Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Lizette Alvarez, *The New York Times*, 13 Sep 2013 MIAMI - The clues were buried in her bedroom. Before leaving for school on Monday morning, Rebecca Ann Sedwick had hidden her schoolbooks under a pile of clothes and left her cellphone behind, a rare lapse for a 12-year-old girl. Inside her phone's virtual world, she had changed her user name on Kik Messenger, a cellphone application, to "That Dead Girl" and delivered a message to two friends, saying goodbye forever. Then she climbed a platform at an abandoned cement plant near her home in the Central Florida city of Lakeland and leaped to the ground, the Polk County sheriff said. In jumping, Rebecca became one of the youngest members of a growing list of children and teenagers apparently driven to suicide, at least in part, after being maligned, threatened and taunted online, mostly through a new collection of texting and photo-sharing cellphone `applications. Her suicide raises new questions about the proliferation and popularity of these applications and Web sites among children and the ability of parents to keep up with their children's online relationships. For more than a year, Rebecca, pretty and smart, was cyberbullied by a coterie of 15 middle-school children who urged her to kill herself, her mother said. The Polk County sheriff's office is investigating the role of cyberbullying in the suicide and considering filing charges against the middle-school students who apparently barraged Rebecca with hostile text messages. Florida passed a law this year making it easier to bring felony charges in online bullying cases. [...] http://www.nytimes.com/2013/09/14/us/suicide-of-girl-after-bullying-raises-worries-on-web-sites.html
[This is not the first time I've heard of such problems with these electronic locking systems. LW] http://www.kmph.com/story/23421319/police-bmw-door-locks-contribute-to-14-year-old-girls-death
12 Sep 2013: "..... the [UK] Department for Work and Pensions (DWP) could write off up to 161 million pounds spent on an IT system for ambitious welfare changes......." Full story at http://gu.com/p/3ty4n
Joshua Freed, The Associated Press, 14 Sep 2013 United Airlines said on Friday that it will honor the tickets it accidentally gave away for free. The decision is good news for people who snapped up the tickets on Thursday after United listed airfares at $0. Many customers got tickets for $5 or $10, paying only the cost of the Sept. 11 security fee. The mistake was an especially good deal for any passengers who bought tickets for travel within the next week. For instance, a Houston to Washington Dulles flight for next weekend would have cost $877, according to United's website on Friday. ... http://www.dailyfinance.com/2013/09/14/united-airlines-price-error-free-tickets/
Last night on the NBC TV network program "The Million Second Quiz," Host Ryan Seacrest admitted two things. (1) The App to allow viewers to play along with the TV show at home is the most-downloaded free app ever provided on iTunes. (2) So many people were playing the home game app that it crashed the servers. Tonight they admitted that there aren't even that many downloading the app, a mere 1000 downloads a minute. While that doesn't indicate how many were connecting to the servers, clearly a game where the money accumulating as a contestant is playing is $10/second and the grand prize which the 4 top winners (all of whom will probably have won a minimum six figures each by the time the game completes) will be going after is US$2,000,000 and it's possible for a home game contestant to be invited on the show (a "line jumper" as they call it), that it should have been obvious the home game would be getting a lot of hits on their servers. With inadequate provisioning like this, it doesn't even require attackers to try to DDOS or otherwise disable a system, the users can do it just by too many of them showing up all at once!
http://j.mp/16CqA2Q (*The Guardian* via NNSquad) "Eric Schneiderman announced agreements with 19 firms Monday that commissioned fake reviews and several reputation-enhancement companies that helped place reviews on sites like Citysearch, Google, Yahoo and Yelp. They were fined a total of $350,000."
Bill Snyder, InfoWorld, 12 Sep 2013 The carrier wants to charge websites for carrying their packets, but if they win it'd be the end of the Internet as we know it http://www.infoworld.com/d/the-industry-standard/verizons-diabolical-plan-turn-the-web-pay-view-226662
[In the CACM —Vint's Comments on the Role of Government. DF] FROM THE PRESIDENT (of the ACM) Freedom and the Social Contract By Vinton G. Cerf Communications of the ACM, Vol. 56 No. 9, Page 7 10.1145/2500468.2500470 The last several weeks (as of this writing) have been filled with disclosures of intelligence practices in the U.S. and elsewhere. Edward Snowden's unauthorized release of highly classified information has stirred a great deal of debate about national security and the means used to preserve it. In the midst of all this, I looked to Jean-Jacques Rousseau's well-known 18th-century writings on the Social Contract (Du Contrat Social, Ou Principes du Droit Politique) for insight. Distilled and interpreted through my perspective, I took away several notions. One is that in a society, to achieve a degree of safety and stability, we as individuals give up some absolute freedom of action to what Rousseau called the sovereign will of the people. He did not equate this to government, which he argued was distinct and derived its power from the sovereign people. I think it may be fair to say that most of us would not want to live in a society that had no limits to individual behavior. In such a society, there would be no limit to the potential harm an individual could visit upon others. In exchange for some measure of stability and safety, we voluntarily give up absolute freedom in exchange for the rule of law. In Rousseau's terms, however, the laws must come from the sovereign people, not from the government. We approximate this in most modern societies creating representative government using public elections to populate the key parts of the government. I think it is also likely to be widely agreed that a society in which there was no privacy and every action or plan was visible to everyone might not be a place in which most of us might like to live. I am reminded, however, of my life in a small village of about 3,000 people in Germany. In the 1960s, no one had phones at home (well, very few). You went to the post office to mail letters, pick up mail, and make or receive phone calls. In some sense, the Postmaster was the most well-informed person about the doings of the town. He saw who was calling or writing to whom. There was not a lot of privacy. The modern notion of privacy may in part have derived from the growth of large urban concentrations in which few people know one another. In today's world, threats to our safety and threats to national security come from many directions and not all or even many of them originate from state actors. If I can use the term "cyber-safety" to suggest safety while making use of the content and tools of the Internet, World Wide Web, and computing devices in general, it seems fair to say the expansion of these services and systems has been accompanied by a growth in their abuse. Moreover, it has been frequently observed that there is an asymmetry in the degree of abuse and harm that individuals can perpetrate on citizens, and on the varied infrastructure of our society. Vast harm and damage may be inflicted with only modest investment in resources. Whether we speak of damage and harm using computer-based tools or damage from lethal, homemade explosives, the asymmetry is apparent. While there remain serious potential threats to the well-being of citizens from entities we call nation- states, there are similarly serious potential threats originating with individuals and small groups. Presuming we have accepted the theory that safety is partly found through voluntarily following law, we must also recognize that there are parties domestic and otherwise who wish us individual and collective harm. The societal response to this is to provide for law enforcement and intelligence gathering (domestic and non-domestic) in an attempt to detect and thwart harmful plans from becoming harmful reality. We do not always succeed. The tension we feel between preserving privacy and a desire to be protected from harm feeds the debate about the extent to which we are willing to trade one for the other. Not everyone, nor every culture, will find the same point of equilibrium. Moreover, as technology and society evolve, the equilibrium points may shift. It has been said that "security" is not found in apprehending a guilty party but in preventing the harm from occurring. While this notion can surely be overextended, it can also be understood to justify a certain degree of intelligence gathering in the service of safety and security. There is some irony in the fact that our privacy is more difficult than ever to preserve, given the advent of smartphones, tablets, laptops, the Web and the Internet, but that the threats against our safety and security use the same infrastructure to achieve nefarious ends. Our discipline, computer science, is deeply involved in the many dimensions of this conundrum and we owe it to our fellow citizens to be thoughtful in response and to contribute to reasoned consideration of the balance our society needs between potential policy extremes. Vinton G. Cerf, ACM PRESIDENT Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from permissions@acm.org or fax (212) 869-0481.
http://j.mp/17VN56u (Marcia Hoffman in *WiReD.com* via NNSquad) "But if we move toward authentication systems based solely on physical tokens or biometrics—things we have or things we are, rather than things we remember—the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply."
Bruce Schneier, *The Guardian*, Thursday 5 September 2013 20.04 BST The NSA has undermined a fundamental social contract. We engineers built the Internet - and now we have to fix it http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
Kevin Poulsen, *WiReD.com*, 13 Sep 2013 It wasn't ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors. Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas. It's not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control. The new details emerged in local press reports from a Thursday bail hearing in Dublin, Ireland, where Marques, 28, is fighting extradition to America on charges that Freedom Hosting facilitated child pornography on a massive scale. He was denied bail today for the second time since his arrest in July. Freedom Hosting was a provider of turnkey "Tor hidden service" sites - special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are used by sites that need to evade surveillance or protect users' privacy to an extraordinary degree - including human rights groups and journalists. But they also appeal to serious criminal elements, child-pornography traders among them. On August 4, all the sites hosted by Freedom Hosting - some with no connection to child porn - began serving an error message with hidden code embedded in the page. Security researchers dissected the code and found it exploited a security hole in Firefox to identify users of the Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. The FBI was the obvious suspect, but declined to comment on the incident. The FBI also didn't respond to inquiries from WIRED today. ... http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
NIST: "we are not deliberately... working to undermine or weaken encryption." Jeff Larson and Justin Elliott, ProPublica.org Sept 13 2013 Ars Technica Following revelations about the National Security Agency's (NSA) covert influence on computer security standards, the National Institute of Standards and Technology, or NIST, announced earlier this week it is revisiting some of its encryption standards. But in a little-noticed footnote, NIST went a step further, saying it is "strongly" recommending against even using one of the standards. The institute sets standards for everything from the time to weights to computer security that are used by the government and widely adopted by industry. As ProPublica, The New York Times, and The Guardian reported last week, documents provided by Edward Snowden suggest that the NSA has heavily influenced the standard, which has been used around the world. In its statement Tuesday, the NIST acknowledged that the NSA participates in creating cryptography standards "because of its recognized expertise" and because the NIST is required by law to consult with the spy agency. "We are not deliberately, knowingly, working to undermine or weaken encryption," NIST chief Patrick Gallagher said at a public conference Tuesday. Various versions of Microsoft Windows, including those used in tablets and smartphones, contain implementations of the standard, though the NSA-influenced portion isn't enabled by default. Developers creating applications for the platform must choose to enable it. ... ... elliptic curve-based deterministic random bit generator http://arstechnica.com/security/2013/09/government-standards-agency-strongly-suggests-dropping-its-own-encryption-standard/
http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/ NSA leaks, Ars Technica Of course NSA can crack crypto. Anyone can. The question is, how much? Long-shot bill forbidding NSA backdoors in encryption has renewed attention Spooks break most Internet crypto, but how? Google speeding up end-to-end crypto between data centers worldwide Let us count the ways: How the feds (legally, technically) get our data Today, *The New York Times* reported that an algorithm for generating random numbers, which was adopted in 2006 by the National Institute of Standards and Technology (NIST), contains a backdoor for the NSA. The news followed a *NYT* report from last week, which indicated that the National Security Agency (NSA) had circumvented widely used (but then-unnamed) encryption schemes by placing backdoors in the standards that are used to implement the encryption. In 2007, cryptographers Niels Ferguson and Dan Shumow presented research suggesting that there could be a potential backdoor in the Dual_EC_DRBG algorithm, which NIST had included in Special Publication 800-90. If the parameters used to define the algorithm were chosen in a particular way, they would allow the NSA to predict the supposedly random numbers produced by the algorithm. It wasn't entirely clear at the time that the NSA had picked the parameters in this way; as Ars noted last week, the rationale for choosing the particular Dual_EC_DRBG parameters in SP 800-90 was never actually stated. Today, *The NYT* says that internal memos leaked by Edward Snowden confirm that the NSA generated the Dual_EC_DRBG algorithm. Publicly, however, the agency's role in development was significantly underbilled: “In publishing the standard, NIST acknowledged 'contributions' from NSA, but not primary authorship,'' wrote the NYT. From there, the NSA pushed the International Organization for Standardization to adopt the algorithm, calling it “a challenge in finesse'' to convince the organization's leadership. “Eventually, NSA became the sole editor'' of the international standard, according to one classified memo seen by the NYT. The details come just as NIST released a promise to reopen the public vetting process for SP 800-90. “We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,'' a memo from the Institute read. “NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the US government and industry at large.'' Still, NIST asserted that its purpose was to protect the federal government first: “NIST's mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards.'' The public comment period on SP 800-90 ends November 6, 2013.
A computer security company, TrendMicro, Thursday reported that it has found a particular family of malware gathering information "related to the civil aviation sector." [but doesn't mention how such a sector is targeted] The best defense against the Sykipot malware is to keep your computer systems updated with the most current security software. [Profoundly advises a company selling security software] Sykipot attacks normally arrive via email attachments that exploit applications like Adobe Reader and Microsoft Office but has evolved to use a target's operating system, web browsers and Java scripts. [Exploiting such innovative attack vectors...] http://www.avweb.com/avwebflash/news/Malware-Mining-Civil-Aviation-sykipot-attack220572-1.html
Of course, with license plate readers everywhere, this is now old news... http://www.forbes.com/sites/kashmirhill/2013/09/12/e-zpasses-get-read-all-over-new-york-not-just-at-toll-booths/ Kashmir Hill, *Forbes*, 12 Sep 2013 (PGN-ed) After spotting a police car with two huge boxes on its trunk—that turned out to be license-plate-reading cameras—a man in New Jersey became obsessed with the loss of privacy for vehicles on American roads. (He's not the only one.) The man, who goes by the Internet handle Puking Monkey, did an analysis of the many ways his car could be tracked and stumbled upon something rather interesting: his E-ZPass, which he obtained for the purpose of paying tolls, was being used to track his car in unexpected places, far away from any toll booths. Puking Monkey is an electronics tinkerer, so he hacked his RFID-enabled E-ZPass to set off a light and a `moo cow' every time it was being read. Then he drove around New York. His tag got milked multiple times on the short drive from Times Square to Madison Square Garden in mid-town Manhattan, and also on his way out of New York through Lincoln Tunnel, again in a place with no toll plaza. At Defcon, where he presented his findings, Puking Monkey said he found the reading of the E-ZPass outside of where he thought it would be read when he put it in his car “intrusive and unsettling,'' quoting from Sen. Chuck Schumer's remarks about retailers tracking people who come into their stores using their cell phones. [...] [Also noted by Monty Solomon. PGN]
Does it seem to you that it has been a bad time lately for patches? Lucian Constantin, InfoWorld, 11 Sep 2013 The new updates address vulnerabilities that could allow attackers to compromise computers http://www.infoworld.com/d/security/adobe-issues-critical-security-updates-flash-player-reader-and-shockwave-player-226621
Woody Leonhard, *InfoWorld*, 12 Sep 2013 Pulling the KB 2871630 patch took Microsoft more than 14 hours after the first warnings appeared, and admins are furious. What's Microsoft doing wrong? http://www.infoworld.com/t/microsoft-windows/microsoft-pulls-botched-kb-2871630-while-many-office-patch-problems-remain-226690 [Gene previously had noted an earlier article: It must be Wretched Wednesday—the day after Black Tuesday. Watch out for automatic patches KB 2817630, KB 2810009, KB 2760411, KB 2760588, and KB 2760583. PGN-ed] http://www.infoworld.com/t/microsoft-windows/microsoft-botches-still-more-patches-in-latest-automatic-update-226594
My partner's phone developed problems in the last few weeks and was finally taken in for repair this week. I will brush over the risks associated with over dependence on mobile devices (we have no fixed voice line so depend on our mobiles heavily) to consider what I found the most interesting bit of the experience. The loaner phone she was given still had the last users messages on it! I can see three places someone should have checked for data that shouldn't be shared: - when the previous user was done with the phone - when the shop received the phone back - before the phone was given out again An interesting vector for data leakage.
Dr. Perrow has a long history of studying how safe systems seem to go wrong. http://www.huffingtonpost.com/charles-perrow/fukushima-forever_b_3941589.html
Rebecca Slayton Arguments that Count: Physics, Computing, and Missile Defense, 1949-2012 MIT Press, 2013 xi + 325 (including 76 pages of end notes and a 21-page index) Here is a remarkably well researched and comprehensive book that is totally within the mainstream of RISKS. The MIT Press release includes this text: She compares how two different professional communities—physicists and computer scientist—constructed arguments about the risks of missile defense, and how these changed over time.
Please report problems with the web pages to the maintainer