
RISKS Digest 28.58

Wednesday 1 April 2015

The Apple zero-button mouse -- and related innovations?

PGN <neumann@csl.sri.com>

Date: 1 April 2015

I just stumbled on to this item:

CUPERTINO, CA, April 1, 2015—Apple, Inc. (NASDAQ: AAPL) today announces the ultimate refinement in pointer technology: the zero-button mouse. "We found that the button was confusing users," said Sir Jonathan Ive, Vice President of Design. The zero-button mouse uses a flexible antenna, which Apple calls the tail. In order to left click, the user grabs the mouse by the tail, and swings it to the left. Right clicking is similar, but swinging to the right. Scrolling is accomplished by swinging the mouse towards or away from the user. The zero-button mouse is available in three collections: Apple Zero Mouse Sport in aluminum, Apple Zero Mouse in stainless steel, and the Apple Zero Mouse Edition, 18-carat gold. A white rubber tail is standard, but optional tails are available in black and red leather, titanium mesh, and carbon fiber.

Pricing and Availability: All models and tails are available for purchase starting today, April 1, 2015. Pricing for the Zero Mouse Sport is $34.95, the Zero Mouse is $49.95, and the Zero Mouse Edition is $995.00. The leather tails are $14.95 each, the titanium mesh tail $24.95, and the carbon fiber tail is $799.95.

WATCH for this one!! With this innovation, the era of button-down mice seems to be ending (somewhat like shirts?), despite seemingly regressively replacing the one-button, two-button, and three-button mouse.

It is rumored that Microsoft is planning a competing voice-operated no-button mouse, albeit possibly with a built-in optional keyboard for people with small fingers. Google is expected to compete with its own autonomouse, which can move (autonomousely) *without* user control—or if a user is particularly gifted, with perceptive mind control—in either case, proactively anticipating user intent, and automatically avoiding collisions and interference with any other user's mouse. The potential risks are left as an exercise to the reader. PGN

No liability for exchange rate software error by United

Jeremy Epstein <jeremy.j.epstein@gmail.com>

Date: Sun, 29 Mar 2015 16:44:52 -0400

US Department of Transportation has informed United that it's not going to force them to honor the airfares that were posted on their website, because it was the fault of a third-party currency conversion site.

This seems to me a dangerous precedent (although airlines have previously tried to wiggle out of honoring prices on their websites when they've claimed software or data entry errors). Will other merchants be able to retroactively cancel orders (or change prices) if they find software errors that mean they don't have adequate profit (or cause losses)? Would United generously refund overpayments if the software had overcharged people who paid in particular currencies or particular websites?

"On February 11, 2015, a currency exchange-rate error in 3rd party software supplied to United affected several thousand bookings on United's Denmark-facing website. Specifically, this error temporarily caused flights originating in the United Kingdom and denominated in Danish Kroners (DKK) to be presented at only a fraction of their intended prices. While United filed fares correctly, this software error caused amounts charged to be significantly lower than prices offered through all other distribution channels or available in any other currency."

http://www.united.com/web/en-US/content/travel/exchange-rate-error.aspx?v_ctrk=HHLN$0-202-7697-1-5798

Digital currency risks

William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>

Date: Mon, 30 Mar 2015 11:56:32 +1030

Yet another crypto-currency exchange is cracked and emptied, and the usual causes—a Dunning-Kruger-esque ignorance of security principles applied to Other People's Money—are to blame. The interesting part here, other than that it wasn't a deliberate market exit aka "abscond with the deposits", is the full disclosure that you'd never see from a larger financial institution:

https://www.allcrypt.com/blog/2015/03/what-happened-and-whats-going-on/

While cryptocurrencies are attractive to some because of their lack of governmental control, a lack of oversight on exchanges is clearly costing customers real money. There are strict financial-services regulations already in place throughout the west and maybe they should be enforced.

Here's the worst of both worlds: easily-digitally-stealable cash with the full backing of a national government. Not only that, the block-chain means your cash-transaction history is visible to the issuing government and probably publicly too.

http://mobile.reuters.com/article/idUSKBN0M82KB20150312?irpc

Fraudster escapes jail by forging bail e-mail

Chris Drewe <e767pmk@yahoo.co.uk>

Date: Sun, 29 Mar 2015 14:59:24 +0100

RISKS readers will be familiar with phishing attempts using phony but realistic-looking URLs and e-mail addresses (e.g. "following our computer upgrade at Midland Bank, you need to go to mid1andbank.com and enter your credit card details"), but there was an item in yesterday's newspaper (Mar 28th, 2015) about a prisoner who got out of Wandsworth Jail in south London, UK, by forging correspondence granting him bail in exactly this way:

In summary, the article says that he set up false but official-looking e-mail addresses, then created his own bail documents.
*The Telegraph*, 28 March 2015 http://www.telegraph.co.uk/news/uknews/crime/11500973/Fraudster-escapes-from-one-of-Britains-most-secure-prisons-by-forging-letter-granting-him-bail.html

> He set up an email domain imitating Her Majesty's Court Service (HMCTS)
> that used hyphens instead of 'dots' to say Southwark Crown Court had
> rubber-stamped his bail on March 10, 2014. Moore managed to secure his
> release when staff failed to spot the subtle difference and misspelled
> court name 'Southwalk'.

Manipulating Wikipedia to Promote a Bogus Business School

Newsweek <lauren@vortex.com>

Date: Wed, 25 Mar 2015 08:09:13 -0700

Newsweek via NNSquad http://www.newsweek.com/2015/04/03/manipulating-wikipedia-promote-bogus-business-school-316133.html

In 2013, IIPM got an unexpected boost for its page. A new initiative launched by Jimmy Wales's Wikimedia Foundation offered free access to Wikipedia from mobile phones. The program, Wikipedia Zero, launched in India and other parts of the developing world, including Thailand, Myanmar, Morocco, Ghana and Malaysia. "In my opinion, by letting this go on for so long, Wikipedia has messed up perhaps 15,000 students' lives," Peri says. "They should have kept track of Wifione and what they were doing--they were just so active." The Wikimedia Foundation is apologetic but won't be offering compensation. In a statement, it said, "The Wikimedia Foundation was very disappointed to hear of the allegations of fraud committed by IIPM and Wifione. If true, it was a tremendous violation of the trust and good faith of our editors and readers. We will continue to work to support our editors and administrators in serving as a vigilant defense against such incidents and in hopes that they can prevent future incidents like this from occurring."

DDoS against Rutgers University, and perpetrator claims credit

danny burstein <dannyb@panix.com>

Date: Tue, 31 Mar 2015 08:32:01 -0400 (EDT)

Rutgers network crumples under siege by DDoS attack [Rutgers student newspaper]

The Rutgers network came under a Distributed Denial of Service (DDoS) attack beginning on March 27 and ending on March 30, according to an email sent by Don Smith, vice president and chief intelligence officer for the University's Office of Information Technology.

The incident, which knocked out access to RUWireless and RUWireless Secure, the school's Internet networks, as well as Sakai, the University's online learning platform, among other sites, was the third DDoS attack allegedly committed by an individual hacker since the first occurrence on Nov. 19, 2014. [...]

During the DDoS attack in November, 40,000 web robots, or "bots," originating from Eastern Europe and China flooded the network, dismantling the class web registration system when first-year students were scheduled to enroll in classes for the upcoming spring semester, according to the article. [...]

"A while back you had an article that talked about the DDoS attacks on Rutgers," the email read. "I'm the one who attacked the network [...]

This might make quite an interesting story ... I will be attacking the network once again at 8:15PM EST. You will see sakai.rutgers.edu offline."

rest: http://www.dailytargum.com/article/2015/03/rutgers-network-crumples-under-siege-by-ddos-attack

FTC Rules Jerk, LLC and John Fanning Deceived Consumers, Violated FTC Act

Gabe Goldberg <gabe@gabegold.com>

Date: Wed, 25 Mar 2015 16:36:26 -0400

The Federal Trade Commission has granted summary decision against the operators of Jerk.com, a website that billed itself as `the anti-social network' website. The Commission found that the operators Jerk, LLC and John Fanning misled consumers by claiming that content on the website was posted by other users. Instead, most of the content came from Facebook profiles mined by the operators.

https://www.ftc.gov/news-events/press-releases/2015/03/ftc-rules-jerk-llc-john-fanning-deceived-consumers-violated-ftc?utm_source=govdelivery

It's shocking that someone misused social media information, and that a website selling bogus "memberships" was stopped. But those are surely unique events and won't happen again on our always safe and comforting intertubes.

Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

"Washington is coming for your personal data"

Caroline Craig <genew@telus.net>

Date: Fri, 27 Mar 2015 12:05:46 -0700

Caroline Craig, InfoWorld, 27 Mar 2015

Little-noticed change to judicial rules gives the FBI greater powers to conduct remote searches, and the 'zombie bill': CISA is on the fast track to a Senate vote.

http://www.infoworld.com/article/2902611/government/washington-is-coming-for-your-personal-data.html

"Dell support tool put PCs at risk of malware infection"

Lucian Constantin <genew@telus.net>

Date: Thu, 26 Mar 2015 21:36:56 -0700

Lucian Constantin, InfoWorld, 25 Mar 2015

Weak authentication in Dell's System Detect utility could have enabled drive-by malware attacks

http://www.infoworld.com/article/2901385/security/dell-support-tool-put-pcs-at-risk-of-malware-infection.html

"Cisco IP phones open to remote eavesdropping, calling"

Lucian Constantin <genew@telus.net>

Date: Thu, 26 Mar 2015 21:38:09 -0700

Lucian Constantin, InfoWorld, 23 Mar 2015

An authentication flaw allows attackers to listen to audio streams and make calls from Cisco SPA 300 and 500 IP phones

http://www.infoworld.com/article/2899710/mobile-technology/cisco-ip-phones-open-to-remote-eavesdropping-calling.html

Australia passes data retention into law

Lauren Weinstein <lauren@vortex.com>

Date: Thu, 26 Mar 2015 15:44:55 -0700

IT News AU via NNSquad http://www.itnews.com.au/News/402127,australia-passes-data-retention-into-law.aspx

Law enforcement agencies will need to apply for warrants to access a journalist's metadata for the purpose of identifying a source. All other citizen metadata will be open to access without a warrant. Telcos and internet service providers will now have 18 months to prepare their systems and processes for the scheme, which has been forecast to cost between $188.8 million and $319.1 million to set up, and around $4 per customer per year to maintain. They will be required to store the non-content data of all customers for a two-year period to aid law enforcement agencies in criminal investigations. Telcos and ISPs are not restricted in where they can store the data. The metadata list will include, among other things: names, addresses, birthdates, financial and billing information of internet and phone account holders; traffic data such as numbers called and texted, as well as times and dates of communications; when and where online communications services start and end; a user's IP address; type and location of communication equipment; and upload and download volumes.

- - -

Going downhill fast down under.

Re: Jurisdictional risks

Doug Montalbano <doug_montalbano@yahoo.com>

Date: Thu, 26 Mar 2015 21:31:44 +0000 (UTC)

I understand the political point Brodie-Tyrrell is making. But, as the section "Policing the Twenty-First Century" in Marc Goodman's Future Crimes points out, (hypocrisy notwithstanding) how to police in a world that is now without borders is a major problem.

[I pointed to Goodman's book (the subtitle of which is Everything is Connected) in RISKS-28.43 and 28.53. PGN]

Re: Kali Linux security is a joke!

Ian Jackson <ijackson@chiark.greenend.org.uk>

Date: Thu, 26 Mar 2015 17:26:32 +0000

Like most Debian derivatives, Kali relies on the PGP-based archive signing system built into the Debian package distribution protocols. Observe:

http://ftp.hands.com/kali-security/dists/kali/Release
http://ftp.hands.com/kali-security/dists/kali/Release.gpg

This is a much better arrangement than relying on TLS (https) in almost all important respects:

The public key used by apt-get on a Debian derivative to verify the software updates is a dedicated archive signing key, controlled by the Debian derivative itself. So unlike TLS, which relies on CAs, the kali archive signing system cannot be subverted by third parties. Furthermore, key rollover is straightforward: the new public key can be distributed in a software update. This bespoke arrangement provides much better integrity protection.

It also has operational advantages: it is much easier to run a mirror network. Mirrors do not need to be enrolled into a certificate scheme and granted authority to subvert users' machines. Instead, mirrors simply redistribute the signatures made by the distribution itself.

TLS is a much worse protocol than PGP in general - it is much messier and has many more opportunities for implementation and configuration errors.

The mirror does have some ability to perform a rollback attack, but the impact is limited to delaying updates, rather than rewinding target systems, because the software update mechanism does not downgrade packages unless specifically asked by the user.

Deploying TLS for mirrors would be useful to help protect the privacy of users: it would make it harder for an eavesdropper to discern which packages a particular computer has installed, and would impede some network-based rollback attacks. Debian itself has been discussing these concerns.

> What's the point of verifying md5 sums against "official values", if Kali
> can't even get the "official values" securely ??

This response seems really knee-jerk. Rather than immediately assuming the worst, just because someone isn't using TLS, it would have been worth double-checking.

It seems that Henry Baker would, if asked to design a software update mechanism, rely on TLS for the software integrity protection. For the reasons explained above this would be a poor decision.

[Be sure to read the paper by Benjamin Beurdouche et al., A Messy State of the Union: Taming the Composite State Machines of TLS, which will be presented in the IEEE Symposium on Security and Privacy, 18-20 May, which fairly demolishes half a dozen TLS implementations—because they each have remarkable unexpected behaviors resulting from the composition of the client side and the server side. Indeed, Everything is Connected, but often with nasty results. (See the previous item.) PGN]
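The integrity chain discussed in this item, as an added example that is not part of the original message or of apt's own code: once the `Release` file has passed signature verification against the archive key, every index a mirror serves is checked against the SHA256 and size listed in it, and a validly signed but older `Release` is recognised as a replay by its `Date` field. The signature step is assumed to have been done already; the function names, sample `Release` contents and package index are constructed for illustration.

```python
import hashlib
from email.utils import parsedate_to_datetime

def parse_release(text):
    """Return (fields, {path: (sha256_hex, size)}) from a Release file."""
    fields, sums, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" "):              # entry inside a checksum block
            if section == "SHA256":
                digest, size, path = line.split()
                sums[path] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            section = key
            fields[key] = value.strip()
    return fields, sums

def verify_index(sums, path, data):
    """True only if the mirror's copy of `path` matches the signed size and SHA256."""
    if path not in sums:
        return False                          # not covered by the signature
    digest, size = sums[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def is_rollback(new_fields, last_seen_fields):
    """A correctly signed Release older than one already accepted is a replay."""
    new = parsedate_to_datetime(new_fields["Date"])
    old = parsedate_to_datetime(last_seen_fields["Date"])
    return new < old

def build_sample_release(date, packages):
    """Constructed sample: a minimal Release covering one Packages index."""
    digest = hashlib.sha256(packages).hexdigest()
    return (f"Origin: Kali\nSuite: kali\nDate: {date}\n"
            f"SHA256:\n {digest} {len(packages)} main/binary-amd64/Packages\n")

if __name__ == "__main__":
    index = b"Package: example\nVersion: 1.0\n"          # constructed index
    current, sums = parse_release(
        build_sample_release("Thu, 26 Mar 2015 12:00:00 UTC", index))
    stale, _ = parse_release(
        build_sample_release("Thu, 19 Mar 2015 12:00:00 UTC", index))
    path = "main/binary-amd64/Packages"
    print("genuine index accepted:", verify_index(sums, path, index))
    print("tampered index accepted:", verify_index(sums, path, index + b"X"))
    print("stale Release flagged:", is_rollback(stale, current))
```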

Re: House Judiciary Committee tries to be cool, fails oh so miserably

Devon McCormick <devonmcc@gmail.com>

Date: Thu, 26 Mar 2015 10:44:54 -0400

The page may look amateurish but consider the sub-text: many images of pretty, mostly blonde, women on a page about enforcing immigration laws. What's the real message here?

Re: As We Age, Smartphones Don't Make Us Stupid ...

Rob Slade <rmslade@shaw.ca>

Date: Wed, 25 Mar 2015 18:34:53 -0700

> In general, the students who did not use computers did better than those
> who did.

This doesn't surprise me in the least.

I used to tell my students that all the exams (in courses I taught for colleges and universities) were open book. I don't tell them that any more.

My exams are written to test for understanding, not rote memorization. You can't find the answer on page 42.

It just got to be too painful watching the unprepared stagger in with piles of books, and then spend the entire exam period flipping pages, trying vainly to find things they'd never bothered to learn during the course. (Since they'd never bothered to learn them, they had no idea where they were in the book, either.)

rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org

The dictionary is the only place where success comes before work. Mark Twain

victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/

Re: "GoDaddy accounts vulnerable to social engineering and Photoshop"

Craig Burton <Craig.Burton@vec.vic.gov.au>

Date: Thu, 26 Mar 2015 12:23:10 +1100

I read with interest the GoDaddy social engineering success. It seems the missing step is actually something that verifies the ID document content. My government has fairly recently deployed a central personal information oracle. http://www.dvs.gov.au/Pages/default.aspx

I am sure other such services exist in other countries but I would expect larger countries than Australia may have more trouble consolidating data. I assume if this were available to GoDaddy the call agent would get a DVS fail on the driver license name and number together.

Re: Software says "'Dr' Must Be Male"!

Thomas Koenig <tkoenig@netcologne.de>

Date: Fri, 27 Mar 2015 08:16:37 +0100

PGN wrote:

> [In Germany, if her husband were also a Dr, she would be Frau Doktor
> Doktor Selby, and presumably German software would have no problem
> with that. PGN]

This usage was quaint forty years ago, and is non-existent now, except for a few lame jokes. It is certainly against the law in Germany to claim to be a Dr. if you are not entitled to it.

The RISK? Continuing to rely on outdated assumptions without checking if they still apply.

[Similarly noted by Drew Dean, who remarked that Germans have been amused that Austrians still observed this `quaint' custom. Mea Culpa. Yes, I'm remembering fifty-five years ago, when the wife of the Darmstadt lab director Herr Dr Professor Alwin Walther was routinely referred to as Frau Dr Dr Walther (because she was also a Dr). I'm happy to know that this academic honorific is no longer practiced. PGN]

Risky Business: Virgin Galactic

William Langewiesche <neumann@csl.sri.com>

Date: Wed, 25 Mar 2015 9:14:16 PDT

William Langewiesche, "Risky Business", *Vanity Fair*, April 2015, p. 180

"More than 700 people have paid up to $250,000 for a ride on Richard Branson's Virgin Galactic. In this excerpt from 'Vanity Fair's' April 2015 article about the mogul's risky business, William Langewiesche details the particulars about Virgin Galactic's trip to space."

http://www.vanityfair.com/news/2015/03/what-is-it-like-to-fly-virgin-galactic

Book: Peter Carey, Amnesia

PGN <neumann@csl.sri.com>

Date: Sun, 29 Mar 2015 10:40:19 PDT

Peter Carey, Amnesia, Alfred A. Knopf, 2015, 307 pp. (From a publisher blurb)

"The two-time Booker Prize winner now gives us an exceedingly timely, exhilarating novel—at once dark, suspenseful, and seriously funny—that journeys to the place where the cyber underworld collides with international power politics. ... Bringing together the world of hackers and radicals with the `special relationship' between the United States and Australia, and Australia and the CIA, Amnesia is a novel that speaks powerfully about the often hidden past, but most urgently about the more and more hidden present."

[It certainly seems timely and topical. Note: My wife loved it. PGN]

[Spoiler alert: The plot line in this book automates the get-out-of-jail process noted in Chris Drewe's item earlier in this issue, and scales it up extensively—ending up with a large-scale remote e-release of prisoners. PGN]