Patient Died at New York VA Hospital After Alarm Was Ignored
Charles Ornstein and Tracy Weber, ProPublica, 15 May 2012

Registered nurses at a Manhattan Veterans Affairs hospital failed to notice a patient had become disconnected from a cardiac monitor until after his heart had stopped and he could not be revived, according to a report Monday from the VA inspector general. The incident from last June was the second such death at the hospital involving a patient connected to a monitor in a six-month period. The first, along with two earlier deaths at a Denver VA hospital, raised questions about nursing competency in the VA system, ProPublica reported last month. The deaths also prompted a broader review of skills and training of VA nurses. Only half of 29 VA facilities surveyed by the inspector general in a recent report had adequately documented that their nurses had skills to perform their duties. Even though some nurses "did not demonstrate competency in one or more required skills," the government report stated, there was no evidence of retraining. ...
http://www.propublica.org/article/patient-died-at-new-york-va-hospital-after-alarm-was-ignored
http://www.bbc.co.uk/news/technology-18248841

A convoy of self-driven cars has completed a 200km (125-mile) journey on a Spanish motorway, in the first public test of such vehicles. ... The cars are fitted with special features such as cameras, radar and laser sensors - allowing the vehicle to monitor the lead vehicle and also other vehicles in their immediate vicinity. Using wireless communication, the vehicles in the platoon "mimic" the lead vehicle using autonomous control - accelerating, braking and turning in exactly the same way as the leader. The vehicles drove at 85kph (52mph) with the gap between each vehicle just 6m (19ft).

"People think that autonomous driving is science fiction, but the fact is that the technology is already here. From the purely conceptual viewpoint, it works fine and road trains will be around in one form or another in the future," says Ms Wahlstroem. "We've focused really hard on changing as little as possible in existing systems. Everything should function without any infrastructure changes to the roads or expensive additional components in the cars. Apart from the software developed as part of the project, it is really only the wireless network installed between the cars that sets them apart from other cars available in showrooms today."

The project aims to herald a new age of relaxed driving. According to Volvo, drivers "can now work on their laptops, read a book or sit back and enjoy a relaxed lunch" while driving.

What could possibly go wrong ...? [See Peter Houppermans's item in RISKS-26.83. PGN]
Nancy Trejos, *USA Today*, 15 May 2012

Delta Air Lines says a computer glitch caused inconsistencies in airfares between fliers who were logged into the airline's website and those who were not. Delta spokesman Paul Skrbec told *Today in the Sky* that fares were higher for some passengers and lower for others. The carrier has not yet determined how many customers were affected, he said. Minneapolis' WCCO first reported on the discrepancies after business executives Patrick Smith and Steve Lisle, who happened to be booking flights side-by-side from Minneapolis to St. Louis a few weeks ago, were given two different prices for an economy seat. Lisle was not logged into his SkyMiles account and was offered a ticket for $300 less. ...
http://travel.usatoday.com/flights/post/2012/05/delta-overcharges-some-fliers-because-of-computer-glitch/695130/1

2 Same Flights, 2 Different Prices: Frequent Flyer Discrepancies, May 15, 2012
http://minnesota.cbslocal.com/2012/05/15/2-same-flights-2-different-prices-frequent-flyer-discrepancies/
[From David Farber's IP distribution. PGN]

Your readers may like to see this Japanese documentary report on Fukushima Daiichi Spent Fuel Pool 4 (click the closed caption button at the bottom to view the English translation). It lays out how, if supports fail in one building, it can precipitate a world-wide radioactive contamination event.

At 23:00: Shin-ichi Sano, Author: The world had no choice but to pay attention.
Q: People have said that we must gather expertise from around the world in order to solve the current problem. Regarding Fukushima, this has to happen, don't you think?
A: Indeed. As you say, there is no time for silly arguments. If anything happens, this is not just about the end of Japan, but probably the start of the end of the world. I would like them to realize that we are in such a crisis situation.

A Hidden Danger of the Fukushima Daiichi Spent Fuel Pool 4
http://www.youtube.com/watch?v=zuxFQewzPjk#
Published on May 29, 2012 by Goldieluvmj
IP Archives: https://www.listbox.com/member/archive/247/=now
Chris Kanaracus, *IT Business*, 25 May 2012
Intuit says it has restored all customers, but angry sentiments linger.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67640

Intuit's QuickBooks on-demand accounting system was switched over to its backup center to maintain continuity of service with continued data replication, while upgrading the primary system to fix a detected performance problem. However, during this process, an unspecified error introduced a `synchronization gap', requiring both the primary and backup systems to be taken off-line. 5700 customers were reportedly affected, with varying degrees of delay and difficulty. [PGN-ed]
"Father of the Internet" Vint Cerf on Monday warned that Internet freedom is under threat from governments around the world, including the United States. Cerf, a computer scientist who was instrumental in the Internet's creation, now employed by Google as its "Internet evangelist," said officials in the United States, United Kingdom and Europe are using intellectual property and cybersecurity issues "as an excuse for constraining what we can and can't do on the 'net."
http://j.mp/KFXskP (The Hill)
[Thanks to Gene Spafford. PGN]
http://www.csmonitor.com/USA/2012/0517/Cybersecurity-How-US-utilities-passed-up-chance-to-protect-their-networks
One argument in favor of regulation: companies won't do it themselves.
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html (Errata Security)

"Today's big news is that researchers have found proof of Chinese manufacturers putting backdoors in American chips that the military uses. This is false. While they did find a backdoor in a popular FPGA chip, there is no evidence the Chinese put it there, or even that it was intentionally malicious."

[I agree with this article's analysis. The original story was cyber-scaremongering. LW]

[See a lengthy blog item, Bogus story: no Chinese backdoor in military chip. PGN]
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html
The folks at RSA are at it again. SensePost's blog discussed how to derive the device serial number of RSA's Windows SecurID software token. "...the device serial number is dependent on the system's host name and current user's windows security identifier (SID). An attacker, with access to these values, can easily calculate the target token's device serial number and bypass the [RSA SecurID] protection."
http://www.sensepost.com/blog/7045.html
Yahoo! today released its Axis extension for Chrome—and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo! software.
http://www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/
[Thanks to Phil Porras. PGN]

There are signs that the Axis release was just a *bit* rushed. Users have found chunks of the development environment in the released code, and Yahoo appears to have accidentally included their *private* crypto signing key as well:
http://j.mp/Jpgmw2 (Google+)
And their Terms of Service link at the moment leads to a placeholder:
http://j.mp/JpfKX8 (Google+)
[Thanks to Lauren Weinstein. PGN]
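The failure described above (a private signing key and development-environment leftovers shipped inside a release bundle) is the kind of thing a release gate should catch before anything is published. The following is an added example, not Yahoo's code or anything from the Axis project: a small scanner that walks a release tree and refuses it if it finds PEM private-key material, key-store or `.env` files, or version-control directories. The function names (`scan_release_tree`, `build_sample_tree`, `release_is_clean`) and the sample tree it builds in a temporary directory are constructed for this example.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Markers of material that must never ship in a release bundle: a PEM private-key
# header in any file, key-store / dotenv / SSH-key file names, and VCS directories
# (the "chunks of the development environment" seen in the Axis release).
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----")
SUSPECT_FILE = re.compile(r"(\.key|\.p12|\.pfx|\.jks|\.env|id_rsa|id_ecdsa|id_ed25519)$", re.IGNORECASE)
SUSPECT_DIRS = {".git", ".svn", ".hg"}


def scan_release_tree(root: str) -> List[Tuple[str, str]]:
    """Walk the tree under root and return sorted (relative path, reason) findings."""
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in SUSPECT_DIRS:
                findings.append((os.path.relpath(os.path.join(dirpath, d), root), "version-control residue"))
                dirnames.remove(d)  # the directory itself is the finding; do not descend into it
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if SUSPECT_FILE.search(name):
                findings.append((rel, "suspect file name"))
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)  # a PEM header sits at the top of the file
            if PEM_PRIVATE_KEY.search(head):
                findings.append((rel, "PEM private key material"))
    return sorted(findings)


def release_is_clean(root: str) -> bool:
    """True only when the scanner reports nothing; the release gate calls this."""
    return not scan_release_tree(root)


def build_sample_tree() -> str:
    """Constructed sample release tree: a public certificate (fine), a private key,
    a dotenv file and a .git directory (all three must block the release)."""
    root = tempfile.mkdtemp(prefix="release_")
    files = {
        "manifest.json": b'{"name": "example-extension", "version": "1.0"}\n',
        "background.js": b"console.log('hello');\n",
        "certs/ca.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
        "signing.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
        "build.env": b"SIGNING_PASSPHRASE=placeholder\n",
        ".git/HEAD": b"ref: refs/heads/main\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reason in scan_release_tree(sample):
        print(f"BLOCK RELEASE: {rel}: {reason}")
    print("clean" if release_is_clean(sample) else "release blocked")
```

The scanner keys on file content for private keys rather than on the `.pem` suffix, so a public certificate such as `certs/ca.pem` passes while `signing.pem` is flagged; the point of the gate is that the decision happens mechanically, before a human has a chance to rush the upload.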
Brian Prince, eWeek, 24 May 2012
[via ACM TechNews, Wednesday, May 30, 2012]

Security researchers Moxie Marlinspike and Trevor Perrin say an extension to the transport layer security (TLS) protocol could help address spoofing attacks on the Secure Sockets Layer certificate ecosystem. They have proposed an approach called Trust Assertions for Certificate Keys (TACK), which enables a Web site to sign its TLS server's public keys with a TACK key. Clients can pin a hostname to the TACK key without requiring sites to make changes to their existing certificate chains or limiting their ability to deploy different certificate chains on different servers or change certificate chains at any time. Marlinspike and Perrin note that inside the TACK is a public key and signature. "Once a client has seen the same [hostname, TACK public key] pair multiple times, the client will 'activate' a pin between the hostname and TACK key for a period equal to the length of time the pair has been observed for," the researchers say. "This 'pin activation' process limits the impact of bad pins resulting from transient network attacks or operator error." The browser will reject the session and alert the user when it comes across a fraudulent certificate on a pinned site.
http://www.eweek.com/c/a/Security/Researchers-Propose-Way-to-Thwart-Fraudulent-Digital-Certificates-121509/
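The "pin activation" rule quoted above is easier to reason about as code. What follows is an added example, not Marlinspike and Perrin's TACK implementation or the draft's wire format: a client-side pin store that records each (hostname, TACK key) pair it sees, activates a pin only once the same pair has been seen again, for a period equal to how long the pair has been observed, and rejects a session when an active pin names a different key. The class name `TackPinStore`, the `MAX_ACTIVE_PERIOD` cap, and the timestamps used in the demonstration are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class PinState:
    tack_key: str        # identifier of the TACK public key seen for this hostname
    initial_time: float  # when this (hostname, key) pair was first seen, in seconds
    end_time: float      # the pin is active while now < end_time


class TackPinStore:
    """Simplified client-side pin store implementing TACK-style pin activation."""

    # Assumed cap on how long a single observation can extend a pin's active period.
    MAX_ACTIVE_PERIOD = 30 * 24 * 3600

    def __init__(self) -> None:
        self._pins: Dict[str, PinState] = {}

    def is_active(self, hostname: str, now: float) -> bool:
        state = self._pins.get(hostname)
        return state is not None and now < state.end_time

    def check(self, hostname: str, presented_key: str, now: float) -> Tuple[bool, str]:
        """Validate the TACK key presented for hostname; returns (accepted, reason)."""
        state = self._pins.get(hostname)
        if state is not None and now < state.end_time and state.tack_key != presented_key:
            # An active pin names a different key: reject the session and alert the user.
            return False, "active pin for %s names a different TACK key" % hostname
        self._record(hostname, presented_key, now)
        return True, "accepted"

    def _record(self, hostname: str, key: str, now: float) -> None:
        state = self._pins.get(hostname)
        if state is None or state.tack_key != key:
            # First sighting of this pair (or the previous pin has lapsed and named
            # another key): remember it, but activate nothing yet. A single bogus
            # sighting from a transient attack therefore never produces an active pin.
            self._pins[hostname] = PinState(key, now, now)
            return
        # Same pair seen again: activate for as long as the pair has been observed so far.
        observed_for = min(now - state.initial_time, self.MAX_ACTIVE_PERIOD)
        state.end_time = max(state.end_time, now + observed_for)


if __name__ == "__main__":
    store = TackPinStore()
    print(store.check("example.com", "KEY-A", 0))    # first sighting, accepted, no pin yet
    print(store.check("example.com", "KEY-A", 100))  # seen again: pin active until t=200
    print(store.check("example.com", "KEY-B", 150))  # different key under an active pin: rejected
    print(store.check("example.com", "KEY-B", 250))  # pin lapsed: accepted, new observation starts
```

Two properties of the rule are visible in the demonstration: a pin's lifetime grows only as fast as the site has actually been seen with that key, so a bad pin from a transient attack or operator slip expires quickly, and a key that was seen exactly once is never enforced at all.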
Karen Haslam, *IT Business*, 24 May 2012
Stolen iPhone beams back photos, displayed in Facebook album
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=67617
WHMCS calls the Feds after credit-card megaleak
John Leyden, 22 May 2012

WHMCS, which provides billing and customer support tech to many web hosts, was comprehensively hacked on Monday and remains offline. Hackers tricked WHMCS's own hosting firm into handing over admin credentials to its servers. The group that carried out the hack, UGNazi, subsequently extracted the billing company's database before deleting files, essentially trashing the server and leaving services unavailable in the process. The compromised server hosted WHMCS's main website and supported customers' installations of its technology. UGNazi also gained access to WHMCS's Twitter account, which it used to publicise a series of posts on Pastebin that contained links to locations from which the billing firm's customer records and other sensitive data might be downloaded. A total of 500,000 records, including customer credit card details, were leaked as a result of the hack. ...
http://www.theregister.co.uk/2012/05/22/whmcs_breach/

Hacker group UGNazi leaks and deletes billing service's database
The group used social engineering to access WHMCS's customer database, then leaked 500,000 records online, May 22, 2012
http://www.infoworld.com/t/hacking/hacker-group-ugnazi-leaks-and-deletes-billing-services-database-193867

Hackers Impersonate Web Billing Firm's Staff To Spill 500,000 Users' Passwords And Credit Cards, May 22, 2012
http://www.forbes.com/sites/andygreenberg/2012/05/22/hackers-impersonate-web-billing-firms-staff-to-spill-500000-users-passwords-and-credit-cards/
Antone Gonsalves, *IT Business*, 22 May 2012
The Tatanga Trojan was first spotted by German banks, cybersecurity firm Trusteer says.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67572
Thomas Fuller and Kevin Drew, *The New York Times*, 30 May 2012

"Google and human rights groups reacted strongly on Wednesday to a Thai court's decision to convict the webmaster of an Internet message board for comments posted by users that insulted the Thai royal family."
http://j.mp/KwEzjC

Unfortunately, an entirely predictable development. Ultimately, governments want to control Internet content. They vary in their approaches and degrees, but free expression of the sort the Internet enables fundamentally undermines traditional information control regimes.

[Unblessed be the Thai that blinds. PGN]
Did you hear the one about New York state lawmakers who forgot about the First Amendment in the name of combating cyberbullying and "baseless political attacks"? Proposed legislation in both chambers would require New York-based websites, such as blogs and newspapers, to "remove any comments posted on his or her website by an anonymous poster unless such anonymous poster agrees to attach his or her name to the post." ...
David Kravets, WiReD, 22 May 2012
http://j.mp/KwmzAX

Probability that the legislators involved are opportunists and/or clueless? = 100%
Probability that such legislation could pass Constitutional muster? = 0%
Infuriating that they even waste time on this nonsense.
"British officials have given their word: 'We won't read your emails.' But experts say the government's proposed new surveillance program will gather so much data that spooks won't have to read your messages to guess what you're up to."
http://j.mp/LeF0dS (AP / Quad City Times)

The seriously disingenuous aspect of Kane's comments is his equating government collection of mass header and traffic analysis data on an involuntary basis—with voluntary usage of Web-based services. Trying to equate the two in the privacy realm is fundamentally dishonest.
More than two dozen states will accept some form of electronic or faxed ballots in the U.S. 2012 elections, according to the Verified Voting Foundation. However, computer security experts contend that any system can be hacked or manipulated, which poses a big threat to online voting systems. "You have computer systems such as those of Google, the Pentagon, and Facebook, which have all fallen victim to intrusion," notes University of Michigan computer scientist J. Alex Halderman. Meanwhile, other countries are moving forward with Internet voting plans. For example, French citizens living abroad this year will be able to vote on the Internet in a parliamentary election. In Estonia, a record 25 percent of voters cast Internet ballots in 2011. In the United States, election officials are examining the costs of the technology while struggling with how to make voting more accessible, says Ohio deputy election administrator Matt Masterson. He notes online voting can help boost participation and address the issue of voters who cannot get to a polling station. The U.S. National Institute of Standards and Technology recently concluded that Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling stations.
[Agence France-Presse, 24 May 2012]
http://www.turkishpress.com/news.asp?id=382334
Robert McMillan, 22 May 2012

If you work for IBM, you can bring your iPhone to work, but forget about using the phone's voice-activated digital assistant. Siri isn't welcome on Big Blue's networks. The reason? Siri ships everything you say to her to a big data center in Maiden, North Carolina. And the story of what really happens to all of your Siri-launched searches, e-mail messages and inappropriate jokes is a bit of a black box. IBM CIO Jeanette Horan told MIT's Technology Review this week that her company has banned Siri outright because, according to the magazine, "The company worries that the spoken queries might be stored somewhere." It turns out that Horan is right to worry. In fact, Apple's iPhone Software License Agreement spells this out: "When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text," Apple says. Siri collects a bunch of other information - names of people from your address book and other unspecified user data, all to help Siri do a better job. How long does Apple store all of this stuff, and who gets a look at it? Well, the company doesn't actually say. Again, from the user agreement: "By using Siri or Dictation, you agree and consent to Apple's and its subsidiaries' and agents' transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and other Apple products and services." Because some of the data that Siri collects can be very personal, the American Civil Liberties Union put out a warning about Siri just a couple of months ago. ...
http://www.wired.com/wiredenterprise/2012/05/ibm-bans-siri/

Note to Self: Siri Not Just Working for Me, Working Full-Time for Apple, Too
By Nicole Ozer, ACLU of Northern California (Mar 12, 2012 at 10:00 am)
https://www.aclunc.org/issues/technology/blog/note_to_self_siri_not_just_working_for_me,_working_full-time_for_apple,_too.shtml
Ted Samson, InfoWorld, InfoWorld Tech Watch, 25 May 2012
Should you care that Siri is taking notes?
IBM blocks Siri on networked devices even as it acknowledges it sees no threat in Apple capturing voice commands from users
http://www.infoworld.com/t/data-security/should-you-care-siri-taking-notes-194136

Opening paragraph: If you ask Siri, the iPhone's voice-controlled personal assistant, to schedule a sales meeting with a potential new client at a restaurant across town, Siri will dutifully carry out your command (barring any service hiccups)—and send that information to a server farm in North Carolina to be converted into text and saved. That revelation has bubbled up in the tech world after IBM CIO Jeanette Horan recently told MIT's Technology Review that Big Blue blocks Siri on employees' iOS devices because Apple stores potentially sensitive voice-inputted data.
As a cruising sailor of some years' experience, I'd like to point out that there is a simpler explanation for the sad accident than the one where experienced sailors fail to use electronic charts sensibly. The maximum hull speed of a Hunter 376 (the boat in the incident) is 7.6 knots (8.75 mph / 14.1kph). Enough to hit the rocks, but not at car-crash speeds. People sailing or motoring at this speed try to take the quickest course. If there is an obstruction, common practice is to set a GPS waypoint close to it (good) or even on it (bad) with an alarm, so that on reaching it you are prompted to change course to go round. These alarms aren't loud; they're only intended to alert someone in the cockpit, not wake the whole boat. If there is only one person on watch, and they fail to respond and change course, depending on the boat's electronic systems it is entirely possible that it will just keep going on the current course. If the crew member on watch has fallen overboard, maybe trying to fix a problem or (if male) is relieving himself over the side and loses his balance - a depressingly common occurrence - that is what will happen. Reports say the middle-aged male skipper was found separate from the others. Unless the rest of the crew are alerted quickly, the casualty is left behind and the boat sails on, potentially unsupervised.

In this scenario there are still RISKS, of course. Firstly, making it easy to have a single point of failure. Technology helps people sail more short-handed than was once the case. The racing yachts would more likely have a number of people active on board, who would notice if someone fell off and hear an alert even one crew member down. Secondly, technology's inability to operate beyond the world it is designed for, to recognise when it is outside its competence.
> http://www.youtube.com/watch?v=IFe9wiDfb0E

That link doesn't seem to work any more.

[It does. I failed to delete two extra `3D' strings that your mail system coerces. Now fixed. PGN]

Here's the original: http://www.tomscott.com/life/

I should probably have provided a summary: the video is an artist's impression of what you'd see if your consciousness was uploaded to silicon upon your death. It includes a sequence where the system edits the subject's memories to remove all occurrences of copyrighted works because the subject's estate can't afford the $19,000 monthly licensing fee.
There are several variations on this phone-call phishing, which I think is a great risk to unsophisticated PC users. I have had several calls where I suspect this criminal underworld now has a database of info they elicited from me in prior scam calls, to try to refine their technique. They now know I have two PCs in my house, and can tell me which one they are calling about.

Internet Storm Center (ISC of SANS) is now tracking those phishing phone calls, in an Indian accent, which say they are from Microsoft Support, or some such variation. If you get one, you can now add your experiences to their statistics.
https://isc.sans.edu/reportfakecall.html