Meet the medical scribe, who follows the doctor around and does the data entry required by all the electronic health records systems that have been adopted by medical care providers in recent years. Apparently no one budgeted for all the time needed to type stuff in, creating a new job opportunity in the health care field: Physicians who use [medical scribes] say they feel liberated from the constant note-taking that modern electronic health records systems demand. Indeed, many of those doctors say that scribes have helped restore joy in the practice of medicine, which has been transformed -- for good and for bad—by digital record-keeping. ... For decades, physicians pinned their hopes on computers to help them manage the overwhelming demands of office visits. Instead, electronic health records have become a disease in need of a cure, as physicians do their best to diagnose and treat patients while continuously feeding the data-hungry computer. Full article is here: http://www.nytimes.com/2014/01/14/health/a-busy-doctors-right-hand-ever-ready-to-type.html *The NY Times* notes that the 70% adoption rate of electronic health records in hospitals and doctors' offices is partly due to "tens of billions of federal incentive payments". They don't mention that the companies that make the medical records systems have lobbied Congress and the public for those types of incentives. Newt Gingrich comes to mind as one of their more prominent (and probably more influential) paid lobbyists.
Liana Heiten, *Education Week* 10 Jan 2014 [via ACM TechNews, 15 Jan 2014] No female, African American, or Hispanic students took the Advanced Placement (AP) computer science exam in some states in 2013, according to Georgia Institute of Technology computing outreach director Barbara Ericson, who compiled state comparisons of College Board data. In Mississippi and Montana, no students in any of the three categories took the AP computer science exam last year, although the College Board notes that Mississippi only administered one of the exams and Montana only administered 11. Eleven states had no African-American students taking the exam, and eight states had no Hispanic students taking the test. Among the 30,000 students who took the exam last year, less than 20 percent were female, about 3 percent were African American, and 8 percent were Hispanic, according to the College Board website. Females, African Americans, and Hispanics also had lower pass rates than white males on the exam, Ericson says. AP computer science courses "are more prevalent in suburban and private schools than in urban, poor schools," says Ericson, noting that only 17 states currently accept computer science as a core math or science credit. The College Board is committed to increasing access to rigorous computing courses and is working with national organizations, nonprofits, and the private sector to expand access, says spokesperson Deborah Davis. http://blogs.edweek.org/edweek/curriculum/2014/01/girls_african_americans_and_hi.html
[Note: This item comes from friend Steve Goldstein. DLH][via Dave Farber] How the Chinese Internet ended up at a house in Cheyenne, Wyoming Brian Fung, *The Washington Post*, 22 Jan 2014 <http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/22/that-time-the-chinese-internet-found-itself-at-a-tiny-house-in-cheyenne-wyoming/> It's not clear how it happened, but for several hours on Tuesday thousands if not millions of Chinese Internet users were being dumped at the door of a tiny, brick-front house on 2710 Thomes Ave. in Cheyenne, Wyo. The users' Internet traffic, bound initially for Chinese social networking sites and search engines, was redirected due to a mysterious error in the country's domain name system, *The New York Times* reports. At first, some speculated the malfunction in the traffic-routing machinery might have been a cyberattack. Others said that China's Great Firewall—the collection of human and technological censors that blocks Web sites deemed undesirable by the government—simply made a tactical error. "Either it was an intentional DNS [domain name system] hack or the unintentional result of the Great Firewall, but I haven't seen any technical analysis of what was more likely," Adam Segal, a scholar on China and cybersecurity at the Council on Foreign Relations, told me. The true nature of the mix-up may still be unclear, but there's a growing consensus for the latter explanation. To get around the Great Firewall, many Chinese (and expats, too) use services that route Web traffic through a foreign IP address, effectively making it look like the traffic isn't coming from inside China. One of these services, Sophidea, happens to be registered at the very address in Wyoming that bore the brunt of all that traffic. So the prevailing theory is that in trying to block Chinese traffic going to Sophidea, the Great Firewall's operators accidentally diverted more traffic there instead. 
According to a Chinese anti-virus software company, the Times reports, about 75 percent of China's domain name system servers were affected by the roughly eight-hour malfunction, during which Web browsers failed to load .com, .net and .org Internet addresses. As for the Wyoming house itself, it's not a bit unlike the wardrobe from C.S. Lewis's "Chronicles of Narnia." It may look small on the outside, but it technically houses around 2,000 corporate entities and people. A 2011 Reuters report says the place is filled with numbered mailboxes and serves as the headquarters for Wyoming Corporate Services, a business that helps set up shell companies that exist only on paper. [...]
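As an added illustration (not part of the Post article or of any cited analysis), the check a resolver operator or monitoring team would run to catch this failure mode: a large share of unrelated names suddenly resolving to one address. The resolver answers below are constructed; the article names no IP address and none is assumed here.

```python
"""Detect a DNS "collapse": many unrelated names resolving to one address.

Added example; not from the Post article or any cited analysis. The resolver
answers below are constructed, and no address from the incident is assumed.
"""
from collections import Counter, defaultdict

# Constructed (queried name, A-record answer) pairs, as a probe might collect
# them from a resolver under test.
SAMPLE_ANSWERS = [
    ("www.example.com", "203.0.113.7"),
    ("mail.example.net", "203.0.113.7"),
    ("shop.example.org", "203.0.113.7"),
    ("news.example.com", "203.0.113.7"),
    ("cdn.example.net", "203.0.113.7"),
    ("www.example.edu", "198.51.100.12"),   # TLD outside the failure
    ("intranet.example.cn", "192.0.2.44"),
]

def registered_domain(name):
    """Last two labels; a real deployment would use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_sinkholes(answers, min_domains=3, min_share=0.5):
    """Return {ip: sorted registered domains} for every address that answers
    for at least `min_domains` distinct registered domains AND at least
    `min_share` of all answers. The share threshold is what separates a busy
    CDN or hosting IP (legitimately fronting many domains, but a small share
    of a broad probe set) from a resolver returning one address for everything."""
    if not answers:
        return {}
    domains_by_ip = defaultdict(set)
    for name, ip in answers:
        domains_by_ip[ip].add(registered_domain(name))
    hits = Counter(ip for _, ip in answers)
    total = len(answers)
    return {ip: sorted(doms) for ip, doms in domains_by_ip.items()
            if len(doms) >= min_domains and hits[ip] / total >= min_share}

def affected_tlds(answers, ip):
    """Top-level domains swept into `ip` (the article: .com, .net and .org)."""
    return sorted({name.rsplit(".", 1)[-1] for name, a in answers if a == ip})

if __name__ == "__main__":
    for ip, doms in find_sinkholes(SAMPLE_ANSWERS).items():
        print(f"suspicious: {ip} answers for {', '.join(doms)} "
              f"(TLDs: {', '.join(affected_tlds(SAMPLE_ANSWERS, ip))})")
```

Run against a broad probe set (many registered domains across several TLDs) rather than a handful of names, otherwise a shared CDN address will trip the domain-count test; the share threshold only works when the probe set is wide.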
[via David Farber] [Note: This item comes from friend David Isenberg. DLH] Rob Jackson, Phandroid, 20 Jan 2014 FBI snatches Google Glass off the face of innocent AMC movie-goer <http://phandroid.com/2014/01/20/fbi-google-glass-movie/> Love it or hate it, Google Glass has been the cause for a lot of excitement lately. Last week it was pronounced legal to wear but not use while driving in the state of California. Shortly after, Glass was making waves again with the launch of an app called `Sex with Glass', allowing participants to essentially create their own sex tapes with the facial tech. Apparently, the FBI felt left out of all the fun. At an AMC theater in Easton Mall in Columbus, Ohio, one Google Glass Explorer went to see Jack Ryan: Shadow Recruit, but got a rude awakening instead. An hour into the movie he was approached by a federal agent who, without hesitation, snatched the Google Glass off the man's face and removed him from the theater. Outside there were 5 to 10 officers and agents who proceeded to allegedly badger and question him for over 3 hours, suggesting he was illegally recording the movie. Let's get a few facts out of the way:
* It's probably not smart to bring a recording device into a movie theater, but let's not forget almost everyone takes a mobile phone into a theater that is perfectly capable of recording.
* The man's Google Glass were the prescription version, so he essentially needed them on to see the movie (maybe he should have worn other glasses).
* The man had his Google Glass powered off in advance to avoid any misunderstandings.
The authorities eventually let the man go, but not without hours of intimidation and a frightening story that has him shaking—literally -- even a day after the event. A Movie Association representative compensated the Glass Explorer with 2 free movie tickets for his night of troubles.
The authorities certainly have the right to remove a patron from the theater suspected of recording the screen, but should wearing Google Glass be suspicion enough? The Explorer cooperated with the authorities, but considering his rights and his innocence, would you have acted differently or pursued a better outcome? As Google Glass and other wearable tech become more prevalent, you can bet we'll hear a lot more of these stories popping up across the world. ...
Adi Robertson, 21 Jan 2014 Wearing Google Glass recently proved perilous for a movie patron in Columbus, Ohio. On Monday, The Gadgeteer posted a frightening story apparently from a member of the Glass Explorer program. An hour into watching Jack Ryan: Shadow Recruit wearing his prescription version of Glass, he said, he'd been abruptly pulled from the theater and interrogated at length by "feds," who accused him of attempting to pirate the movie by recording it. What followed was over an hour of the "feds" telling me I am not under arrest, and that this is a "voluntary interview", but if I choose not to cooperate bad things may happen to me (is it legal for authorities to threaten people like that?). [...] They wanted to know who I am, where I live, where I work, how much I'm making, how many computers I have at home, why am I recording the movie, who am I going to give the recording to, why don't I just give up the guy up the chain, 'cause they are not interested in me. Over and over and over again. After going through the photos on his device, the man says, the officers concluded that there'd been a misunderstanding, and theater owner AMC called a man from the "Movie Association," who gave him free passes to see the film again. But the man described himself as shaken by the incident, especially because he'd worn Glass to the theater before and had no trouble. The story initially seemed too dramatic to be true, but both AMC and the Department of Homeland Security's Immigration and Customs Enforcement division have confirmed it. [...] http://www.theverge.com/2014/1/21/5331748/google-glass-wearing-movie-patron-questioned-for-piracy
Adi Robertson, 20 Jan 2014 Eager to tap the largely unexplored market for erotic Google Glass experiences, a team of hackathon participants have somehow created both an intriguing app and a weird, depressing commentary on gender. Called Sex with Glass, the app shares some DNA with James Deen's parody video: assuming that you and your partner are both participating in a closed beta that requires purchase of a $1,500 headset, you can both don the fragile prototypes and have extremely cautious intercourse while watching a live camera feed from the other person's viewpoint. There are a few other commands ("Okay Glass, play Marvin Gaye" and "Okay Glass, give me ideas") and a few dirty puns, but these are all distractions from the main event. Afterwards, it promises to "put all the footage together" into a video, which will disappear five hours after being constructed. http://www.theverge.com/2014/1/20/5328772/sex-with-google-glass-app-is-getting-either-sex-or-glass-wrong
Obvious points: 1. NEST has apparently failed to learn from many decades of computer programming experience that you don't roll out an upgrade to all your customers until you've done a thorough small-scale test and you always ensure you have a readily applicable rollback method. See also CompuServe UK, c. 1991, AT&T... 2. Despite the scathing comments from one poster, problems for the entire category are quite clear: how "smart home" components will be patched, who will be liable for failures, and how to cope when critical elements fail if you've taken out all the fallbacks. Plus the fact that "smart" systems that learn from your past behavior are ignoring a lesson dunned into all of us with respect to financial investments: past performance is no guarantee of future behavior. www.pelicancrossing.net Twitter: @wendyg
"The malicious program used to compromise Target and other companies was part of a widespread operation using a Trojan tool known as Trojan.POSRAM, according to a new report released Thursday about an operation that investigators have dubbed Kaptoxa." [literally more like Kartocha, PGN] http://j.mp/LmaJCc (Wired via NNSquad) [Late count seems to be 110 million customers' records implicated. The identity of the alleged culprit(s) remains unclear, despite some initial reports. PGN]
Danny Yadron, *Wall Street Journal*, 16 Jan 2014 Hacking Campaign Appears Broad, Sophisticated and Against Many Retailers The holiday data breach at Target Corp. appeared to be part of a broad and highly sophisticated international hacking campaign against multiple retailers, according to a report prepared by federal and private investigators that was sent to financial-services companies and retailers. The report offers some of the first details to emerge about the source of the attack that compromised 40 million credit- and debit-card accounts and personal data for 70 million people. It also provided further evidence the attack on Target during peak holiday shopping was part of a concerted effort by skilled hackers. Parts of the malicious computer code used against Target's credit-card readers had been on the Internet's black market since last spring and were partly written in Russian, people familiar with the report said. Both details suggest the attack may have ties to organized crime in the former Soviet Union, former U.S. officials said. ... http://online.wsj.com/news/articles/SB10001424052702304419104579324902602426862
There has been a reported surge in fraudulent credit card activity connected with cards used at Neiman Marcus stores in the Dallas, Texas area. According to a company spokesperson, a forensics firm and the Secret Service are presently investigating. Reportedly, the breach has been confirmed, but details remain undisclosed. The original report can be found at: http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/ Bob Gezelter, http://www.rlgsc.com
White hat hacker says he found 70,000 records on Healthcare.gov through a Google search Adrianne Jeffries, *The Verge*, 21 Jan 2014 The federal health insurance marketplace at Healthcare.gov still has major security issues according to some experts, including a flaw that allows user records to show up in Google results. At least 70,000 records with personal identifying information including first and last names, addresses, and user names are accessible by using an advanced Google search and then tweaking the resulting URLs, according to David Kennedy, founder of the security firm TrustedSec. Kennedy notes that he never modified any URLs, just that he noticed that it was possible. Kennedy first testified about the issue before a Congressional committee in November, he says, but it still hasn't been resolved. It's just one of several issues he's identified with the site, and it's actually one of the easier ones to fix: Kennedy estimates it would take just a few days to hide the records. ... http://www.theverge.com/2014/1/21/5331756/white-hat-hacker-says-he-found-70000-records-on-healthcare-gov
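An added example, not Healthcare.gov code and not from Kennedy's testimony, of the pattern the article describes: records addressed by a guessable identifier, served without an ownership check, and left indexable by search engines. The record layout, URL shape and session handling are assumptions for illustration; the hardened version shows the three changes a reviewer would ask for (unguessable handle, ownership check, no-index header).

```python
"""Enumerable, indexable user records: the pattern described above, with a
hardened counterpart. Added example; nothing here is Healthcare.gov code, and
the record layout, URL shape and session model are assumptions.
"""
import secrets
from dataclasses import dataclass

@dataclass
class Record:
    id: int
    owner: str        # account that may view this record
    first: str
    last: str
    address: str

# Constructed sample data.
RECORDS = {
    1001: Record(1001, "alice", "Alice", "Example", "1 Main St"),
    1002: Record(1002, "bob", "Bob", "Sample", "2 Elm St"),
}

def vulnerable_view(path, session_user):
    """GET /records/<id>: looks up the integer in the URL with no ownership
    check and no crawler directive. Anyone who finds one URL (e.g. in a
    search result) can 'tweak' the id and walk the whole table.
    Returns (status, headers, body)."""
    rec_id = int(path.rsplit("/", 1)[-1])     # assumed numeric id in the URL
    rec = RECORDS.get(rec_id)
    if rec is None:
        return 404, {}, ""
    return 200, {}, f"{rec.first} {rec.last}, {rec.address}"

# Hardened: records are reached through a random handle (not enumerable),
# only by their owner, and the response tells crawlers not to index it.
HANDLES = {}  # opaque handle -> record id (assumed storage for the example)

def issue_handle(rec_id):
    handle = secrets.token_urlsafe(16)        # 128 bits of randomness
    HANDLES[handle] = rec_id
    return handle

def hardened_view(path, session_user):
    handle = path.rsplit("/", 1)[-1]
    headers = {"X-Robots-Tag": "noindex, nofollow",
               "Cache-Control": "no-store"}
    if session_user is None:
        return 401, headers, ""
    rec = RECORDS.get(HANDLES.get(handle))
    # Same status for 'no such handle' and 'not your record', so a probe
    # cannot learn which handles exist.
    if rec is None or rec.owner != session_user:
        return 404, headers, ""
    return 200, headers, f"{rec.first} {rec.last}, {rec.address}"
```

The no-index header is the "few days" fix the article alludes to; the handle and ownership check are what actually close the hole, since a record that is not indexed is still one URL edit away from disclosure.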
David E. Sanger, Thom Shanker, *The New York Times*, 14 Jan 2014 [via ACM TechNews, 15 Jan 2014] The U.S. National Security Agency (NSA) has embedded software within nearly 100,000 computers worldwide, enabling the United States to monitor those machines and set up a digital pathway for launching cyberattacks. The software uses technology that employs a covert channel of radio waves that can be sent from tiny circuit boards and USB cards inserted secretly into the computers. The transceivers can share information with an NSA field station or hidden relay station up to eight miles away, which communicates back to the agency's Remote Operations Center. The transceiver also is capable of malware transmission. The system addresses the challenge of infiltrating computers that adversaries have tried to render invulnerable to surveillance or cyberattack by keeping them disconnected from the Internet. "What's new here is the scale and the sophistication of the intelligence agency's ability to get into computers and networks to which no one has ever had access before," says the Center for Strategic and International Studies' James Lewis. Officials and experts stress that the bulk of these software implants are defensive, used solely for surveillance and as an early warning system for cyberattacks targeting the United States. http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html
Fridge sends spam emails as attack hits smart gadgets http://www.bbc.co.uk/news/technology-25780908 A fridge has been discovered sending out spam after a web attack managed to compromise smart gadgets. The fridge was one of more than 100,000 devices used to take part in the spam campaign. Uncovered by security firm Proofpoint, the attack compromised computers, home routers, media PCs and smart TV sets. The attack is believed to be one of the first to exploit the lax security on devices that are part of the "Internet of things". The spam attack took place between 23 Dec 2013 and 6 Jan 2014, said Proofpoint in a statement. In total, it said, about 750,000 messages were sent as part of the junk mail campaign. The emails were routed through the compromised gadgets. About 25% of the messages seen by Proofpoint researchers did not pass through laptops, desktops or smartphones, it said. [...] See also http://www.proofpoint.com/about-us/press-releases/01162014.php
Trust Me (I'm a kettle) by Charlie Stross and The kettle of doom by Matthew Squair These two links are by way of the critical safety mailing list (highly recommended) and are about the risks of the Internet of things. http://www.antipope.org/charlie/blog-static/2013/12/trust-me.html http://criticaluncertainties.com/2013/12/20/the-kettle-of-doom/ The original article on kettles as a trojan horse bearing malware comes from an October 2013 report in *The Register*. http://www.theregister.co.uk/2013/10/29/dont_brew_that_cuppa_your_kettle_could_be_a_spambot/ "The possibilities are endless: it's the dark side of the Internet of things. If you'll excuse me now, I've got to go wallpaper my apartment in tinfoil ..." robert schaefer Atmospheric Sciences Group MIT Haystack Observatory Westford, MA 01886 email: rps@haystack.mit.edu voice: 781-981-5767 www: http://www.haystack.mit.edu
Reportedly, version 2.6.1 of the Starbucks iOS app stores the user's Starbucks loyalty credentials en clair in the device file system. This exposes the credentials to theft if the device is imaged or lost (or if the computing device being used to back up the device is compromised). Generically, it is a poor practice to save login credentials in forms that can be compromised. Mobile developers should take care: this class of vulnerability is often implemented as a "feature" to enable easier use; it is a serious vulnerability on many fronts and should not be done. More care is needed to protect information that can be translated into real money. For that matter, with the increasing forensic use of digital footprints, the ability to effectively steal someone's digital identifier provides the ability to create a trail of someone being where they have not been. The original report can be found at: http://seclists.org/fulldisclosure/2014/Jan/64 Bob Gezelter, http://www.rlgsc.com
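As an added example (not from the Full Disclosure post and not the Starbucks app's real file layout), a small scanner of the kind used to confirm this class of finding: walk an app's on-device container and flag text files holding credential-shaped content. The container and its files are constructed in a temporary directory so the script runs offline.

```python
"""Scan an app's on-device container for credentials stored en clair.

Added example; not code from the RISKS item or the cited Full Disclosure
post, and the file names are not the Starbucks app's. The sample container
is constructed in a temporary directory so the script runs offline.
"""
import os
import re
import tempfile

# Credential-shaped content in text files. Each regex tolerates the three
# layouts seen in practice: XML plist (<key>k</key><string>v</string>),
# JSON ("k": "v") and property style (k=v).
_SEP = r'\W{0,3}(?:</key>\s*<string>|[\s"\':=]+)'
PATTERNS = {
    "password": re.compile(r"(?i)(?:password|passwd|pwd)" + _SEP + r"([^\"'<\s]{4,})"),
    "username_email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "oauth_token": re.compile(r"(?i)(?:access_token|refresh_token|oauthtoken)"
                              + _SEP + r"([A-Za-z0-9._\-]{16,})"),
}
TEXT_EXTS = {".plist", ".json", ".xml", ".txt", ".log", ".properties"}
SESSION_LOG_REL = os.path.join("Library", "Caches", "session.log")

def scan_container(root):
    """Walk `root` and return sorted (relative path, finding) pairs.
    Binary plists and sqlite databases are skipped: they need format-aware
    parsing, and a grep-style pass over them would give false negatives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in TEXT_EXTS:
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            rel = os.path.relpath(full, root)
            findings.extend((rel, kind) for kind, rx in PATTERNS.items()
                            if rx.search(text))
    return sorted(findings)

def build_sample_container():
    """Constructed iOS-style container: one offending cache log, one benign
    preferences file."""
    root = tempfile.mkdtemp(prefix="container-")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    with open(os.path.join(root, SESSION_LOG_REL), "w") as fh:
        fh.write("<key>username</key><string>user@example.com</string>\n"
                 "<key>password</key><string>hunter2pass</string>\n")
    with open(os.path.join(root, "Library", "Preferences", "ui.plist"), "w") as fh:
        fh.write("<key>theme</key><string>dark</string>\n")
    return root

if __name__ == "__main__":
    for rel, kind in scan_container(build_sample_container()):
        print(f"{rel}: {kind} stored in clear text")
```

Point it at an unencrypted device backup or a jailbroken device's application container; a username or token match on its own is a lead to confirm by hand, while a password match in a cache or log file is the finding the post describes.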
Our group uses several kinds of commercial software, under license control. "Floating" licensing is convenient—some number of licenses are made available, and a central server parcels them out, ensuring that at-most-N are in use at once, but possibly by a larger set of machines. The server knows when & where an instance of the licensed program is started and finishes, but not more than that. We're now looking at some software which chose a different vendor's scheme. For their floating licensing, they hooked up with a company that distributes an across-the-board software management solution. The design is for enterprise system administrators to be able to track *all* software installed on *any* monitored machine—and select some subset of packages as "interesting". Interesting software can be usage-tracked, and optionally flagged as being under a variety of kinds of license control. It seems to be a well-designed system. But... In order to do this, when you install the software on any client machine, it scans the entire machine for any sort of graphical app, and reports the full list of programs to the central server. A server administrator can see the list of programs installed on any client computer. My Mac had 536 (!) entries. Also: whenever you invoke any app—not just one that's under license control, but anything—the central server is notified (in clear text over the network) of what app you ran, where, by whom, and for how long. It logs the invocation in a database, even if the app isn't listed as "interesting", presumably for future reference in case it becomes interesting later. This bugs me. I hope it bugs you. We'd been considering getting this floating-license setup for some software that students would use, to allow them to put it on their own laptops and develop freely. If it worked like other licensing systems, that'd be fine. 
But if it's going to reveal everything they've installed on their personal machines and when they run it, then—even if we trust the people running the server (us)—maybe we shouldn't use this vendor's floating license scheme after all. That's easy for me to say. If I were a student, I wouldn't be given that choice.
An interesting question. What happens when your car comes pre-equipped with monitoring? Who has access to the data and for what purposes? New generation cars are being equipped with instrumentation and audio-visual recording technologies. The "goal" is to improve the car and better understand what was happening prior to an accident. However, the information will be recorded regardless. Who has access to this information and under what safeguards is a serious question. Consider audio recording. Should a manufacturer be able to download audio contents from a vehicle at any time? What is privacy? Your mumblings while in transit? Conversations with your business colleagues? Your spouse? Your date? Even in the context of accident reconstruction, safeguards are needed. What about the legal question (e.g., recording people without their consent and without notice). A complex topic, to be sure. *The NY Times* article can be found at: http://www.nytimes.com/2014/01/11/business/the-next-privacy-battle-may-be-waged-inside-your-car.html I previously discussed some of these issues in a blog article on the use of GPS data entitled "GPS Recorders and Law Enforcement Accountability" (August 2010) at http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html. Bob Gezelter, http://www.rlgsc.com
Warning: I recommend removing your credit/debit cards from all Network Solutions/Web.com accounts http://j.mp/1dPevzH (Google+ via NNS) I am attempting to verify this rather incredible story. In the meantime, if you have any credit or debit cards on file with Network Solutions or any other Web.com company, I recommend immediately removing them from your account profiles. In fact, even if this particular story turns out not to be true, I'd make the same recommendation given their ongoing shady practices that are already confirmed. Reference: "Network Solutions Auto-Enroll: $1,850": http://j.mp/1dPf3Wh (inessential) "To help recapture the costs of maintaining this extra level of security for your account, your credit card will be billed $1,850 for the first year of service on the date your program goes live. After that you will be billed $1,350 on every subsequent year from that date. If you wish to opt out of this program you may do so by calling us at 1-888-642-0265." [Apparently public outrage has led NSI to reverse this policy to be opt-in, not opt-out. PGN]
If the bad guys have physical access to the router in your home, then you have bigger things to worry about than them plugging a USB stick into your router! Dr Martin Ward STRL Principal Lecturer and Reader in Software Engineering
A reminder that the submission deadline for USENIX Security is Feb 27th, 2014. Don't be late! I've added some new topics such as the "public good" category while keeping traditional technical topics as the continues to grow. https://www.usenix.org/sites/default/files/sec14_cfp_011514.pdf https://www.usenix.org/conference/usenixsecurity14/call-for-papers Kevin Fu, Associate Professor, EECS Department, The University of Michigan kevinfu@umich.edu, http://spqr.eecs.umich.edu/, 616-594-0385