"High voltage" signs next to Verizon cable conduits were a bluff to keep homeless people away. They did not work. Instead they kept firefighters from extinguishing a mattress fire. Regional phone and Internet service went out as the cables melted. <http://www.eagletribune.com/latestnews/x550073983/Something-that-valuable-has-to-be-secured>
RCN was still out an hour ago (last time I was able to check). They're now talking about a midnight restoration. That would be over thirty hours. So this is tens of thousands of customers losing their access. Oh, and includes plenty of servers, too. Maybe hundreds of thousands.. A "fiber cut" has crippled RCN's service in the greater NYC area since Weds. evening. This kills their phone, tv, and Internet users... One of their reps posted [a]: They are still working on the Fiber cut at this time, so services are still affected. We have crews in the field working diligently to restore services. Jason Nealis, V.P. Engineering and Operations
Today GAO issued a set of recommendations to improve the information security of certain medical devices. http://www.gao.gov/assets/650/647767.pdf Three lawmakers who requested the GAO review issued the following responses: http://markey.house.gov/sites/markey.house.gov/files/GAO_MedicalImplants.pdf http://markey.house.gov/press-release/markey-edwards-eshoo-hacking-threats-implantable-medical-devices-call-improved-fda Kevin Fu, Associate Professor, UMass Amherst Computer Science http://spqr.cs.umass.edu/ N.B.: My lab moves to Michigan on January 1.
"In fact, the researchers said that within a year of these events, an average of 11 percent of the material that was linked to had disappeared completely (and another 20 percent had been archived), and after two-and-a-half years, close to 30 percent had been lost altogether and 41 percent had been archived. Based on this rate of information decay, the authors predicted that more than 10 percent of the information about a major news event will likely be gone within a year, and the remainder will continue to vanish at the rate of .02 percent per day." http://j.mp/SgjSvu (Gigaom via NNSquad)
James Dao, 22 Sep 2012 PHILADELPHIA - In July 2010, a Department of Veterans Affairs employee named Kristen Ruell was updating a benefit claim when she noticed something odd. What should have been an increase of about $2,000 in a monthly payment to the widow of a veteran showed up on her computer screen as $21,000. Puzzled, she set the claim aside and began digging into computer files for an answer. What she found surprised and worried her: the department's database contained duplicate records for the widow, and the system was trying to pay her twice. It was also recommending a retroactive payment dating back months - though the widow had already been paid for that period. After seeing the same problem in other claims, Ms. Ruell, who works on a quality review team at a veterans pension management center in Philadelphia, says she raised red flags with her bosses. If she, one of scores of payment authorizers nationwide, was just noticing the duplicate payments, was it not likely that the department had inadvertently overpaid many other people for years? Two years later, that concern has not been resolved, Ms. Ruell and several other pension management workers say. ... http://www.nytimes.com/2012/09/23/us/duplicate-payments-bedevil-va-pension-system-workers-say.html
The Joint Typhoon Warning Center (JTWC) is the U.S. Department of Defense agency responsible for issuing tropical cyclone warnings for the Pacific and Indian Oceans. It is blocked for non US users, for National Security Reasons. What will they think of next. [...]
Since January, New Jersey banned smiling for driver's license photographs because it can't be handled by new facial recognition software. http://articles.philly.com/2012-09-21/news/33978387_1_smile-motor-vehicle-commission-facial-expressions What good is facial recognition software that can be defeated by a smile? If I see someone with a forced smile at an airport, does that mean they're likely to be a terrorist?
David Goldman, @CNNMoneyTech, 28 Sep 2012, The Cybercrime Economy http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html
[From Dave Farber's IP] Even if you think you know this stuff cold, Bloomberg, 27 Sep 2012, http://www.bgov.com/news_item/mqZezAeKXUSylBI8GncG_Q Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. and Wells Fargo & Co., have breached some of the nation's most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults. The attack, which a U.S. official yesterday said was waged by a still-unidentified group outside the country, flooded bank websites with traffic, rendering them unavailable to consumers and disrupting transactions for hours at a time. Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn't authorized to speak publicly. The extent of the damage may not be known for weeks or months, said the official, who has access to classified information. ... "The nature of this attack is sophisticated enough or large enough that even the largest of the financial institutions would find it difficult to defend against," Rodney Joffe, senior vice president at Sterling, Virginia-based security firm Neustar Inc. said in a phone interview. While the group is using a method known as distributed denial-of-service, or DDoS, to overwhelm financial-industry websites with traffic from hijacked computers, the attacks have taken control of commercial servers that have much more power, according to the specialists. "The notable thing is the volume and the scale of the traffic that's been directed at these sites, and that's very rare," Dmitri Alperovitch, co-founder and chief technology officer of Palo Alto, California-based security firm CrowdStrike Inc., said in a phone interview.
[FTC press release] FTC Halts Computer Spying Secretly Installed Software on Rented Computers Collected Information, Took Pictures of Consumers in Their Homes, Tracked Consumers' Locations Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers. ... user names and passwords for e-mail accounts, social media websites, and financial institutions; Social Security numbers; medical records; private e-mails to doctors; bank and credit card statements; and webcam pictures of children, partially undressed individuals, and intimate activities at home, according to the FTC. rest: http://www.ftc.gov/opa/2012/09/designware.shtm
http://bits.blogs.nytimes.com/2012/09/26/rented-computers-captured-customers-having-sex-f-t-c-says/?nl=todaysheadlines&emc=tha26_20120927 Nick Bilton, *The New York Times*, Sep 26 2012 Rented Computers Captured Customers Having Sex, F.T.C. Says If you rented a computer, you probably should not have been blogging without your shirt on. On Tuesday, seven computer rental companies agreed to a settlement with the federal government after it was discovered that they were unlawfully capturing photos of customers by using illicit software that controlled a computer's webcam. ... The webcam software, called PC Rental Agent, had been installed on approximately 420,000 computers worldwide, according to the F.T.C., and as of August 2011 it was being used by approximately 1,617 rent-to-own stores in the United States, Canada and Australia. [Article Copyright 2012 *The New York Times*, Excerpted for RISKS. PGN]
Symform is offering cloud storage services on the front end, but instead of operating their own cloud on the back end, they store data in unused space on other customer's drives. http://siliconangle.com/blog/2012/09/14/symform-brings-bartering-to-the-cloud/ It seems to me this is a step beyond traditional cloud computing (if something as new as cloud computing can be said to have anything "traditional"). Not only is my data trusted to another party, they in turn are trusting it to unknown (to me) third parties. I can see the argument that encryption and redundancy might make this as secure and reliable as any other cloud services, and perhaps even more so because there's no datacenter to flood or catch fire. But it still seems weird to me, like going to the hospital and finding out my surgery will be performed remotely by a doctor in Bangladesh.
http://www.theverge.com/2012/9/26/3412432/samsung-touchwiz-remote-wipe-vulnerability-android-dialer The article points to a web page which uses tel:*%2306%23 to display the IME number! Just click on the tel: URL in this message on affected phones. Put that through your firewall and see how futile primitive security is.
Kim Zetter, *WiReD*, 27 Sep 2012 The ongoing security saga involving digital certificates got a new and disturbing wrinkle on Thursday when software giant Adobe announced that attackers breached its code-signing system and used it to sign their malware with a valid digital certificate from Adobe. Adobe said the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company's code-signing system. Adobe said it was revoking the certificate and planned to issue new certificates for legitimate Adobe products that were also signed with the same certificate, wrote Brad Arkin, senior director of product security and privacy for Adobe, in a blog post. ... http://www.wired.com/threatlevel/2012/09/adobe-digital-cert-hacked/ Inappropriate Use of Adobe Code Signing Certificate http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html
Gregg Keizer, *Computerworld*, 10 Sep 2012 Baked-in Flash Player in Windows 8's IE10 won't be updated until late October, says Microsoft http://www.infoworld.com/d/security/adobe-confirms-windows-8-users-vulnerable-active-flash-exploits-201941
Dan Goodin, Ars Technica, 17 Sep 2012 The Romanians admitted their role in ring that compromised some 146,000 cards. Two Romanian men have admitted to participating in an international conspiracy that hacked into credit-card payment terminals at more than 150 Subway restaurant franchises and stole data for more than 146,000 accounts. The heist, which spanned the years 2009 to 2011, racked up more than $10 million in losses, federal prosecutors said. http://arstechnica.com/security/2012/09/romanians-cop-to-10-million-hacking-spree/
A customer who cracked his password shows just how easy account takeovers are. Dan Goodin, Ars Technica, 18 Sep 2012 http://arstechnica.com/security/2012/09/virgin-mobile-password-crack-risk/
"A weakness in an Oracle login system - used in the company's databases which grant access to sensitive information - makes it trivial for attackers to crack user passwords and gain entry without authorization, a researcher has warned." http://j.mp/PMr1Q3 (ars technica via NNSquad) [See also Oracle database flaw deemed serious, could expose data, noted by Gene Wirchenko. PGN] http://www.infoworld.com/d/security/oracle-database-flaw-deemed-serious-could-expose-data-203001
http://www.telegraph.co.uk/technology/samsung/9565395/Hidden-web-code-means-hackers-can-wipe-Samsung-Galaxy-S3.html Malicious hackers can hide a code in a web page that will trigger a full factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting contacts, photographs, music, apps and other valuable data, security researchers have discovered.
http://arstechnica.com/security/2012/09/secret-microsoft-policy-limited-hotmail-passwords-to-16-characters/ Ars Technica reports that Costin Raiu from Kaspersky Lab noticed that Hotmail no longer accepts passwords longer than 16 characters, and quotes him as saying "To pull off this trick [of allowing login with only the first 16 characters of the password] with older passwords, Microsoft has two choices. [Either] store full plaintext passwords in their [database]; compare the first 16 [characters] only [or] Calculate the hash only on the first 16; ignore the rest." He then goes on to comment that he isn't sure which option is worse. The article then goes on to note that Hotmail's limit is shorter than other services, and quotes a Microsoft spokesperson as saying that the rule has always been there, and silently enforced - only now it gives a message if you try to type more than 16 characters. Microsoft also noted that length isn't the key thing, it's uniqueness. Further, the Microsoft spokesperson notes that "we've found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords." Of all people, a technical expert like Raiu should understand this last point - if he's relying on Hotmail to protect his information by virtue of a long password, he's putting his faith in the wrong place. Even if he's protected against client-side threats suggested by Microsoft, there's still attacks against the Hotmail servers, not to mention insider attacks. Many years ago, Sami Saydjari used the analogy of security as a picket fence, where security techniques can raise & lower pickets (or create additional fences to be scaled). 16 character passwords are already a reasonably high picket, when compared to the other pickets in our security infrastructure. 
As security experts, we have a moral obligation to raise the low pickets, and not spend our time complaining about the high pickets, especially in ways that are likely to unreasonably stoke public fears about the wrong problems.
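The second option Raiu describes (hashing only the first 16 characters) can be shown next to full-length hashing. This is an added example, not code from the article or from Microsoft; the PBKDF2 parameters, function names and sample passphrase are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16         # the 16-character limit reported in the article
ITERATIONS = 20_000  # assumed PBKDF2 work factor, kept low so the demo runs quickly

# Constructed sample passphrase, 28 characters long.
PASSPHRASE = "correct horse battery staple"


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the given string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, truncate: bool) -> tuple[bytes, bytes]:
    """Create the stored record (salt, digest) for a new password."""
    salt = os.urandom(16)
    material = password[:MAX_LEN] if truncate else password
    return salt, _derive(material, salt)


def verify(candidate: str, record: tuple[bytes, bytes], truncate: bool) -> bool:
    """Check a login attempt against the stored record in constant time."""
    salt, digest = record
    material = candidate[:MAX_LEN] if truncate else candidate
    return hmac.compare_digest(_derive(material, salt), digest)


def effective_length(password: str, record: tuple[bytes, bytes], truncate: bool) -> int:
    """Length of the shortest prefix of `password` that still logs in."""
    for n in range(1, len(password) + 1):
        if verify(password[:n], record, truncate):
            return n
    return -1


if __name__ == "__main__":
    truncated = enroll(PASSPHRASE, truncate=True)
    full = enroll(PASSPHRASE, truncate=False)
    # Everything after character 16 is ignored by the truncating scheme.
    print("truncating scheme accepts a different tail:",
          verify(PASSPHRASE[:MAX_LEN] + "-something-else", truncated, True))
    # A record hashed over the full passphrase rejects the 16-character prefix.
    print("full-length scheme accepts the prefix:",
          verify(PASSPHRASE[:MAX_LEN], full, False))
    print("characters that count (truncating):",
          effective_length(PASSPHRASE, truncated, True))
    print("characters that count (full):",
          effective_length(PASSPHRASE, full, False))
```

A record hashed over the whole passphrase rejects the 16-character prefix, which is why accepting truncated logins for older passwords leaves only the two choices quoted above.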
Brian Jackson, *IT Business*, 7 Sep 2012 http://www.itbusiness.ca/it/client/en/Home/News.asp?id=68759 In a decision made today, the CRTC says that a home phone line associated with a business can receive telemarketing calls even if it's on the DNCL and the calls are for consumer services.
The most dangerous spam... I got two different variants of this (appended below) about half an hour apart last night, both mentioning NY state (which is the state I vote from), and had to think for a minute before saying, no, spam.

I don't *think* it's a genuine effort to game the election by deterring voters like the more traditional tactics of phone-calling and leaflets (advertising, for example, that Democrats vote on Monday and Republicans on Tuesday or vice-versa, or some other misinformation that leads a whole class of voters to disqualify themselves). I think it's just ordinary, but very clever and very dangerous, spam.

I sent a copy of the earlier message to Rebecca Mercuri as a curiosity, and she took the trouble to dig through the pages at the link given; she notes they ask for a *ton* of information - driver's license number, SSN, etc. - but also that the quality of the spam breaks down with errors such as mentioning Alabama on the NY State pages.

I am in fact an overseas voter from NY state. The giveaways are:

- overseas voters do not deal with the NY State Board of Elections but with the Board of Elections in the last county they lived in.
- I have always been sent paper registration forms, primary ballots, and election ballots. I've had no information that the BoE I deal with is changing that.
- There is nothing on my county's BoE Web site to indicate that they are shifting to electronic ballots for overseas voters.
- I don't recall ever having given my BoE my e-mail address. If I ever do, it seems clear that it should be one that is unique, used for no other purpose, and not published.

Nonetheless, this is a very cleverly timed spam that could easily lead some people to panic. I'd like it publicized as widely as possible.
wg

-------- Original Message --------
Subject: Electronic Ballot Access for Military/Overseas Voters
Date: Sat, 22 Sep 2012 02:23:27 +0100
From: NYsupport@secureballotusa.com
To: <my correct e-mail address>

Dear Voter,

An electronic ballot has been made available to you for the GE 11/6/12 (Federal) by your local County Board of Elections. Please access www.secureballotusa.com/NY to download your ballot. Due to recent upgrades, all voters will need to go through the "First Time Access" process on the site in order to gain access to the electronic ballot delivery system.

- - - - -

Important information for members of the Uniformed Services or Merchant Marine on active duty, their spouses and/or dependents: Please be aware that this is the first of two ballots you will be given access to. This ballot will list only Federal contests (President/Vice President, U.S. Senate and Congressional offices). The second ballot, to be made available the first week in October, will list State contests for Supreme Court Justice, State Senate, State Assembly and any local contests (county/town/village). More detailed information on this has been included inside the downloadable file containing your ballot.

-------- Original Message --------
Subject: Your Ballot is Now Available
Date: 22 Sep 2012 00:07:11 -0400
From: NYS Board of Elections <Move@elections.ny.gov>
Reply-To: MOVE@elections.ny.gov
To: <my correct e-mail address>

Dear Voter,

An electronic ballot has been made available to you for the November 6, 2012 General Election. Please access https://www.secureballotusa.com/NY to download your ballot. Due to recent upgrades, all voters will need to go through the "First Time Access" process on the site in order to gain access to the electronic ballot delivery system.

If you have any questions or experience any problems, please e-mail NYsupport@secureballotusa.com or visit the NYS Board of Elections’ website at http://www.elections.ny.gov for additional information.

Important information for members of the Uniformed Services or Merchant Marine on active duty, their spouses and/or dependents: Please be aware that this is the first of two ballots you will be given access to. This ballot will list only Federal contests (President/Vice President, U.S. Senate and Congressional offices). The second ballot, to be made available the first week in October, will list State contests for Supreme Court Justice, State Senate, State Assembly and any local contests (county/town/village). More detailed information on this has been included inside the downloadable file containing your ballot.
[Via Dave Farber's IP] Excerpt from Examiner.com article <http://www.examiner.com/article/federal-district-judge-rules-there-is-no-fundamental-right-to-a-secret-ballot> On Friday, Federal Judge Christine Arguello dismissed a case by Citizen Center, a voter protection and election transparency organization regarding the privacy of ballots in Boulder, Chaffee and Eagle Counties... The ruling, which members of the organization have called *shocking*, argues that there is no constitutional right to a secret ballot. Online article here: http://www.examiner.com/article/federal-district-judge-rules-there-is-no-fundamental-right-to-a-secret-ballot It will be interesting to see what happens with this. The ruling is surprising and deeply problematic, but I'm not aware of anything in the constitution that guarantees voter privacy. I'm inclined to think that Justice Arguello might be on firm constitutional ground here. As I read Article 1, Section 4, the question of voter anonymity for Legislative Branch elections appears to be a state-decided issue. For the Executive Branch election process, the states have *complete* discretion in setting the rules for choice of Electors, and I see nothing in Article 2, Section 1, or Amendment 18 that precludes a state from requiring full transparency of voting at the Elector level. Oh what a fascinating digital age we live in.
Ted Samson, *InfoWorld*, 06 Sep 2012 http://www.infoworld.com/t/cyber-crime/one-poor-security-choice-results-in-250000-bitcoin-heist-201814 One poor security choice results in $250,000 Bitcoin heist Bitfloor operator admits to leaving unencrypted wallet keys laying around, leading to theft of 24,000 Bitcoins
I'm being told that a (new?) class of SPAM with embedded Calendar invites is triggering 'do you want to attend' interactions with Mail.app on OSX. These popups have no exit which doesn't cause a reply to the embedded IP in the invite. i.e., the SPAM can force you to an interaction. If true.. worrisome.
Most Norwegian financial institutions participate in a decentralized authentication network called BankID. Briefly summarized, you choose one institution as your primary identity provider, and when you log in on that or any other participating institution's web site, your identity provider handles authentication and certifies to the relying party that you are who you say you are. It's a bit like OpenID, but not quite; more like eduroam, for those familiar with it. The interactive part of the authentication process is handled by a Java applet. One risk is immediately obvious: compromise Java and you've compromised the entire system. During the recent Java debacle, there was at least one report of a user being asked for his credit card number instead of (or in addition to?) his BankID credentials. There is another, more insidious risk. While BankID is opt-in for the customer, once activated, it is enabled for *all* participating institutions - and there is no way to opt out of opting in, so to speak. What does this mean? It's quite simple: someone steals your passport and all your credit cards. You immediately report the theft, notify your bank and credit card issuer, etc. and you're safe, right? Not so - whoever has your passport and looks a bit like you can, if they act quickly, open an account in your name at a different bank, select that bank as their BankID provider, and immediately gain access to all your accounts in all participating institutions. This particular hole has received some press coverage, so I suppose it will be plugged quickly - but it probably won't be long until someone finds another. DES Dag-Erling Smørgrav - des@des.no
[Forwarded message from Jeffrey Walton <noloader@gmail.com>, via RicKulawiec in Dave Farber's IP, truncated for RISKS. PGN] I expected better from IEEE. http://ieeelog.com IEEE suffered a data breach which I discovered on Sep 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available to anyone else. ... Due to several undoubtedly grave mistakes, the ieee.org account username and plaintext password of around 100,000 IEEE members were publicly available on the IEEE FTP server for at least one month. Furthermore, all the actions these users performed on the ieee.org website were also available. Separately, spectrum.ieee.org visitor activity is also publicly available. The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on September 24 around 13:00 UTC, after I reported it). On these logs, as is the norm, every web request was recorded (more than 376 million HTTP requests in total). Web server logs should never be publicly available, since they usually contain information that can be used to identify users (sometimes even after the log was anonymized as in the "AOL incident" [3]). However, this case is much worse, since 411.308 of the log entries contain both usernames and passwords. Out of these, there seem to be 99.979 unique usernames. 
If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome. Keeping a salted cryptographic hash of the password is considered best practice, since it would mitigate exactly such an access permission mistake. Also, keeping passwords in logs is inherently insecure, especially plaintext passwords, since any employee with access to logs (for the purpose of analysis, monitoring or intrusion detection) could pose a threat to the privacy of users.
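A log audit of the kind a defender would run after such an exposure, as an added example that is not part of the original report: it counts requests that carry a password in the URL, counts the distinct usernames involved, and rewrites those lines with the password redacted. The log lines are constructed, and the parameter names are assumptions, since the report does not say how the credentials appeared in the logs.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in Common Log Format; addresses, paths and
# parameter names are made up for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2012:10:01:02 +0000] "GET /login?user=alice&password=s3cret HTTP/1.1" 302 0
192.0.2.11 - - [18/Sep/2012:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [18/Sep/2012:10:02:40 +0000] "GET /login?user=alice&password=s3crte HTTP/1.1" 401 0
198.51.100.7 - - [18/Sep/2012:10:03:11 +0000] "POST /auth?username=bob&pwd=hunter2 HTTP/1.1" 200 87
198.51.100.9 - - [18/Sep/2012:10:04:00 +0000] "GET /search?q=password+reset HTTP/1.1" 200 900
203.0.113.5 - - [18/Sep/2012:10:05:30 +0000] "GET /login?user=carol HTTP/1.1" 200 640
"""

# Assumed parameter names; adjust to the application being audited.
PASSWORD_KEYS = {"password", "passwd", "pwd", "pass"}
USERNAME_KEYS = {"user", "username", "login"}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (target with passwords redacted, username or None, had_password)."""
    parts = urlsplit(target)
    user, had_password, pairs = None, False, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        lowered = key.lower()
        if lowered in PASSWORD_KEYS:
            had_password = True
            value = "REDACTED"
        elif lowered in USERNAME_KEYS:
            user = value
        pairs.append((key, value))
    if not had_password:
        return target, user, False  # leave untouched lines byte-for-byte intact
    return urlunsplit(parts._replace(query=urlencode(pairs))), user, True


def audit(log_text):
    """Count credential-bearing entries and produce a redacted copy of the log."""
    entries, users, cleaned = 0, set(), []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            target, user, had_password = redact_target(match.group("target"))
            if had_password:
                entries += 1
                if user:
                    users.add(user)
                line = line[:match.start("target")] + target + line[match.end("target"):]
        cleaned.append(line)
    return {
        "credential_entries": entries,
        "unique_usernames": len(users),
        "redacted": "\n".join(cleaned),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("entries with a password:", report["credential_entries"])
    print("unique usernames:", report["unique_usernames"])
    print(report["redacted"])
```

Redacting after the fact does not undo an exposure; the same filter belongs in the logging path so that passwords never reach the log files.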
Facebook likes to suggest friends of friends to people with the "People You May Know" feature. Unfortunately, this can lead to some unintended consequences. http://www.theglobeandmail.com/technology/digital-culture/social-web/facebook-pics-of-secret-wife-lead-to-bigamy-charges/article4545321/ Thomas Dzubin, Saskatoon, Vancouver, or Calgary CANADA
http://j.mp/PvI0I7 (Paul Bernal's Blog) "A story about Facebook went around twitter last night that provoked quite a reaction in privacy advocates like me: Facebook, it seems, is experimenting with getting people to 'snitch' on any of their friends who don't use their real names." - Paul Bernal Facebook appears to claim that such snitching "won't affect your friends' accounts" (now? later?) ... perhaps suggesting it's "only" for data analysis purposes. Maybe so, but it's still seriously creepy, Zuck.
http://www.infoworld.com/t/cringely/facebook-reveals-its-evil-plans-203126 September 24, 2012 Facebook reveals its evil plans Facebook has announced it will start logging users' searches and track their real world purchases. And so it begins By Robert X. Cringely | InfoWorld
I stumbled upon a really nasty virus on one of my computers running Windows XP, this one bringing up notices that the hard drive is having read errors. Which is strange, it's a 2 terabyte drive I bought maybe 18 months ago and has a 5 year warranty (I bought it for about $90; I just lucked out because hard drive prices doubled shortly after that.) Anyway, I don't even recognize the program - supposedly an anti-virus program - that's telling me about these errors. And, of course, what's running is a so-called "demo" version which tells you about errors but you have to pay for the full version to get it to fix them. Well, for curiosity I tried the link for the "full version" and apparently either it's not there any more or it can't be reached. Anyway, I realized that this was another one of those fake anti-virus programs that actually are a virus or trojan horse, infecting your system or in some way making it look like you're infected with something worse, and demanding payment to "fix" the nonexistent problem. In simple terms, electronic extortion. But I think it hoisted itself on its own petard; it deleted or blocked the networking software that my computer uses to connect to the Internet, so if they're trying to collect money from people thinking it's a legitimate anti-virus, it locked itself out of the Internet! (My desktop is connected by USB wireless adapter so that I don't have to run wires all over the place, so lose the driver for it and I lose the Internet.) This extortion program is really nasty, because it's figured out how to hide everything; the C drive literally appears as nothing is present and all directories (which supposedly aren't there) are also empty. Even the desktop is almost blank except for a couple items. While it might not be that hard to hide files to Windows or Windows explorer, it's even figured out how to make files disappear to the command interpreter CMD.EXE. 
Your C drive becomes empty - a big red flag, because if the C drive is empty, Windows wouldn't even start - and the program is a bit too smart for its own good, in an attempt to hide everything, if you're in the directory assigned to the desktop, and you go up one directory, the subdirectory you just left isn't there any more. Dragging something out of the recycling bin to the desktop causes *nothing* to happen, which is a neat trick. And it clears out the start menu except for itself. If you've never seen an absolutely blank start menu - even My Computer is missing - you're in for a big surprise. Another hint that it's basically pulling a stunt to hide directory listings is that the usual programs that run in the background are showing their icons in the bottom right corner of Systray, so it's rather interesting to see that supposedly there are hard drive errors popping up, but the usual stuff that runs in the background at startup is still there, even if you can't see the startup folder in the Start Menu and those very same files are not present in a directory listing. And what's more interesting that it is able to continue to replicate this behavior even in Safe Mode. The desktop is basically coming up blank except for this program's shortcut and the recycle bin. And the Start Menu is still blank. Well, I have found a very useful, free tool to fix really badly infected or contaminated or corrupted systems, especially when the people who put the so-called anti-virus or whatever software have killed the TCP/IP stack so badly that you can't even connect to the Internet through an Ethernet cable (I had two laptops my Sister asked me to take a look at because the Internet stopped working.) This program is called Combofix, it is recommended to only download it from the people who release it at www.bleepingcomputer.com, and it is regularly updated so if you have an old version it will warn you. 
So I downloaded the latest release on another computer, copied it to a jump drive, and proceeded to use it. Problem is, with the start menu blank it really makes it difficult to do anything; even the RUN command is missing. But, there is one save which I didn't know about until I right-clicked on the recycling bin: Command Prompt. And sure enough, I get to a command prompt for the desktop, and a DIR command says it's empty. But I found one way around the emptiness of the system from this program. It doesn't block anything but the C drive; if you plug a jump drive into it, you can see that drive and its contents. I copy combofix over from the jump drive and it shows up, so I run it. It unpacks itself and goes to work; I respond to a couple of prompts as it finds a few things that are missing, and I otherwise just let it go as it has about 45 passes to fix things on the system. I come back to it a while later, and there's a file being shown from Notepad with a huge list of things it's fixed and stuff it's removed. Close that and I can see that all the icons that were there are now back on the desktop. Somehow the networking software for the wireless adapter got lost, but I had the CD and reinstalled it. I am able to use that computer to post this message. So I recommend anyone who has to worry about the risk of a computer losing its Internet connection or having been hit by a virus infection, get a copy of Combofix and run it. It's free, it's very good, and in some really bad cases will do an excellent job of fixing things.
Wolfgang Gruener, 24 Sep 2012 (source: Microsoft) "In China, there is not much you have to do to contract a virus on your PC. Plus, you have a one in five chance that you will get that first virus on your brand new PC right out of the box." "Microsoft revealed this finding in a new whitepaper and attributes the high rate of infections of PCs to a shaky supply chain structure that does not prevent the presence of counterfeit products. To lower the cost of a new PC, potentially compromised products are sometimes knowingly accepted. It does not take much to see that this scenario is a goldmine for malware makers and allows the malware business to flourish." http://www.tomshardware.com/news/microsoft-pc-windows-security-china,17758.html There's a link to a more detailed Microsoft blog post here: Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain https://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx "The discovery and successive action against the Nitol botnet stemmed from a Microsoft study looking into unsecure supply chains. The study confirmed that cybercriminals preload malware infected counterfeit software onto computers that are offered for sale to innocent people. In fact, twenty percent of the PCs researchers bought from an unsecure supply chain were infected with malware. Making matters worse, the malware was capable of spreading like an infectious disease through devices like USB flash drives, potentially causing the victim's family, friends and co-workers to become infected with malware when simply sharing computer files." It really *does* sound like a disease! Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us
Hidden web code means hackers 'can wipe Samsung Galaxy S3' http://j.mp/QvVlCa (Telegraph UK) "Malicious hackers can hide a code in a web page that will trigger a full factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting contacts, photographs, music, apps and other valuable data, security researchers have discovered." - - - As bad as this exploit is, you can of course restore much of this data automatically from Google servers even after a factory reset. Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren nnsquad mailing list http://lists.nnsquad.org/mailman/listinfo/nnsquad
http://www.infoworld.com/t/data-security/leaked-apple-ids-expose-holes-in-corporate-information-security-201608 September 04, 2012 Leaked Apple IDs expose holes in corporate information security Most organizations suffering data breaches don't enforce security policies, study finds By Ted Samson | InfoWorld http://www.infoworld.com/d/security/fbi-denies-it-was-source-of-leaked-apple-device-id-data-201644 September 05, 2012 FBI denies it was source of leaked Apple device ID data Hacking group AntiSec claimed earlier it had accessed 12 million UDIDs from an FBI agent's computer By Jaikumar Vijayan | Computerworld [Subsequently, "Blue Toad admits it was source of leaked Apple UDIDs". PGN] http://www.infoworld.com/t/data-security/blue-toad-admits-it-was-source-of-12-million-leaked-apple-udids-202037
When I explained how the Google self-driving car could drive itself, my wife said such a capability would help in taking drunk drivers off the road. But it then occurred to both of us that a drunk "driver" is just as likely to tell a Googlized car to take him/her to the wrong place -- perhaps even 3,000 miles from his/her intended destination. "I'm sorry, Dave—I don't have enough gas to take you to Home" (in Pennsylvania, 60 miles NE of Pittsburgh). http://www.itsallgood.itgo.com/photo4.html (As you can see from this web site, my example could have been a _lot_ worse! ;-)