RISKS Forum mailing list archives
Risks Digest 28.05
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 26 Jun 2014 19:16:05 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 26 June 2014  Volume 28 : Issue 05

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.05.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Norway abandons Internet voting experiments (PGN)
Re: Hong Kong electronic voting system cyber-attacked (Steve Lamont)
Major Ruling Shields Privacy of Cellphones (Adam Liptak)
High Court Ruling On Search Warrants Is Broader Than Cellphones
  (NPR via NNSquad)
Researchers Find/Decode Spy Tools Governments Use to Hijack Phones
  (Kim Zetter via Dewayne Hendricks)
"Foolproof" system to authenticate bank customers by their voice
  (Michael Bacon)
Did you know Equifax buys and sells real-time employment data? (Deborah Peel)
"Privacy concerns loom over 'new' Google domain registration service"
  (Woody Leonhard via Gene Wirchenko)
"Two months later, 300K servers still vulnerable to Heartbleed"
  (Ian Paul via Gene Wirchenko)
Google Glass Snoopers Can Steal Your Passcode With a Glance (Andy Greenberg)
"Researchers expect large wave of rootkits targeting 64-bit systems"
  (Gene Wirchenko)
Re: Trouble with firefox updates (Dimitri Maziuk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 26 Jun 2014 10:16:26 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Norway abandons Internet voting experiments

The Norwegian government is ceasing their experiments to conduct elections
using the Internet.  Apparently they have realized that security and
privacy are inadequate.  Earlier experiments have shown major flaws in
cryptographic implementations, poor software engineering (e.g., `spaghetti
code', which was noted as a problem in a voting machine by Eva Waskell in
1986!!!), lack of contemporary system security/integrity evaluations, and
more -- in the Scytl software.

http://www.tu.no/it/2014/06/25/regjeringen-vraker-e-valget?fb_action_ids=600096603443541&fb_action_types=og.recommends&fb_source=other_multiline&action_object_map=%5B711062558952360%5D&action_type_map=%5B%22og.recommends%22%5D&action_ref_map=%5B%5D

  [In this URL, I removed the `3D' used to encode the equal sign, but I
  have no idea what the `%5B' and `%5D' might be encoding in Norwegian.
  Sorry.  PGN]

------------------------------

Date: Tue, 24 Jun 2014 14:26:37 -0700
From: spl () tirebiter org (Steve Lamont)
Subject: Re: Hong Kong electronic voting system cyber-attacked
> The FATAL flaw of online voting systems (and one for which there is *no*
> technological solution whatsoever) isn't DDoS, identification, or
> communications security.  It's very simply that there is *no* way to
> ensure that the voter isn't voting under duress... with a gun held to
> their head (figuratively, or even literally). . . .

One has to wonder how real a threat this might be.  Yes, it's a nice movie
of the week plot but it really doesn't make a lot of sense in that it
influences exactly one vote which would rarely be decisive.  I suppose an
employer might use coercion to force their entire workplace to vote one way
or another but, again, can it be done in numbers significant enough to
influence even a middling size election?  I rather doubt it.

> No way to make sure the voter isn't selling their vote (drugs, sex,
> alcohol, money...). . . .

While this is certainly execrable, again, can it be done on a large enough
scale to dictate a result?  It makes more sense to simply control the way
the votes are counted or the machines which record them.  That seems like a
more clear and present danger than influencing votes in onesies and twosies.
And that's a RISK that's not necessarily restricted to online or
absentee/mail voting.

------------------------------

Date: Wed, 25 Jun 2014 17:33:47 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Major Ruling Shields Privacy of Cellphones (Adam Liptak)

Adam Liptak, *The New York Times*, 25 Jun 2014
Supreme Court Says Phones Can't Be Searched Without a Warrant
http://www.nytimes.com/2014/06/26/us/supreme-court-cellphones-search-privacy.html

Washington -- In a major statement on privacy rights in the digital age, the
Supreme Court on Wednesday unanimously ruled that the police need warrants
to search the cellphones of people they arrest.

Chief Justice John G. Roberts Jr., writing for the court, said the vast
amount of data contained on modern cellphones must be protected from routine
inspection.

The old rules, Chief Justice Roberts said, cannot be applied to ``modern
cellphones, which are now such a pervasive and insistent part of daily life
that the proverbial visitor from Mars might conclude they were an important
feature of human anatomy.''

The courts have long allowed warrantless searches in connection with
arrests, saying they are justified by the need to protect police officers
and to prevent the destruction of evidence.  But Chief Justice Roberts said
neither justification made much sense in the context of cellphones.

On the other side of the balance, he said, is the data contained on the
typical cellphone.  Ninety percent of Americans have them, he wrote, and
they contain ``a digital record of nearly every aspect of their lives --
from the mundane to the intimate.''

Even the word `cellphone' is a misnomer, he said.
``They could just as easily be called cameras, video players, Rolodexes,
calendars, tape recorders, libraries, diaries, albums, televisions, maps or
newspapers,'' he wrote.

Chief Justice Roberts acknowledged that the decision would make law
enforcement more difficult.  ``Cellphones have become important tools in
facilitating coordination and communication among members of criminal
enterprises, and can provide valuable incriminating information about
dangerous criminals.  Privacy comes at a cost.''

The court heard arguments in April in two cases on the issue, but issued a
single decision.

The first case, Riley v. California, No. 13-132, arose from the arrest of
David L. Riley, who was pulled over in San Diego in 2009 for having an
expired auto registration.  The police found loaded guns in his car and, on
inspecting Mr. Riley's smartphone, entries they associated with a street
gang.

A more comprehensive search of the phone led to information that linked Mr.
Riley to a shooting.  He was later convicted of attempted murder and
sentenced to 15 years to life in prison.  A California appeals court said
neither search had required a warrant.

The second case, United States v. Wurie, No. 13-212, involved a search of
the call log of the flip phone of Brima Wurie, who was arrested in 2007 in
Boston and charged with gun and drug crimes.  The federal appeals court in
Boston last year threw out the evidence found on Mr. Wurie's phone.

News organizations, including The New York Times, filed a brief supporting
Mr. Riley and Mr. Wurie in which they argued that cellphone searches can
compromise news gathering.

The Justice Department, in its Supreme Court briefs, said cellphones are not
materially different from wallets, purses and address books.

Chief Justice Roberts disagreed: ``That is like saying a ride on horseback
is not materially indistinguishable from a flight to the moon.''

------------------------------

Date: Wed, 25 Jun 2014 18:05:35 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: High Court Ruling On Search Warrants Is Broader Than Cellphones

NPR via NNSquad
http://www.npr.org/2014/06/25/325608295/high-court-ruling-on-search-warrants-is-broader-than-cellphones?ft=1&f=1001

  "This is not just a phone case," said Mark Eckenwiler, former deputy
  chief of the Computer Crime Section at the Department of Justice.  "This
  is really a digital evidence case."  The decision applies to laptops,
  tablets and all manner of electronic devices.  This was a pretty sweeping
  decision, leaving little wiggle room for law enforcement.  "There's not a
  lot of ambiguity there," he said.

------------------------------

Date: June 24, 2014 at 11:27:04 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Researchers Find/Decode Spy Tools Governments Use to Hijack Phones
  (Kim Zetter)

Kim Zetter, *WiReD*, Jun 24 2014 (via Dave Farber)
<http://www.wired.com/2014/06/remote-control-system-phone-surveillance/>

Newly uncovered components of a digital surveillance tool used by more than
60 governments worldwide provide a rare glimpse at the extensive ways law
enforcement and intelligence agencies use the tool to surreptitiously record
and steal data from mobile phones.

The modules, made by the Italian company Hacking Team, were uncovered by
researchers working independently of each other at Kaspersky Lab in Russia
and the Citizen Lab in Canada, who say the findings provide great insight
into the trade craft behind Hacking Team's tools.

The new components target Android, iOS, Windows Mobile, and BlackBerry users
and are part of Hacking Team's larger suite of tools used for targeting
desktop computers and laptops.
But the iOS and Android modules provide cops and spooks with a robust menu
of features to give them complete dominion over targeted phones.

They allow, for example, for covert collection of emails, text messages,
call history and address books, and they can be used to log keystrokes and
obtain search history data.  They can take screenshots, record audio from
the phones to monitor calls or ambient conversations, hijack the phone's
camera to snap pictures or piggyback on the phone's GPS system to monitor
the user's location.  The Android version can also enable the phone's Wi-Fi
function to siphon data from the phone wirelessly instead of using the cell
network to transmit it.  The latter would incur data charges and raise the
phone owner's suspicion.

``Secretly activating the microphone and taking regular camera shots
provides constant surveillance of the target -- which is much more powerful
than traditional cloak and dagger operations,'' notes Kaspersky researcher
Sergey Golovanov in a blog post about the findings.

It's long been known that law enforcement and intelligence agencies world
wide use Hacking Team's tools to spy on computer and mobile phone users --
including, in some countries, to spy on political dissidents, journalists
and human rights advocates.  This is the first time, however, that the
modules used to spy on mobile phone users have been uncovered in the wild
and reverse-engineered.

Kaspersky and Citizen Lab discovered them after developing new methods to
search for code fragments and digital certificates used by Hacking Team's
tools.  The modules work in conjunction with Hacking Team's core
surveillance tool, known as the Remote Control System, which the company
markets under the names Da Vinci and Galileo.  [...]
------------------------------

Date: Tue, 24 Jun 2014 17:23:07 +0100
From: Michael Bacon <michaelbacon () tiscali co uk>
Subject: "Foolproof" system to authenticate bank customers by their voice

Barclays Bank is rolling out voice biometrics technology at its call centres
that recognises customers when they start talking.  Customers who call
Barclays currently have to share their passcodes or 16-digit debit card
numbers in order to verify themselves.  With the new system, customers can
choose to have their voice recorded and held on file by the bank.  Then,
when they call to access their account, they engage in a few seconds of
conversation with a staffer.  During that time, Nuance FreeSpeech voice
biometrics technology is used to compare the customer's voice to their
unique voiceprint on file, and silently signals to the employee when the
customer's identity has been verified.  Barclays began using the Nuance
system at its wealth management arm last year but is set to introduce it for
normal retail customers early next year.  Ashok Vaswani, chief executive,
Barclays personal and corporate banking, told the Sunday Telegraph that the
technology is "foolproof" and cuts the time it takes to verify customers
from 90 seconds to 10 seconds.

"Foolproof", eh?  So that's all right, then.  Being a fool, I can trust it
implicitly.  Odd, though, that my Nuance Dragon system still fails to
recognise common words when I have been using it almost daily for nigh on
two years.  Barclays' system must be far, far superior.

------------------------------

Date: Tue, 24 Jun 2014 22:45:19 +0000
From: "Dr. Deborah Peel" <dpeelmd () patientprivacyrights org>
Subject: Did you know Equifax buys and sells real-time employment data?

How does Equifax obtain this sensitive and secret information?

http://redtape.nbcnews.com/_news/2013/01/30/16762661-exclusive-your-employer-may-share-your-salary-and-equifax-might-sell-that-data?lite

Quote: "With the willing aid of thousands of U.S. businesses, including many
of the Fortune 500.  Government agencies -- representing 85 percent of the
federal civilian population, including workers at the Department of Defense,
according to Equifax -- and schools also work with The Work Number.  Many of
them let Equifax tap directly into their data so the credit bureau can
always have the latest employment information.  In fact, these organizations
actually pay Equifax for the privilege of giving away their employees'
personal information."

The story claims: "It's the biggest privacy breach in our time, and it's
legal and no one knows it's going on," said Robert Mather, who runs a small
employment background company named Pre-Employ.com.  "It's like a secret
CIA."

BUT the story is wrong: the greatest privacy breach of our time is the
collection, aggregation and sale of ALL health data (inside and outside the
healthcare system) by companies like IMS Health Holdings.  IMS Health
Holdings buys, sells and trades personal health data of 500 million people
(including electronic health records, prescriptions, claims data and health
info in social media) with "100,00 health data suppliers covering 780,000
daily data feeds" to create "anonymous" longitudinal, real-time profiles it
sells to "5,000 customers" including the US government.  See:
http://www.sec.gov/Archives/edgar/data/1595262/000119312514000659/d628679ds1.htm

The health data broker industry sells far more damaging personal data than
Equifax.

Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights
www.patientprivacyrights.org
http://patientprivacyrights.org/trust-framework/
(512) 732-0033

------------------------------

Date: Tue, 24 Jun 2014 14:06:01 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Privacy concerns loom over 'new' Google domain registration
  service" (Woody Leonhard)

Woody Leonhard | InfoWorld, 24 Jun 2014
Google's invitation-only Domains name registration service works a lot like
the old one but raises new questions about privacy and ad scraping
http://www.infoworld.com/t/internet-privacy/privacy-concerns-loom-over-new-google-domain-registration-service-244927

------------------------------

Date: Tue, 24 Jun 2014 11:28:48 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Two months later, 300K servers still vulnerable to Heartbleed"
  (Ian Paul)

http://www.infoworld.com/d/security/two-months-later-300k-servers-still-vulnerable-heartbleed-244850
Ian Paul, PC World/InfoWorld, 23 Jun 2014
A large number of websites are still vulnerable to the OpenSSL flaw, but
it's unlikely they'll be patched anytime soon.

selected text:

Currently, there are about 309,197 systems still vulnerable to Heartbleed,
which is a slight drop from the 318,239 Graham discovered in early May.  The
slow drop indicates that Heartbleed patching has more or less ended.

As widespread and devastating as Heartbleed is, it's easily one of the
scariest security stories of 2014 -- and doubly so if hundreds of thousands
of servers are likely to remain vulnerable for the foreseeable future.
------------------------------

Date: Wed, 25 Jun 2014 12:07:50 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Google Glass Snoopers Can Steal Your Passcode With a Glance
  (Andy Greenberg)

Andy Greenberg, *WiReD News* 24 Jun 2014, via ACM TechNews, June 25, 2014

University of Massachusetts (UMass) Lowell researchers have developed
software that uses video from wearable devices such as Google Glass and
smartwatches to read four-digit PIN codes typed onto an iPad from almost 10
feet away, and from almost 150 feet with a high-definition camcorder.  The
software involves a custom-coded video-recognition algorithm that tracks the
shadows from finger taps and could recognize the codes even when the video
did not capture any images on the target devices' displays.  "I think of
this as a kind of alert about Google Glass, smartwatches, all these
devices," says UMass Lowell professor Xinwen Fu.  "If someone can take a
video of you typing on the screen, you lose everything."  The researchers
found that Google Glass identified the four-digit PIN from three meters away
with 83 percent accuracy, while webcam video revealed the code 92 percent of
the time.  The software also can identify passcodes even when the screen is
unreadable based on the iPad's geometry and the position of the user's
fingers.  The software maps an image of the angled iPad onto a "reference"
image of the device, then looks for the abrupt down and up movements of the
dark crescents that represent the fingers' shadows.  Fu plans to present the
findings with his students at the Black Hat security conference in August.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-bad3x2b4c3x060206&

------------------------------

Date: Tue, 24 Jun 2014 14:15:04 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Researchers expect large wave of rootkits targeting 64-bit systems"

http://www.pcworld.com/article/2367400/researchers-expect-large-wave-of-rootkits-targeting-64bit-systems.html

selected text:

Following a downward trend during the past two years, the number of new
rootkit samples rose in the first quarter of this year to a level not seen
since 2011, according to statistics from security vendor McAfee.

"The roadblocks set in place by 64-bit systems now appear to be mere speed
bumps for well-organized attackers, who have already found ways to gain
entry at the kernel level," the McAfee researchers said.

------------------------------

Date: Tue, 24 Jun 2014 14:47:13 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Trouble with firefox updates (Durusau, RISKS-28.04)
> A more definitive way of customizing Firefox is to simply download the
> source code from ftp.mozilla.org, and change it however you wish.

I find this mantra in the Open Sores sales pitch particularly annoying:
everyone capable of actually doing that knows that

a) The amount of effort required to understand (and subsequently change in a
meaningful and non-disruptive way) somebody else's code is 80% of that of
writing your own from scratch.  With a codebase the size of mozilla's that's
a plain crack pipe dream.

b) Even if you can fix the code, you'll still have to build it.  With
something the size and complexity of firefox I bet it's not entirely trivial
even on freenix where you can fetch the "source package" and all its
pre-requisites.  On systems without source package management, with for-pay
development tools, etc., it's basically not worth the trouble.

So who are you preaching to: those who can't do it or those who know why
they can't do it?

Dimitri Maziuk, Programmer/sysadmin
BioMagResBank, UW-Madison  http://www.bmrb.wisc.edu

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.05
************************