[27289] in RISKS Forum
Risks Digest 28.58
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Wed Apr 1 02:23:05 2015
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 31 Mar 2015 23:23:01 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Wednesday 1 April 2015 Volume 28 : Issue 58
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.58.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
The Apple zero-button mouse -- and related innovations? (PGN)
No liability for exchange rate software error by United (Jeremy Epstein)
Digital currency risks (William Brodie-Tyrrell)
Fraudster escapes jail by forging bail e-mail (Chris Drewe)
Manipulating Wikipedia to Promote a Bogus Business School (Newsweek)
DDoS against Rutgers University, and perpetrator claims credit
(danny burstein)
FTC Rules Jerk, LLC and John Fanning Deceived Consumers, Violated FTC Act
(Gabe Goldberg)
"Washington is coming for your personal data" (Caroline Craig)
"Dell support tool put PCs at risk of malware infection" (Lucian Constantin)
"Cisco IP phones open to remote eavesdropping, calling" (Lucian Constantin)
Australia passes data retention into law (Lauren Weinstein)
Re: Jurisdictional risks (Doug Montalbano)
Re: Kali Linux security is a joke! (Ian Jackson)
Re: House Judiciary Committee tries to be cool, fails oh so miserably
(Devon McCormick)
Re: As We Age, Smartphones Don't Make Us Stupid ... (Rob Slade)
Re: "GoDaddy accounts vulnerable to social engineering and Photoshop"
(Craig Burton)
Re: Software says "'Dr' Must Be Male"! (Thomas Koenig)
Risky Business: Virgin Galactic (William Langewiesche)
Book: Peter Carey, Amnesia (PGN)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: 1 April 2015
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: The Apple zero-button mouse -- and related innovations?
I just stumbled on to this item:
CUPERTINO, CA, April 1, 2015 -- Apple, Inc. (NASDAQ: AAPL) today announces
the ultimate refinement in pointer technology: the zero-button mouse. "We
found that the button was confusing users," said Sir Jonathan Ive, Vice
President of Design. The zero-button mouse uses a flexible antenna, which
Apple calls the tail. In order to left click, the user grabs the mouse by
the tail, and swings it to the left. Right clicking is similar, but
swinging to the right. Scrolling is accomplished by swinging the mouse
towards or away from the user. The zero-button mouse is available in
three collections: Apple Zero Mouse Sport in aluminum, Apple Zero Mouse in
stainless steel, and the Apple Zero Mouse Edition, 18-carat gold. A white
rubber tail is standard, but optional tails are available in black and red
leather, titanium mesh, and carbon fiber.
Pricing and Availability: All models and tails are available for purchase
starting today, April 1, 2015. Pricing for the Zero Mouse Sport is
$34.95, the Zero Mouse is $49.95, and the Zero Mouse Edition is $995.00.
The leather tails are $14.95 each, the titanium mesh tail $24.95, and the
carbon fiber tail is $799.95.
WATCH for this one!! With this innovation, the era of button-down mice
seems to be ending (somewhat like shirts?), despite seemingly regressively
replacing the one-button, two-button, and three-button mouse.
It is rumored that Microsoft is planning a competing voice-operated
no-button mouse, albeit possibly with a built-in optional keyboard for
people with small fingers. Google is expected to compete with its own
autonomouse, which can move (autonomousely) *without* user control -- or if
a user is particularly gifted, with perceptive mind control -- in either
case, proactively anticipating user intent, and automatically avoiding
collisions and interference with any other user's mouse. The potential
risks are left as an exercise to the reader. PGN
------------------------------
Date: Sun, 29 Mar 2015 16:44:52 -0400
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: No liability for exchange rate software error by United
US Department of Transportation has informed United that it's not going to
force them to honor the airfares that were posted on their website, because
it was the fault of a third-party currency conversion site.
This seems to me a dangerous precedent (although airlines have previously
tried to wiggle out of honoring prices on their websites when they've
claimed software or data entry errors). Will other merchants be able to
retroactively cancel orders (or change prices) if they find software errors
that mean they don't have adequate profit (or cause losses)? Would United
generously refund overpayments if the software had overcharged people who
paid in particular currencies or particular websites?
"On February 11, 2015, a currency exchange-rate error in 3rd party software
supplied to United affected several thousand bookings on United's
Denmark-facing website. Specifically, this error temporarily caused flights
originating in the United Kingdom and denominated in Danish Kroners (DKK)
to be presented at only a fraction of their intended prices. While United
filed fares correctly, this software error caused amounts charged to be
significantly lower than prices offered through all other distribution
channels or available in any other currency."
http://www.united.com/web/en-US/content/travel/exchange-rate-error.aspx?v_ctrk=HHLN$0-202-7697-1-5798
------------------------------
Date: Mon, 30 Mar 2015 11:56:32 +1030
From: William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
Subject: Digital currency risks
Yet another crypto-currency exchange is cracked and emptied, and the usual
causes -- a Dunning-Kruger-esque ignorance of security principles applied to
Other People's Money -- are to blame. The interesting part here, other than
that it wasn't a deliberate market exit aka "abscond with the deposits", is
the full disclosure that you'd never see from a larger financial
institution:
https://www.allcrypt.com/blog/2015/03/what-happened-and-whats-going-on/
While cryptocurrencies are attractive to some because of their lack of
governmental control, a lack of oversight on exchanges is clearly costing
customers real money. There are strict financial-services regulations
already in place throughout the west and maybe they should be enforced.
Here's the worst of both worlds: easily-digitally-stealable cash with the
full backing of a national government. Not only that, the block-chain
means your cash-transaction history is visible to the issuing government
and probably publicly too.
http://mobile.reuters.com/article/idUSKBN0M82KB20150312?irpc=932
The only upside is that this may be a way to introduce macro-economic
controls (manual control over the minting rate) to cryptocurrencies and
thereby avoid the deflationary nature that makes BTC useless as a unit of
account.
William Brodie-Tyrrell http://www.brodie-tyrrell.org/
------------------------------
Date: Sun, 29 Mar 2015 14:59:24 +0100
From: Chris Drewe <e767pmk@yahoo.co.uk>
Subject: Fraudster escapes jail by forging bail e-mail
RISKS readers will be familiar with phishing attempts using phony but
realistic-looking URLs and e-mail addresses (e.g. "following our computer
upgrade at Midland Bank, you need to go to mid1andbank.com and enter your
credit card details"), but there was an item in yesterday's newspaper (Mar
28th, 2015) about a prisoner who got out of Wandsworth Jail in south London,
UK, by forging correspondence granting him bail in exactly this way:
In summary, the article says that he set up false but official-looking
e-mail addresses, then created his own bail documents.
*The Telegraph*, 28 March 2015
http://www.telegraph.co.uk/news/uknews/crime/11500973/Fraudster-escapes-from-one-of-Britains-most-secure-prisons-by-forging-letter-granting-him-bail.html
> He set up an email domain imitating Her Majesty's Court Service (HMCTS)
> that used hyphens instead of 'dots' to say Southwark Crown Court had
> rubber-stamped his bail on March 10, 2014. Moore managed to secure his
> release when staff failed to spot the subtle difference and misspelled
> court name 'Southwalk'.
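The two tricks in the article (hyphens standing in for dots, and a one-letter
misspelling that staff did not notice) are mechanical enough that a mail
gateway can flag them before a human sees the message. The following is an
added example, not code from the Telegraph article or from any court or
prison system: it screens the domain of a From: header against a constructed
allowlist of trusted domains, treating a hyphen-for-dot substitution, a small
edit distance, and a digit-for-letter swap of the "mid1andbank" kind as
lookalikes. The domains and addresses are constructed; the only library
calls are the standard library's parseaddr and str.translate.

```python
"""Flag sender domains that imitate a trusted domain (added example, constructed data)."""
from email.utils import parseaddr

# Constructed allowlist: mail from these domains is acted on without further checks.
TRUSTED_DOMAINS = {"southwark.crowncourt.example", "midlandbank.example"}

# Digits commonly used to stand in for letters (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Canonical form: lowercase, digits mapped to letters, hyphens treated as dots."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS).replace("-", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches 'southwalk' for 'southwark'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain in a From: value."""
    _, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        # Exact match after normalization covers hyphen-for-dot and digit swaps;
        # a small edit distance covers one- or two-letter misspellings.
        if norm == tn or levenshtein(norm, tn) <= max_distance:
            return "lookalike"
    return "unknown"


# Constructed From: header values a gateway might see.
SAMPLE_FROM_HEADERS = [
    "Listing Clerk <clerk@southwark.crowncourt.example>",
    "Listing Clerk <clerk@southwark-crowncourt.example>",
    "clerk@southwalk.crowncourt.example",
    "alerts@mid1andbank.example",
    "friend@example.org",
]


def triage(headers):
    """Classify each header value; returns (address, verdict) pairs for review."""
    return [(parseaddr(h)[1], classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for address, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9s} {address}")
```

A max_distance of 2 is generous; on short registrable domains it will
produce false positives, so a deployment would tune it per domain length or
compare only the registrable part. The point the article makes stands
either way: the check that was missing was a mechanical one, not a judgement
call.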
------------------------------
Date: Wed, 25 Mar 2015 08:09:13 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Manipulating Wikipedia to Promote a Bogus Business School (Newsweek)
Newsweek via NNSquad
http://www.newsweek.com/2015/04/03/manipulating-wikipedia-promote-bogus-business-school-316133.html
In 2013, IIPM got an unexpected boost for its page. A new initiative
launched by Jimmy Wales's Wikimedia Foundation offered free access to
Wikipedia from mobile phones. The program, Wikipedia Zero, launched in
India and other parts of the developing world, including Thailand,
Myanmar, Morocco, Ghana and Malaysia. "In my opinion, by letting this go
on for so long, Wikipedia has messed up perhaps 15,000 students' lives,"
Peri says. "They should have kept track of Wifione and what they were
doing--they were just so active." The Wikimedia Foundation is apologetic
but won't be offering compensation. In a statement, it said, "The
Wikimedia Foundation was very disappointed to hear of the allegations of
fraud committed by IIPM and Wifione. If true, it was a tremendous
violation of the trust and good faith of our editors and readers. We will
continue to work to support our editors and administrators in serving as a
vigilant defense against such incidents and in hopes that they can prevent
future incidents like this from occurring."
------------------------------
Date: Tue, 31 Mar 2015 08:32:01 -0400 (EDT)
From: danny burstein <dannyb@panix.com>
Subject: DDoS against Rutgers University, and perpetrator claims credit
Rutgers network crumples under siege by DDoS attack [Rutgers student newspaper]
The Rutgers network came under a Distributed Denial of Service (DDoS) attack
beginning on March 27 and ending on March 30, according to an email sent by
Don Smith, vice president and chief intelligence officer for the
University's Office of Information Technology.
The incident, which knocked out access to RUWireless and RUWireless Secure,
the school's Internet networks, as well as Sakai, the University's online
learning platform, among other sites, was the third DDoS attack allegedly
committed by an individual hacker since the first occurrence on Nov. 19,
2014. [...]
During the DDoS attack in November, 40,000 web robots, or "bots,"
originating from Eastern Europe and China flooded the network, dismantling
the class web registration system when first-year students were scheduled to
enroll in classes for the upcoming spring semester, according to the
article. [...]
"A while back you had an article that talked about the DDoS attacks on
Rutgers," the email read. "I'm the one who attacked the network [...]
This might make quite an interesting story ... I will be attacking the
network once again at 8:15PM EST. You will see sakai.rutgers.edu offline."
rest:
http://www.dailytargum.com/article/2015/03/rutgers-network-crumples-under-siege-by-ddos-attack
------------------------------
Date: Wed, 25 Mar 2015 16:36:26 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: FTC Rules Jerk, LLC and John Fanning Deceived Consumers, Violated
FTC Act
The Federal Trade Commission has granted summary decision against the
operators of Jerk.com, a website that billed itself as `the anti-social
network' website. The Commission found that the operators Jerk, LLC and John
Fanning misled consumers by claiming that content on the website was posted
by other users. Instead, most of the content came from Facebook profiles
mined by the operators.
https://www.ftc.gov/news-events/press-releases/2015/03/ftc-rules-jerk-llc-john-fanning-deceived-consumers-violated-ftc?utm_source=govdelivery
It's shocking that someone misused social media information, and that a
website selling bogus "memberships" was stopped. But those are surely unique
events and won't happen again on our always safe and comforting intertubes.
Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
------------------------------
Date: Fri, 27 Mar 2015 12:05:46 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Washington is coming for your personal data" (Caroline Craig)
Caroline Craig, InfoWorld, 27 Mar 2015
Little-noticed change to judicial rules gives the FBI greater powers
to conduct remote searches, and the 'zombie bill': CISA is on the fast
track to a Senate vote.
http://www.infoworld.com/article/2902611/government/washington-is-coming-for-your-personal-data.html
------------------------------
Date: Thu, 26 Mar 2015 21:36:56 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Dell support tool put PCs at risk of malware infection"
(Lucian Constantin)
Lucian Constantin, InfoWorld, 25 Mar 2015
Weak authentication in Dell's System Detect utility could have
enabled drive-by malware attacks
http://www.infoworld.com/article/2901385/security/dell-support-tool-put-pcs-at-risk-of-malware-infection.html
------------------------------
Date: Thu, 26 Mar 2015 21:38:09 -0700
From: Gene Wirchenko <genew@telus.net>
Subject: "Cisco IP phones open to remote eavesdropping, calling"
(Lucian Constantin)
Lucian Constantin, InfoWorld, 23 Mar 2015
An authentication flaw allows attackers to listen to audio streams
and make calls from Cisco SPA 300 and 500 IP phones
http://www.infoworld.com/article/2899710/mobile-technology/cisco-ip-phones-open-to-remote-eavesdropping-calling.html
------------------------------
Date: Thu, 26 Mar 2015 15:44:55 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Australia passes data retention into law
IT News AU via NNSquad
http://www.itnews.com.au/News/402127,australia-passes-data-retention-into-law.aspx
Law enforcement agencies will need to apply for warrants to access a
journalist's metadata for the purpose of identifying a source. All other
citizen metadata will be open to access without a warrant. Telcos and
internet service providers will now have 18 months to prepare their
systems and processes for the scheme, which has been forecast to cost
between $188.8 million and $319.1 million to set up, and around $4 per
customer per year to maintain. They will be required to store the
non-content data of all customers for a two-year period to aid law
enforcement agencies in criminal investigations. Telcos and ISPs are not
restricted in where they can store the data. The metadata list will
include, among other things: names, addresses, birthdates, financial and
billing information of internet and phone account holders; traffic data
such as numbers called and texted, as well as times and dates of
communications; when and where online communications services start and
end; a user's IP address; type and location of communication equipment;
and upload and download volumes.
- - -
Going downhill fast down under.
------------------------------
Date: Thu, 26 Mar 2015 21:31:44 +0000 (UTC)
From: Doug Montalbano <doug_montalbano@yahoo.com>
Subject: Re: Jurisdictional risks (RISKS-28.56)
I understand the political point Brodie-Tyrrell is making. But, as the
section "Policing the Twenty-First Century" in Marc Goodman's Future Crimes
points out, (hypocrisy notwithstanding) how to police in a world that is now
without borders is a major problem.
[I pointed to Goodman's book (the subtitle of which is Everything is
Connected) in RISKS-28.43 and 28.53. PGN]
------------------------------
Date: Thu, 26 Mar 2015 17:26:32 +0000
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Subject: Re: Kali Linux security is a joke! (RISKS-28.56)
Like most Debian derivatives, Kali relies on the PGP-based archive
signing system built into the Debian package distribution protocols.
Observe:
http://ftp.hands.com/kali-security/dists/kali/Release
http://ftp.hands.com/kali-security/dists/kali/Release.gpg
This is a much better arrangement than relying on TLS (https) in almost all
important respects:
The public key used by apt-get on a Debian derivative to verify the software
updates is a dedicated archive signing key, controlled by the Debian
derivative itself. So unlike TLS, which relies on CAs, the kali archive
signing system cannot be subverted by third parties. Furthermore, key
rollover is straightforward: the new public key can be distributed in a
software update. This bespoke arrangement provides much better integrity
protection.
It also has operational advantages: it is much easier to run a mirror
network. Mirrors do not need to be enrolled into a certificate scheme and
granted authority to subvert users' machines. Instead, mirrors simply
redistribute the signatures made by the distribution itself.
TLS is a much worse protocol than PGP in general - it is much messier and
has many more opportunities for implementation and configuration errors.
The mirror does have some ability to perform a rollback attack, but the
impact is limited to delaying updates, rather than rewinding target systems,
because the software update mechanism does not downgrade packages unless
specifically asked by the user.
Deploying TLS for mirrors would be useful to help protect the privacy of
users: it would make it harder for an eavesdropper to discern which
packages a particular computer has installed, and would impede some
network-based rollback attacks. Debian itself has been discussing these
concerns.
> What's the point of verifying md5 sums against "official values", if Kali
> can't even get the "official values" securely ??
This response seems really knee-jerk. Rather than immediately assuming the
worst, just because someone isn't using TLS, it would have been worth
double-checking.
It seems that Henry Baker would, if asked to design a software update
mechanism, rely on TLS for the software integrity protection. For the
reasons explained above this would be a poor decision.
[Be sure to read the paper by Benjamin Beurdouche et al., A Messy State of
the Union: Taming the Composite State Machines of TLS, which will be
presented in the IEEE Symposium on Security and Privacy, 18-20 May, which
fairly demolishes half a dozen TLS implementations -- because they each
have remarkable unexpected behaviors resulting from the composition of the
client side and the server side. Indeed, Everything is Connected, but
often with nasty results. (See the previous item.) PGN]
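To make concrete what Ian Jackson describes, here is an added example (not
apt's, Debian's or Kali's code) of the hash chain that sits underneath the
archive signature. apt first verifies Release.gpg against the distribution's
archive signing key; that step is omitted here. Everything below is what the
signature then protects: the Release file lists the SHA256 of each Packages
index, and each Packages stanza lists the SHA256 of its .deb, so a mirror
that alters an index or a package is caught even though the mirror itself is
untrusted. The Valid-Until check is the limit Jackson mentions on a mirror's
ability to replay old data. Field names (Date, Valid-Until, SHA256, Filename,
Size) are the real Release and Packages fields; the package, index and dates
are constructed.

```python
"""Walk the hash chain under a Debian-style signed Release file (added example)."""
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed .deb stand-in and the Packages stanza that describes it.
DEB_BYTES = b"deb payload"
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
PACKAGES = b"".join([
    b"Package: example-tool\n",
    b"Version: 1.0-1\n",
    b"Architecture: amd64\n",
    b"Filename: %s\n" % DEB_PATH.encode(),
    b"Size: %d\n" % len(DEB_BYTES),
    b"SHA256: %s\n" % hashlib.sha256(DEB_BYTES).hexdigest().encode(),
])
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_DATE = datetime(2015, 3, 26, 12, 0, tzinfo=timezone.utc)   # constructed
SAMPLE_NOW = RELEASE_DATE + timedelta(days=1)     # inside the validity window
SAMPLE_LATER = RELEASE_DATE + timedelta(days=30)  # after Valid-Until has passed


def build_release(packages: bytes, valid_days: int = 7) -> str:
    """Construct the Release body an archive would sign (constructed sample)."""
    fmt = "%a, %d %b %Y %H:%M:%S UTC"
    until = RELEASE_DATE + timedelta(days=valid_days)
    return (
        "Origin: Example\n"
        f"Date: {RELEASE_DATE.strftime(fmt)}\n"
        f"Valid-Until: {until.strftime(fmt)}\n"
        "SHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} {INDEX_PATH}\n"
    )


RELEASE_TEXT = build_release(PACKAGES)


def parse_release(text: str) -> dict:
    """Parse the top-level fields and the SHA256 hash list of a Release file."""
    fields, hashes, in_sha = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" ") and in_sha:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        elif line.startswith("SHA256:"):
            in_sha = True
        else:
            in_sha = False
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    fields["SHA256"] = hashes
    return fields


def is_fresh(release: dict, now: datetime) -> bool:
    """Reject a stale Release that a mirror could replay once Valid-Until has passed."""
    until = parsedate_to_datetime(release["Valid-Until"])
    if until.tzinfo is None:
        until = until.replace(tzinfo=timezone.utc)
    return now <= until


def verify_index(release: dict, path: str, data: bytes) -> bool:
    """Check a downloaded Packages index against the size and hash in the Release file."""
    entry = release["SHA256"].get(path)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_deb(packages: bytes, filename: str, deb: bytes) -> bool:
    """Check a downloaded .deb against the stanza for it in the (already verified) index."""
    for stanza in packages.decode().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Filename") == filename:
            return int(fields["Size"]) == len(deb) and hashlib.sha256(deb).hexdigest() == fields["SHA256"]
    return False


def check_mirror(release_text: str, packages: bytes, deb: bytes, now: datetime) -> bool:
    """Full chain below the signature: Release -> Packages index -> .deb."""
    release = parse_release(release_text)
    return (is_fresh(release, now)
            and verify_index(release, INDEX_PATH, packages)
            and verify_deb(packages, DEB_PATH, deb))


if __name__ == "__main__":
    print("good mirror:    ", check_mirror(RELEASE_TEXT, PACKAGES, DEB_BYTES, SAMPLE_NOW))
    print("tampered index: ", check_mirror(RELEASE_TEXT, PACKAGES.replace(b"1.0-1", b"0.9-1"), DEB_BYTES, SAMPLE_NOW))
    print("tampered deb:   ", check_mirror(RELEASE_TEXT, PACKAGES, b"evil payload", SAMPLE_NOW))
    print("stale release:  ", check_mirror(RELEASE_TEXT, PACKAGES, DEB_BYTES, SAMPLE_LATER))
```

Note what the mirror's position buys and does not buy it: it can serve the
old signed Release and matching old indexes (which is why Valid-Until
matters), but it cannot substitute a different index or package without
breaking a hash that the signed file fixes.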
------------------------------
Date: Thu, 26 Mar 2015 10:44:54 -0400
From: Devon McCormick <devonmcc@gmail.com>
Subject: Re: House Judiciary Committee tries to be cool, fails oh so miserably
The page may look amateurish but consider the sub-text: many images of
pretty, mostly blonde, women on a page about enforcing immigration laws.
What's the real message here?
------------------------------
Date: Wed, 25 Mar 2015 18:34:53 -0700
From: Rob Slade <rmslade@shaw.ca>
Subject: Re: As We Age, Smartphones Don't Make Us Stupid ... (RISKS-28.57)
> In general, the students who did not use computers did better than those
> who did.
This doesn't surprise me in the least.
I used to tell my students that all the exams (in courses I taught for
colleges and universities) were open book. I don't tell them that any more.
My exams are written to test for understanding, not rote memorization. You
can't find the answer on page 42.
It just got to be too painful watching the unprepared stagger in with piles
of books, and then spend the entire exam period flipping pages, trying
vainly to find things they'd never bothered to learn during the course.
(Since they'd never bothered to learn them, they had no idea where they were
in the book, either.)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The dictionary is the only place where success comes before work.
Mark Twain
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
------------------------------
Date: Thu, 26 Mar 2015 12:23:10 +1100
From: "Craig Burton" <Craig.Burton@vec.vic.gov.au>
Subject: Re: "GoDaddy accounts vulnerable to social engineering and Photoshop"
(Ragan, RISKS-28.57)
I read with interest the GoDaddy social engineering success. It seems the
missing step is actually something that verifies the ID document content.
My government has fairly recently deployed a central personal information
oracle.
http://www.dvs.gov.au/Pages/default.aspx
I am sure other such services exist in other countries but I would expect
larger countries than Australia may have more trouble consolidating data. I
assume if this were available to GoDaddy the call agent would get a DVS fail
on the driver license name and number together.
------------------------------
Date: Fri, 27 Mar 2015 08:16:37 +0100
From: Thomas Koenig <tkoenig@netcologne.de>
Subject: Re: Software says "'Dr' Must Be Male"!
PGN wrote:
> [In Germany, if her husband were also a Dr, she would be Frau Doktor
> Doktor Selby, and presumably German software would have no problem
> with that. PGN]
This usage was quaint forty years ago, and is non-existent now, except
for a few lame jokes. It is certainly against the law in Germany to
claim to be a Dr. if you are not entitled to it.
The RISK? Continuing to rely on outdated assumptions without checking if
they still apply.
[Similarly noted by Drew Dean, who remarked that Germans have been amused
that Austrians still observed this `quaint' custom. Mea Culpa. Yes, I'm
remembering fifty-five years ago, when the wife of the Darmstadt lab
director Herr Dr Professor Alwin Walther was routinely referred to as Frau
Dr Dr Walther (because she was also a Dr). I'm happy to know that this
academic honorific is no longer practiced. PGN]
------------------------------
Date: Wed, 25 Mar 2015 9:14:16 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Risky Business: Virgin Galactic (William Langewiesche)
William Langewiesche, "Risky Business", *Vanity Fair*, April 2015, p. 180
"More than 700 people have paid up to $250,000 for a ride on Richard
Branson's Virgin Galactic. In this excerpt from 'Vanity Fair's' April
2015 article about the mogul's risky business, William Langewiesche
details the particulars about Virgin Galactic's trip to space."
http://www.vanityfair.com/news/2015/03/what-is-it-like-to-fly-virgin-galactic
------------------------------
Date: Sun, 29 Mar 2015 10:40:19 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Book: Peter Carey, Amnesia
Peter Carey, Amnesia, Alfred A. Knopf, 2015, 307 pp. (From a publisher blurb)
``The two-time Booker Prize winner now gives us an exceedingly timely,
exhilarating novel -- at once dark, suspenseful, and seriously funny -- that
journeys to the place where the cyber underworld collides with international
power politics. ... Bringing together the world of hackers and radicals
with the `special relationship' between the United States and Australia, and
Australia and the CIA, Amnesia is a novel that speaks powerfully about the
often hidden past, but most urgently about the more and more hidden
present.''
[It certainly seems timely and topical. Note: My wife loved it. PGN]
[Spoiler alert: The plot line in this book automates the get-out-of-jail
process noted in Chris Drewe's item earlier in this issue, and scales it
up extensively -- ending up with a large-scale remote e-release of
prisoners. PGN]
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.58
************************