causes 2-hour disruption; one power supply shut down for replacement; the other had a disconnected wire

[As I say to a few close confidants, as an auditor, I am grateful that my clients continue to make the same mistakes - because that is what keeps me relevant!!!]

I thought that you might like to include the item below; the event happened at Grand Central station in New York City last night. What it does not talk about are the stampedes that happened when trains started running; it was almost dangerous.

- - - -

An Explanation & Apology for Last Evening's (Thursday, 23 Jan 2014) System-Wide Disruption of Service

The two-hour disruption in service you experienced last evening traced to human error during an electrical repair project. The computers that run the railroad's signal system lost reliable power at 7:45 PM when one of two main power supply units was taken out of service for replacement. Technicians performing the work did not realize that a wire was disconnected on the other main power supply unit. This destabilized the power supply system for more than an hour until a backup supply could be connected.

At the time this incident occurred, there were more than 50 trains at various locations on all three lines. While the cause of this power problem was being identified and repairs were being made, Rail Traffic Controllers immediately took the safest course of action. They instructed all train engineers, via radio, to bring their trains to the nearest station. This had to be done slowly, train-by-train, to ensure everyone's safety. Trains were not allowed to proceed through switches until signal maintainers could respond and manually ensure the switches were lined up correctly. All trains had light, heat and power during the disruption, and no customers were ever in danger. Customers were able to get off trains when they reached a station.

Repairs were made by 9 PM. Once repairs were made, the computers needed to reboot before we could begin running trains again. Trains began moving again by 9:30 PM. Full control over the signal system was re-established by 10:30 PM. Significant delays continued throughout the evening hours.

This project should have been analyzed for risks and redundancy before it began, and it should have been performed in the middle of the night over a weekend, not when thousands of customers were trying to get home in cold weather. While this specific incident has been addressed and an internal review is underway, we are also bringing in an independent consultant to examine how and why these mistakes were made, and to recommend any necessary changes to operating procedures and practices. Metro-North customers deserve better. We sincerely regret this incident and apologize for the inconvenience our customers experienced.

Peter Wild, Mobile (203) 722 9453
Silencing Many Hospital Alarms Leads To Better Health Care http://www.npr.org/blogs/health/2014/01/24/265702152/silencing-many-hospital-alarms-leads-to-better-health-care

Richard I Cook, MD, Professor of Healthcare System Safety, STH, KTH, Huddinge, SWEDEN +46 70 190 42 16 http://www.ctlab.org

[The Foresight Saga once again: An ounce of prevention is worth nothing at all, because it would pound healthcare into oblivion? PGN]
Targeted attacks like this are not uncommon, especially for an organization like Microsoft. What's interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers —which may be the case if this was a `hacktivist' attack.

"In terms of the cyberattack, we continue to further strengthen our security. This includes ongoing employee education and guidance activities, additional reviews of technologies in place to manage social media properties, and process improvements based on the findings of our internal investigation." (Adrienne Hall, General Manager of Microsoft's Trustworthy Computing Group)

http://j.mp/1gcN2tK [Source: Mike Lennon, Security Week, 24 Jan 2014; via NNSquad, PGN-ed]
Darrell Etherington, Gmail and Google+ go down across the world, service returns after roughly 50 minutes, TechCrunch http://techcrunch.com/2014/01/24/gmail-goes-down-across-the-world

Sarah Perez, Glitch is causing thousands of e-mails to be sent to one man's Hotmail account, TechCrunch http://techcrunch.com/2014/01/24/gmail-glitch-is-causing-thousands-of-emails-to-be-sent-to-one-mans-hotmail-account/
[From Steve Greenwald's Greenwald-INFOSEC]

Okay, here we go again. Gee, Coke just announced that "employee data was exposed". How? Stolen laptops. Wow! Who would have guessed it? How is this still happening?

Actually, I know. Last May the laptop belonging to the head of Human Resources at my place of employment was stolen (but not reported to us peons (otherwise known as the organization's employees) until late December). A couple of weeks ago the university's executive committee announced that that same HR department head was promoted to Vice President, making HR a separate division. And nothing else has been said about the matter. There has been no response to the numerous e-mails and complaints that have been made (many by me, and I haven't given up). Apparently, the people running the university see that this problem is prevalent (after all, it's happening to large financial institutions, Fortune 500 companies, even the government), so evidently there is nothing they can do about it.

Maybe the focus of all the security experts on this list (and everywhere else) should be to start an information campaign to tell them that, yes, there are things that can be done and here's a list of what to do. Research is important. Figuring out how to stay ahead of (or even get close to) the hackers, thieves, insiders (i.e., the "bad guys") is important. Discussing what is and isn't working is important. But what is even more important is getting the information out there, beyond just the IT department (assuming that they have a clue). We might not be able to prevent stolen laptops, but we certainly can make sure that the resulting problems are mitigated. My approach is to get the attention of the HR department head and the CIO and outline for them exactly what can be done to protect this from happening again (and to protect the reputation of the university). I will bring in anyone and everyone who can and is willing to help me.
I think this list should start publishing a public blog addressing these issues. All of you have connections and all of you have credentials that should make people, including executives, listen and pay attention. Protecting data on stolen laptops might be a good place to start. Anyone agree? Anyone interested? Does anyone have a better suggestion? Because every time something like this happens, it makes the security community look inconsequential and incompetent.
http://thehackernews.com/2014/01/converting-google-chrome-into-bugging.html
Jeremy Kirk, InfoWorld, 23 Jan 2014 Chrome can access a computer's microphone after a person thinks a speech recognition feature is off, says Web developer http://www.infoworld.com/d/security/google-dismisses-eavesdropping-threat-in-chrome-234824 selected text: Google said there's no threat from a speech recognition feature in its Chrome browser that a developer said could be used to listen in on users. But Ater found that Chrome remembers if a person granted permission to a site that uses HTTPS, a security feature that encrypts communication between a client and a server. It will allow sites using HTTPS to start listening in the future without asking for permission again. The attack doesn't work if permission isn't granted to enable speech recognition.
Dan Goodin, Ars Technica, 23 Jan 2014 Potential privacy leak "feature" continues to take some users by surprise. It's a feature that has bitten Google Calendar users in the past, but it's worth a reminder: in some cases, the widely used service may unexpectedly leak sensitive information to bosses, spouses, or just about anyone else. The inadvertent leakage stems from Google Calendar's quick add feature, which is designed to automatically add the who, what, and where to events without requiring a user to manually enter those details. Typing "Brunch with Mom at Java 11am Sunday" is intended to schedule the event for the following Sunday morning at 11 and list the place as "Java." Participants can be added by listing their e-mail addresses, and in many cases, Google will respond by automatically adding an entry to the participants' calendar as well. Google heavily promoted this time-saving feature during the rollout of its mail and calendar services. But as documented as early as 2010, the behavior can also result in the leakage of private information for people who are unaware of it. Alas, almost four years later, it's still catching some people by surprise. Blogger Terence Eden explained how an entry his wife put in her personal Google Calendar made its way to her boss. It read: "e-mail [boss's address] to discuss pay rise" and included a date a few months in the future. The boss quickly received the reminder as an entry in her own Google Calendar. [...] http://arstechnica.com/security/2014/01/how-google-calendar-can-tip-off-your-boss-you-want-a-raise/
More than 750,000 Phishing and SPAM e-mails Launched from "Thingbots" Including Televisions, Fridge [PGN-ed]

SUNNYVALE, Calif. January 16, 2014. Proofpoint, Inc., a leading security-as-a-service provider, has uncovered what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household "smart" appliances. The global attack campaign involved more than 750,000 malicious e-mail communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks. As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years according to media reports, proof of an IoT-based attack has significant security implications for device owners and Enterprise targets. [...]

"Bot-nets are already a major security concern and the emergence of thingbots may make the situation much worse," said David Knight, General Manager of Proofpoint's Information Security division. "Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur. Enterprises may find distributed attacks increasing as more and more of these devices come on-line and attackers find additional ways to exploit them."

http://www.proofpoint.com/about-us/press-releases/01162014.php
Dan Goodin, Ars Technica, 24 Jan 2014

Apple.com does more to protect your password, study of top 100 sites finds. Which sites allow "123456"? Study names/shames the best/worst password policies.

Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding customer passwords, according to a comprehensive study of the top 100 e-commerce websites that also ranked Major League Baseball, Karmaloop, Dick's Sporting Goods, Toys R Us, and Aeropostale as performing the worst. Apple.com was the only site to receive a perfect score of 100, which was based on 24 criteria, such as whether the site accepts "123456" and other extremely weak passwords and whether it sends passwords in plaintext by e-mail. Microsoft and academic supplier Chegg tied for second place with 65, while Newegg and Target came in third with 60. By contrast, MLB received a score of -75, Karmaloop a -70, Dick's Sporting Goods a -65, and Aeropostale and Toys R Us each got a -60. Each site was awarded or deducted points based on each criterion, leading to a possible score from -100 to 100. The study was conducted by researchers from password manager Dashlane based on the password policies in effect on the top 100 e-commerce sites from January 17 through January 22. [...]

http://arstechnica.com/security/2014/01/apple-com-does-more-to-protect-your-password-study-of-top-100-sites-finds/
http://j.mp/1aME2Xu (Steve's Computer Vision Blog via NNSquad) "With very little effort, my code was able to "find the ghost" in the above example with 100% accuracy. I'm not saying it is perfect, far from it. I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing." - - - The problem is that Snapchat is demonstrating that they don't really care about security at all. They're hardly even going through the motions. [See also 4.6 million Snapchat phone numbers and usernames leaked (RISKS-27.68) and other items in RISKS-27.69. PGN]
Lauren Weber, *Wall Street Journal*, 21 Jan 2014

Some Companies Wipe Workers' Personal Cellphones Clean After They Leave

In early October, Michael Irvin stood up to leave a New York City restaurant when he glanced at his iPhone and noticed it was powering off. When he turned it back on again, all of his information - email programs, contacts, family photos, apps and music he had downloaded - had vanished. The phone looked "like it came straight from the factory," said Mr. Irvin, an independent health-care consultant. It wasn't a malfunction. The device had been wiped clean by AlphaCare of New York, the client he had been working for full-time since April. Mr. Irvin received an email from his AlphaCare address that day confirming the phone had been remotely erased. [...]

http://online.wsj.com/news/articles/SB10001424052702304027204579335033824665964
John Foreman, MailChimp, 18 Jan 2014 SUMMARY: MailChimp Chief Data Scientist is at Disney World this weekend wearing his RFID-equipped MagicBand. Here's how he thinks the practice of digitally tracking consumers in the physical world will reach everywhere from theme parks to our homes. http://gigaom.com/2014/01/18/you-dont-want-your-privacy-disney-and-the-meat-space-data-race/
> ... Instead, electronic health records have become a disease in need of a
> cure, as physicians do their best to diagnose and treat patients while
> continuously feeding the data-hungry computer.

Was this not entirely predictable? The whole EMR charade was hyped as being the penultimate solution to everything wrong with healthcare in the United States. But what EMR use was really doing was taking the #1 critical resource choke point, the work time of the MD, and instead of optimizing it, demanding [s]he spend time on clerical work best done by someone less skilled, less trained, and far far less expensive per minute.

[The MD time touches another medical issue, infection control. Yes, if they thoroughly scrubbed between each patient visit as they do rounds, it would reduce infection spread. But where will that scrub time come from; what else gets dropped?]

To me, the whole EMR euphoria harks back to the promises re: how electronic voting machines were going to err solve all our election problems. The common thread: The Hill dumped lots of money onto a problem, without really looking at what the solution would be. It's rather like the Cardassian legal system: Sentence First, Verdict Later; but here it's "Money First, Thinking Later..."
On Fri, 10 Jan 2014 Stuart Levy wrote:

> ... The design is for enterprise system administrators to be able to
> track *all* software installed on *any* monitored machine—and select
> some subset of packages as "interesting". Interesting software can be
> usage-tracked, and optionally flagged as being under a variety of kinds of
> license control ... and monitored ...

The flip side: a scientist working on NMR spectra is using several (of many) software packages to combine multiple spectra, FFT them, identify regions of interest, clean up the noise, and so on and so forth. A lot of it is manual and is driven by the scientist's expertise. The end result is often the 3D structure of the studied molecule that yields insight into its biological function and leads to new drugs etc.

The problem is reproducibility: in order to get from the original raw data to the same exact final result, potentially you need to not only use the same software but also the exact versions and retrace the exact sequence of steps. Or not—but as long as we can do that, we can't prove otherwise or run any software comparison studies. So yeah, we want to know not only what software you're using but also what you did with it in exact detail. Otherwise we can have one study claim that zinc kills common cold virus and another: that it kills small furry kittens, and no way to reproduce either result. (I expect NMR is not the only field where this exists, it's the one I'm familiar with.)
As I've just noted on my Verisign blog today, we're organizing a workshop in March 2014 on the risks of "name collisions" in the Domain Name System - a major topic in the ICANN community of late: http://namecollisions.net/ http://blogs.verisigninc.com/blog/entry/collisions_ahead_look_both_ways I thought you might find this of interest in your ongoing effort to collect and analyze computer system risks. I've enjoyed following your commentary over the years, from my early days in cryptography and security. The risk is not well known outside the Domain Name System community, and we're looking for ways to get more of industry informed and engaged. The workshop is open to the public. Papers will be selected by the technical program committee. In addition, the top papers will receive awards of up to $50,000. Burt Kaliski Jr., Senior Vice President and CTO, bkaliski@Verisign.com m: 571-528-2679 t: 703-948-4664 12061 Bluemont Way, Reston, VA 20190
Sandia National Laboratories and DARPA will be hosting the 2nd annual Neuro-Inspired Computational Elements Workshop (NICE 2014), 24-26 Feb 2014

Objective: The focus of this workshop is the creation of next generation of information processing/computation architectures beyond stored program architecture and Moore's Law limits.

Goal: Bring together researchers from different scientific disciplines and applications areas that are converging towards a new computational / information processing approach, determine potential pathways, identify applications that would have immediate benefit, and pursue resources to accelerate activity in those areas. A list of confirmed speakers is available at the event web site.

Registration: Cost for the workshop is $150.
Event website: http://nice.sandia.gov
Contact: Murat Okandan <mokanda@sandia.gov>, Ph.D., Chair, 1-505-284-6624
Event Organization: Linda Wood <llwood@sandia.gov>, 1-505-284-8404