Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Physics > Popular Physics (Submitted on 26 Dec 2013) (From Robert J. Nemiroff via Dave Farber) http://arxiv.org/abs/1312.7128 Time travel has captured the public imagination for much of the past century, but little has been done to actually search for time travelers. Here, three implementations of Internet searches for time travelers are described, all seeking a prescient mention of information not previously available. The first search covered prescient content placed on the Internet, highlighted by a comprehensive search for specific terms in tweets on Twitter. The second search examined prescient inquiries submitted to a search engine, highlighted by a comprehensive search for specific search terms submitted to a popular astronomy web site. The third search involved a request for a direct Internet communication, either by e-mail or tweet, pre-dating to the time of the inquiry. Given practical verifiability concerns, only time travelers from the future were investigated. No time travelers were discovered. Although these negative results do not disprove time travel, given the great reach of the Internet, this search is perhaps the most comprehensive to date.
I should note that whenever I've conducted time travel experiments, I've always scanned for any published research revealing it later (or, well, earlier) and then gone "back" and introduced sufficient changes (small "c" as per Asimov) to eliminate any evidence of those articles and/or newscasts, etc. That process will ultimately include this message.
Germany's Der Spiegel reports that the NSA has compromised a wide range of hardware for years to enable its spying InfoWorld, 31 Dec 2013 http://www.infoworld.com/d/security/apple-cisco-dell-unhappy-over-alleged-nsa-back-doors-in-their-gear-233261
Nicole Perlroth, *The New York Times*, 31 Dec 2013 Apple said Tuesday that it was unaware of the National Security Agency's efforts to hack into the iPhone and has never facilitated agency efforts to install backdoors into its products. The Cupertino, Calif., company released a strongly worded statement in response to a recent article in the German magazine Der Spiegel, which reported that N.S.A. analysts refer internally to iPhone users as "zombies" who "pay for their own surveillance." "Apple has never worked with the N.S.A. to create a backdoor in any of our products, including iPhone," an Apple spokeswoman said in an e-mail. *Der Spiegel* released a number of slides detailing the agency's hacking division - known internally as the Tailored Access Operations, or T.A.O. division. One slide, describing an N.S.A. software implant called DROPOUTJEEP, stood out. The agency described DROPOUTJEEP as a "software implant for Apple iPhone" that has all kinds of handy spy capabilities. DROPOUTJEEP can pull or push information onto the iPhone, snag SMS text messages, contact lists, voicemail and a person's geolocation, both from the phone itself and from cell towers in close proximity. It can also turn the iPhone into a "hot mic" using the phone's own microphone as a recording device and capture images via the iPhone's camera. (Reminder to readers: Masking tape is not a bad idea). ... http://bits.blogs.nytimes.com/2013/12/31/apple-says-it-is-unaware-of-n-s-a-iphone-hack-program/
"A hacker has found a backdoor to wireless combination router/DSL modems that could allow an attacker to reset the router's configuration and gain access to the administrative control panel. The attack, confirmed to work on several Linksys and Netgear DSL modems, exploits an open port accessible over the wireless local network. The backdoor requires that the attacker be on the local network, so this isn't something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources." http://j.mp/1cpQ717 (Ars Technica via NNSquad)
National Cyber Awareness System: TA14-002A: Malware Targeting Point of Sale Systems, 2 Jan 2014 https://www.us-cert.gov/ncas/alerts/TA14-002A For quite some time, cyber criminals have been targeting consumer data entered in POS systems. In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming. In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards. As POS systems are connected to computers or devices, they are also often enabled to access the Internet and e-mail services. Therefore malicious links or attachments in e-mails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers. [Excerpted for RISKS. Please dig up the entire CERT message if this might affect you. PGN]
http://j.mp/1d9Nt0o (Verge via NNSquad) The phone numbers and usernames of more than 4.6 million North American Snapchat users have been leaked online. SnapchatDB, an unofficial site run by an anonymous individual or group, allows open access to two files - one an SQL dump, one CSV text - that show details of the photo-sharing app's users alongside their location. The final two digits of phone numbers have been censored "to minimize spam and abuse," but SnapchatDB says people should "feel free" to contact it for the uncensored database, as it may release it under certain circumstances. Usernames are presented unedited, and SnapchatDB notes that "people tend to use the same username around the web." Those that download the information, it says, can try to "find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with." See also Has your Snapchat info been leaked? http://j.mp/1da2rDs (Snapcheck) [See also http://www.zdnet.com/researchers-publish-snapchat-code-allowing-phone-number-matching-after-exploit-disclosures-ignored-7000024629/ PGN]
Deirdre Fernandes, *The Boston Globe*, 27 Dec 2013 A local restaurant chain confirmed Friday that its computer systems were breached, putting at risk the credit card information of thousands of customers, including visitors who attended two major conventions in Boston. Briar Group, which owns 10 restaurants and bars in Boston, including two at the Westin hotel connected to the Boston Convention and Exhibition Center, said its computer systems were infiltrated sometime between October and early November. It said customer names, credit card numbers, expiration dates, and security information were captured from the cards' magnetic strips. ... http://www.boston.com/business/news/2013/12/27/local-restaurant-chain-was-source-data-breach-that-compromised-card-info-conventioneers/0dpNHdFp7VVltD9bZIbrVI/story.html Chain confirms it was source of breach affecting conventions By Deirdre Fernandes | GLOBE STAFF DECEMBER 28, 2013 http://www.bostonglobe.com/business/2013/12/27/local-restaurant-chain-source-data-breach-that-compromised-card-info-conventioneers/wPhKKndyN4hshrU47J2rwO/story.html?s_campaignƒ15 Important information about unauthorized access to credit card data December 27, 2013 http://www.briar-group.com/whats-new/important-information-about-unauthorized-access-credit-card-data
Nick Bilton, *The New York Times*, 19 Dec 2013 If you're sitting at your computer reading this, smile, you could be on camera. Actually, don't smile. Last week, researchers at Johns Hopkins University's Department of Computer Science showed off an exploit that allows a hacker to take over some MacBook computers and activate their Web cameras without the users' knowledge. The webcam hacking technique, first reported by The Washington Post, is said to be similar to a tactic used to spy on Cassidy Wolf, a 19-year-old Miss Teen USA, who fell victim to a webcam hacker earlier this year. The Federal Bureau of Investigation arrested the man responsible for the spying on Ms. Wolf. He pleaded guilty to charges in connection with his spying on her and a number of other women, using software that could snap a picture or record video of them without warning. The Johns Hopkins paper, titled "iSeeYou: Disabling the MacBook Webcam Indicator LED," explains how the researchers were able to reprogram an iSight camera's microcontroller to activate the recording functions and LED activation lights independently to spy on someone without giving that person any idea that the computer camera is in use. ... http://bits.blogs.nytimes.com/2013/12/19/researchers-hack-webcam-while-disabling-warning-lights/
Edward Snowden, Whistle-Blower The Editorial Board, *The New York Times*, 1 Jan 2014 http://www.nytimes.com/2014/01/02/opinion/edward-snowden-whistle-blower.html Seven months ago, the world began to learn the vast scope of the National Security Agency's reach into the lives of hundreds of millions of people in the United States and around the globe, as it collects information about their phone calls, their e-mail messages, their friends and contacts, how they spend their days and where they spend their nights. The public learned in great detail how the agency has exceeded its mandate and abused its authority, prompting outrage at kitchen tables and at the desks of Congress, which may finally begin to limit these practices. The revelations have already prompted two federal judges to accuse the N.S.A. of violating the Constitution (although a third, unfortunately, found the dragnet surveillance to be legal). A panel appointed by President Obama issued a powerful indictment of the agency's invasions of privacy and called for a major overhaul of its operations. All of this is entirely because of information provided to journalists by Edward Snowden, the former N.S.A. contractor who stole a trove of highly classified documents after he became disillusioned with the agency's voraciousness. Mr. Snowden is now living in Russia, on the run from American charges of espionage and theft, and he faces the prospect of spending the rest of his life looking over his shoulder. Considering the enormous value of the information he has revealed, and the abuses he has exposed, Mr. Snowden deserves better than a life of permanent exile, fear and flight. He may have committed a crime to do so, but he has done his country a great service. It is time for the United States to offer Mr. Snowden a plea bargain or some form of clemency that would allow him to return home, face at least substantially reduced punishment in light of his role as a whistle-blower, and have the hope of a life advocating for greater privacy and far stronger oversight of the runaway intelligence community. Mr. Snowden is currently charged in a criminal complaint with two violations of the Espionage Act involving unauthorized communication of classified information, and a charge of theft of government property. Those three charges carry prison sentences of 10 years each, and when the case is presented to a grand jury for indictment, the government is virtually certain to add more charges, probably adding up to a life sentence that Mr. Snowden is understandably trying to avoid. The president said in August that Mr. Snowden should come home to face those charges in court and suggested that if Mr. Snowden had wanted to avoid criminal charges he could have simply told his superiors about the abuses, acting, in other words, as a whistle-blower. “If the concern was that somehow this was the only way to get this information out to the public, I signed an executive order well before Mr. Snowden leaked this information that provided whistle-blower protection to the intelligence community for the first time,'' Mr. Obama said at a news conference. “So there were other avenues available for somebody whose conscience was stirred and thought that they needed to question government actions.'' In fact, that executive order did not apply to contractors, only to intelligence employees, rendering its protections useless to Mr. Snowden. More important, Mr. Snowden told The Washington Post earlier this month that he did report his misgivings to two superiors at the agency, showing them the volume of data collected by the N.S.A., and that they took no action. (The N.S.A. says there is no evidence of this.) That's almost certainly because the agency and its leaders don't consider these collection programs to be an abuse and would never have acted on Mr. Snowden's concerns. In retrospect, Mr. Snowden was clearly justified in believing that the only way to blow the whistle on this kind of intelligence-gathering was to expose it to the public and let the resulting furor do the work his superiors would not. Beyond the mass collection of phone and Internet data, consider just a few of the violations he revealed or the legal actions he provoked: [...] Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
I wanted to write to highlight some important documents that have recently been released by Der Spiegel about the NSA and GCHQ. We worked very hard and for quite some time on these stories - I hope that you'll enjoy them. Inside TAO: Documents Reveal Top NSA Hacking Unit: http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html Part 1: Documents Reveal Top NSA Hacking Unit: http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html Part 2: Targeting Mexico: http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-2.html Part 3: The NSA's Shadow Network: http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html NSA's Secret Toolbox: Unit Offers Spy Gadgets for Every Need: http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html Shopping for Spy Gear: Catalog Advertises NSA Toolbox: http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html Interactive Graphic: The NSA's Spy Catalog: http://www.spiegel.de/international/world/a-941262.html [The following are auf deutsch, URLs omitted. PGN:] TAO slides NSA QUANTUM Tasking Techniques for the R&T Analyst Yahoo! user targeting and attack example with QUANTUM QUANTUMTHEORY and related QUANTUM programs QUANTUM INSERT, race condition details Details about the Man-On-The-Side with QUANTUM QFIRE, TURMOIL, TURBINE, TURBULENCE MARINA Catalog of equipment covering around ~50 programs NSA QUANTUMTHEORY capabilities list GCHQ QUANTUMTHEORY capabilities list OLYMPUSFIRE An overview of all of these articles is available in German: http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html Earlier this week, I also recently gave a talk titled "To Protect and Infect: part two" at CCC's 30C3. In the talk I explain a number of these topics - the video is a reasonable complement to the above stories: https://www.youtube.com/watch?v°w36GAyZIA There are quite a few news articles and most of them have focused on the iPhone backdoor known as DROPOUTJEEP - they largely miss the big picture asserting that the NSA needs physical access. This is a misunderstanding. The way that the NSA and GCHQ compromise devices with QUANTUMNATION does not require physical access - that is merely one way to compromise an iPhone. Generally the NSA and GCHQ compromise the phone through the network using QUANTUM/QUANTUMNATION/QUANTUMTHEORY related attack capabilities. An example of a vulnerable Apple user is shown: http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329-24.html "note: QUANTUMNATION and standard QUANTUM tasking results in the same exploitation technique. The main difference is QUANTUNATION deploys a state 0 implant and is able to be submitted by the TOPI. Any ios device will always get VALIDATOR deployed." [Details on VALIDATOR auf deutsch. PGN] They're not talking about Cisco in that slide, I assure you. Welcome to 2014! The truth is coming and it can't be stopped, Jacob
https://www.aclu.org/national-security-technology-and-liberty/court-rules-no-suspicion-needed-laptop-searches-border Decision Dismisses ACLU Lawsuit Challenging DHS Search Policy as Unconstitutional 31 Dec 2013 [via Dave Farber's IP distribution] BROOKLYN—A federal court today dismissed a lawsuit arguing that the government should not be able to search and copy people's laptops, cell phones, and other devices at border checkpoints without reasonable suspicion. An appeal is being considered. Government documents show that thousands of innocent American citizens are searched when they return from trips abroad. "We're disappointed in today's decision, which allows the government to conduct intrusive searches of Americans' laptops and other electronics at the border without any suspicion that those devices contain evidence of wrongdoing," said Catherine Crump, the American Civil Liberties Union attorney who argued the case in July 2011. "Suspicionless searches of devices containing vast amounts of personal information cannot meet the standard set by the Fourth Amendment, which prohibits unreasonable searches and seizures. Unfortunately, these searches are part of a broader pattern of aggressive government surveillance that collects information on too many innocent people, under lax standards, and without adequate oversight." The ACLU, the New York Civil Liberties Union, and the National Association of Criminal Defense Lawyers filed the lawsuit in September 2010 against the Department of Homeland Security. DHS asserts the right to look though the contents of a traveler's electronic devices, and to keep the devices or copy the contents in order to continue searching them once the traveler has been allowed to enter the U.S., regardless of whether the traveler is suspected of any wrongdoing. The lawsuit was filed on behalf of Pascal Abidor, a dual French-American citizen who had his laptop searched and confiscated at the Canadian border; the National Press Photographers Association, whose members include television and still photographers, editors, students and representatives of the photojournalism industry; and the NACDL, which has attorney members in 25 countries. Abidor was traveling from Montreal to New York on an Amtrak train in May 2010 when he had his laptop searched and confiscated by customs officers. Abidor, an Islamic Studies Ph.D. student at McGill University, was questioned, taken off the train in handcuffs, and held in a cell for several hours before being released without charge. When his laptop was returned 11 days later, there was evidence that many of his personal files had been searched, including photos and chats with his girlfriend. In June, in response to an ACLU Freedom of Information Act request, DHS released its December 2011 Civil Rights/Civil Liberties Impact Assessment of its electronics search policy, concluding that suspicionless searches do not violate the First or Fourth Amendments. The report said that a reasonable suspicion standard is inadvisable because it could lead to litigation and the forced divulgence of national security information, and would prevent border officers from acting on inchoate "hunches," a method that it says has sometimes proved fruitful. Today's ruling is available at: aclu.org/sites/default/files/assets/abidor_decision.pdf CONTACT: 212-549-2666, media@aclu.org
The article states that the researchers said the gang must have had a "profound knowledge' of the workings of the cash machines in order to develop and successfully install the software." Nobody should be surprised that organised crime knows how to attach ATMs the smart way. Gangs have been known to physically remove ATMs from buildings and take them away to empty at their convenience. It's not beyond their wit to either sell the empty machine on to a group of smart criminals for analysis or to simply steal one of each type to order for that very purpose. Exactly the same thing used to happen with the units in payphones to work out how to open them and get the coins out. It's simply the next version of the 'arms race'.
"What the companies would not specify in full were their sources for consumer data. Three companies, Acxiom, Experian, and Epsilon, would not reveal the sources of their data, citing confidentiality clauses as the reason." Oh the irony.
This article deals with the vagaries of citizen mobilization of and support for the law via the Net. http://web.mit.edu/gtmarx/www/marx-publicas.html www.garymarx.net This article taking off from citizen uses of the Net after the Boston Marathon case, deals with the irony presented by technologies of visibility which can protect the integrity of the person and the group ala Hobbesian deterrence, yet can also be a tool for dastardly deeds. The challenge is to create informational borders that sustain the former, but not the latter. One of the great unresolved civilizational issues is coming to terms with (but never comfortably resolving) the tensions between and within visibility as accountability and invasion, and invisibility as both freedom and license.
Please report problems with the web pages to the maintainer