https://www.nytimes.com/2012/10/13/us/politics/cracks-in-maryland-and-washington-voter-databases.html Some of you saw this at EVT/WOTE and at USENIX Security, where Alex Halderman did live demos of how easy it is. The NYT article actually understates how easy this is—the voter registration database for WA is online for free (or at least it was a few months ago), and you can use that, given just a person's name, to find their address, DOB, and last date voted. I demonstrated this at an FBI cybersecurity conference (of course giving credit to Alex!), and they were pretty surprised. What the NYT article doesn't note is that because the public voter registration database shows the last date voted, it's trivial to find occasional voters, and use that to figure out who to target, especially if you're trying to swing an off-year election. This ties into the online voter registration issue for which the ACM has a working group.
North Carolina e-machine has voters choosing (they claim [a]) Romney but the machine records (and reports to them) a vote for Obama. And as the story continues [b]: Guilford County Board of Elections Director George Gilbert says the problem arises every election. It can be resolved after the machine is re-calibrated by poll workers. "It's not a conspiracy. It's just a machine that needs to be corrected," Gilbert said.
[a] Have to put that cautionary disclaimer here, of course.
[b] http://myfox8.com/2012/10/23/guilford-county-voters-say-they-voted-for-the-wrong-candidate/
Timothy B. Lee, *Ars Technica*, Oct 22 2012
States see the virtue of paper ballots, but some lack funds to ditch e-voting.
Ernest Zirkle was puzzled. The resident of Fairfield Township in Cumberland County, NJ, ran for a seat on his local Democratic Executive Committee on June 7, 2011. The official results showed him earning only nine votes, compared to 34 votes for the winning candidate. But at least 28 people told Zirkle they voted for him. So he and his wife, who also ran for an open seat and lost, challenged the result in court. Eventually, a county election official admitted the result was due to a programming error. A security expert from Princeton was called in to examine the machines and make sure no foul play had occurred. Unfortunately, when he examined the equipment on August 17, 2011, he found someone deleted key files the previous day, making it impossible to investigate the cause of the malfunction. A new election was held on September 27, and the Zirkles won. A decade ago, there was a great deal of momentum toward paperless electronic voting. Spooked by the chaos of the 2000 presidential election in Florida, Congress unleashed a torrent of money to buy new high-tech machines. Today, momentum is in the opposite direction. Computer security researchers have convinced most observers that machines like the ones in Fairfield Township degrade the security and reliability of elections rather than enhancing them. Several states passed laws mandating an end to paperless elections. But bureaucratic inertia and tight budgets have slowed the pace at which these flawed machines can be retired. Luckily, no e-voting catastrophes seem to have occurred. The irregularities that have risen to public attention since 2006 have tended to be small-scale or low-stakes incidents like the one in Fairfield Township. But lack of high-profile failure is not an argument for complacency.
If an election were stolen by hackers in a state that used paperless voting machines, we wouldn't necessarily be able to detect it. Just because a major disaster hasn't happened in recent elections doesn't mean it can't happen in 2012. ... http://arstechnica.com/features/2012/10/paper-prophets-why-e-voting-is-on-the-decline-in-the-united-states/
Robert X. Cringely, *InfoWorld*, 17 Oct 2012 `All politics is personal' is truer than ever in the big data era -- especially in the hands of the Obama and Romney campaigns https://www.infoworld.com/t/cringely/whats-in-vote-only-your-entire-personal-profile-205149
I especially liked this comment: “However, it signaled it hoped to be able to ditch the safety measure in the long term.'' Masaharu Satou, a Nissan engineer: “Such as in the back seat, or it would be possible to steer the car with a joystick. If we are freed from that, we would be able to place the steering wheel wherever we like.'' http://www.bbc.co.uk/news/technology-19979380 I see a new industry opening up, of `e-chauffeurs', who drive your car remotely (perhaps from a centre in a low-cost country) while you read the papers for your next meeting. Nothing could go wrong, surely?
“Apps are the next phase of evolution for the connected car, yet safety laws could still completely remove or significantly limit in-vehicle infotainment.'' http://j.mp/OFluyB (mkt1985 via NNSquad) This is an area of increasing controversy. I was a bit perturbed to see new commercials from a luxury car maker promoting the fact that they had replaced most physical controls with a touchscreen "like your phone!" While in-car control systems that use voice recognition can be seen as generally safety-enhancing, anything that forces you to look away from driving, like a touch screen, rather than using knobs you can control by feel, seems potentially problematic.
9 October 2012 A school district in Texas came under fire earlier this year when it announced that it would require students to wear microchip-embedded ID cards at all times. Now, students who refuse to be monitored say they are feeling the repercussions. Since 1 Oct, students at John Jay High School and Anson Jones Middle School in San Antonio, Texas, have been asked to attend class with photo ID cards equipped with radio-frequency identification (RFID) chips to track every pupil's location. Educators insist that the endeavor is being rolled out in Texas to stem the rampant truancy devastating the school's funding. If the program is judged successful, the RFID chips could soon come to 112 schools in all and affect nearly 100,000 students. Students who refuse to walk the school halls with the card in their pocket or around their neck claim they are being tormented by instructors, and are barred from participating in certain school functions. Some also said they were turned away from common areas like cafeterias and libraries. ... http://rt.com/usa/news/texas-school-id-hernandez-033/
* What are the future/scaling implications of automated checking for dependencies over copyright?
* How much of the net could realistically be shut down by DMCA action or lawsuit?
http://www.techdirt.com/blog/?tag=beck's+hopelessness+scale
robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory Westford, MA 01886 781-981-5767 http://www.haystack.mit.edu
We've seen cases of computerized overbilling before, but by a factor of 10^14? In Pessac, near Bordeaux, a newly unemployed young woman named Solenne San Jose tried to terminate her account with Bouygues Telecom. The phone company sent her a final bill for 11,721,000,000,000,000 euros—“so many zeroes that I didn't know how much it came out to.'' In fact it was 5,872 times last year's GDP for the whole country. When she complained, the company first missed the point and offered her a time-payment plan. (It would have been interesting to know the details of this.) Then they said it should have been 117.21 euros, but there had been a "printing error, not a billing error". And they canceled the 117.21 euros as well. In English: http://www.bbc.co.uk/news/world-europe-19908095 In French: http://www.sudouest.fr/2012/10/10/la-facture-du-siecle-845407-2780.php http://www.leparisien.fr/high-tech/bouygues-telecom-reclame-a-une-cliente-des-centaines-de-milliards-d-euros-10-10-2012-2220287.php [Also noted by Richard Irvin Cook, noting that this amount is nearly 6,000 times France's annual economic output. PGN]
David Talbot, *Technology Review*, 17 Oct 2012 A meeting of government officials reveals that medical equipment is becoming riddled with malware. Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable. While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion. Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features. In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says. As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel. http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/ Jim Reisert AD1C, <email@example.com>, http://www.ad1c.us
The power just went out in a neighbouring building in the office park, but ours is still on .... RISKS readers would expect some unnecessary service disruption due to lack of backup power, perhaps telecoms, but the one thing that wasn't working was new to me: the sensor-based flush and faucet systems. I would have assumed these were standalone devices, but apparently not: there are no manual override buttons, and, you guessed it, automated activation of the water valves by infrared sensor is apparently routed through a computer in the other building with no backup power. [Dave, You think YOU had a bad day. Check out the following outages. PGN] http://thenextweb.com/insider/2012/10/26/major-sites-and-platforms-experiencing-outages-today-including-dropbox-and-google-app-engine/ http://internettrafficreport.com/namerica.htm http://techcrunch.com/2012/10/26/google-app-engine-down-with-major-service-disruption-as-dropbox-and-tumblr-also-suffer/ [and Hurricane Sandy is expected to leave millions without power. PGN]
Michael S. Schmidt and Nicole Perlroth, *The New York Times*, 23 Oct 2012 Hackers have stolen credit card information for customers who shopped as recently as last month at 63 Barnes & Noble stores across the country, including stores in New York City, San Diego, Miami and Chicago, according to people briefed on the investigation. The company discovered around 14 Sep 2012 that the information had been stolen but kept the matter quiet at the Justice Department's request so the F.B.I. could determine who was behind the attacks, according to these people. The information was stolen by hackers who broke into the keypads in front of registers where customers swipe their credit cards and enter their personal identification numbers, or PINs. ... http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html http://www.nytimes.com/interactive/2012/10/24/business/24barnes-and-noble-store-list.html http://s3.documentcloud.org/documents/481338/barnes-and-noble-store-list.pdf
Robert X. Cringely, *InfoWorld*, 24 Oct 2012 A Kindle customer thought she owned her e-books—until she found that Amazon erased them overnight. http://www.infoworld.com/t/cringely/amazons-drm-drama-whose-kindle-it-anyway-205634
http://j.mp/RRuwGa (This message on Google+) http://j.mp/WE5nol (ars technica via NNSquad) “Android applications downloaded by as many as 185 million users can expose end users' online banking and social networking credentials, e-mail and instant-messaging contents because the programs use inadequate encryption protections, computer scientists have found.'' This rather alarming looking headline refers to this research paper: http://j.mp/RRuTAn (University of Hannover [PDF]) By and large, the paper describes issues related to known SSL/TLS/PKI vulnerabilities and implementation/arguable user interface weaknesses that are rather commonly present across most platforms, not just Android. Some of these could be avoided to some extent via automated code scanners (a technology set that is gradually coming to various environments), but the reality is that without severely restricting developer and site flexibility, there is only so far we can go toward making these systems more (but still not perfectly) bulletproof. The paper also notes a number of methodological limitations that make a full analysis somewhat problematic. There are really no big surprises here for anyone who studies crypto systems in the Web environment, but obviously we must work to do better. I'll be popping back up for a couple of minutes on Coast to Coast AM radio tonight a bit after 10 PDT to discuss this. Lauren Weinstein
Ted Samson, *InfoWorld*, 22 Oct 2012 Researchers find Android shortcomings, combined with lazy programming, expose otherwise malware-free Android apps to data theft http://www.infoworld.com/t/mobile-security/legit-android-apps-rendered-unsafe-poor-programming-ssl-misuse-205418
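Lauren mentions automated code scanners as a partial remedy. As an added example (my own, not the Hannover authors' tool and not code from either article), here is the heuristic core of such a scanner: a few narrow Python regexes over Java source that flag the three copy-pasted "switch validation off" idioms the study is about: an X509TrustManager whose checkServerTrusted() does nothing, a HostnameVerifier whose verify() always returns true, and Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER. The two Java classes are constructed samples; the API names in them (javax.net.ssl and org.apache.http.conn.ssl) are the real ones.

```python
import re

# Heuristic rules for the "disable TLS validation" idioms.  They are narrow on
# purpose: they catch the common copy-pasted forms, not every way of breaking
# TLS, and a production scanner would work on an AST or on bytecode instead.
RULES = [
    ("TRUST_ALL_CERTS",
     re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*(?://[^\n]*\s*)*(?:return\s*;\s*)?\}"),
     "checkServerTrusted() with an empty body accepts any certificate chain"),
    ("TRUST_ALL_HOSTNAMES",
     re.compile(r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"\s*\{\s*return\s+true\s*;\s*\}"),
     "HostnameVerifier.verify() returns true for every host, so any valid cert is accepted"),
    ("ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
     "Apache HttpClient ALLOW_ALL_HOSTNAME_VERIFIER disables hostname checking"),
]

def scan_java(source):
    """Return (line, rule_id, message) for every match, sorted by line number."""
    findings = []
    for rule_id, pattern, message in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, rule_id, message))
    return sorted(findings)

# Constructed sample: the pattern the paper found in real apps.
VULNERABLE_JAVA = """\
public class NaiveClient {
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                // trust everything so the self-signed staging server works
            }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
    };
    static final HostnameVerifier ANY_HOST = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    void configure(SSLSocketFactory factory) {
        factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
"""

# Constructed sample: platform trust store plus a real check, nothing to flag.
SAFE_JAVA = """\
public class CarefulClient {
    HttpsURLConnection open(String host) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL("https://" + host + "/").openConnection();
        c.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
        return c;   // default HostnameVerifier stays in place
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTrustManager.checkServerTrusted(chain, authType);
        if (!PINNED_CA.equals(chain[chain.length - 1].getSubjectX500Principal())) {
            throw new CertificateException("unexpected root CA");
        }
    }
}
"""

if __name__ == "__main__":
    for finding in scan_java(VULNERABLE_JAVA):
        print("NaiveClient.java:%d %s: %s" % finding)
    print("CarefulClient.java:", scan_java(SAFE_JAVA) or "clean")
```

The rules deliberately ignore the legitimate case in the second sample, where checkServerTrusted() delegates to the platform trust manager and then pins the root; that is what the regexes' "empty body" condition buys over a plain grep for the method name. Reformatting, reflection or a body that merely logs and returns will slip past these patterns, which is why the paper's authors went to the trouble of a static analysis rather than a grep.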
Jeremy Kirk, *InfoWorld*, 25 Oct 2012, Use of weak DKIM signing keys could allow spoofed e-mail messages to look legitimate, US-CERT warned https://www.infoworld.com/d/security/google-microsoft-and-yahoo-fix-serious-email-weakness-205683 interesting bit: The issue came to light after Florida-based mathematician Zachary Harris was sent an e-mail from a Google recruiter that used only a 512-bit key, according to a report published Wednesday by Wired magazine. Thinking it might be some clever test by Google, he factored the key, then used it to send a spoofed message from Sergey Brin to Larry Page, Google's founders.
http://j.mp/QXeppK (Wired via NNSquad) http://j.mp/QXdOnZ (This message on Google+) “The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its google.com e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them - or passing through them - to validate to a recipient that the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender's DNS records and verify the validity of the signature.'' Well, what appeared to be e-mail from a headhunter anyway. But the irony here is that DKIM is much less useful in preventing these kinds of (spam-related, human engineering) attacks than might be thought, since (a) most sites—including legit ones—don't routinely support it, and (b) most email recipients are largely oblivious to any associated warnings. So, while DKIM indicating a problem with mail from the citi.com domain might be noticed by some users running compatible MUAs (Message User Agents), mail coming from a forged, non-DKIM supporting domain like citi-banking.com would probably be accepted as reasonable by many or most recipients. Lauren Weinstein
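As an added example for the two DKIM items above (it is not code from Wired, Google or US-CERT), here is the check a mail administrator can run over a selector's TXT record to catch exactly the weakness Harris found: it parses the "p=" tag, walks the DER SubjectPublicKeyInfo using only the standard library, and reports the RSA modulus size. The record, the selector name and the two 256-bit primes are constructed for the demo so that it runs offline against a 512-bit key; for a real selector, feed it the output of "dig +short TXT selector._domainkey.domain" with the quoted strings joined together.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

# -- minimal DER encoder, just enough for an RSA SubjectPublicKeyInfo --
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                          # long form: 0x8N then N length bytes
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                             # DER INTEGER is signed: keep it positive
        body = b"\x00" + body
    return _der(0x02, body)

def rsa_spki_der(n, e):
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))

# -- minimal DER decoder --
def _tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def rsa_public_numbers(spki_der):
    _, spki, _ = _tlv(spki_der, 0)
    _, alg_id, pos = _tlv(spki, 0)
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _tlv(spki, pos)
    _, rsa_pub, _ = _tlv(bitstr[1:], 0)            # skip the BIT STRING unused-bits byte
    _, n_bytes, pos = _tlv(rsa_pub, 0)
    _, e_bytes, _ = _tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# -- DKIM record audit --
def parse_dkim_record(txt):
    # assumes the TXT record's quoted strings have already been concatenated
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def audit_dkim_record(txt):
    tags = parse_dkim_record(txt)
    if not tags.get("p"):
        return {"bits": None, "verdict": "revoked key (empty p=): nothing can verify against it"}
    if tags.get("k", "rsa") != "rsa":
        return {"bits": None, "verdict": "non-RSA key type, not checked here"}
    n, e = rsa_public_numbers(base64.b64decode(tags["p"]))
    bits = n.bit_length()
    if bits < 1024:
        verdict = "WEAK: RSA moduli of this size have been factored since 1999"
    elif bits < 2048:
        verdict = "acceptable in 2012, plan the move to 2048"
    else:
        verdict = "ok"
    return {"bits": bits, "exponent": e, "verdict": verdict}

# -- constructed sample: a 512-bit key published under a made-up selector --
def _is_probable_prime(n):                         # n > 37 assumed
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % p == 0 for p in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:                                # Miller-Rabin with fixed bases
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _next_prime(n):
    n |= 1
    while not _is_probable_prime(n):
        n += 2
    return n

P = _next_prime(3 * 2**254 + 1)                    # two 256-bit primes, so P*Q is 512 bits
Q = _next_prime(3 * 2**254 + 2**128)
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(P * Q, 65537)).decode()
```

Running audit_dkim_record(SAMPLE_RECORD) reports 512 bits and the WEAK verdict; that is the condition US-CERT's note is about. RFC 6376 tells signers to use at least 1024 bits for long-lived keys, and Lauren's point stands alongside: a strong key only helps the receivers that actually verify, and only against forgery of your own domain, not of a look-alike one.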
One expert says whether you're the feds or a small business, a few basic security principles are key. He lays them out for us here. *IT Business, 24 Oct 2012 http://www.itbusiness.ca/it/client/en/home/News.asp?id=69172 redacted opening text: Would you sleep at night knowing your business is only protected from cybercriminals during regular banker's hours? ... the recent auditor-general's report ... pointing out that the Canadian Cyber Incident Response Centre (CIRC) only monitors suspicious stuff from 8 a.m. to 4 p.m. Coincidentally, Ottawa announced shortly before the A-G's report came out that CIRC's hours will be extended to 15 hours per day. So if you're a hacker, now you only have a daily nine-hour window when no one's really minding the store. In fact, Liberal safety critic Francis Scarpaleggia even wondered aloud why CIRC isn't held to the same operating standards as, well—a store: “If 7-Eleven and Couche-Tard can stay open all night, why can't the Incident Response Centre?''
(so they claim) ISLAMABAD: All e-mail, telephone calls and other communications with the rest of the world will begin to be monitored within 90 days at a cost of millions of dollars, according to a deadline given by the government to operators including PTCL. The government has assigned PTCL and other operators to install monitoring equipment by the end of this year for checking voice and e-mail communications from abroad, and the services of the country's spy agency will be used basically to check and curb blasphemous and obscene websites on the Internet. “The regulator, the Pakistan Telecommunication Authority (PTA), has assigned 14 LDIs, including PTCL, to install this monitoring equipment,'' senior executive vice president of the Pakistan Telecommunication Company Limited (PTCL) Sikandar Naqi told *The News* on Thursday. http://j.mp/RYUDLB (thenews.com.pk via NNSquad)
On closer examination, all Ted Samson's story seems to say is that if a machine with Skype installed is compromised, the black hats can send URLs to malware via Skype to other people. Obviously, any program that can communicate a URL to another person has exactly the same "issue" - and would be useless if it did not - so I'm unclear on how this reflects badly on Skype's security, rather than on the wariness of Skype users.
I agree that good random 16 character passwords not reused elsewhere are probably sufficient so long as the digests are never revealed. Concerning the fact that characters beyond 16 were being ignored: If the desire is to extend the usable length at some point, the first problem is to have folks first revert to using only the currently accepted 16 characters and not entering discarded characters. The change to disallow longer passwords will accomplish that without forcing those with longer passwords into a password reset ceremony. After that, the door is open for extending the limit in the future, also without invalidating anyone's already-used password.
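The two-step plan above (first refuse characters past the limit instead of silently dropping them, then raise the limit later without a reset ceremony) is easy to get subtly wrong, so here is an added example of it in code. It is mine, not the contributor's or any vendor's: the storage format, the 128-character ceiling and the PBKDF2 work factor are assumptions for the demo, and the salted digest stands in for whatever the real system uses.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 16      # characters the old scheme actually hashed; the rest were dropped
FULL_LIMIT = 128       # assumption: the new ceiling, enforced when a password is set
ITERATIONS = 20_000    # assumption: PBKDF2 work factor, kept low for the demo

def _digest(password, salt, limit):
    # Only the first `limit` characters take part, exactly as the legacy scheme behaved.
    return hashlib.pbkdf2_hmac("sha256", password[:limit].encode("utf-8"), salt, ITERATIONS)

def entry_check(password, limit):
    """Step 1 of the plan: refuse, rather than silently drop, characters past the limit."""
    if len(password) > limit:
        return f"password may not exceed {limit} characters"
    return None

def enrol(password, limit=FULL_LIMIT):
    """Store a new password; the record remembers the limit in force when it was hashed."""
    problem = entry_check(password, limit)
    if problem:
        raise ValueError(problem)
    salt = os.urandom(16)
    return {"limit": limit, "salt": salt, "digest": _digest(password, salt, limit)}

def legacy_record(password):
    """What the old system left behind: a digest over 16 characters, no complaint about the rest."""
    salt = os.urandom(16)
    return {"limit": LEGACY_LIMIT, "salt": salt, "digest": _digest(password, salt, LEGACY_LIMIT)}

def verify(record, password):
    """Compare using the limit the record was hashed with, in constant time."""
    return hmac.compare_digest(_digest(password, record["salt"], record["limit"]), record["digest"])

def login(record, password):
    """Step 2: on a successful login, re-hash legacy records over the whole string.
    Returns (ok, record_to_store); the record is unchanged unless an upgrade happened."""
    ok = verify(record, password)
    if ok and record["limit"] < FULL_LIMIT and entry_check(password, FULL_LIMIT) is None:
        record = enrol(password, FULL_LIMIT)
    return ok, record
```

The edge case worth seeing is the collision the truncation creates: against a legacy record, any string sharing the first 16 characters verifies, and only after login() has re-hashed the record over the full string does the junk tail stop working. Because verify() always uses the limit stored with the record, users who kept typing their long passwords and users who trimmed them to 16 both keep logging in, and neither is forced through a reset.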
How would you like to spend 3-5 days in a sunny location, learning and networking with fellow security colleagues, while earning continuing education credits? Come join the 28th Annual Computer Security Applications Conference (ACSAC) and hear keynotes from NIST, Google, University of Cambridge (UK), and IARPA, along with 100 other presenters and trainers! Whether your interest is web security, virtualization, cryptography, botnets, usability, protection, privacy, or another security-related specialty, you are sure to find plenty to learn about and discuss with your colleagues at ACSAC 2012. New for this year is the Cloud Computing Workshop, and a revamped Tracer FIRE forensic and incident response exercise and competition. Perennial favorites such as the Layered Assurance Workshop, the FISMA training track, and the NSPW Experience panel will also be back. And you won't want to miss your RISKS mailing list moderator's own panel on the Future of Application Trustworthiness. Program and Registration are available at www.acsac.org. Early registration deadline is November 12th. [ACSAC continues to provide superb opportunities to share diverse knowledge, experiences, and fundamental perspectives relating to application security. PGN]