[FYI—When IBM service engineers did this sort of thing, we called it "causative maintenance"...] Kevin McGill, Super Bowl blackout was caused by [faulty] electrical relay, Associated Press, 8 Feb 2013 http://www.sfgate.com/news/article/Super-Bowl-blackout-was-caused-by-electrical-relay-4262813.php NEW ORLEANS—The company that supplied electricity to the Super Bowl says the blackout that halted the big game was caused by a device it installed specially to prevent a power failure. But the utility stopped short of taking all the blame and said Friday that it was looking into whether the electrical relay at fault had a design flaw or a manufacturing defect. The relay had been installed as part of a project begun in 2011 to upgrade the electrical system serving the Superdome in anticipation of the championship game. The equipment was supposed to guard against problems in the cable that links the power grid with lines that go into the stadium. "The purpose of it was to provide a newer, more advanced type of protection for the Superdome," Dennis Dawsey, an executive with Entergy Corp., told members of the City Council. Entergy is the parent company of Entergy New Orleans, the city's main electric utility. Entergy officials said the relay functioned with no problems during January's Sugar Bowl and other earlier events. It has been removed and will be replaced. ... The relay was installed in a building near the stadium known as "the vault," which receives a line directly from a nearby Entergy substation. Once the line reaches the vault, it splits into two cables that go into the Superdome. Sunday's power failure cut lights to about half of the stadium, halting play between the Baltimore Ravens and San Francisco 49ers and interrupting the nation's most-watched sporting event for 34 minutes. 
Not long after the announcement, the manufacturer of the relay, Chicago-based S&C Electric Co., released a statement saying that the blackout occurred because system operators had put the relay's so-called trip setting too low to allow the device to handle the incoming electric load. "If higher settings had been applied, the equipment would not have disconnected the power," said Michael J.S. Edmonds, vice president of strategic solutions for S&C. In a follow-up statement, Entergy said that tests conducted by S&C and Entergy on the two relays at the Superdome showed that one worked as expected, the other did not. Entergy spokesman Mike Burns said both relays had the same trip setting. Entergy's announcement came shortly before company officials went before a committee of the City Council, which is the regulatory body for the company. [Truncated for RISKS. The article continues with somewhat less expressed certainty as to the cause(s). PGN]
Washington (CNN)—Federal safety officials said Thursday they have identified the origin of the battery fire on a Boeing 787 Dreamliner last month, and are turning their microscopes on an aircraft approval process in which the airplane builder evidently greatly underestimated the chances of battery failure. Boeing had estimated a "smoke" event would occur "less than once in 10 million flight hours" with the Dreamliner's novel lithium-ion batteries, National Transportation Safety Board chairwoman Deborah Hersman said. But after fewer than 100,000 hours of actual flight, two batteries failed, one culminating in a fire. Further, Boeing's indications that heat damage in one battery cell would not harm adjacent cells proved false, Hersman said. "The assumptions used to certify the battery must be reconsidered," Hersman said. http://www.cnn.com/2013/02/07/travel/dreamliner-battery-investigation/ Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us [Get it from the horse's mouth: The National Transportation Safety Board: http://www.ntsb.gov/news/2013/130207.html PGN]
http://www.nytimes.com/2013/01/29/science/jared-diamonds-guide-to-reducing-lifes-risks.html?src=me&ref=general "If I'm to achieve my statistical quota of 15 more years of life, that means about 15 times 365, or 5,475, more showers. But if I were so careless that my risk of slipping in the shower each time were as high as 1 in 1,000, I'd die or become crippled about five times before reaching my life expectancy. I have to reduce my risk of shower accidents to much, much less than 1 in 5,475." This article provides a useful and clear overview of risk assessment (of the non-IT kind). It may be of use to folks who need to educate their users...
Chris Matyszczyk, CNET, 29 Jan 2013 Friends say a man in his early 20s was picking up one more of their group to go skating, when his GPS took him to the wrong house and the home-owner allegedly shot him dead, later saying he feared a home invasion. http://news.cnet.com/8301-17852_3-57566488-71/man-allegedly-follows-gps-directions-to-wrong-house-shot-dead/ Two portraits emerge of Lilburn shooter http://www.ajc.com/news/news/man-69-accused-of-killing-man-who-went-to-wrong-ho/nT8xp/
Nicole Perlroth, *The New York Times*, 30 Jan 2013 http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?partner=rss&emc=rss&pagewanted=print For the last four months, Chinese hackers have persistently attacked *The New York Times*, infiltrating its computer systems and getting passwords for its reporters and other employees. After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, *The Times* and computer security experts have expelled the attackers and kept them from breaking back in. The timing of the attacks coincided with the reporting for a *Times* investigation, published online on 25 Oct, that found that the relatives of Wen Jiabao, China's prime minister, had accumulated a fortune worth several billion dollars through business dealings. Security experts hired by *The Times* to detect and block the computer attacks gathered digital evidence that Chinese hackers, using methods that some consultants have associated with the Chinese military in the past, breached *The Times*'s network. They broke into the e-mail accounts of its Shanghai bureau chief, David Barboza, who wrote the reports on Mr. Wen's relatives, and Jim Yardley, *The Times*'s South Asia bureau chief in India, who previously worked as bureau chief in Beijing. "Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied," said Jill Abramson, executive editor of *The Times*. The hackers tried to cloak the source of the attacks on *The Times* by first penetrating computers at United States universities and routing the attacks through them, said computer security experts at Mandiant, the company hired by *The Times*. This matches the subterfuge used in many other attacks that Mandiant has tracked to China.
The attackers first installed malware - malicious software - that enabled them to gain entry to any computer on *The Times*'s network. The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China. More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past. Security experts found evidence that the hackers stole the corporate passwords for every *Times* employee and used those to gain access to the personal computers of 53 employees, most of them outside *The Times*'s newsroom. Experts found no evidence that the intruders used the passwords to seek information that was not related to the reporting on the Wen family. No customer data was stolen from *The Times*, security experts said. [Long but very worthy article truncated for RISKS. Steve Summit picked up on one paragraph that I deleted, below. PGN]
Attackers—allegedly from China—infiltrate the editorial offices of the New York Times for several months: http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html One point particularly stands out for me: "Investigators [...] suspect the hackers used a so-called spear-phishing attack, in which they send e-mails to employees that contain malicious links or attachments. All it takes is one click on the e-mail by an employee for hackers to install 'remote access tools'—or RATs." I'm afraid I know the answer(s), but I have to ask: why in the world do we put up with this? What once was unthinkable—what amounts to remote execution of untrusted code on any machine, essentially at will—is routine. (And, yes, I understand that what's typically going on is not direct execution of simple .exe-format attachments, but rather exploitation of bugs in complex but popular attachment-handling programs such as Acrobat and Flash, but the net effect would seem to be exactly the same.) The too-familiar entreaties to users to "be careful of clicking on suspicious attachments" do not and cannot work, but it's almost as if we've decided those entreaties are all we can do, that any technological fixes in parallel -- such as closing the holes in those attachment-handling programs once and for all, or replacing them with inherently more secure approaches—are impossible.
Ellen Nakashima, *The Washington Post*, 10 Feb 2013 [via ACM TechNews, Monday, February 11, 2013] The United States is the target of a massive, sustained cyber-espionage campaign that threatens the country's economic competitiveness, according to the National Intelligence Estimate (NIE). The report identifies China as the most aggressive country in trying to penetrate U.S. computer systems, although Russia, Israel, and France also were cited as having engaged in hacking for economic intelligence. Cyber-espionage increasingly is threatening the U.S.'s economic interests and the Obama administration is looking for ways to counter the online theft of trade secrets. "We need the NIE on cyber for a systematic and comprehensive understanding of what the most dangerous technologies are, who are the most threatening actors, and what are our greatest vulnerabilities," says former deputy defense secretary William J. Lynn III. A majority of China's cyberattacks are thought to be aimed at commercial targets with ties to military technology. "The problem with foreign cyber-espionage is not that it is an existential threat, but that it is invisible, and invisibility promotes inaction," according to a former government official. "It's fair to say we're already living in an age of state-led cyberwar, even if most of us aren't aware of it," says Google CEO Eric Schmidt. http://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-massive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_story.html?hpid=z1
This afternoon for at least 4 hours, Visa was denying purchases for thousands of cardholders. Visa claimed they had a system meltdown. I watched as someone was turned down on a minimal purchase using a VISA obtained through Barclay's Bank. When on the phone with Visa customer service, all they would admit was "all" their systems were down all afternoon and that they were getting thousands of calls from customers. All this sounds very suspicious. Perhaps someone from IP knows more about the problem and whether it was a real system failure or a denial of service attack or some other hack.
Jeremiah Grossman, WhiteHat Security Blog, 7 Feb 2013 Two weeks ago I was in the midst of a nightmare. I'd forgotten a password. Not just any password. THE password. Without this one password I was cryptographically locked out of thousands and gigabytes worth of files I care about. Highly sensitive and valuable files that include work documents, personal projects, photos, code snippets, notes, family stuff, etc. The password in question unlocks these files from the protection of a locally stored AES-256 encrypted disk image. A location where an "email me a password reset link" is not an option. File backups? Of course! Encrypted the same way with the same password. Password paper backup? Nope. I'll get to that. I somehow needed to "crack" this password. If not, the amount of epic self-pwnage would be too horrible to imagine. Before sharing how I got myself into this predicament, it's necessary to reveal some details about my personal computer security habits. More specifics than I'm normally comfortable sharing. ... http://blog.whitehatsec.com/cracking-aes-256-dmgs-and-epic-self-pwnage/
http://j.mp/Z0tyPT (Krebs via NNSquad) "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known "safe" files from computer viruses and other malicious software. Waltham, Massachusetts-based Bit9 is a leading provider of "application whitelisting" services, a security technology that turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But earlier today, Bit9 told a source for KrebsOnSecurity that their corporate networks had been breached by a cyberattack. According to the source, Bit9 said they'd received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9's own encryption keys."
Lucian Constantin, IDG News Service, *InfoWorld*, 06 Feb 2013 https://www.infoworld.com/d/security/researchers-devise-new-attack-techniques-against-ssl-212343 Almost all libraries used for implementing some of the Internet's most important security protocols are likely to be vulnerable to the new 'Lucky Thirteen' attacks
"Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking. Inadequate password protection may result in billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies compromised by attacks. As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication." http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm I wonder what is considered "user-generated?" Because I use LastPass to generate random 8-character passwords for all my accounts, are these considered to be user-generated? I know sites that won't even let you have a password more than 8 characters long. I better go to 12 characters moving forward. Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us [I suspect `user-generated' is intended to mean ones you generate yourself without supposedly clever tools. But if you are using well-known supposedly clever tools predictably, that may be riskful as well, or may be irrelevant if your passwords have been sniffed—perhaps even as they are generated... PGN]
Brian Jackson, A group of 13 associations say the proposed regulations for Canada's anti-spam law go too far, *IT Business*, 6 Feb 2013 http://www.itbusiness.ca/it/client/en/home/News.asp?id=69877 opening paragraph: A list of 13 business and technology associations in Canada are using the opportunity to comment on the proposed anti-spam regulations to fight for the right to put spyware on your computer and mobile devices, according to one Internet law expert.
InfoWorld, 5 Feb 2013 U.S. Department of Energy claims no classified info was stolen by hackers, just personal data belonging to employees http://www.infoworld.com/t/hacking/data-breach-exposes-energy-departments-continuing-story-of-negligence-212246
Tom Kaneshige, CIO, *InfoWorld*, 2 Feb 2013 Most iPhone and iPad apps appear harmless and fun, but some are virtual Trojan horses that swipe personal data when you're not looking http://www.infoworld.com/slideshow/84618/9-iphone-and-ipad-apps-invade-your-privacy-and-1-doesnt-212035
Nate Cardozo Staff Attorney Electronic Frontier Foundation nate@eff.org +1 415 436-9333 x146 Mandatory Black Boxes in Cars Raise Privacy Questions EFF Urges Strict Rules to Protect Drivers' Data San Francisco - The Electronic Frontier Foundation (EFF) urged the National Highway Traffic Safety Administration (NHTSA) today to include strict privacy protections for data collected by vehicle "black boxes" to protect drivers from long-term tracking as well as the misuse of their information. Black boxes, more formally called event data recorders (EDRs), can serve a valuable forensic function for accident investigations, because they can capture information like vehicle speed before the crash, whether the brake was activated, whether the seat belt was buckled, and whether the airbag deployed. NHTSA is proposing the mandatory inclusion of black boxes in all new cars and light trucks sold in America. But while the proposed rules would require the collection of data in at least the last few seconds before a crash, they don't block the long-term monitoring of driver behavior or the ongoing capture of much more private information like audio, video, or vehicle location. "The NHTSA's proposed rules fail to address driver privacy in any meaningful way," said EFF Staff Attorney Nate Cardozo. "These regulations must include more than minimum requirements of what should be collected and stored -- they need a reasonable maximum requirement as well." The current NHTSA proposal mandates a boilerplate notice to consumers that "various systems" are being monitored. The plan also calls for a commercial tool to be made available to allow user access to black box data. In its comments submitted to the NHTSA today, EFF calls for complete and comprehensive disclosure of data collection as well as a free and open standard to access black box information. "The information collected by EDRs is private and must remain private until the car owner consents to its use," said Cardozo. 
"Consumers deserve full disclosure of what is being collected, when, and how, as well as an easy and free way of accessing this data on their own. Having to buy access to your own data is not reasonable." In addition to submitting its own comments to the NHTSA today, EFF also joined the Electronic Privacy Information Center and a broad coalition of privacy, consumer rights, and civil rights organizations in comments urging the NHTSA to adopt specific, privacy-protecting amendments to its proposed rules. For EFF's full comments submitted to the NHTSA: https://www.eff.org/document/effs-comments-nhtsa-about-black-boxes-cars For this release: https://www.eff.org/press/releases/mandatory-black-boxes-cars-raise-privacy-questions About EFF: The Electronic Frontier Foundation is the leading organization protecting civil liberties in the digital world. Founded in 1990, we defend free speech online, fight illegal surveillance, promote the rights of digital innovators, and work to ensure that the rights and freedoms we enjoy are enhanced, rather than eroded, as our use of technology grows. EFF is a member-supported organization. Find out more at https://www.eff.org.
"The URL is garbled, but given the plethora of sites that you can hit to reach this page, TNW is laboring under the presumption that Facebook Connect is to blame. When you hit the blue 'Okay' button, you will be taken to a blank screen. If you hit the back button, the page you had wished to be on will be served to you, but only until the problem kicks back in and Facebook takes you hostage again. This is no small issue. Facebook is dragging people from other sites, to its own website, where it puts them into the above penalty box for no clear reason. Given the number of first-hand reports that TNW received on Twitter, this issue could affect millions the world around. The disruption that Facebook is currently causing could cost its partners big ad dollars. Feel free to list sites that you are seeing the problem with in the comments. Keith Plocek on Twitter dubbed the situation "Facebookmageddon." Not unfitting, frankly." http://j.mp/V2hkTx (*The Next Web* via NNSquad)
http://j.mp/V2nOlf (Gawker via NNSquad) "UPDATE: Facebook responded with the following statement: For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual. We've asked for more information. But in the meantime, it's good to know one small glitch at Facebook can effectively disable the entire Internet by redirecting it to their site." Why worry about terrorist attacks disrupting the Net when you've already got Facebook? [PGN notes: Lots of other items were contributed on this incident. Gabe Goldberg noted Facebook and Instagram Users Asked To Upload IDs To Regain Access http://news.cnet.com/8301-1023_3-57565293-93/instagram-account-crackdown-spreads-panic-fear-of-hacking/ Gene Wirchenko noted Ted Samson, *InfoWorld*, 8 Feb 2013, Facebook error that hijacks thousands of websites isn't just an 'inconvenience' http://www.infoworld.com/t/internet-privacy/facebook-error-hijacks-thousands-of-websites-isnt-just-inconvenience-212518 and also Roger A. Grimes, *InfoWorld*, 12 Feb 2013 http://www.infoworld.com/d/security/facebooks-redirect-error-foretells-the-future-of-hacking-212656 ]
Peter Wayner, *InfoWorld*, 12 Feb 2013 Web hijacking wrought by Facebook Connect shows that both sites and users may be ceding too much control to Facebook http://www.infoworld.com/t/application-development/how-facebook-connect-took-down-the-web-212658
I have been reviewing security books for over twenty years now. When I think of how few are really worthwhile that gets depressing. However, Ross Anderson is always worth reading. And when Ross Anderson first published "Security Engineering" I was delighted to be able to tell everyone that it was a worthwhile read. If you are, in any way, interested in, or working in, the field of security, there is something there for you. Probably an awful lot. When Ross Anderson made the first edition available online, for free, and then published the second edition, I was delighted to be able to tell everyone that they should buy the second edition, but, if they didn't trust me, they should read the first edition free, and then buy the second edition because it was even better. http://victoria.tc.ca/int-grps/books/techrev/bkseceng.rvw Now Ross has made the second edition available, online, for free: http://www.cl.cam.ac.uk/~rja14/book.html Everyone should read it, if they haven't already done so. (I am eagerly awaiting the third edition :-) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade
FOSE (Federal Office Systems Exposition)(http://bit.ly/XR4PJE) is the largest, most comprehensive event serving the government technology community. With a robust three-day program consisting of Keynote Speakers, Educational Sessions, Government Tech Talks, New Product/Solution Showcases and an App Arcade, FOSE is a must-attend event for the government technology community. From 14--16 May 2013, thousands of attendees will experience a broad range of technologies including: enterprise, infrastructure, workplace and mobile that are targeted to the specialized regulatory, security and mission needs of government agencies.