Robert Lemos, *InfoWorld*, 18 Nov 2011
Update: U.S. water plants reportedly hit by cyber attacks
In separate incidents, hackers allegedly caused a water pump failure at an Illinois utility and showed off purported access to water supply systems for a Texas city
http://www.infoworld.com/t/network-security/us-water-plants-reportedly-hit-cyber-attacks-179456

opening text: Security experts have long worried that a knowledgeable hacker could damage the critical infrastructure that supplies power, water, and other utilities to U.S. citizens. The few incidents of cyber attacks on utilities, where details became public, have underscored the danger while at the same time signaling that such attacks may not be common. Two events this week may change that perception.
Bruce Schneier, Chief Security Technology Officer, BT, schneier@schneier.com http://www.schneier.com
PGN-excerpted from CRYPTO-GRAM, 15 Nov 2011

Researchers have found a vulnerability in computer-controlled prison-door systems that allows them to be remotely opened over the Internet. This assumes that they're connected to the Internet in the first place, which some of them are. The weirdest part of the article was this last paragraph. "You could open every cell door, and the system would be telling the control room they are all closed," Strauchs, a former CIA operations officer, told the Times. He said that he thought the greatest threat was that the system would be used to create the conditions needed for the assassination of a target prisoner. I guess that's a threat. But the *greatest* threat?

http://arstechnica.com/business/news/2011/11/vulnerabilities-give-hackers-ability-to-open-prison-cells-from-afar.ars or http://tinyurl.com/7533eze

The original paper: http://www.google.co.uk/url?sa=t&rct=j&q=tiffany%20rad%2C%20teague%20newman%2C%20and%20john%20strauchs&source=web&cd=2&ved=0CCMQFjAB&url=http%3A%2F%2Fwww.exploit-db.com%2Fdownload_pdf%2F17979%2F&ei=iznBTtzMLsew8gPLxNSfBA&usg=AFQjCNFwfgrkcWZC2Cg5R2FgNpSLd24orQ&sig2=Oz90YVa4SCdCeErXfKc_EQ or http://tinyurl.com/ccvjl7q
In Grand Forks, BC, Canada, Dion Nordick saw a camera flash outside his home, and found two surveillance cameras on poles overlooking the place. They belong to the RCMP (Royal Canadian Mounted Police), who Nordick thinks suspect him of graffiti and/or drug offenses. Nordick took the cameras down and looked at the pictures taken. And he found that one camera held large numbers of photos related to unrelated incidents, taken before it was placed there. Among other things, there were photos of a woman in her underwear, showing her bruise-covered body; also drug busts and suicides. Even if the RCMP is right when they say that the cameras were legally placed on public property and Nordick's action is a theft, it still seems as though they could have done a better job as regards protecting the privacy of those photos. http://www.cbc.ca/news/canada/british-columbia/story/2011/11/15/bc-rcmp-surveillance-cameras-found.html
Vint Cerf: The government is going overboard in Internet copyright control
http://j.mp/vwooUt (VentureBeat)

"When asked what he would tell the developer of the Next Big Thing, the technology that could replace the Internet, Cerf said, 'Shoot the patent lawyer.' The room, which was full of chief information officers for large, proprietary companies, burst into both laughter and applause. Cerf continued, 'Bob [Kahn] and I knew we could not succeed if we tried to protect the Internet's design. As it turns out that worked out really well, and I think that's still pretty good advice.' Cerf also spoke out against the Department of Homeland Security's recent seizures of websites, such as last year's seizure of scores of music sites and communities for copyright violations, which he called 'a blunt instrument that can and should be exercised much more carefully.'"
"As the Internet becomes the place for all kinds of transactions, from buying shoes to overthrowing despots, an increasingly vital debate is emerging over how people represent and reveal themselves on the Web sites they visit. One side envisions a system in which you use a sort of digital passport, bearing your real name and issued by a company like Facebook, to travel across the Internet. Another side believes in the right to don different hats - and sometimes masks - so you can consume and express what you want, without fear of offline repercussions. The argument over pseudonyms - known online as the "nym wars" - goes to the heart of how the Internet might be organized in the future. Major Internet companies like Google, Facebook and Twitter have a valuable stake in this debate - and, in some cases, vastly different corporate philosophies on the issue that signal their own ambitions." http://j.mp/s9UcL0 [This quote is excerpted from a long article by Somini Sengupta, *The New York Times*, 14 Nov 2011, entitled Rushdie Runs Afoul of Web's Real-Name Police, which google headlines as "Rushdie Wins Facebook Fight Over Identity". PGN]
Facebook's tracking of other Web site visits under fire
http://j.mp/rPOKmj (USA Today)

"Facebook officials are now acknowledging that the social media giant has been able to create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days. Facebook also keeps close track of where millions more non-members of the social network go on the Web, after they visit a Facebook web page for any reason."
"It is also a case study of how Google, by voluntarily implementing facial blurring in its relatively new but hugely popular Street View automated 360-degree panoramas, created norms in the minds of regulators that they are now eager to set in stone legally." Why don't they also blur pets while they are at it? http://dliberation.org/2011/11/11/in-slovenia-panoramic-photography-comes-under-regulatory-attack/
Robert Lemos, *InfoWorld*, 17 Nov 2011
Coming conundrum: Malware signed by a legitimate developer
Cyber criminals are stealing code-signing certificates, allowing their malware to get by some defenses
http://www.infoworld.com/t/application-security/coming-conundrum-malware-signed-legitimate-developer-179376

selected text: Signed code has become one of the common measures used to secure various computing platforms. Yet cyber criminals and other attackers are starting to use signed code to evade security measures by stealing legitimate certificates from software developers, then using the certificates to sign their malicious programs. In 2009, the company [AVG] detected about 30,000 malicious programs signed with legitimate, albeit stolen or fraudulently issued, certificates. The next year, that number increased by a third and is on track to triple in 2011.
You've probably received submissions about the incident last week when it appeared, due to a technical error, that Standard and Poor's had downgraded France's national credit rating. Here's what happened:
http://online.wsj.com/article/BT-CO-20111111-712287.html

In case the link does not remain valid, the key part reads:

| Friday, S&P said the mistake arose because it had placed France's banking
| industry country risk assessment, which is not a credit rating, in its
| online portal last December to test a method of displaying the information
| on individual pages. The ratings service used France's banking risk
| assessment to test the change but did not enter the other 85 country
| rankings in the same way.
|
| That difference prompted the item on France's status to display N/A, or
| not available, on S&P's Global Credit Portal page when it went live
| Thursday, which triggered its system to interpret the change as a
| downgrade.
Lauren Weinstein's Blog Update: Congress Declares War on the Global Internet - Internet Replies "Bring It On!", 16 Nov 2011
http://lauren.vortex.com/archive/000912.html

In my previous posting, The Coming Fascist Internet, I explained how government moves to control and censor the Internet, including hypocritically by the U.S., are pointing to an Internet future that can quite reasonably be equated with fascism. Strong words I know, but unfortunately true ones. If you needed more proof, you only needed to observe today's Congressional hearing on SOPA (Stop Online Piracy Act), which was much more akin to a lynch mob, or a scene from a dictator's kangaroo court, than an honest attempt to explore the issues. The hearing was stacked with SOPA proponents whose goal is simple: get the entire Internet around the world under the boot of U.S.-ordered censorship and total control. The only real anti-SOPA witness the House Judiciary Committee permitted was Katherine Oyama of Google, and the Committee overall treated her with the kind of unfairness and contempt ( http://arstechnica.com/tech-policy/news/2011/11/at-web-censorship-hearing-congress-guns-for-pro-pirate-google.ars ) that make everyday bullies and criminals look like rank amateurs. It was a disgusting display by Congress, and a clear signal of how our leaders (from both parties) are hellbent on destroying Internet freedoms as we know them today.

If this all weren't so deadly serious, there would almost be comical aspects. The MPAA, faced with complaints that SOPA (and the similar legislation on the Senate side, PIPA [PROTECT IP]) would break DNSSEC, merrily suggested that it simply should be rewritten so that government censorship orders could be easily implemented. That the MPAA would make asinine comments like that is actually easy to understand. After all, they view the entire world as simply a film script to be sent out for rewrites on demand. And since their real goal (along with various of their brethren) is to rewrite technology to protect their traditional profit centers, civil rights be damned, we should not be surprised when they treat the entire planet like extras to be ordered around like slaves.

So Congress wants to declare War. Judging from my email, the Internet is champing at the bit for battle. I have never before seen such a flood of messages ranging from "I'm terrified for our future" to "What can we do?" to "Here are my ideas for fighting back." It's certain that this war could bring with it many casualties. Network fragmentation in various forms is an obvious example, since the rest of the world seems unwilling (surprise!) to allow the U.S. to keep dictating Internet policy forever, especially when the U.S. wants to use its skewed control over the DNS (Domain Name System) as a judge, jury, and executioner baton to beat other countries' sensibilities to a pulp. All manner of "workarounds" to such censorship are being proposed, many extremely intriguing, most of which would actually be illicit under the anti-circumvention provisions of SOPA. There's been a massive increase in queries regarding my proposed distributed Internet naming system IDONS ( http://lauren.vortex.com/archive/000787.html ), but this is a long-term proposal, not a weapon for the immediate battles at hand.

Still, it is apparent that if Congress proceeds along their current path of trying to dictatorially censor sites, search engines, and other aspects of Internet operations, they will be setting loose the technological dogs of war in ways that are beyond the scope of their darkest nightmares, and that make "Anonymous" and the "Occupy" movement look like fleas on an elephant by comparison. That isn't a threat. It's a prediction.

It's a prediction made with the hope (though admittedly not the expectation) that Congress will step back from the precipice that leads to the destruction of the Internet in the form that has brought freedom of communication to the world, to a degree and in manners never before imagined. Congress' approach to dealing with the issues of piracy is to figuratively use hydrogen bombs as a palliative measure: cities reduced to rubble won't have much of a piracy problem. But in the real world of the Net, the technological means to fight such a war are remarkably well distributed among Internet users at large. It seems as if the Congressional push for SOPA/PIPA reveals an utter cluelessness by Congress regarding what is actually about to be unleashed. If Congress really wants to go to war against the Internet, they'll have their war. But it will be like nothing the world has ever seen before. You can count on it.
Michael Lee, ZDNet.com.au, 17 Nov 2011
http://www.zdnet.com.au/wealthy-staff-not-hackers-often-thieves-339326370.htm
[Item thanks to Jeremy Epstein. PGN]

Companies are being duped more by their own employees than by external hackers when it comes to cyber fraud, according to KPMG Forensic associate director Stan Gallo, and those employees are often high earners. Gallo presented his talk on corporate identity theft and fraud at Attachmate Group's A Powerful Connection 2011 event today in Sydney, revealing that the typical fraudster isn't your average, scruffy-looking bedroom hacker, but more likely an insider within the corporation. In 65 per cent of all fraud cases, insiders tap into an organisation's IT systems, secretly siphoning off money from the company, or selling intellectual property.

One example that Gallo provided was a mother who helped herself to $1.2 million on top of her $40,000 salary by gaming the company's invoicing system. Working in the accounts-payable department of the company, she noticed that payment details were being stored on a shared network drive. After editing the file to fill her own account, she would wait until repeat invoices would be issued, and then abuse her position to approve the payment, hiding it among the other several thousand payments that the company made to cover her tracks.

Although the average amount stolen in Australia was $229,000 per incident, Gallo said that women tended to steal much more than men. Yet, in general, the thefts were more likely to have been perpetrated by a man. [...]
Pete Disdale <risks@papadelta.co.uk> writes:

> I ... find this astonishing. I had always believed that flight deck controls (knobs, levers etc.) were required to be "different" - i.e. different colours, shapes - in order to avoid or minimise any confusion by the pilot.

In fact, the two knobs are distinctly different in size and shape. You can see a photo at http://www.tinyurl.com/humanfactorsblog . The flightdeck illustrated has the two controls adjacent. I believe that on the ANA control pedestal the knobs are slightly further apart, but still pretty close. The pilot has to reach behind him to access the control; it's effectively out of his line of sight. Distinguishing the control is probably done by feel most of the time. Incident waiting to happen really.

As has been pointed out, the cabin door lock may be a retrofit or post-original design. It would have been better to use a different 'affordance' for the door lock and also to make the rudder control something like a 'push and twist'. Ahh, the benefit of hindsight.

Tony Atkinson, Process Safety Consultant (Human Factors)
It seems to me there are some competing interests here. Just to focus on the intellectual property issue, I note two clauses in the Universal Declaration of Human Rights (http://www.un.org/en/documents/udhr/):

Article 19: Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

Article 27(2): Everyone has the right to the protection of the moral and material interests resulting from any scientific, literary or artistic production of which he is the author.

Does Article 19 give one the right to receive and impart someone else's scientific, literary or artistic productions without regard to the author's moral and material interests? That seems to be what Lauren is advocating. I'm not so sure. And if governments and other entities that operate the communications media are not to provide the protection to which authors of bit-based products are entitled under 27(2), then who is?

How about Article 29(2)?: In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.

Ah. There are legitimate reasons for passing laws to limit certain rights in order to protect other rights. We can debate the extent of those limitations, but not that some limitations are, in fact, necessary.

Mike Smith, CISSP, Senior IT Security Engineer, AEPOS Technologies Corporation (613) 237-3022 www.aepos.com
[(Smørgrav, RISKS-26.61)]
> replacing text buttons with non-obvious icons

Every day, all over the Internet, like some kind of game. Fortunately, being a computer wiz, I can look into the HTML source of such web pages to find what the names of the icons being used are, e.g., YES.gif, NO.gif. Wouldn't want to click on Mr. WRONG.