http://www.airliners.net/aviation-forums/general_aviation/read.main/5266959/ An ANA 737 went nearly belly up during cruise flight after the first officer turned the wrong knob to let the captain back into the cockpit. The knob for the rudder is similar to the knob to unlock the door and both are located in close proximity to each other. Luckily, it was late at night and most passengers were wearing their seat belts.
http://www.infoworld.com/t/security/e-voting-still-insecure-even-paper-trail-177623

E-voting remains insecure, despite paper trail
Microsoft researchers propose using cryptography technique as temporary Band-Aid for making new e-voting systems more secure
By Ted Samson, InfoWorld, October 31, 2011

opening and closing paragraphs:

Microsoft Research has revealed a potential flaw in verifiable e-voting machines through which fraudsters could easily use discarded ballot receipts as a guide for altering votes. Fortunately, the researchers also offered a solution, linking new receipts to previous ones with cryptographic hashes, but that alone won't make e-voting entirely secure, they cautioned.

This Microsoft Research report offers a fine example of how electronic-voting systems have improved to a degree, but it also shows that there's a lot of work to be done to make e-voting truly secure and verifiable. The fact that so many lawmakers have continued to drag their feet on this issue, even in light of documented controversies surrounding e-voting over the past several years, suggests at best an abysmally high level of technical ignorance among elected officials. At worst, it implies a general disregard for the democratic process on which this country was founded, a high level of corruption, or some combination thereof.
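The item above says only that the proposed fix links each new receipt to the previous one with a cryptographic hash. The following added example, which is not code from the InfoWorld article or from Microsoft Research, shows what such a hash chain buys a verifier: a receipt copied from the trash and edited to point at a different ballot commitment no longer matches the link stored in the next voter's receipt. The receipt fields, the SHA-256 choice and the constructed ballot commitments are all assumptions made for the illustration.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed illustration of hash-linked receipts (not the Microsoft
# Research scheme itself). Each receipt carries the hash of the previous
# receipt, so an edited or re-used receipt breaks the link that every
# later receipt commits to.

GENESIS = "0" * 64  # link value stored in the very first receipt (assumption)


def receipt_hash(receipt: Dict) -> str:
    """Canonical SHA-256 over a receipt: sorted keys, no whitespace."""
    payload = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def issue_receipt(chain: List[Dict], ballot_commitment: str) -> Dict:
    """Append a receipt whose 'prev' field is the hash of the last receipt."""
    prev = receipt_hash(chain[-1]) if chain else GENESIS
    receipt = {"seq": len(chain), "prev": prev, "ballot": ballot_commitment}
    chain.append(receipt)
    return receipt


def verify_chain(chain: List[Dict]) -> Tuple[bool, int]:
    """Walk the chain from the genesis link.

    Returns (True, -1) when every receipt links to its predecessor, or
    (False, i) where i is the index of the first receipt whose sequence
    number or 'prev' link does not match what the chain predicts.
    """
    expected_prev = GENESIS
    for i, r in enumerate(chain):
        if r.get("seq") != i or r.get("prev") != expected_prev:
            return False, i
        expected_prev = receipt_hash(r)
    return True, -1


def demo() -> Tuple[bool, bool, int]:
    """Issue three receipts, then edit one as a fraudster with a discarded copy might."""
    chain: List[Dict] = []
    for commitment in ["commit-a1", "commit-b2", "commit-c3"]:  # constructed values
        issue_receipt(chain, commitment)
    ok_before, _ = verify_chain(chain)

    tampered = [dict(r) for r in chain]          # attacker works on a copy
    tampered[1]["ballot"] = "commit-x9"          # receipt 1 now names a different ballot
    ok_after, first_bad = verify_chain(tampered)  # receipt 2's 'prev' no longer matches
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

The check catches modification and insertion anywhere but the tail: dropping the last receipt leaves a shorter chain that still verifies, which is why a scheme like this still needs the current chain head to be published somewhere voters can compare against, and why the article's caveat that hashing alone does not make e-voting secure holds.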
In Madison County, Florida, 8 residents have been arrested—among them the election supervisor and a school board member—relating to the 2010 school board election in that county. Apparently, the winner in one district was implicated in illegally creating absentee ballots mailed to false addresses, without voters' knowledge. This reminds me of an incident in the 2000 election in Florida, in which the inhabitants of an entire rest home had voted 100% for one candidate, although *none* of those residents who had been interviewed by ABC had actually requested an absentee ballot—according to the ABC news reporter recording me. I suspect this is not uncommon.
"A global internet outage took down sites and services across the web on Monday. The outage began shortly after 2pm, and affected telco Time Warner Cable in the US and numerous ISPs in the UK, including Eclipse Internet and Easynet. Several of the affected companies blamed the downtime on a problem with the firmware in Juniper Network routers. "This outage has affected other networks running Juniper routers with the majority of them seeing their devices core dump and reload," affected ISP Phyber Communications said." http://j.mp/sPisRG (Silicon) Time Warner has said their entire Internet network operation was affected by this. I've been having connectivity problems on one of my primary circuits since late yesterday and continuing now that may or may not be related. I'll see if this message makes it out.
The new gmail that apparently is going to be forced on everyone is not an improvement as far as I can see. It has a lot of cosmetic changes that someone liked, but the amazing thing is the way they are introducing it. There is no way to revert to the old version, but they devote special buttons to tell you how nice the new look is and to ask you for feedback. The feedback section has just two Colbert-like questions: "What do you like about the new version?" and "What, if anything, would you change about the new version?" Colbert would ask something like "Is this awesome or super-awesome?" but he's trying to be ironic. James H. Morris http://www.cs.cmu.edu/~jhm
I just got this e-mail from reception of the building I'm in today: "With the clocks going back by one hour this has caused the security door in the reception area to automatically lock at 17:00 instead of 18:00. Due to our system being down at the moment we are unable to change this. Please can I remind you that you should carry your pass with you at all times for security reasons." So, of the three security systems mentioned, both the automated ones have partially failed, the fallback is to *e-mail* me to remind me to carry a pass so I won't get locked on the landing on my way back from the WC. Hardly a disaster, but annoying nonetheless. [I was hoping to get this issue out at 11/11/11/11:11. There's still hope to celebrate if you are in Alaska or Hawaii. Cheers! PGN]
http://www.bloomberg.com/news/2011-10-27/chinese-military-suspected-in-hacker-attacks-on-u-s-satellites.html

Chinese Military Suspected in Hacker Attacks on U.S. Satellites
By Tony Capaccio and Jeff Bliss - Oct 26, 2011 9:01 PM PT

Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission.

The intrusions on the satellites, used for earth climate and terrain observation, underscore the potential danger posed by hackers, according to excerpts from the final draft of the annual report by the U.S.-China Economic and Security Review Commission. The report is scheduled to be released next month.

"Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions," according to the draft. "Access to a satellite's controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite's transmission."

A Landsat-7 earth observation satellite system experienced 12 or more minutes of interference in October 2007 and July 2008, according to the report. Hackers interfered with a Terra AM-1 earth observation satellite twice, for two minutes in June 2008 and nine minutes in October that year, the draft says, citing a closed-door U.S. Air Force briefing. The draft report doesn't elaborate on the nature of the hackers' interference with the satellites.

Chinese Military Writings

U.S. military and intelligence agencies use satellites to communicate, collect intelligence and conduct reconnaissance. The draft doesn't accuse the Chinese government of conducting or sponsoring the four attacks. It says the breaches are consistent with Chinese military writings that advocate disabling an enemy's space systems, and particularly "ground-based infrastructure, such as satellite control facilities."

U.S. authorities for years have accused the Chinese government of orchestrating cyber attacks against adversaries and hacking into foreign computer networks to steal military and commercial secrets. Assigning definitive blame is difficult, the draft says, because the perpetrators obscure their involvement. The commission's 2009 report said that "individuals participating in ongoing penetrations of U.S. networks have Chinese language skills and have well established ties with the Chinese underground hacker community," although it acknowledges that "these relationships do not prove any government affiliation."

Chinese Denials

China this year "conducted and supported a range of malicious cyber activities," this year's draft reports. It says that evidence emerging this year tied the Chinese military to a decade-old cyber attack on a U.S.-based website of the Falun Gong spiritual group.

Chinese officials long have denied any role in computer attacks. The commission has "been collecting unproved stories to serve its purpose of vilifying China's international image over the years," said Wang Baodong, a spokesman for the Chinese Embassy in Washington, in a statement. China "never does anything that endangers other countries' security interests." The Chinese government is working with other countries to clamp down on cyber crime, Wang said.

Defense Department reports of malicious cyber activity, including incidents in which the Chinese weren't the main suspect, rose to a high of 71,661 in 2009 from 3,651 in 2001, according to the draft. This year, attacks are expected to reach 55,110, compared with 55,812 in 2010.

Relying on the Internet

In the October 2008 incident with the Terra AM-1, which is managed by the National Aeronautics and Space Administration, "the responsible party achieved all steps required to command the satellite," although the hackers never exercised that control, according to the draft. The U.S. discovered the 2007 cyber attack on the Landsat-7, which is jointly managed by NASA and the U.S. Geological Survey, only after tracking the 2008 breach.

The Landsat-7 and Terra AM-1 satellites utilize the commercially operated Svalbard Satellite Station in Spitsbergen, Norway that "routinely relies on the Internet for data access and file transfers," says the commission, quoting a NASA report. The hackers may have used that Internet connection to get into the ground station's information systems, according to the draft.

While the perpetrators of the satellite breaches aren't known for sure, other evidence uncovered this year showed the Chinese government's involvement in another cyber attack, according to the draft.

TV Report

A brief July segment on China Central Television 7, the government's military and agricultural channel, indicated that China's People's Liberation Army engineered an attack on the Falun Gong website, the draft said. The website, which was hosted on a University of Alabama at Birmingham computer network, was attacked in 2001 or earlier, the draft says. The CCTV-7 segment said the People's Liberation Army's Electrical Engineering University wrote the software to carry out the attack against the Falun Gong website, according to the draft. The Falun Gong movement is banned by the Chinese government, which considers it a cult.

After initially posting the segment on its website, CCTV-7 removed the footage after media from other countries began to report the story, the congressional draft says.

Military Disruption

The Chinese military also has been focused on its U.S. counterpart, which it considers too reliant on computers. In a conflict, the Chinese would try to "compromise, disrupt, deny, degrade, deceive or destroy" U.S. space and computer systems, the draft says. "This could critically disrupt the U.S. military's ability to deploy and operate during a military contingency," according to the draft.

Other cyber intrusions with possible Chinese involvement included the so-called Night Dragon attacks on energy and petrochemical companies and an effort to compromise the Gmail accounts of U.S. government officials, journalists and Chinese political activists, according to the draft. Often the attacks are found to have come from Chinese Internet-protocol, or IP, addresses.

Businesses based in other countries and operating in China think that computer network intrusions are among the "most serious threats to their intellectual property," the draft says. The threat extends to companies not located in China.

On March 22, U.S. Internet traffic was "improperly" redirected through a network controlled by Beijing-based China Telecom Corp. Ltd., the state-owned largest provider of broadband Internet connections in the country, the draft said. In its draft of last year's report, the commission highlighted China's ability to direct Internet traffic and exploit "hijacked" data.

To contact the reporters on this story: Jeff Bliss in Washington at jbliss@bloomberg.net; Tony Capaccio in Washington at acapaccio@bloomberg.net
To contact the editor responsible for this story: Mark Silva in Washington at msilva34@bloomberg.net

[See also this article. PGN http://sz0043.wc.mail.comcast.net/zimbra/mail?view=msg&id=879=860#11
Anna Leach: 'Image is so central to Apple's success', says tribunal, *The Register*, 3 Nov 2011
http://www.theregister.co.uk/2011/11/03/apple_employee_fired/

selected text:

Apple was right to fire an employee of one of its UK stores for saying rude things about the company on his Facebook wall, an employment tribunal in Bury St Edmunds ruled. The tribunal judge upheld Apple's dismissal of the man for gross misconduct in a case which sets another precedent for social network users who like to bitch about work online. The Apple Store worker had made derogatory comments about Apple's brand and products on his Facebook wall. Although his posts were not public, one of his unfriendlier "friends"—also a colleague in the store—printed the comments out and showed them to their boss, who fired the man for misconduct. A striking feature of the case was that although the man's Facebook comments were not public - privacy settings had been applied - the judge decided that because the comments could be easily copied and pasted by his friends they did not attract any privacy protection.
> Perhaps this could be exploited by throttling down network traffic during
> hazardous driving conditions, such as the first heavy rain of the season,
> major holiday evenings, and at the end of large sports events.

This bad idea was already tried by BART, with disastrous results. There are many socially beneficial uses for smartphones that don't involve driving. Even interfering with communication inside cars is a bad idea, because it ignores the fact that the passengers might be the ones contacting the babysitter to inform them they're going to be late.

Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
Good details all, but my concern was with *intentional* interference with the flight systems, e.g., terrorism. It is a question necessarily suggested I think by any concerns re interference by consumer electronics. In the general operation of highly complex, fly-by-wire aircraft, such a deliberate act could be a very bad thing. I have to hope contingency plans are in place, and they probably aren't. There are I must believe alternatives (for example hardened navigation options, like some sort of failsafe gyroscopic or accelerometer control system; the wiser minds here will have better ideas). Flying these large planes is a highly abstract exercise and flight crews unprepared for malfunctions, as apparently with Air France 447, can be rendered suddenly helpless—flying at cruising altitude is itself a flight-critical operation.
> Not quite. The main reason tablets and laptops are banned during takeoff
> and landing isn't because of concerns over interference, but because they
> might hinder an evacuation, and are potentially dangerous projectiles in
> the event of an impact or rapid deceleration. ...

That's the first sensible justification that I've heard on this list for prohibiting passengers from using devices that are allowed in the cockpit. Of course, the airlines still don't get it quite right, since many still permit (as only one example) the wearing of noise-canceling headphones that are turned off; those, too, would be unpleasant to encounter at high speed.

Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
> From Stanley De Jager:
> A new threat is getting some press this week and is being touted as "The
> next Stuxnet!" or at least a precursor to the next. The W32.Duqu appears
> to be written by either the same folks that brought us Stuxnet, or someone
> with access to its original source code. But whereas Stuxnet went after
> the control components for a device, this new code seems to be
> exfiltrating data to find assets for a possible future attack.
> It was Aeschylus, the Greek father of tragedy, that once wrote "For the
> impious act begets more after it, like to the parent stock."
> W32.Duqu: The Precursor to the Next Stuxnet
> http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet
> And a much deeper public analysis here:
> W32.Duqu: The precursor to the next! Stuxnet
> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
... Duqu is intended to steal digital information that may be needed to mount another Stuxnet-like attack. According to Symantec researchers, "Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility." Duqu is designed to last 36 days and then remove itself from the system it infected.

[Source: John Markoff, The designers of Stuxnet, the computer worm that was used to vandalize an Iranian nuclear site, may have struck again, security researchers say. Israeli Test on Worm Called Crucial in Iran Nuclear Delay, William J. Broad, John Markoff, David E. Sanger, *The New York Times*, 16 Oct 2011; PGN-ed]
network spoofing

"Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area." http://j.mp/s9aJyb (Guardian)

One way to fight this is to focus on using trusted Wi-Fi networks for communications when possible in constrained areas. The details are complex but the principle has promise for special situations.
We've all seen hundreds of cases of PII being lost, stolen, etc. But what happens when an entire country's PII gets released? Is that better or worse - since absolutely everybody is potentially affected, is the government forced to reissue authentication information to everyone, and change all the databases? (Assuming you can identify everyone to ensure that they get the right authenticators, that is.) Does the fact that it affects everyone mean that people will be more cautious of social engineering attacks, since everyone knows that they could be the target? Or does it reduce the value of the lost/stolen information, since everyone will be more on guard against attacks?

"The database provides the personal and familial information of all Israeli citizens in the Population Registry—more than nine million people, some of whom are no longer alive. Each citizen's family relations, personal identification number and other private information are contained in the database. [...] At some point, the registry was sold for the paltry sum of only a few thousand shekels [less than US$1000], and it is likely that it was used for malevolent purposes. Since the start of the investigation, Israeli agents have attempted to track down every copy of the registry and remove it from the Internet."

Of course removing "every copy" from the Internet is a fool's errand. I don't have any answers to what the reaction will be, but we may have a case study to watch. The database was leaked several years ago, but I only just read about it in an article about figuring out how the information came to be posted on the web. http://www.haaretz.com/news/national/israel-cracks-case-behind-population-database-illegally-posted-on-web-1.391714
[source: InfoSecNews, InfoSec News <alerts@infosecnews.org>, 24 Oct 2011] http://www.jpost.com/NationalNews/Article.aspx?id=242957 A contract worker from the Ministry of Labor and Welfare was charged with stealing the personal information of over 9 million Israelis from the Population Registry, the Justice Ministry announced Monday after a media ban was lifted. The worker electronically copied identification numbers, full names, addresses, dates of birth, information on family connections and other information in order to sell it to a private buyer. The information was also given to another individual who used it to design a software program called "Agron 2006", which exploited the database to allow queries of all Israeli citizens, allowing information to be illegally sold based on various parameters. Those parameters could include familial relationships of the entire Israeli population, over several generations. [...]
http://www.itbusiness.ca/it/client/en/home/News.asp?id=64617 Jeremy Kirk, Skype flaw allows BitTorrent users to be identified, 21 Oct 2011. Researchers have demonstrated it's possible to link BitTorrent users to Skype account information via IP addresses. It's a possible risk to Skype's user privacy.
Dan Goodin, *The Register*, 20 Sep 2011 If you use Skype on an iPhone or iPod touch, Phil Purviance can steal your device's address book simply by sending you a chat message. In a video posted over the weekend, the security researcher makes the attack look like child's play. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you'll have a fully-searchable copy of the victim's address book. ... http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/