Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Heather Hollingsworth, AP, 13 Mar 2013 KANSAS CITY, Mo. (AP) - A tax-preparation glitch affecting about 660,000 tax returns will delay refunds by as long as six weeks, with customers of the nation's largest tax preparer among those affected. The Internal Revenue Service said in a statement that a problem with a ''limited number of software company products'' affected some taxpayers filing a form used to claim educational credits between 14 and 22 Feb 2013. The agency didn't name any companies in the statement, which it released Tuesday, but Kansas City-based H&R Block has been informing customers about problems. H&R Block spokesman Gene King said Wednesday that the company isn't saying how many of its customers were affected by the problems with Form 8863. ... http://www.boston.com/news/education/2013/03/13/irs-tax-glitch-affects-about-returns/2RStz826IfaP2YS5fFILsK/story.html
Reuters, 22 Mar 2013 http://www.reuters.com/article/2013/03/23/us-panama-canal-idUSBRE92L19120130323 Thousands of containers have been stuck at Panamanian ports after a computer glitch hampered communication with the railway, causing significant delays, officials said on Friday. The Panama Canal Railway Co transports about 1,500 containers daily between the only port on the Pacific entrance to the Panama Canal and three ports on the Atlantic, said Thomas Kenna, director of operations for the railway. But a computer upgrade on 20 Mar 2013 by Panama Ports Co (which manages two of those ports) caused severe lags, Kenna said. Since then, the railway has moved only about 350 containers a day. Traffic picked up on Friday, and the system should be operating normally by Monday, Kenna added.
John Markoff and Nicole Perlroth, *The New York Times*, 26 Mar 2013 Firm Is Accused of Sending Spam, and Fight Jams Internet A squabble between a group fighting spam and a Dutch company that hosts Web sites said to be sending spam has escalated into one of the largest computer attacks on the Internet, causing widespread congestion and jamming crucial infrastructure around the world. Millions of ordinary Internet users have experienced delays in services like Netflix or could not reach a particular Web site for a short time. However, for the Internet engineers who run the global network the problem is more worrisome. The attacks are becoming increasingly powerful, and computer security experts worry that if they continue to escalate people may not be able to reach basic Internet services, like e-mail and online banking. The dispute started when the spam-fighting group, called Spamhaus, added the Dutch company Cyberbunker to its blacklist, which is used by e-mail providers to weed out spam. Cyberbunker, named for its headquarters, a five-story former NATO bunker, offers hosting services to any Web site "except child porn and anything related to terrorism," according to its Web site. A spokesman for Spamhaus, which is based in Europe, said the attacks began on March 19, but had not stopped the group from distributing its blacklist. Patrick Gilmore, chief architect at Akamai Networks, a digital content provider, said Spamhaus's role was to generate a list of Internet spammers. Of Cyberbunker, he added: "These guys are just mad. To be frank, they got caught. They think they should be allowed to spam." ... http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html
[I don't like sending out anonymized messages, but it appears that many legit users are simply terrified of upsetting Spamhaus. Via NNSquad. Lauren] Date: Wed, 27 Mar 2013 NN:09:11 -NNNN From: [] Subject: More on Spamhaus et al. [Another sender anonymized by request] On 27 Mar, [] wrote: Spamhaus has selected some of my IP addresses now and then for lock down as well—even though they never demonstrated any proof of any sort that there was any good reason. Indeed there was none. Then I found out that they false positive list about 90,000 IPs a day—according to them. And I found out what it takes to get removed—which is excessive for the fact that they are acting without basis and from a location where class action suits are not going to work. They won't even reveal their real names. In any case, vigilante injustice is not what the Internet needs.
"Cyberattacks Seem Meant to Destroy, Not Just Disrupt" http://j.mp/10eldVl (New York Times) Mr. Obama's goal was to erode the business community's intense opposition to federal legislation that would give the government oversight of how companies protect "critical infrastructure," like banking systems and energy and cellphone networks. That opposition killed a bill last year, prompting Mr. Obama to sign an executive order promoting increased information-sharing with businesses. "But I think we heard a new tone at this latest meeting," an Obama aide said later. "Six months of unrelenting attacks have changed some views." In a word regarding this entire article: bull. My bet is that most of this stuff is coming from the functional equivalent of pimple-faced kids in their parents' basements in Cleveland. Hell, sad to say, I wouldn't be all that surprised if our own governments are behind many of the attacks on our own companies. This is all about our own governments wanting to scare the hell out of us so that we'll let them and their cyberscare-industrial complex buddies get more and more powerful, richer and richer, and won't complain as they tap our networks just like they've wanted to do pretty much all along. And we're falling for it, boys and girls.
[image: Tech@FTC Banner] <http://techatftc.wordpress.com/> Steve Bellovin SSL, RC4, and Site Administrators <http://techatftc.wordpress.com/2013/03/29/ssl-rc4-and-site-administrators/> There's been yet another report of security problems with SSL. <http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/> If you run a website or mail server, you may be wondering what to do about it. For now, the answer is simple: nothing—and don't worry about it. First of all, at the moment there's nothing to do. You can't invent your own cryptographic protocol; no one else would have a compatible browser. Besides, they're notoriously hard to get right. In the very first paper on the topic, Roger Needham and Michael Schroeder wrote “Finally, protocols such as those developed here are prone to extremely subtle errors that are unlikely to be detected in normal operation. The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.'' Why do you think your design will be better than one that has been scrutinized for more than 15 years? Some of the trouble in this latest breach is due to weaknesses in the RC4 cipher algorithm. No one who works in cryptography was surprised by this report; it's been showing cracks since at least 1997. What's new is that someone has managed to turn the weaknesses into a real exploit, albeit one that needs at least 224 and preferably 230 encryptions of the same plaintext to work. (By the way, this is why cryptographers are so concerned about minor weaknesses: as Bruce Schneier is fond of noting, attacks always get better, they never get worse.) Besides, ciphers are even harder to get right than protocols are. <http://www.schneier.com/> The real reason not to worry, though, is that unless you're being targeted by a major intelligence agency, this sort of cryptanalytic attack is *very* far down on the risk scale. Virtually all attackers will look for unpatched holes, injection or cross-site scripting attacks, people who will fall for spear-phishing attacks, etc., long before they'll try something like this. The common attacks are a lot easier to launch; besides, the attackers understand them and know how to use them. In the long run, RC4 has to be phased out. I certainly wouldn't start any new designs that depended on RC4's characteristics or performance, but there are plenty of other algorithm possibilities today. Vendors do need to ship web browsers and servers that support newer versions of SSL (formally known as TLS); weaknesses at the protocol level can't always be fixed by patching code. For now, though, stay up to date with your patches and software, and practice good security hygiene. (And if you are being targeted by a major intelligence agency, you should talk to a major counterintelligence agency, not me!) Posted in Tech@FTC <http://techatftc.wordpress.com/category/techftc/>
The IEEE 802.11 committee that developed the Wi-Fi specification conducted an extensive investigation into the interference potential of microwave ovens. A typical microwave oven uses a self-oscillating vacuum power tube called a magnetron and a high voltage power supply with a half wave rectifier (often with voltage doubling) and no DC filtering. This produces an RF pulse train with a duty cycle below 50% as the tube is completely off for half of every AC mains cycle: 8.33 ms in 60 Hz countries and 10 ms in 50 Hz countries. This property gave rise to a Wi-Fi "microwave oven interference robustness" mode that segments larger data frames into fragments each small enough to fit into the oven's "off" periods. http://en.wikipedia.org/wiki/Electromagnetic_interference_at_2.4_GHz#Microwave_oven
http://j.mp/16TWb2V (BBC via NNSquad) "Encrypted messaging services such as Skype, Viber and WhatsApp could be blocked in Saudi Arabia, the telecommunications regulator there is reported to have warned. It is demanding a means to monitor such applications, but Saudis say that would seriously inhibit their communications. Saudi newspapers are reporting that the companies behind the applications have been given a week to respond."
"FBI Pursuing Real-Time Gmail Spying Powers as 'Top Priority' for 2013" http://j.mp/11Kqi9d (Slate via NNSquad) "Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time. But that may change soon, because the bureau says it has made gaining more powers to wiretap all forms of Internet conversation and cloud storage a "top priority" this year." Actually, what they want is real-time access to pretty much everything from everyone. If they could force hardware manufacturers to install keyloggers, screengrabbers, and audio/video siphons into every piece of telecom gear manufactured, they would. And at some point, they'll probably try. Could they catch more bad guys that way? Yeah. But they also could solve more crimes by installing government cameras and microphones in everyone's homes and businesses. At some point—like now—we simply have to say that civil liberties trump.
"Police are searching for suspects' photos on Instagram and Facebook, then running them through the NYPD's new Facial Recognition Unit to put a face to a name, DNAinfo New York has learned. Detectives are now breaking cases across the city thanks to the futuristic technology that marries mug shots of known criminals with pictures gleaned from social media, surveillance cameras and anywhere else cops can find images." http://j.mp/XCVDrd (DNAinfo.com via NNSquad) Remember what I say, again and again: "Public Is Public!"
Big Data Is Opening Doors, but Maybe Too Many Steve Lohr, *The New York Times*, 23 Mar 2013 In the 1960s, mainframe computers posed a significant technological challenge to common notions of privacy. That's when the federal government started putting tax returns into those giant machines, and consumer credit bureaus began building databases containing the personal financial information of millions of Americans. Many people feared that the new computerized databanks would be put in the service of an intrusive corporate or government Big Brother. "It really freaked people out," says Daniel J. Weitzner, a former senior Internet policy official in the Obama administration. "The people who cared about privacy were every bit as worried as we are now." Along with fueling privacy concerns, of course, the mainframes helped prompt the growth and innovation that we have come to associate with the computer age. Today, many experts predict that the next wave will be driven by technologies that fly under the banner of Big Data - data including Web pages, browsing habits, sensor signals, smartphone location trails and genomic information, combined with clever software to make sense of it all. Proponents of this new technology say it is allowing us to see and measure things as never before - much as the microscope allowed scientists to examine the mysteries of life at the cellular level. Big Data, they say, will open the door to making smarter decisions in every field from business and biology to public health and energy conservation. "This data is a new asset," says Alex Pentland, a computational social scientist and director of the Human Dynamics Lab at the M.I.T. "You want it to be liquid and to be used." But the latest leaps in data collection are raising new concern about infringements on privacy - an issue so crucial that it could trump all others and upset the Big Data bandwagon. Dr. Pentland is a champion of the Big Data vision and believes the future will be a data-driven society. Yet the surveillance possibilities of the technology, he acknowledges, could leave George Orwell in the dust. ... http://www.nytimes.com/2013/03/24/technology/big-data-and-a-renewed-debate-over-privacy.html
Mark Mazzetti, *The New York Times*, 22 Mar 2013 WASHINGTON - NASA has shut down a large public database and is limiting access to agency facilities by foreign citizens as part of a broader investigation into efforts by China and other countries to get information about important technology. NASA announced the security procedures this week, after the F.B.I. arrested a Chinese citizen at Dulles International Airport in Virginia who had boarded a plane to Beijing. The man, Bo Jiang, had been working as a contractor at NASA's Langley Research Center in southern Virginia. According to an affidavit filed on Monday, Mr. Jiang is being charged with making false statements to federal agents - failing to disclose that he was carrying a laptop, hard drive and SIM card that were discovered after a search of his belongings. ... http://www.nytimes.com/2013/03/23/us/nasa-shuts-down-database-during-security-inquiry.html
Peter Wayner, InfoWorld, Performance, security, cost—here's what to really expect from the cloud http://www.infoworld.com/d/cloud-computing/12-hard-truths-about-cloud-computing-214920
Ted Samson, InfoWorld, 27 Mar 2013 Researchers discover nearly 2,000 Amazon Simple Storage Service buckets containing freely accessible sensitive data http://www.infoworld.com/t/cloud-security/one-in-six-amazon-s3-storage-buckets-are-ripe-data-plundering-215349
http://j.mp/XaU20U (Net-Security [+video] via NNSquad) "Newer cameras increasingly sport built-in Wi-Fi capabilities or allow users to add SD cards to achieve them in order to be able to upload and share photos and videos as soon as they take them. But, as proven by Daniel Mende and Pascal Turbing, security researchers with German-based IT consulting firm ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices. Mende and Turbing chose to compromise Canon's EOS-1D X DSLR camera an exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it."
http://j.mp/Zq5Gzg (Google Translate Blog via NNSquad) Have you ever found yourself in a foreign country, wishing you knew how to say "I'm lost!" or "I'm allergic to peanuts"? The Internet and services like Google Translate can help-but what if you don't have a connection? Today we're launching offline language packages for Google Translate on Android (2.3 and above) with support for fifty languages, from French and Spanish to Chinese and Arabic. Seriously useful and cool.
We recently ran into a situation where I work, where a vendor's (a large, well-known, multinational company with a two letter abbreviation for it's name) piece of software was not fully compatible with Windows 7, 64bit. In particular, a portion of the UI that's very, very useful for looking at variables, is broken. Being that the software in question was a development package for their programmable logic controllers, and the widespread use of Windows 7 / 64 bit in our office, a call to the vendor was in order. The vendor replied that they were *not* going to update the package for 64 bit operating systems and there was *no* workaround. A bit of pressing and a few nasty emails later, we got the full story: Apparently the software uses a library developed by an outside firm. That firm went bankrupt and is no longer in business. There is no copy of the source code to the library. The library is not 64 bit compatible. Thus, the vendor is forced to rewrite a portion of his software in house. Or seek another library. Or something. We are stuck with a piece of broken software for the mean time. They say maybe 6 months to a year to fix it. I doubt we're alone. I'm sure this isn't the first time this has happened. I'm sure it won't be the last. It's a risk of relying on someone else's library to do something. If they go away, you may be stuck with incompatible software. And your customers won't be happy about it. Philip Nasadowski, Project Engineer, PCS Integrators
http://www.newburyportnews.com/local/x1533629801/25-000-could-be-affected-by-data-breach-at-SSU http://bostonglobe.com/metro/2013/03/15/virus-accesses-salem-state-university-database-containing-personal-information-for-thousands/S7AJvP1k7Zb7lLzSqhm7pN/story.html?s_campaignƒ15
Ah, the wonders/blunders of modern communication. Ted Samson, InfoWorld, 21 Mar 2013 Complaint on Twitter about overheard off-color jokes ends up costing two techies their jobs http://www.infoworld.com/t/technology-business/twitter-shaming-can-cost-you-your-job-214956
Lucian Constantin, IDG News Service, InfoWorld, 20 Mar 2013 http://www.infoworld.com/d/security/cisco-inadvertently-weakens-password-encryption-in-its-ios-operating-system-214907 Cisco inadvertently weakens password encryption in its IOS operating system The password encryption scheme used in newer Cisco IOS versions is weak, researchers find.
I have just encountered the most clodsworthy... Lost Password Login https://savannah.gnu.org/ Welcome, jidanni. You may now change your password. New password / passphrase: (not too short, must contain multiple character classes: symbols, digits (0-9), upper and lower case letters) (for instance: Stigma5Brass3Status) New Password (repeat): 1. Why am I here? Because I always forget my password. 2. Why do I always forget my password? Because I am not allowed to use my much better password, but have to conform to some expert person's concept of what is a good password.
Chris Paoli, 20 Mar 2013 And one security expert unravels the tangled web of related attacks. http://redmondmag.com/articles/2013/03/20/xbox-live-hack.aspx
Users caught in the middle: Woody Leonhard, InfoWorld, 26 Mar 2013 http://www.infoworld.com/t/microsoft-windows/updated-windows-8-apps-not-in-sync-google-calendar-215225 Updated Windows 8 apps not in sync with Google Calendar Microsoft's new version of the Metro 'productivity' apps Mail, Calendar, and People refuses to sync with Google Calendar But it is not just Microsoft: "After you upgrade Mail, Calendar, and People (they all come together), the first time the Metro apps try to sync with a Google Calendar, you see this message: Reconnect this account / We can't connect to blahblah@gmail.com because Google no longer supports ActiveSync. Reconnect to get your email and contacts using a different method. Cancel to save your email drafts and reconnect later."
[Ishikawa notes only] the tip of the iceberg. While doing research for a presentation, I focused only on squirrel-related outages of both power and communications. The presentation is available here: http://attrition.org/security/conferences/2012-BruCON-CyberWar-v18-FINAL03.pptx If you start at slide 33 and click through to slide 39, you will not only see my attempt at a humorous assertion that squirrels are a bigger threat than 'cyberwar', but in the notes below each side is extensive details of other incidents caused by squirrels. In some cases, I had to resort to (now shared) Google spreadsheets because there were so many incidents. In particular, look at the notes for Slide 34 which has one fascinating statistic: Squirrels caused 177 power outages in Lincoln, Nebraska, in 1980, which was 24% of all outages. Estimated annual costs were $23,364 for repairs, public relations, and lost revenue. In Omaha, in 1985, squirrels caused 332 outages costing at least $47,144. After squirrel guards were installed over pole-mounted transformers in Lincoln in 1985, annual costs were reduced 78% to $5,148. Another article tells us: In Georgia, squirrel-related outages more than tripled from 5,273 in 2005 to 16,750 in 2006. [..] Georgia Power officials estimate the rodents cost them $2 million last year. [..] It appears that the problem may in part be due to acorns. [..] PECO, which powers Philadelphia and its surrounding counties, spends $1 million a year on squirrel guards to stop outages from "those rascally little varmints," Engel said. Another reference in the presentation also gives us this: http://blog.level3.com/2011/08/04/the-10-most-bizarre-and-annoying-causes-of-fiber-cuts/ According to Level 3 Communications, Squirrel chews account for a whopping 17% of our damages so far this year! (2011) So, while a rat has the distinction of going after a nuclear power plant, that little critter is just the latest in a painfully long history of such incidents. [In addition to the SRI item that Ishikawa noted, I have probably previously noted in RISKS that SRI International has experienced at least 5 squirrelcides that brought down the entire institute's power—despite our having created a co-generation plant in response to the first few. In http://www.csl.sri.com/neumann/illustrativerisks.html, search for "squirrel" gives those and others: * Squirrel arcs power, downs computers in Providence RI * SRI attacked by kamikaze squirrel who downs uninterruptible power * 4th SRI squirrelcide causes 8-hour outage, surges, system rebuild * 5th SRI squirrelcide causes 18.5-hour institute outage * Another squirrelcide: San Jose Airport power cut * Squirrel attack brings down Walla Walla * Squirrel knocked out Trumbull Connecticut infrastructure computer center PGN]
Please report problems with the web pages to the maintainer