
RISKS Digest 28.9

Tuesday 22 July 2014

New online tracking method difficult to block

ProPublica via Suzanne Johnson <fuhn@pobox.com>

Date: Jul 21, 2014 9:59 AM

[Via Dave Farber]

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com. <https://securehomes.esat.kuleuven.be/%7Egacar/persistent/index.html> by researchers at Princeton <https://www.princeton.edu/main/> University and KU Leuven <http://www.kuleuven.be/english> University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it. [...]
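[Added example, not code from the ProPublica item or from the Princeton/KU Leuven study: the tell-tale of canvas fingerprinting is that a page draws to a canvas the user never sees and then reads the pixels back. The detector below, written in the style of a browser-extension content script, wraps the read-back methods (toDataURL, toBlob, getImageData) and reports any read from a detached, tiny or hidden canvas. Because it is meant to run under Node for testing, it constructs minimal stand-ins for HTMLCanvasElement and CanvasRenderingContext2D; in a real browser those classes exist natively. The 16x16 visibility threshold is this example's assumption.]

```javascript
// Added example (not from the ProPublica item or the study it cites): report
// pixel read-backs from canvases the user cannot see. Assumption: the DOM is
// not available under Node, so FakeCanvas/FakeContext2D stand in for the real
// HTMLCanvasElement and CanvasRenderingContext2D classes.

const MIN_VISIBLE_AREA = 16 * 16; // assumption: anything smaller is unlikely to be shown

const reports = []; // every suspicious read-back is recorded here

// A canvas is "hidden" if it was never attached to the document, is too small
// to be seen, or is styled away. Fingerprinting scripts draw to such canvases.
function isHiddenCanvas(canvas) {
  if (!canvas.isConnected) return true;
  if (canvas.width * canvas.height < MIN_VISIBLE_AREA) return true;
  const style = canvas.style || {};
  return style.display === 'none' || style.visibility === 'hidden';
}

function reportReadback(method, canvas) {
  reports.push({ method, width: canvas.width, height: canvas.height, connected: canvas.isConnected });
}

// Wrap one prototype method so a read-back from a hidden canvas is reported
// before the original method runs; getCanvas maps `this` to its canvas.
function wrapReadback(proto, name, getCanvas) {
  const original = proto[name];
  if (typeof original !== 'function') return;
  proto[name] = function (...args) {
    const canvas = getCanvas(this);
    if (isHiddenCanvas(canvas)) reportReadback(name, canvas);
    return original.apply(this, args);
  };
}

function installCanvasReadbackDetector(CanvasCtor, Context2DCtor) {
  wrapReadback(CanvasCtor.prototype, 'toDataURL', (c) => c);
  wrapReadback(CanvasCtor.prototype, 'toBlob', (c) => c);
  wrapReadback(Context2DCtor.prototype, 'getImageData', (ctx) => ctx.canvas);
}

// Constructed stand-ins for the DOM classes (assumption; browsers provide them).
class FakeContext2D {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  getImageData(x, y, w, h) { return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) }; }
}
class FakeCanvas {
  constructor(width, height) { this.width = width; this.height = height; this.isConnected = false; this.style = {}; }
  getContext() { return new FakeContext2D(this); }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
}

installCanvasReadbackDetector(FakeCanvas, FakeContext2D);

// Simulate two pages: a script that draws text to a detached canvas and reads
// the pixels back (the fingerprinting pattern), and a chart that is displayed.
function runDemo() {
  reports.length = 0;

  const hidden = new FakeCanvas(300, 40);              // never attached to the document
  const ctx = hidden.getContext('2d');
  ctx.fillText('sample text', 2, 20);                  // constructed drawing
  ctx.getImageData(0, 0, hidden.width, hidden.height); // read-back 1, reported
  hidden.toDataURL();                                  // read-back 2, reported

  const chart = new FakeCanvas(400, 300);
  chart.isConnected = true;                            // attached and visible
  chart.getContext('2d').fillText('Q3 revenue', 10, 10);
  chart.toDataURL();                                   // legitimate export, not reported

  return reports.map((r) => r.method);
}

console.log(runDemo()); // [ 'getImageData', 'toDataURL' ]
```

The hook only observes; a blocking variant would return a constant image from the wrapper instead of calling the original, at the cost of breaking pages that legitimately export canvases.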

Travis County Developing Electronic Voting System With a Paper Trail

Andra Lim <technews@hq.acm.org>

Date: Mon, 21 Jul 2014 11:47:12 -0400 (EDT)

Andra Lim, Austin American-Statesman (TX), 15 Jul 2014 [via ACM TechNews, 21 Jul 2014]

An electronic-voting system that prints out a paper copy of the ballot and a take-home receipt to confirm the vote was tallied is under development in Travis County, Texas, and could be in operation within three years. The system would likely have voters use a tablet computer to fill out an electronic ballot and then produce a print version, and the e-ballot would not be counted until voters deposited the print copy into a ballot box that scans a serial number. The take-home receipt would have a code that voters can enter online to verify the vote was counted. The county's initiative in creating its own voting system rather than handing the job over to one of a small cluster of voting machine vendors has never been attempted before, notes Travis County clerk Dana DeBeauvoir. The system came about from a 2009 study of election issues organized by DeBeauvoir, which concluded a paper trail was highly desirable. Adding urgency to the effort is the fact that some county voting machines are reaching the end of their life spans, and there is no longer any federal funding to pay for new systems. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c334x2b734x060830&

Racy Photos Were Often Shared at NSA

Michael S. Schmidt <neumann@csl.sri.com>

Date: Tue, 22 Jul 2014 07:12:13 PDT

Michael S. Schmidt, *The New York Times*, 21 Jul 2014

"The former National Security Agency contractor Edward J. Snowden said in a wide-ranging interview published on Sunday that the oversight of surveillance programs was so weak that members of the United States military working at the spy agency sometimes shared sexually explicit photos they intercepted."

http://lists.readersupportednews.org/ss/link.php?M5726&N939&C

NASDAQ Network Intrusion Installed Attack Malware

Bob Gezelter <gezelter@rlgsc.com>

Date: Fri, 18 Jul 2014 08:09:24 -0700

Apparently, the reported intrusion at NASDAQ was more dangerous than previously reported, Bloomberg Businessweek reports. Among the new findings:

* Attack malware was installed by the attackers.
* The investigation was hampered by the insufficient logs and overall security state.

A signal warning to all [regarding] the importance of security and maintaining activity logs.

www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq

Bob Gezelter, http://www.rlgsc.com

How to Flawlessly Predict Anything on the Internet

Lauren Weinstein <lauren@vortex.com>

Date: Sun, 20 Jul 2014 07:55:26 -0700

Medium via NNSquad https://medium.com/message/how-to-always-be-right-on-the-internet-delete-your-mistakes-519a595da2f5

"This is a modern update to a classic confidence game—find a risky scenario with limited possibilities, bet on every single combination, and then hide your failures. The result is that you look like you're either psychic or a goddamned genius. Variations of this scam have been used for centuries in finance, magic, and gambling. Mutual fund companies bring new funds to market by incubating new funds outside of the public eye for years, then actively market the strongest performers with the highest returns. Poof! You're an overnight Warren Buffett!"

- - -

"Columbo" demonstrated this con in the 1976 episode "Now You See Him" (available on Netflix).

Exec. Order 12333: Yet another rule that lets NSA spy on Americans

John Napier Tye via Henry Baker <hbaker1@pipeline.com>

Date: Mon, 21 Jul 2014 11:40:07 -0700

[Long item, very well worth reading in its entirety. PGN]

FYI—In the NSA's version of the "shell game", there's a pea underneath *all* of the shells, so that the NSA can continue spying, no matter which shell the press/Congress/the courts turn over. What if the NSA secretly copies Internet data onto a private fiber to the GCHQ? Since the UK is outside the US, bingo!—EO#12333 now applies!

Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans
John Napier Tye, *The Washington Post*, 18 Jul 2014
http://www.washingtonpost.com/opinions/meet-executive-order-12333-the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html

John Napier Tye served as section chief for Internet freedom in the State Department's Bureau of Democracy, Human Rights and Labor from January 2011 to April 2014. He is now a legal director of Avaaz, a global advocacy organization.

All your Apple iOS data is still available unencrypted

Dennis Fisher via Henry Baker <hbaker1@pipeline.com>

Date: Mon, 21 Jul 2014 12:01:14 -0700

Dennis Fisher, Researcher Identifies Hidden Data-Acquisition Services in iOS, 21 Jul 2014 https://threatpost.com/researcher-identifies-hidden-data-acquisition-services-in-ios/107335

There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called `mobile file_relay', can be accessed remotely or through a USB connection and can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.

http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf

Zdziarski: "Between this tool and other services, you can get almost the same information you could get from a complete backup. What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted."

Using the hidden services that bypass the encrypted backup protection doesn't require the use of developer mode, and many of them have been present in iOS for five years. Zdziarski, who designed many of the initial methods for acquiring forensic data from iOS devices, said there also is a *packet capture tool* present on every iOS device that has the ability to dump all of the inbound and outbound HTTP data and runs in the background without any notification to the user.

"It's installed by default and they don't prompt the user. If you're going to start packet sniffing every device that's out there, you really should be prompting the user," Zdziarski said.

Zdziarski discussed his findings in a talk at the HOPE X conference recently and published the slides and paper, as well. The file_relay service has been in iOS for some time and originally was benign, but Zdziarski said that in recent versions it has turned into a tool that can dump loads of user data on command. The file_relay tool can dump a list of the email and social media accounts, the address book, the user cache folder, which contains screenshots, offline content, copy/paste data, keyboard typing cache and other personal data. The tool can also provide a log of periodic location snapshots from the device.

There's also a component of the file_relay service called HFSMeta that appeared in iOS 7 and can create a complete metadata image of the device's file system. The data it provides includes metadata on all files, such as timestamps, sizes and dates of creation, all of the apps installed on the device, filenames of all of the email attachments on the device and all of the email accounts configured on the device. It also can provide a copy of the keyboard's autocorrect cache, all of the photos in the user's album and the user's voicemail database.

Zdziarski: "Some of this data shouldn't be on the phone. HFSMeta creates a disk image of everything that's on the phone, not the content but the metadata. There's not even an engineering use for that."

Some of the undocumented services and features in iOS map pretty closely to capabilities attributed to some of the NSA's tools, specifically DROPOUTJEEP, which was revealed by documents leaked by Edward Snowden. Zdziarski said that he is not pointing to these services as intentional backdoors for the intelligence community, but he believes there is evidence that the agency may be using them, nonetheless. "I'm not saying at all that Apple is working with the NSA. But at the very least, there's a very strong case to say that the NSA knows about and exploits these capabilities."

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Domain Registry Of America Suspended By ICANN

Lauren Weinstein <lauren@vortex.com>

Date: Sun, 20 Jul 2014 10:53:05 -0700

Internet News via NNSQUAD

http://www.internetnews.me/2014/07/19/domain-registry-america-suspended-icann/

"Since at least 2009, ICANN has received numerous complaints from Registered Name Holders, registrars, and various ICANN Supporting Organizations and Advisory Committees regarding the business solicitation practices of Brandon Gray's resellers. Such practices were not specifically prohibited under the 2001 and 2009 RAAs. Section 3.12 of the 2013 RAA, however, requires registrars to ensure its reseller's actions comply with the RAA, as well as the Registrants' Benefits and Responsibilities Specification, which protects Registered Name Holders from false or deceptive practices. Brandon Gray's reseller Registration Services Inc. ("RSI") conducts business through the brands Domain Registry of America ("DROA"), Domain Registry Services ("DRS"), Domain Registry of Canada ("DROC"), and Domain Renewal Group ("DRG"). As detailed below, the domain renewal notices sent by RSI through its brands deceive Registered Name Holders to transfer domain names to Brandon Gray."

- - -

Only took ICANN five years to act.

Routing around insanity & mendacity

Henry Baker <hbaker1@pipeline.com>

Date: Fri, 18 Jul 2014 12:05:09 -0700

FYI—Verizon and other telcos have made most of their money over the past century by manufacturing artificial bandwidth scarcity, and then paying lawyers & lobbyists to get the FCC to enforce this artificial scarcity. However, it is getting harder and harder to hide behind this artificially manufactured scarcity, as this article demonstrates.

http://iamnotaprogrammer.com/Verizon-Fios-Netflix-Vyprvpn.html

Colin Nederkoorn's Blog

Verizon made an enemy tonight

On a flight back to New York I read Level 3's assessment of the latest round of the Netflix vs Internet Provider debacle.

The summarized version is that basically Netflix is slow because Verizon refuses to add capacity to peer with Level 3. Fixing the situation would cost Verizon on the order of a few thousand (that's right thousand) dollars. Level 3 is even willing to foot the bill. But Verizon refuses.

Is Netflix actually slow on Verizon Fios?

I wasn't sure how to test my Netflix speed. After a bit of googling I found an article by Wired on how to test your Netflix streaming speed. I followed their steps and I was shocked.

The video on Netflix actually shows you how fast it is streaming to you, which is helpful for diagnostics.

Here's the test video on Netflix for quick reference.

Keep in mind, I pay Verizon for 75 Mbps down, 35 Mbps up on my Fios connection.

This Netflix video streams at 375 kbps (or 0.375 Mbps—0.5% of the speed I pay for) at the fastest. I was shocked. Then I decided to try connecting to a VPN service to compare.

Can a VPN make streaming Netflix faster?

My hypothesis here was that by connecting to a VPN, my traffic might end up getting routed through uncongested tubes. Basically, if Verizon is not upgrading the tubes that go to Netflix, maybe I can connect to a different location (via VPN) first where Verizon will have good performance and there will be no congestion between location 2 and Netflix.

Was I successful?

Here's a recording of my test:

Watch the video to feel the full pain. What you'll see is that on Fios it streams at 375 kbps at the fastest. The experience sucks. It takes an eternity to buffer.

Then I connect to a VPN (in this case VyprVPN) and I quickly get up to full speed at 3000 kbps (the max on Netflix), about 10x the speed I was getting connecting directly via Verizon.

The bastards!

It seems absurd to me that adding another hop via a VPN actually improves streaming speed.

Clearly it's not Netflix that doesn't have the capacity. It seems that Verizon is deliberately dragging their feet and failing to provide service that people have paid for. Verizon, tonight you made an enemy, and doing my own tests has proven (at least to me) that you're in the wrong here.

But, luckily I'm resourceful and can usually solve my own problems.

How to keep the VPN connection open

We sometimes watch Netflix on the TV, sometimes on the iPad. I didn't want to have to think about how we connected, so I wanted to find a way to connect the router to the VPN so it would be always on.

I bought an Asus RT-AC66U. I really like this router and it works a lot better than my old Airport Extreme. However, in order to connect it to a VPN, I had to flash it with a custom firmware from some wizard named Merlin.

After updating the router, you'll now have a screen where you can connect to a VPN and tell the router to always be connected.

[Image: Asus Router Config]

Your router might be different, and there's also Tomato and DD-WRT as alternative firmware.

Problem solved

So in the space of about an hour, I got furious at Verizon, found a way around the problem, and then fixed it for good (for my household).

Nothing quite motivates me like when something shouldn't be the way that it is.

Netflix subscribers: What happens when you do the Netflix test? Do you max out at 3000 kbps? Or struggle to even play the video?

I'd love to know in the comments.

Re: Unix "*" wildcards considered harmful

Lindsay Harris <lindsay@bluegum.com>

Date: Sat, 19 Jul 2014 14:41:00 +1000

This is not an easy bug to fix properly. The issue is that the shell does the filename expansion, so the program is unaware as to whether any given parameter is intended to be a flag or non-flag.

A mostly effective solution is to check each file name against any possible parameter, and ignore it as a flag, and perhaps as a file name too. But then, how do you delete a file called -rf, for instance?

This may require the return of the dsw command—delete from switch register. It's logically the equivalent of rm -i, but without flags and thus immune from the wildcard expansion issue.

Any (recent) mentions of program names/parameters that have terminal control codes to alter the display when running ps? That arose in the early 1980s, from memory. I think screen capture was one possibility.

P.S. I looked up the dsw command to verify my recollection. The first search item was at http://man.cat-v.org. I chuckled over the URL's reference to the paper "Cat -v considered harmful", a paper by Rob Pike at the 1983 Usenix conference, after Dijkstra's CACM note "Goto Considered Harmful".

Re: Disk-sniffing dogs find thumb drives, DVD's?

Barry Gold <BarryDGold@ca.rr.com>

Date: Sun, 20 Jul 2014 02:29:09 -0700

> State Police Detective Adam Houston takes Thoreau from his cruiser. The
> yellow lab, 2, is trained to sniff out devices such as thumb drives and
> hard drives that child porn traffickers use to store photos of children.

07 Jul 2014? Are you sure you have the date right? Are you, perhaps, off by 3 months and 3 days?

Okay, so you've located a thumb drive, DVD, or hard drive. Now... where's your Probable Cause to believe it has child porn (or any other "contraband" information) instead of perfectly innocent photos of the family dog playing Frisbee?

And besides the legal problems, they are rewarding the dog with food.

You do _not_ reward any working dog with food. This has been known since they started training guide dogs if not before.

1. After a certain point, the value of food to the dog decreases (once the stomach is full...)

2. Rewarding the dog with food means that "bad guys" can distract the dog with food.

3. Even in the absence of intent to create trouble, random passersby with food in their hands may distract the dog. Or children may offer the dog food, thinking "good doggie, let me feed the good doggie."

You reward the dog with a particular ball whose scent he knows. Or something else that is not easily available and doesn't depend on the dog's appetite.

What is this? An episode of Beavis and Butthead?

Re: Lethal Weapon: The Self Driving Car

John Mainwaring <john@mhn.org>

Date: Mon, 21 Jul 2014 15:38:12 -0400

The submission raises the frightful prospect that suspected criminals would be able to fire weapons at pursuing police cars.

Two gangsters can manage this astonishing feat today, as long as one drives and the other wields the gat. On the other hand, the self-driving car would be likely to obey the speed limit. Its collision avoidance features should make it fairly easy for the police to stop it at a road block. In the gangster movies of the 1992s, the live driver would have plowed through the road block at incredible speed on two wheels, in truly spectacular fashion.

I can

Risks of apps versus web browsers, deja vu

Rex Sanders <rsanders@usgs.gov>

Date: Mon, 21 Jul 2014 10:14:58 -0700

Sean Gallagher at ArsTechnica watched what his iOS and Android apps were doing for a while, and was shocked, shocked by the private information these apps transmitted:

http://arstechnica.com/security/2014/07/mobile-apps-cookies-leave-a-data-trail-behind-you/

On December 6, 2010, I sent this message to RISKS, but it was not published.

Many online media outlets, social networking sites, and other web sites, are pushing smart phone apps, in place of standard web browsers. Many of these apps are nothing more than re-skinned web browsers. Some apps offer expanded content or other features which are not available through standard browsers.

TANSTAAFL.

With web browsers, you have some limited control over cookies, history, caching, and other privacy or security features.

You have none of those controls with dedicated apps.

On the other hand, sidejacking your credentials, and similar attacks, could be much more difficult.

I would rather have some control over my privacy, than worry about sidejacking low value credentials.

Your risk analysis might be different.

But you should think before using that app.

"New variant of malware, Gyges, can quietly exfiltrate government data"

Candice So via Gene Wirchenko <genew@telus.net>

Date: Mon, 21 Jul 2014 11:07:54 -0700

Candice So, *IT Business*, 18 July 2014 http://www.itbusiness.ca/news/new-variant-of-malware-gyges-can-quietly-exfiltrate-government-data/50066

Calling All Hackers: Help Us Build an Open Wireless Router

David Farber <ip@listbox.com>

Date: Sun, 20 Jul 2014 13:22:08 -0400

EFF is releasing an experimental hacker alpha release of wireless router software specifically designed to support secure, shareable Open Wireless networks. We will be officially launching the Open Wireless Router today at the HOPE X (Hackers on Planet...

https://www.eff.org/deeplinks/2014/07/building-open-wireless-router

Stop Sneaky Online Tracking with EFF's Privacy Badger

EFF <press@eff.org>

Date: Jul 21, 2014 10:11 AM

Electronic Frontier Foundation Media Release For Immediate Release: Monday, July 21, 2014

Contact:

Peter Eckersley
Technology Projects Director
Electronic Frontier Foundation
pde@eff.org
+1 415 436-9333 x131

Stop Sneaky Online Tracking with EFF's Privacy Badger

Add-On for Firefox and Chrome Prevents Spying by Ads, Social Widgets, and Hidden Trackers

San Francisco - The Electronic Frontier Foundation (EFF) has released a beta version of Privacy Badger, a browser extension for Firefox and Chrome that detects and blocks online advertising and other embedded content that tracks you without your permission.

Privacy Badger was launched in an alpha version less than three months ago, and already more than 150,000 users have installed the extension. Today's beta release includes a feature that automatically limits the tracking function of social media widgets, like the Facebook "Like" button, replacing them with a stand-in version that allows you to "like" something but prevents the social media tool from tracking your reading habits.

"Widgets that say 'Like this page on Facebook' or 'Tweet this' often allow those companies to see what webpages you are visiting, even if you never click the widget's button," said EFF Technology Projects Director Peter Eckersley. "The Privacy Badger alpha would detect that, and block those widgets outright. But now Privacy Badger's beta version has gotten smarter: it can block the tracking while still giving you the option to see and click on those buttons if you so choose."

EFF created Privacy Badger to fight intrusive and objectionable practices in the online advertising industry. Merely visiting a website with certain kinds of embedded images, scripts, or advertising can open the door to a third-party tracker, which can then collect a record of the page you are visiting and merge that with a database of what you did beforehand and afterward. If Privacy Badger spots a tracker following you without your permission, it will either block all content from that tracker or screen out the tracking cookies.

Privacy Badger is one way that Internet users can fight the decision that many companies have made to ignore Do Not Track requests, the universal Web tracking opt-out you can enable in your browser. Privacy Badger enforces users' preferences whether these companies respect your Do Not Track choice or not. Advertisers and other third-party domains that are blocked in Privacy Badger can unblock themselves by making a formal commitment to respect their users' Do Not Track requests.

"Users who install Privacy Badger aren't just getting more privacy and a better browsing experience for themselves--they are providing incentives for improved privacy practices and respect for Do Not Track choices across the Internet," said Eckersley. "Using Privacy Badger helps to make the Web as a whole better for everyone."

EFF wishes to thank Professor Franziska Roesner at the University of Washington for exceptional work in enhancing Privacy Badger's widget-handling algorithms.

To install the beta version of Privacy Badger: https://www.eff.org/privacybadger

For this release: https://www.eff.org/press/releases/stop-sneaky-online-tracking-effs-privacy-badger

[...]
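[Added example, not EFF's Privacy Badger code: a simplified version of the kind of heuristic the release describes. A third-party domain is treated as a tracker once it has set a cookie while embedded on several distinct first-party sites; it is then blocked unless it has made a Do Not Track commitment. Assumptions: the three-site threshold, the crude two-label "base domain" rule (real tools use the Public Suffix List), and the sample request log are all constructed for this example.]

```javascript
// Added example (not EFF's code): a cross-site tracking heuristic in the
// spirit of Privacy Badger. Assumptions: threshold of 3 first-party sites,
// two-label base-domain approximation, constructed request log.

const TRACKING_SITE_THRESHOLD = 3;

// Registrable-domain approximation: keep the last two labels.
function baseDomain(host) {
  const labels = host.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

class TrackerHeuristic {
  constructor() {
    this.sitesSeenOn = new Map();   // third-party base domain -> Set of first-party base domains
    this.dntCommitted = new Set();  // domains that formally committed to honour DNT
  }

  // One embedded request: { firstParty, thirdParty, setsCookie }.
  observe(req) {
    const fp = baseDomain(req.firstParty);
    const tp = baseDomain(req.thirdParty);
    if (fp === tp) return;          // same site, not a third party
    if (!req.setsCookie) return;    // no identifier, no evidence of tracking
    if (!this.sitesSeenOn.has(tp)) this.sitesSeenOn.set(tp, new Set());
    this.sitesSeenOn.get(tp).add(fp);
  }

  // Domains that commit to respecting Do Not Track are unblocked.
  commitToDoNotTrack(host) {
    this.dntCommitted.add(baseDomain(host));
  }

  // 'allow' until the evidence crosses the threshold, then 'block' unless the
  // domain has committed to DNT.
  decide(host) {
    const tp = baseDomain(host);
    const count = this.sitesSeenOn.has(tp) ? this.sitesSeenOn.get(tp).size : 0;
    if (count < TRACKING_SITE_THRESHOLD) return 'allow';
    return this.dntCommitted.has(tp) ? 'allow' : 'block';
  }
}

// Constructed request log: what a browser might observe across four page visits.
const SAMPLE_REQUESTS = [
  { firstParty: 'news.example',  thirdParty: 'track.adnet.example',   setsCookie: true },
  { firstParty: 'news.example',  thirdParty: 'static.cdn.example',    setsCookie: false },
  { firstParty: 'shop.example',  thirdParty: 'track.adnet.example',   setsCookie: true },
  { firstParty: 'shop.example',  thirdParty: 'static.cdn.example',    setsCookie: false },
  { firstParty: 'blog.example',  thirdParty: 'track.adnet.example',   setsCookie: true },
  { firstParty: 'blog.example',  thirdParty: 'static.cdn.example',    setsCookie: false },
  { firstParty: 'blog.example',  thirdParty: 'stats.metrics.example', setsCookie: true },
  { firstParty: 'forum.example', thirdParty: 'stats.metrics.example', setsCookie: true },
  { firstParty: 'forum.example', thirdParty: 'www.forum.example',     setsCookie: true }, // first party, ignored
];

function classifySample() {
  const h = new TrackerHeuristic();
  SAMPLE_REQUESTS.forEach((r) => h.observe(r));
  const before = {
    adnet: h.decide('track.adnet.example'),     // cookies on 3 sites -> block
    cdn: h.decide('static.cdn.example'),        // 3 sites but never a cookie -> allow
    metrics: h.decide('stats.metrics.example'), // only 2 sites so far -> allow
  };
  h.commitToDoNotTrack('adnet.example');
  const afterDnt = h.decide('track.adnet.example'); // the commitment lifts the block
  return { before, afterDnt };
}

console.log(classifySample());
```

The cookie-free CDN stays allowed however many sites embed it, which is the property that lets a heuristic blocker avoid breaking pages that a blanket third-party block would break; the release's "screen out the tracking cookies" option would be a third decision value between allow and block.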

Silver Bullet 100 launches 23 Jul 2014

Gary McGraw <gem@cigital.com>

Date: Fri, 18 Jul 2014 18:19:29 -0400

Believe it or not, we've produced Silver Bullet Security Podcasts for 100 months in a row without fail! To celebrate this accomplishment, we produced a video for episode 100 that will debut next Wednesday morning. To date we have almost 1,000,000 podcast downloads (an average episode has about 10,000 listens).

Keep your eye on twitter (@cigitalgem) and the Silver Bullet website: http://www.cigital.com/silverbullet

p.s. http://www.cigital.com/silver-bullet/show-014/