to encrypt the backup, Apple has made a promise that the
data that comes off the device will be encrypted."

Using the hidden services that bypass the encrypted backup protection doesn't
require the use of developer mode, and many of them have been present in iOS
for five years.  Zdziarski, who designed many of the initial methods for
acquiring forensic data from iOS devices, said there also is a *packet
capture tool* present on every iOS device that has the ability to dump all
of the inbound and outbound HTTP data and runs in the background without any
notification to the user.

"It's installed by default and they don't prompt the user.  If you're going
to start packet sniffing every device that's out there, you really should be
prompting the user," Zdziarski said.

Zdziarski discussed his findings in a talk at the HOPE X conference recently
and published the slides and paper, as well.  The file_relay service has
been in iOS for some time and originally was benign, but Zdziarski said that
in recent versions it has turned into a tool that can dump loads of user
data on command.  The file_relay tool can dump a list of the email and
social media accounts, the address book, the user cache folder, which
contains screenshots, offline content, copy/paste data, keyboard typing
cache and other personal data.  The tool can also provide a log of periodic
location snapshots from the device.

There's also a component of the file_relay service called HFSMeta that
appeared in iOS 7 and can create a complete metadata image of the device's
file system.  The data it provides includes metadata on all files, such as
timestamps, sizes and dates of creation, all of the apps installed on the
device, filenames of all of the email attachments on the device and all of
the email accounts configured on the device.  It also can provide a copy of
the keyboard's autocorrect cache, all of the photos in the user's album and
the user's voicemail database.

Zdziarski: "Some of this data shouldn't be on the phone.  HFSMeta creates a
disk image of everything that's on the phone, not the content but the
metadata.  There's not even an engineering use for that."

Some of the undocumented services and features in iOS map pretty closely to
capabilities attributed to some of the NSA's tools, specifically
DROPOUTJEEP, which was revealed by documents leaked by Edward Snowden.
Zdziarski said that he is not pointing to these services as intentional
backdoors for the intelligence community, but he believes there is evidence
that the agency may be using them, nonetheless.  "I'm not saying at all
that Apple is working with the NSA.  But at the very least, there's a very
strong case to say that the NSA knows about and exploits these
capabilities."

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering
information security.


Domain Registry Of America Suspended By ICANN

Lauren Weinstein <lauren@vortex.com>
Sun, 20 Jul 2014 10:53:05 -0700
Internet News via NNSQUAD

http://www.internetnews.me/2014/07/19/domain-registry-america-suspended-icann/

  "Since at least 2009, ICANN has received numerous complaints from
  Registered Name Holders, registrars, and various ICANN Supporting
  Organizations and Advisory Committees regarding the business solicitation
  practices of Brandon Gray's resellers.  Such practices were not
  specifically prohibited under the 2001 and 2009 RAAs.  Section 3.12 of the
  2013 RAA, however, requires registrars to ensure its reseller's actions
  comply with the RAA, as well as the Registrants' Benefits and
  Responsibilities Specification, which protects Registered Name Holders
  from false or deceptive practices.  Brandon Gray's reseller Registration
  Services Inc. ("RSI") conducts business through the brands Domain Registry
  of America ("DROA"), Domain Registry Services ("DRS"), Domain Registry of
  Canada ("DROC"), and Domain Renewal Group ("DRG").  As detailed below, the
  domain renewal notices sent by RSI through its brands deceive Registered
  Name Holders to transfer domain names to Brandon Gray."

 - - -

Only took ICANN five years to act.


Routing around insanity & mendacity

Henry Baker <hbaker1@pipeline.com>
Fri, 18 Jul 2014 12:05:09 -0700
FYI—Verizon and other telcos have made most of their money over the past
century by manufacturing artificial bandwidth scarcity, and then paying
lawyers & lobbyists to get the FCC to enforce this artificial scarcity.
However, it is getting harder and harder to hide behind this artificially
manufactured scarcity, as this article demonstrates.

http://iamnotaprogrammer.com/Verizon-Fios-Netflix-Vyprvpn.html

Colin Nederkoorn's Blog

Verizon made an enemy tonight

On a flight back to New York I read Level 3's assessment of the latest round
of the Netflix vs Internet Provider debacle.

The summarized version is that basically Netflix is slow because Verizon
refuses to add capacity to peer with Level 3.  Fixing the situation would
cost Verizon on the order of a few thousand (that's right thousand) dollars.
Level 3 is even willing to foot the bill.  But Verizon refuses.

Is Netflix actually slow on Verizon Fios?

I wasn't sure how to test my Netflix speed.  After a bit of googling I found
an article by Wired on how to test your Netflix streaming speed.  I followed
their steps and I was shocked.

The video on netflix actually shows you how fast it is streaming to you,
which is helpful for diagnostics.

Here's the test video on Netflix for quick reference.

Keep in mind, I pay Verizon for 75 mbps down, 35 mbps up on my Fios
connection.

This Netflix video streams at 375 kbps (or 0.375 mbps—0.5% of the speed
I pay for) at the fastest.  I was shocked.  Then I decided to try connecting
to a VPN service to compare.

Can a VPN make streaming Netflix faster?

My hypothesis here was that by connecting to a VPN, my traffic might end up
getting routed through uncongested tubes.  Basically, if Verizon is not
upgrading the tubes that go to Netflix, maybe I can connect to a different
location (via VPN) first where Verizon will have good performance and there
will be no congestion between location 2 and Netflix.

Was I successful?

Here's a recording of my test:

Watch the video to feel the full pain.  What you'll see is that on Fios it
streams at 375 kbps at the fastest.  The experience sucks.  It takes an
eternity to buffer.

Then I connect to a VPN (in this case VyprVPN) and I quickly get up to full
speed at 3000 kbps (the max on Netflix), about 10x the speed I was getting
connecting directly via Verizon.

The bastards!

It seems absurd to me that adding another hop via a VPN actually improves
streaming speed.

Clearly it's not Netflix that doesn't have the capacity.  It seems that
Verizon is deliberately dragging their feet and failing to provide service
that people have paid for.  Verizon, tonight you made an enemy, and doing my
own tests have proven (at least to me) that you're in the wrong here.

But, luckily I'm resourceful and can usually solve my own problems.

How to keep the VPN connection open

We sometimes watch netflix on the TV, sometimes on the iPad.  I didn't want
to have to think about how we connected, so I wanted to find a way to
connect the router to the VPN so it would be always on.

I bought an Asus RT-AC66U.  I really like this router and it works a lot
better than my old Airport Extreme.  However, in order to connect it to a
VPN, I had to flash it with a custom firmware from some wizard named Merlin.

After updating the router, you'll now have a screen where you can connect
to a VPN and tell the router to always be connected.

Asus Router Config

Your router might be different, and there's also Tomato and DD-WRT as
alternative firmware.

Problem solved

So in the space of about an hour, I got furious at Verizon, found a way
around the problem, and then fixed it for good (for my household).

Nothing quite motivates me like when something shouldn't be the way that it
is.

Netflix subscribers: What happens when you do the Netflix test?  Do you max
out at 3000 kbps?  Or struggle to even play the video?

I'd love to know in the comments.


Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.07)

Lindsay Harris <lindsay@bluegum.com>
Sat, 19 Jul 2014 14:41:00 +1000
This is not an easy bug to fix properly.  The issue is that the shell does
the filename expansion, so the program is unaware as to whether any given
parameter is intended to be a flag or non-flag.

A mostly effective solution is to check each file name against any possible
parameter, and ignore it as a flag, and perhaps as a file name too.  But
then, how do you delete a file called -rf, for instance?

This may require the return of the dsw command—delete from switch
register.  It's logically the equivalent of rm -i, but without flags and
thus immune from the wildcard expansion issue.

Any (recent) mentions of program names/parameters that have terminal control
codes to alter the display when running ps?  That arose in the early 1980s,
from memory.  I think screen capture was one possibility.

P.S.  I looked up the dsw command to verify my recollection.  The first
search item was at http://man.cat-v.org; I chuckled over the URL's reference
to the paper "Cat -v considered harmful", a paper by Rob Pike at the 1983
Usenix conference, after Dijkstra's CACM note "Goto Considered Harmful".
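An added shell example, not part of Lindsay Harris's reply, that reproduces the hazard he describes (a file named "-rf" that a glob hands to a command as an option) inside a scratch directory and then applies the two standard mitigations: ending option parsing with "--", or prefixing the glob with "./" so no operand can begin with a dash. The same two idioms answer his question about deleting a file literally named "-rf". The function names and the scratch directory layout are constructed for this example.

```sh
#!/bin/sh
# Added example (constructed scratch directory); see lead-in.
set -eu

# Create a scratch directory holding an ordinary file and a file named "-rf".
# Prints the directory path so callers can pass it to the functions below.
make_scratch() {
  dir=$(mktemp -d)
  touch "$dir/-rf" "$dir/data.txt"
  printf '%s\n' "$dir"
}

# Number of entries in a directory (dotfiles included).
count_entries() {
  n=$(ls -A "$1" | wc -l)
  echo $((n))
}

# How many glob results would be parsed as options by a naive "rm *":
# inside the directory, "*" expands to the entry names, and any that begin
# with "-" are taken as flags by the command, not as file names.
option_lookalikes() {
  n=$( (cd "$1" && for f in *; do case $f in -*) printf '%s\n' "$f";; esac; done) | wc -l )
  echo $((n))
}

# Mitigation 1: "--" ends option parsing, so "-rf" is an operand, not a flag.
remove_all_dashdash() {
  (cd "$1" && rm -- *)
}

# Mitigation 2: a "./" prefix means no operand can ever begin with "-".
remove_all_dotslash() {
  (cd "$1" && rm ./*)
}

# Deleting just the awkward file "-rf": "rm -- -rf" or "rm ./-rf" both work.
remove_dashrf() {
  (cd "$1" && rm -- -rf)
}

# Walk through the whole sequence and print the counts at each step.
demo() {
  d=$(make_scratch)
  echo "entries: $(count_entries "$d"), option look-alikes: $(option_lookalikes "$d")"
  remove_dashrf "$d"
  echo "after removing -rf: $(count_entries "$d")"
  remove_all_dotslash "$d"
  echo "after rm ./*: $(count_entries "$d")"
  rmdir "$d"
}
```

Run `demo` after sourcing the file. The unsafe form is deliberately never executed: in a directory that also contained subdirectories, `rm *` would expand to `rm -rf data.txt ...` and recurse.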


Re: Disk-sniffing dogs find thumb drives, DVD's?

Barry Gold <BarryDGold@ca.rr.com>
Sun, 20 Jul 2014 02:29:09 -0700
> State Police Detective Adam Houston takes Thoreau from his cruiser.  The
> yellow lab, 2, is trained to sniff out devices such as thumb drives and
> hard drives that child porn traffickers use to store photos of children.

07 Jul 2014?  Are you sure you have the date right?  Are you, perhaps, off
by 3 months and 3 days?

Okay, so you've located a thumb drive, DVD, or hard drive.  Now...  where's
your Probable Cause to believe it has child porn (or any other "contraband"
information) instead of perfectly innocent photos of the family dog playing
Frisbee?

And besides the legal problems, they are rewarding the dog with food.

You do _not_ reward any working dog with food.  This has been known since
they started training guide dogs if not before.

1. After a certain point, the value of food to the dog decreases (once the
   stomach is full...)

2. Rewarding the dog with food means that "bad guys" can distract the dog
   with food.

3. Even in the absence of intent to create trouble, random passersby with
   food in their hands may distract the dog. Or children may offer the dog
   food, thinking "good doggie, let me feed the good doggie."

You reward the dog with a particular ball whose scent he knows.  Or
something else that is not easily available and doesn't depend on the dog's
appetite.

What is this?  An episode of Beavis and Butthead?


Re: Lethal Weapon: The Self Driving Car (RISKS-28.08)

John Mainwaring <john@mhn.org>
Mon, 21 Jul 2014 15:38:12 -0400
The submission raises the frightful prospect that suspected criminals would
be able to fire weapons at pursuing police cars.

Two gangsters can manage this astonishing feat today, as long as one drives
and the other wields the gat.  On the other hand, the self-driving
car would be likely to obey the speed limit.  Its collision avoidance
features should make it fairly easy for the police to stop it at a road
block.  In the gangster movies of the 1992s, the live driver would have
plowed through the road block at incredible speed on two wheels, in truly
spectacular fashion.

I can't see self-drive making for really good action movies, but they might
make the drive to and from the multi-screen safer, and possibly even allow
for some canoodling in the back seat on the way...  I knew there must be a
way they'd be illegal, immoral or a shame.


Risks of apps versus web browsers, deja vu

Rex Sanders <rsanders@usgs.gov>
Mon, 21 Jul 2014 10:14:58 -0700
Sean Gallagher at ArsTechnica watched what his iOS and Android apps were
doing for a while, and was shocked, shocked by the private information these
apps transmitted:

http://arstechnica.com/security/2014/07/mobile-apps-cookies-leave-a-data-trail-behind-you/

On December 6, 2010, I sent this message to RISKS, but it was not published.

Many online media outlets, social networking sites, and other web sites, are
pushing smart phone apps, in place of standard web browsers.  Many of these
apps are nothing more than re-skinned web browsers.  Some apps offer
expanded content or other features which are not available through standard
browsers.

TANSTAAFL.

With web browsers, you have some limited control over cookies, history,
caching, and other privacy or security features.

You have none of those controls with dedicated apps.

On the other hand, sidejacking your credentials, and similar attacks, could
be much more difficult.

I would rather have some control over my privacy, than worry about
sidejacking low value credentials.

Your risk analysis might be different.

But you should think before using that app.


"New variant of malware, Gyges, can quietly exfiltrate government data" (Candice So)

Gene Wirchenko <genew@telus.net>
Mon, 21 Jul 2014 11:07:54 -0700
Candice So, *IT Business*, 18 July 2014
http://www.itbusiness.ca/news/new-variant-of-malware-gyges-can-quietly-exfiltrate-government-data/50066


Calling All Hackers: Help Us Build an Open Wireless Router

"David Farber via ip" <ip@listbox.com>
Sun, 20 Jul 2014 13:22:08 -0400
EFF is releasing an experimental hacker alpha release of wireless router
software specifically designed to support secure, shareable Open Wireless
networks.  We will be officially launching the Open Wireless Router today at
the HOPE X (Hackers on Planet...

https://www.eff.org/deeplinks/2014/07/building-open-wireless-router


Stop Sneaky Online Tracking with EFF's Privacy Badger

"EFF Press" <press@eff.org>
Jul 21, 2014 10:11 AM
Electronic Frontier Foundation Media Release
For Immediate Release: Monday, July 21, 2014

Contact:

Peter Eckersley
  Technology Projects Director
  Electronic Frontier Foundation
  pde@eff.org
  +1 415 436-9333 x131

Stop Sneaky Online Tracking with EFF's Privacy Badger

Add-On for Firefox and Chrome Prevents Spying by Ads, Social Widgets, and
Hidden Trackers

San Francisco - The Electronic Frontier Foundation (EFF) has released a beta
version of Privacy Badger, a browser extension for Firefox and Chrome that
detects and blocks online advertising and other embedded content that tracks
you without your permission.

Privacy Badger was launched in an alpha version less than three months ago,
and already more than 150,000 users have installed the extension.  Today's
beta release includes a feature that automatically limits the tracking
function of social media widgets, like the Facebook "Like" button, replacing
them with a stand-in version that allows you to "like" something but
prevents the social media tool from tracking your reading habits.

"Widgets that say 'Like this page on Facebook' or 'Tweet this' often allow
those companies to see what webpages you are visiting, even if you never
click the widget's button," said EFF Technology Projects Director Peter
Eckersley.  "The Privacy Badger alpha would detect that, and block those
widgets outright.  But now Privacy Badger's beta version has gotten smarter:
it can block the tracking while still giving you the option to see and click
on those buttons if you so choose."

EFF created Privacy Badger to fight intrusive and objectionable practices in
the online advertising industry.  Merely visiting a website with certain
kinds of embedded images, scripts, or advertising can open the door to a
third-party tracker, which can then collect a record of the page you are
visiting and merge that with a database of what you did beforehand and
afterward.  If Privacy Badger spots a tracker following you without your
permission, it will either block all content from that tracker or screen out
the tracking cookies.

Privacy Badger is one way that Internet users can fight the decision that
many companies have made to ignore Do Not Track requests, the universal Web
tracking opt-out you can enable in your browser.  Privacy Badger enforces
users' preferences whether these companies respect your Do Not Track choice
or not.  Advertisers and other third-party domains that are blocked in
Privacy Badger can unblock themselves by making a formal commitment to
respect their users' Do Not Track requests.

"Users who install Privacy Badger aren't just getting more privacy and a
better browsing experience for themselves--they are providing incentives for
improved privacy practices and respect for Do Not Track choices across the
Internet," said Eckersley.  "Using Privacy Badger helps to make the Web as a
whole better for everyone."

EFF wishes to thank Professor Franziska Roesner at the University of
Washington for exceptional work in enhancing Privacy Badger's
widget-handling algorithms.

To install the beta version of Privacy Badger:
https://www.eff.org/privacybadger

For this release:
https://www.eff.org/press/releases/stop-sneaky-online-tracking-effs-privacy-badger

  [...]
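An added example, not EFF's Privacy Badger source, that implements the idea the release describes: a third-party domain that carries cookies while you visit several unrelated first-party sites is treated as a tracker and blocked, unless it has committed to honour Do Not Track. The threshold of three first-party sites, the two-label domain grouping, the "watch" state and the sample browsing trace are assumptions constructed for this example.

```javascript
// Added example (assumed threshold and grouping rule, constructed trace); see lead-in.
const BLOCK_THRESHOLD = 3; // assumption: block once a tracker is seen on this many sites

// Collapse a host to its registrable domain. Simplification: the last two
// labels; a real implementation would consult the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class TrackerHeuristic {
  constructor(threshold = BLOCK_THRESHOLD) {
    this.threshold = threshold;
    this.seenOn = new Map();       // tracker site -> Set of first-party sites it was seen on
    this.dntCommitted = new Set(); // sites that published a Do Not Track commitment
  }

  // Feed one observed request: the page's host, the request's host, and
  // whether the request carried or tried to set cookies.
  observe(pageHost, requestHost, withCookies) {
    const page = siteOf(pageHost);
    const target = siteOf(requestHost);
    if (page === target || !withCookies) return; // first-party or stateless: not tracking
    if (!this.seenOn.has(target)) this.seenOn.set(target, new Set());
    this.seenOn.get(target).add(page);
  }

  // Record a Do Not Track commitment for a domain (in Privacy Badger this is a
  // well-known policy file the domain serves; here it is simply a flag).
  acknowledgeDntPolicy(host) {
    this.dntCommitted.add(siteOf(host));
  }

  // Decision for a request to `requestHost` from any page.
  verdict(requestHost) {
    const target = siteOf(requestHost);
    if (this.dntCommitted.has(target)) return 'allow (DNT commitment)';
    const sites = this.seenOn.get(target);
    const count = sites ? sites.size : 0;
    if (count >= this.threshold) return 'block';
    if (count > 0) return 'watch';
    return 'allow';
  }
}

// Constructed browsing trace: [page host, request host, cookies present].
const SAMPLE_TRACE = [
  ['news.example.org', 'static.news.example.org', true],  // first-party asset
  ['news.example.org', 'pixel.adnet.example',     true],
  ['shop.example.net', 'pixel.adnet.example',     true],
  ['blog.example.com', 'cdn.adnet.example',       true],  // same registrable domain as pixel.adnet.example
  ['blog.example.com', 'fonts.fontcdn.example',   false], // no cookies: never counted
  ['news.example.org', 'widget.social.example',   true],
  ['shop.example.net', 'widget.social.example',   true],  // two sites: still under threshold
];

function runSample() {
  const h = new TrackerHeuristic();
  for (const [page, host, cookies] of SAMPLE_TRACE) h.observe(page, host, cookies);
  const before = {
    adnet: h.verdict('pixel.adnet.example'),        // 'block'
    social: h.verdict('widget.social.example'),     // 'watch'
    fontcdn: h.verdict('fonts.fontcdn.example'),    // 'allow'
    firstParty: h.verdict('static.news.example.org'), // 'allow'
  };
  h.acknowledgeDntPolicy('adnet.example');
  return { before, afterDnt: h.verdict('pixel.adnet.example') }; // 'allow (DNT commitment)'
}
```

The heuristic needs no list of known trackers, which is why it keeps working when a tracker changes its name; the cost is that a harmless cookie-bearing CDN seen on enough sites is blocked too, which is where the Do Not Track commitment path in `acknowledgeDntPolicy` comes in.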


Silver Bullet 100 launches 23 Jul 2014

Gary McGraw <gem@cigital.com>
Fri, 18 Jul 2014 18:19:29 -0400
Believe it or not, we've produced Silver Bullet Security Podcasts for 100
months in a row without fail!  To celebrate this accomplishment, we produced
a video for episode 100 that will debut next Wednesday morning.  To date we
have almost 1,000,000 podcast downloads (an average episode has about 10,000
listens).

Keep your eye on twitter (@cigitalgem) and the Silver Bullet website:
http://www.cigital.com/silverbullet

p.s. http://www.cigital.com/silver-bullet/show-014/
