"An electricity company is apologising after it sent a letter to a lamp-post and threatened to cut its power off. Meridian Energy apparently believed someone was living in the pole." <http://www.stuff.co.nz/oddstuff/8988229/Meridian-finally-sees-the-light> Asked who might be occupying the light, Clive Saleman (the neighbour who received the letter) said "Well he'd have to be very tall and skinny. I suspect he sleeps all day because the light's on all night. So maybe he's a night owl. I have a suspicion he could be a being of pure energy actually, and not actually human, but I'm just not sure. But, whatever, he's not paying his power bill." Risk: being lampooned for a data integrity failure. Dr Gary Hinson, IsecT CEO isect.com http://www.iso27001security.com/ NoticeBored.com SecurityMetametrics.com ISO27001security.com
Honestly, this raises such a massive amount of questions, I don't quite know where to begin... A New York woman says her family's interest in the purchase of pressure cookers and backpacks led to a home visit by six police investigators demanding information about her job, her husband's ancestry and the preparation of quinoa. Michele Catalano, who lives in Long Island, New York, said her web searches for pressure cookers, her husband's hunt for backpacks, and her `news junkie' son's craving for information on the Boston bombings had combined somewhere in the Internet ether to create a `perfect storm of terrorism profiling'. Anyone any recipes? Peter Houppermans /Others take your privacy - we give it back to you/
Not terrorists but a group of four people who work at the railway control center responsible for the railway network in and around Mainz were the reason why trains weren't able to get to Mainz anymore. It's vacation time, and four of the remaining people had to call in sick today, leaving DB Die Bahn with not enough people who are capable of operating the system. This situation will last for a couple of days at least and might take up until the end of August. Next week the school season will start again, so the biggest chaos is still to come if not enough qualified people are back on duty. Risk here: having a mission-critical system with a single point of failure: people who can become sick at the same time, which can happen quite easily if all of them are working in the same room.
I mentioned recently that New Zealand is trying to modernise its justice system. Part of that is introducing a system of audio-visual links between prisons and courts in order to improve safety and reduce costs by having prisoners stay in prison and make their appearance in court electronically. The new system is already being rolled out. Of course, in order to know how much the new system is saving, you need to know how much the old system was costing. They don't. From the *Otago Daily Times* front page, 29 Jul 2013, the Police and prison system

* do not know how much they spent transporting prisoners between the new jail and courts since the new jail opened in 2007;
* do not know how much it cost last year;
* do not know what the annual budget for transport is/was.

The newspaper was told that "the [prison] department cannot readily extract ... the costs or budgets relating to the transportation of prisoners ... from our electronic records ... of wider offender transportation costs. ... we would be required to manually review a large number of files" They don't know what it costs now, but they are quite certain there will be 50% to 70% savings (however much that is...) The computer-related part of this is that in an age of manual records, regional information would be kept locally, and only summaries aggregated nationally. Now, the details can be kept nationally, making regional summaries extremely difficult to extract. Of course, it's always possible that their database _does_ support ad hoc queries, and they are just lying (:-).
In an earlier, simpler day, notes between a publisher and reviewers and the public took a while, and there was plenty of time for proofreading. Not so today, with the increasing speed of publishing, which the publishers of Organometallics discovered the hard way. A note suggesting that data could be fabricated to fill in a gap appeared in an online version of an article. The RISK is simply that there are more mistakes possible as we speed up the publication process - both the mistakes from pressure to publish quickly, and the mistakes of not checking what you're releasing before you do the release. (NSA learned this lesson some years ago in Word documents, and more recently with redaction of PDF documents - although this case is at a higher level of the "stack", it's a variation of the problem that with all electronic documents, it's sometimes hard to see what's being released.) http://sciencecareers.sciencemag.org/career_magazine/previous_issues/articles/2013_08_08/caredit.a1300167
A flash drive containing Boston Public Schools ID badge PDFs was lost en route to the printing vendor. The PDFs contain student name, age, grade, school, ID number, library card number, CharlieCard number, and (in some) photo. The drive was apparently not encrypted. BPS thinks the drive was lost, not stolen, but can't be sure. BPS is redesigning the cards and changing the ID numbers that can be changed to minimize the likelihood of harm from the breach. The drive was lost on Aug 9, and BPS families were notified just three days later, on Aug 12. The notification was clear and detailed. As far as I can tell, BPS's handling of the breach has been perfect. Having said that, the big remaining question is why the flash drive wasn't encrypted. I've emailed Superintendent John McDonough and asked him that question, as well as encouraging him to ensure that flash drives en route to vendors are encrypted as a matter of policy in the future. Although the flash drive had no confidential information on it, as the parent of a BPS parent whose data was lost, I am still concerned, because the information on the drive can be used in social engineering attacks, not to mention that names, ages, schools, grades, and photos are just the kind of information a pedophile would need to pick out attractive targets. Details: http://www.boston.com/yourtown/news/allston_brighton/2013/08/boston_public_schools_vendor_loses_flash_drive_with_data_on.html
[Sent to American Chemical Society:] Your Society should really consider the public relations value of not charging users to see the last few lines of an obituary. I'm sure your members would have never dreamed when they were alive that half of it would be in Google and could be shared publicly. But when 80 years later someone wanted to see those last few lines, out comes the collection plate. And if I link to http://pubs.acs.org/doi/abs/10.1021/cen-v010n006.p073b from my http://jidanni.org/me/ancestors.html all I would be doing is creating more dismayed relatives. So thanks for sending it to me so I now finally see what it says, but I still cannot legally share it in its full form.
Violet Blue for Zero Day, 31 Jul 2013 Summary: Three Georgia Tech hackers have disclosed how to hack iPhones and iPads with malware in under sixty seconds using a "malicious charger." UPDATED. Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a "malicious charger." Today at a Black Hat USA 2013 press conference, the researchers revealed for the first time exactly how the USB charger they built can compromise iOS devices in less than a minute. Billy Lau, Yeongjin Jang and Chengyu Song showed how they made an ordinary looking charger into a malicious vector for transmitting malware using an open source BeagleBoard, available for $125 (similar to a Raspberry Pi). For the demonstration, the researchers used an iPhone. They plugged in the phone, and when the passcode was entered, the sign-code attack began. For the demo, the Facebook app was used as an example. Within seconds of plugging in the charger, the Facebook app was invisibly removed from the device and seamlessly replaced with a Facebook app imitation with a malicious payload. The app's icon was in the exact same spot as it was before the attack - there is no way of knowing the application is not malware. ... http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/
Lucian Constantin, PCWorld, 4 Aug 2013 A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas. The feature is called "weblogin" and works by generating a unique token that can be used to directly authenticate users on Google websites using the accounts they have already configured on their devices. Weblogin provides a better user experience but can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses, Craig Young, a researcher at security firm Tripwire, said during his talk. Young created a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services. The app was designed to masquerade as a stock viewing app for Google Finance and was published on Google Play, with a description that clearly indicated it was malicious and shouldn't be installed by users. ... http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html
Darlene Storm, 1 Aug 2013 A trio of researchers presented "Mactans: Injecting Malware into iOS Devices via Malicious Chargers" at Black Hat, demonstrating how an "iOS device can be compromised within one minute" after plugging into a maliciously crafted charger. Until Apple patches the vulnerability that allows the exploit, all iPhone or iPad users are vulnerable as the device does not need to be jailbroken for the attack to work. It takes advantage of an iOS flaw that allows pairing without any notification to the user. Their proof-of-concept charger, dubbed Mactans, was built using a $45 BeagleBoard. As soon as an iOS device is plugged in, the fake charger instantly captures the Unique Device Identifier (UDID). Then it connects to Apple's developer support website and submits that UDID for a "provisioning profile." The charger installs code and the attacker now has full control of the device. GTISC associate director Paul Royal said, "Getting the UDID is trivial, and getting a provisioning profile is easy and automated." In one demonstration of what an attacker could do remotely, the researchers plugged an iPhone 5 into the charger, hid the iPhone Facebook app and installed a malicious copy over it that launched before the legitimate "hidden" copy. The Mactans' malicious payload could be about anything, from allowing "a remote attacker to make an unauthorized phone call from the iOS device" to taking "a screenshot whenever the user enters a password or other sensitive information." Basically it turns an iOS device into a spy tool. ... http://blogs.computerworld.com/cybercrime-and-hacking/22579/wolf-sheeps-clothing-black-hat-getting-pwnd-innocent-looking-devices
Robert L. Mitchell | Computerworld, 13 Aug 2013 The transition to cloud-based services is ratcheting up traditional enterprise software costs and adding layers of complexity
http://www.infoworld.com/d/mobile-technology/more-android-malware-distributed-through-mobile-ad-networks-224815 Lucian Constantin | IDG News Service, InfoWorld, 13 Aug 2013 Security researchers from Palo Alto Networks found Android apps downloading malware from rogue mobile ad networks
http://www.infoworld.com/t/outsourcing/outsourced-software-project-6000-pages-of-specs-ends-badly-224777 Patrick Thibodeau | Computerworld, 13 Aug 2013 Orange County files lawsuit to recover damages from offshore firm Tata in tax system rewrite
http://www.infoworld.com/d/data-explosion/whats-worse-system-failure-what-you-say-about-it-224751 Matt Prigge, Infoworld, 13 Aug 2013 Communicating well in emergencies is often just as important as working to end the emergency
http://www.infoworld.com/d/security/dangerous-linux-trojan-could-be-sign-of-things-come-224649 Jon Gold | Network World, 12 Aug 2013 'Hand of Thief' Trojan specifically targets Linux but operates a lot like similar malware that targets Windows machines
http://www.infoworld.com/d/security/anonymous-not-anonymous-224783 Roger A. Grimes | InfoWorld, 13 Aug 2013 At this point, most of us would welcome shelter from the gaze of government cyber spies. Here are six reasons why that may be unattainable
Woody Leonhard | InfoWorld Now would be a good time to change your passwords
http://www.infoworld.com/t/hacking/video-watch-what-happens-when-prius-gets-hacked-224270 Pete Babb | InfoWorld, 07 Aug 2013 Security engineers take over the various computerized systems of a Toyota hybrid and wirelessly control it
Glynn Clements <glynn@gclements.plus.com> wrote:

> Any scanner has limits to its accuracy, and any form of lossy compression
> has some loss. But unlike e.g. JPEG, where the artifacts are often clearly
> visible, there is no indication of the degree of uncertainty involved.

Therein lies the real innovation: arbitrary textual variations that can't be detected by the human eye. This kind of technique can and, I expect, will be used to serialize documents by introducing subtle variations into each instance of them—to trace leaks, for example.

> From a legal perspective, the mere fact that such scanners exist brings
> into question the authenticity of any document unless its entire history
> is known.

One way to establish that provenance is to ensure that each instance of a document is unique—by serializing it!
I carry a cell phone only when my employer pays for it, and pays me to carry it. The battery in the work phone lasts longer with GPS and Bluetooth turned off. The GPS is supposed to activate automatically if I press 911. GPS is a real-time, compute-intensive application. In other words, a battery drainer for mobile devices. Walking around, or commuting by transit, I often feel that I am in the middle of some science fiction story, surrounded by people largely oblivious to what is going on around them, eyes focused on a display screen and their hearing blocked by ear buds or by a phone held to their head. Pedestrians often seem oblivious to traffic or sidewalk hazards while they focus on a display or a conversation. RAND Emeritus Willis H. Ware, an ACM and IEEE Fellow, who chaired the committee which wrote the "Records, Computers, and the Rights of Citizens" HEW report, might have an interesting perspective on radio location, identification and tracking. I have read that during the 2nd World War Dr. Ware did classified work on advanced Radio Location and Identify Friend or Foe transponders. I am old enough to remember politicians making a big deal of the fact that citizens don't have to carry Internal Passports with them at all times, even within the same city, unlike folks in Moscow. Seemed like a killer argument to me at the time. Now you can't get on an intercity bus without identifying yourself. If you drive a private car, it may have built-in GPS. Your license plate may be scanned as you leave town, drive along the highway, or enter a new town. We saw that used by police in Boston earlier this year, in combination with phone location tracking. How times have changed. www.worldcat.org/title/records-computers-and-the-rights-of-citizens/oclc/251870191/editions?referer=di&editionsView=true
> "The District has also recently been installing next-generation speed
> cameras that use infrared light instead of a visible flash when
> photographing vehicles. This means drivers will have no way of knowing
> whether they will receive a ticket until weeks after the alleged
> violation."

About 30 years ago (where does the time go?) I read a snippet in New Scientist that their Spy Folk accidentally released some of their super duper sekrit tech tricks. Per the article, the Brits had patented a "near infrared" [a] flash unit assembly for their spooks that hooked into a surveillance camera, letting them take nighttime photographs of the license plates of the folk they were watching without warning them. So... unless the folk on this side of the pond are paying royalties, they might get hit with Patent Trolls! - I was heavily into photography back then and had my very own Wratten 87C (infrared) filters for my lights, was using Kodak's B&W and colour IR recording film, had the books, etc.

[a] "near infrared" is the part of the spectrum just beyond standard and visible red light. It looks... black to the human eye since we can't see that far up the scale. "Far infrared" (or usually, just "infrared" by itself) refers to heat. I'm highly doubtful consumer-level speed cameras are using temperature readings for license plate number catching, and doubt it would even work.
> RISK: The TCP/IP specification is extensive and explicit, but doesn't
> address simultaneous connections from the same client. ...

I'm not sure this can really be blamed on TCP/IP: in the specific example above, the HTTP specification both recommends a connection limit (2, although common convention has adjusted up to 6 over the last few years) and does offer the convention of quickly returning HTTP 503 errors when the server is over capacity. The problem, however, is that this is neither effective nor desirable in practice because by now it's quite rare for the hard limit to actually be the number of simultaneous connections rather than the total bandwidth available—it's quite easy to end up with, say, a hundred slow connections using as much bandwidth as one connection from someone with a gigabit link, and modern web servers can easily handle many tens of thousands of simultaneous connections. Total capacity is also affected by traffic using protocols other than HTTP, or even TCP, so effective flow control has to happen at a lower level: there's an existing standard called ECN (http://en.wikipedia.org/wiki/Explicit_Congestion_Notification), which provides a mechanism for a router to inform clients that the upstream path is congested. This problem is also more crudely but effectively solved on the client by adjusting the connection count and speed based on measured performance and error rates. Unfortunately, as the example illustrates, there's no way to handle this situation nicely when faced with clients which are buggy and do not follow either standards or accepted best practices. As described above, IDM obviously does not follow standard HTTP conventions, honor ECN, or even throttle or retry failed attempts (a ridiculous lapse for a download manager).

There's simply no way to handle that kind of badly broken client without deploying some sort of fair-queuing system on either your servers or, better, the upstream router to avoid clogging the pipe with likely-doomed packets. A good queuing system, possibly combined with a robust fronting cache like Varnish, would also tend to keep the connections from timing out even when they become quite slow by ensuring that each connection doesn't go too long without receiving at least a few bytes.

Chris

P.S. As an aside, http://iotta.snia.org/ does not appear to support HTTP byte ranges, which more intelligent clients can use to resume partial transfers. While this obviously can't help with broken clients, I have found this quite effective for retrieving files over unstable links as something wget or curl can repeatedly retry as needed until they've retrieved every chunk of the file.
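An added illustration, constructed for this digest and not part of Chris's post: a tick-based simulation of the per-client connection cap plus "return 503 quickly" convention described above, run against a polite client that honours Retry-After and a broken download manager that ignores every 503. All capacities and timings are made-up numbers.

```python
"""Per-client connection cap with HTTP 503 + Retry-After, as a tick-based simulation.

Constructed scenario (assumed numbers, not from the RISKS item): one polite client
that opens at most 2 connections and honours Retry-After, and one broken download
manager that fires 50 parallel requests every tick and ignores every 503.
"""
from collections import Counter

TOTAL_SLOTS = 20     # simultaneous connections the server can hold
SERVICE_TICKS = 3    # ticks a connection occupies a slot
RETRY_AFTER = 2      # ticks a polite client waits after receiving a 503


class Server:
    def __init__(self, per_client_cap):
        self.per_client_cap = per_client_cap  # None => plain first come, first served
        self.active = []                      # (client, finish_tick) per open connection
        self.served = Counter()               # completed requests per client
        self.rejected = Counter()             # 503 responses per client

    def _in_flight(self, client):
        return sum(1 for c, _ in self.active if c == client)

    def accept(self, client, now):
        """Return the HTTP status for a new connection attempt: 200 or 503."""
        over_total = len(self.active) >= TOTAL_SLOTS
        over_client = (self.per_client_cap is not None
                       and self._in_flight(client) >= self.per_client_cap)
        if over_total or over_client:
            self.rejected[client] += 1
            return 503            # would carry a Retry-After header in real HTTP
        self.active.append((client, now + SERVICE_TICKS))
        return 200

    def tick(self, now):
        """Retire connections whose service time has elapsed."""
        for client, finish in self.active:
            if finish <= now:
                self.served[client] += 1
        self.active = [(c, f) for c, f in self.active if f > now]


def simulate(per_client_cap, ticks=60):
    """Run the scenario; return (served, rejected) as plain dicts keyed by client."""
    srv = Server(per_client_cap)
    polite_wait_until = 0
    for now in range(ticks):
        srv.tick(now)
        # Broken client: 50 parallel attempts every tick, never backs off.
        # It goes first, so it grabs every free slot under first come, first served.
        for _ in range(50):
            srv.accept("broken", now)
        # Polite client: 2 attempts, then honours Retry-After on the first 503.
        if now >= polite_wait_until:
            for _ in range(2):
                if srv.accept("polite", now) == 503:
                    polite_wait_until = now + RETRY_AFTER
                    break
    return dict(srv.served), dict(srv.rejected)


if __name__ == "__main__":
    for cap in (None, 6):
        served, rejected = simulate(cap)
        print(f"per-client cap={cap}: served={served} rejected={rejected}")
```

Without the cap the polite client is starved completely; with a cap of 6 the broken client is held to six slots and both clients are served, which is the effect a fair-queuing front end aims for.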
[Jeff missed Paul Saffo's earlier posting in RISKS-27.13, Jan 2013, having sent in an incremental item. He then responded to my response.] Perhaps of greater interest is the link to the site with the official report on the incident, completed in May 2013: http://www.cpf.navy.mil/foia/reading-room/ Jeffrey Alexander, Assoc.Dir. Research & Analytics, Center for Science, Technology & Economic Development, SRI Arlington VA http://csted.sri.com