Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
"Drone aircraft, best known for their role in hunting and destroying
terrorist hideouts in Afghanistan and Pakistan, may be coming soon to the
skies near you. Police agencies want drones for air support to find runaway
criminals. Utility companies expect they can help monitor oil, gas and water
pipelines. Farmers believe drones could aid in spraying crops with
pesticides. 'It's going to happen,' said Dan Elwell, vice president of civil
aviation at the Aerospace Industries Association. 'Now it's about figuring
out how to safely assimilate the technology into national airspace.' That's
the job of the Federal Aviation Administration, which plans to propose new
rules for using small drones in January, a first step toward integrating
robotic aircraft into the nation's skyways." [Source: W.J. Hennigan,
*Seattle Times*, 29 Nov 2011]
http://seattletimes.nwsource.com/html/nationworld/2016882681_drones29.html
[Misappropriating Vint Cerf's famous statement on the Internet,
“Drones are for everyone?'' PGN]
Heard on Blacksburg Transit on the way to work yesterday: "Damn you, Angry Birds. I just missed my stop."
"Even though Mimlitz's username was connected to the Russian IP address in the SCADA log, no one from the fusion center bothered to call him to ask if he had logged in to the system from Russia. Instead, the center released a report on Nov. 10 titled "Public Water District Cyber Intrusion" that connected the broken water pump to the Russian log-in five months earlier, inexplicably stating that the intruder from Russia had turned the SCADA system on and off, causing the pump to burn out. "And at that point all hell broke loose," Craven said." [Source: Kim Zetter, *WiReD*] http://j.mp/rvWnEC "Oh Boy! We get to announce a Foreign CYBER-ATTACK! Maybe Terrorists conducting a dry run on a small water system!—That's what the "experts" will say on TV! Don't bother with the reality checks, that could spoil all the fun!"
*The Register*: http://www.theregister.co.uk/2011/12/03/gchq_code_crack_compo_snafu/ I was going to make a 'crack' about security through obscurity, but I'm not sure that this even rises to that level! [Robert, You are a real firecracker! PGN]
In the past, securing SSH on the public Internet has been pretty much as easy as (a) keep your OS patched, (b) don't let root log in with a password, and (c) run fail2ban to stop brute-force attacks. Unfortunately, it looks like the bad guys have finally figured out how to put their bots to work running distributed SSH brute-force attacks. If so, then fail2ban is no longer going to be good enough, and more sophisticated (and inconvenient) measures are going to be needed. Prior to 1 Dec, the five machines I maintain with SSH servers accessible to the public have been probed by an average of 13 different IP addresses per day. On 1 Dec, they were probed by 109 different IP addresses, a 738% increase over the prior average. On 2 and 3 Dec, they were probed by 79 and 72 different IP addresses. Not as high as the first day, but still quite a jump! I saw this increase across the board on five different machines on four distinct networks run by four different network service providers. I've been in correspondence with someone at the SANS Internet Storm Center who says he's seen a similar spike on machines he maintains. It seems clear to me that someone is engaging in a distributed brute-force attack trying to break into servers as root via ssh. Since this particular attack is targeted at the root user, you're safe for the time being as long as you don't allow root to log in with a password. But it's only a matter of time before they start attempting distributed brute-force attacks of non-root accounts. When that happens, blocking individual IP addresses with a series of failed login attempts is no longer going to be sufficient. If you maintain a server whose SSH port is open to the public, please let me know the details if you're seeing a similar attack on your server (you can post a comment on my blog <http://blog.kamens.us/2011/12/04/ongoing-large-scale-distributed-ssh-brute-force-attack/> or email me <mailto:jik@kamens.us>. In case it is useful, here <http://stuff.mit.edu/%7Ejik/software/ssh-logs.pl.txt> is the script I have been using to collect and display data from the machines I maintain.
Joan Goodchild, CSO Online, 1 Dec 2011 A team of researchers has uncovered an issue that imperils Skype users' privacy by putting their location and identity up for grabs Researchers have found a flaw in Skype that can expose your location, identity and the content you're downloading. Microsoft, which owns Skype, says they are working on the problem. The issue was uncovered earlier this year by a team of researchers from Polytechnic Institute of New York University (NYU-Poly), MPI-SWS in Germany and INRIA in France and included Keith Ross, Stevens Le Blond, Chao Zhang, Arnaud Legout, and Walid Dabbous. The team presented the research in Berlin recently at the Internet Measurement Conference 2011 in a paper titled "I know where you are and what you are sharing." The researchers found several properties of Skype that can track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user's consent. ... http://www.csoonline.com/article/695631/skype-flaw-reveals-users-location-file-downloading-habits - - - - Somini Sengupta, Skype Can Expose Your Location, Researchers Say, *The New York Times* blogs, 29 Nov 2011 http://bits.blogs.nytimes.com/2011/11/29/skype-can-expose-your-location-researchers-say/ Remember when a prankster could make himself a general nuisance by calling your home phone and quickly hanging up? The equivalent of a prank call on Skype, the popular voice-over-Internet-Protocol service, can be much more than a nuisance. If you are logged in to Skype, a prankster - or thief or spy - can effectively track where you are and in some circumstances, what you do and even what you download, according to an experiment led by Keith Ross, a computer science professor at the Polytechnic Institute of New York University in Brooklyn. Mr. Ross, along with his collaborators at the French computer research institute, Inria, followed 10,000 randomly selected Skype users over 16 days. ...
Woody Leonhard | InfoWorld, 29 Nov 2011 Flaw in HP's printer firmware update procedures could expose your company's printers to hackers. Here are the steps you should take to protect them http://www.infoworld.com/t/hacking/security-researchers-say-hp-printers-vulnerable-hackers-180253 selected text: MSNBC released an "exclusive" report quoting two Columbia University researchers as saying that millions of HP printers are open to potentially devastating online hacks. While the security holes appear to be very real, there's a great deal of question about whether the attacks could ever be implemented in a real-world situation—and there are steps you can take at your corporate firewall right now to mitigate the threat. The fundamental problem stems from the way HP printers validate firmware updates prior to applying them. Or more accurately, the way HP printers don't bother to validate firmware updates prior to applying them. The demo referenced in the MSNBC report involved an HP printer's fuser. The altered firmware turned the fuser on and left it on, browning the paper and throwing off smoke, before the printer's thermal interrupt kicked in.
researchers claim (Jon Brodkin) Jon Brodkin, Ars Technica Security researchers at Columbia University have accused HP of selling printers with a flaw that could let hackers gain remote control over the devices. Once compromised, the access can be used to steal personal information, attack networks, and even set printers on fire by feeding them a continuous stream of instructions designed to heat them up. The researchers, funded by government and industry grants, reported the flaw to federal officials and HP this month, and gave a demonstration to MSNBC, which has an extensive article on the subject today. HP told MSNBC that it is reviewing the details, but denied that the problem is as extensive as claimed by Columbia PhD student Ang Cui and Professor Salvatore Stolfo. ... http://arstechnica.com/business/news/2011/11/hp-printers-can-be-remotely-controlled-and-set-on-fire-researchers-claim.ars
My daughter sent me the following note: There's some discussion on the cycling list I'm on about whether bike thieves are looking at Strava, a site that lets people compare routes they've ridden, to target nice bikes. Apparently, people's profiles show the bikes they've ridden on which rides, and given the ride data, you can make a pretty good guess about where their bikes are stored... There's no hard evidence that this is the thieves' MO, but a lot of people are speculating and wondering. Steve Bellovin, https://www.cs.columbia.edu/~smb
Jenny Anderson and Peter Applebome, *The New York Times*, 2 Dec 2011 http://www.nytimes.com/2011/12/02/education/on-long-island-sat-cheating-was-hardly-a-secret.html The suspected test takers came from prominent, respected families, some of them in financial distress - among the five facing felony charges were the sons of a well-known lawyer, the president of the local library board and a wealthy philanthropic family. The youths who are accused of paying them as much as $3,600 to take SAT and ACT tests were largely undistinguished students willing to cut corners to strengthen their modest sums. The combination yielded one of the most conspicuous cheating scandals in memory, a telling reflection on the college admissions rat race - and, perhaps, contemporary ethics more broadly. According to prosecutors, principals, parents and teenagers here on Long Island's Gold Coast, it was common knowledge at some of the nation's most prestigious high schools that if you had the money, you could find someone with a sharper vocabulary and a surer grasp of geometry to fill in the blanks for you. ...
[From Dave Farber's IP] It is being announced that the iTunes software you probably have on your computer has a purposely built-in back door that allows governments to surreptitiously log into your computer and prowl around through your personal data and files. And of course, virtually everyone allows iTunes to go through firewalls and other security protections that would otherwise prevent malicious intrusion. (This web page is in French, if you're using Google Chrome and don't understand French, I suggest you use the Google Chrome translation feature.) http://www.nikopik.com/2011/12/itunes-un-cheval-de-troie-a-la-solde-des-gouvernements.html Gordon Peterson II http://personal.terabites.com
Download the wrong app to your Android phone, and you may end up with ads on your home screen or notification bar. We'll tell you who's behind the annoyance and how to get the ads off your phone. Tom Spring, 4 Dec 2011 Are you wondering how that mysterious icon ended up on your Android phone's start screen? Annoyed at the ads clogging your notification bar? You aren't alone. Thousands of Android apps now include software that shoves marketing icons onto your phone's start screen or pushes advertising into your notification bar--and many of the apps give you no warning about the ad invasion. Many of these ads come from mobile marketing firms such as AirPush, Appenda, LeadBolt, Moolah Media, and StartApp. The companies work with app developers hungry for some way to make money from their smartphone software. By bundling their adware into popular Android programs, these marketing companies say they are now pushing ads to millions of new smartphones each week. Smartphone users generally hate the swarm of marketing on their touchscreens, but the approach is growing fast. One of the companies, AirPush, says 800,000 people a day download an Android app with its adware inside--up from 250,000 just three months ago. It may be next to impossible to completely avoid this kind of advertising on your phone. I looked at dozens of apps that contain ad software and found that few of them disclose that they contain adware. But there are ways to get the ads off your phone, as we'll see below. ... http://www.pcworld.com/article/245305/sneaky_mobile_ads_invade_android_phones.html
Robert X. Cringely, *InfoWorld*, 30 Nov 2011 Can someone legally record almost everything you do on your phone without telling you? Yes. Meet Carrier IQ, whose software is installed on nearly 142 million handsets http://www.infoworld.com/t/cringely/carrier-iq-spying-your-cellphone-180425
"Carrier IQ (CIQ) sells rootkit software included on many US handsets sold on Sprint, Verizon and more. Devices supported include android phones, Blackberries, Nokias, Tablet devices and more ... Carrier IQ is able to query any metric from a device. A metric can be a dropped call because of lack of service. The scope of the word metric is very broad though, including device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user's pressing of keys on the device, usage history of the device, including those that characterize a user's interaction with a device." http://j.mp/vCyUA1 (Android Security Test) [NNSquad]
[From Dave Farber's IP] On the other hand, Carrier IQ may *not* have violated wiretap law in millions of cases. Dan Rosenberg said that he has reverse-engineered Carrier IQ and found "no evidence that they are collecting anything more than what they've publicly claimed: anonymized metrics data." He found "no code in CarrierIQ that actually records keystrokes for data collection purposes." See: http://pastebin.com/aiYNmYVz John Graham-Cumming also is unconvinced: "If you watch the 'security researcher's' video you'll find that nowhere does he make the claim that content that the application sees is leaving the device... At no point does he enter a debugger and look inside the CarrierIQ application, and at no point does he run a network sniffer and look at what data is being transmitted to CarrierIQ." http://blog.jgc.org/2011/11/getting-little-tired-of-security.html Sprint said today that "we do not and cannot look at the contents of messages, photos, videos, etc., using this tool," which is a pretty broad denial: http://news.cnet.com/8301-31921_3-57335110-281 I hope that IPers remember the panic earlier this year when Samsung was falsely accused of installing key loggers on laptops. Network World, which ran the article, ended up deleting it and saying, in a lovely passive voice, that "an apology has been issued": http://news.cnet.com/8301-31921_3-20049259-281.html If Carrier IQ is transmitting keystrokes or the contents of communications, I'll be the first to call them on it. But, as far as I know after watching the video, nobody has demonstrated that's what the software actually does.
Galen Gruman, *InfoWorld*, 2 Dec 2011 Users are regularly signing up for Big Brother-like tech that could result in the loss of insurance coverage or worse http://www.infoworld.com/t/internet-privacy/carrier-iq-and-facebook-pose-the-least-your-privacy-threats-180619 selected text: But the worst risk is what people aren't talking about: Big Brother-type technology used to monitor specific individuals and shape their behavior through penalties and rewards. If the government were doing this, we'd have people in the streets, but in the hands of private companies, these seductive methods convince people to naively agree to being controlled. Take, for example, Progressive Insurance's program of offering tracking devices to monitor how you drive. If you drive safely, as determined by Progressive, you get an discount. If you're determined to be unsafe, you pay the "normal" rate. Given insurance companies' business model—pay out as little as possible, take in as much as possible—the long-term result is obvious: "Unsafe" drivers will pay more, or they won't be eligible for insurance. It's not just Progressive. There's been a lot of excitement in the health care industry over monitoring devices that can make sure people are taking their medication, eating right, and even exercising. If you do what you're supposed to, you may get a discount, such as on medical insurance, a measure now being considered for employer-sponsored plans. If you don't, you may get nagged, pay more, or be denied coverage. The Orwellian name for such control approaches is "wellness incentives." Here is what one poster had to say about the medical monitoring. That last paragraph is particularly nasty: unbound55: A very good article pointing out activities that are already occurring that will impact people's lives far more than they think. My company has been on the leading edge of the health care tracking that is mentioned in this article. Already offering incentives for providing additional health information, they are now offering incentives for providing detailed health information such as height, weight, cholesterol, etc. The plan has already been announced that in another year that information will be provided to some kind of CSR that will make sure that your numbers either improve, or that you are actively working on improving your numbers...or you lose access to the premium insurance. It is only a half-step further to lose access to all insurance altogether by participating in the program. Unfortunately, most people do not understand the very real problem being started here. They likely will not understand it until they get bit by it. All they see is the discounts being offered. As someone who spent 9 years trying to get doctors to understand that I actually was exercising very well and ate correctly culminating in the discovery of Conn's Syndrome (the actual root cause of my very high hypertension), I shudder to think how I would have to deal with that with some under-educated CSR who would simply report that I clearly was lying about something.
doesn't anymore (NNSquad) > AT&T, Sprint, T-Mobile admit to using Carrier IQ; Apple says it > doesn't anymore + my comments > http://j.mp/rPycF6 (This message on Google+) - - - > http://j.mp/vVRV3J (Fierce Mobile) > "The controversy over Carrier IQ illegally tracking cell phone users' > activities continues. AT&T Mobility (NYSE:T), Sprint Nextel (NYSE:S) and > T-Mobile USA have come forward, admitting to using Carrier IQ software, > albeit allegedly only to improve their network performance. On the other > end of the spectrum, Apple said it stopped using Carrier IQ's platform in > the latest version of its operating system, iOS 5." As I noted originally, it seems unwise to "pile on" in this situation, given that the facts are not entirely clear. In particular, it apparently has not yet been demonstrated that CIQ is actually *transmitting* specific user data that would be trigger wiretap laws, irrespective of ephemeral data collection on the device to gather service and use statistics that are being sent. My gut feeling is that in this case there may be parties opportunistically attacking ahead of the facts, and that it is quite possible that the failures in this situation are mainly ones of transparency, disclosure, and user control, rather than the much more serious issues of "wiretapping" per se. We shall see.
What other industry would get away with selling a product that isn't fit for purpose, and then blaming the customers for failing to be quick enough to carry out repairs? The vendors should be liable for the consequences of their incompetence and lack of professionalism. Let's stop blaming the customers.
I'll admit that I took the comment on complexity out of context but the larger context actually reinforces my point. The more constraints you put on a system the less likely you'll satisfy them so there is inherent complexity in the sense that the odds of finding an effective solution are significantly reduced. This is why we need to understand a fundamentally different dynamic based on discovery or opportunity. You have a solution and then find out what problems it solves. Once you look around you'll find that is the norm not the exception. We use USB for power because creating a standard with new requirements would've been too difficult. We may lament Facebook's security model but use it because we find value and deal with the trust problems, even if we don't do it very well. We can't really articulate what we mean by "trust" anyway and certainly not as a spec. Perhaps the most Internet-relevant example is defining "quality" outside the network rather than in the network. Thus instead of having to have a perfect network we get the kind of quality we want by choosing our own polices such as better never than late or vice versa. This is why the Internet is so many orders of magnitude less expensive than the traditional phone networks. In fact I argue that tolerance is the key to Moore's law as I wrote in http://rmf.vc/BeyondLimits.
Please report problems with the web pages to the maintainer