Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
This is a pretty clear risk! http://arstechnica.com/security/2014/04/bug-can-cause-deadly-failures-when-anesthesia-device-is-connected-to-cell-phones/ Dan Goodin, Ars Technica, 22 Apr 2014 Federal safety officials have issued an urgent warning about software defects in an anesthesia delivery system that can cause life-threatening failures at unexpected times, including when a cellphone or other device is plugged into one of its USB ports. The ARKON anesthesia delivery system is used in hospitals to deliver oxygen, anesthetic vapor, and nitrous oxide to patients during surgical procedures. It is manufactured by UK-based Spacelabs Healthcare Ltd., which issued a recall in March. A bug in Version 2.0 of the software running on the device is so serious that it could cause severe injury or death, the US Food and Drug Administration warned last week in what's known as a Class I recall. In part, the FDA advisory read: Reason for Recall: Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect. This software issue may cause the System to stop working and require manual ventilation of patients. In addition, if a cell phone or other USB device is plugged into one of the four USB ports for charging, this may also cause the System to stop working. This defect may cause serious adverse health consequences, including hypoxemia and death. Spacelabs Healthcare received one report related to the software defect. There has been no injuries or deaths associated with this malfunction. [...] [Also noted by Tony Finch, who gives new meaning to “Blue screen of death?'' and Monty Solomon: “It's not clear why anyone would ever connect a phone to a medical device.'' to which PGN comments, and yet that's effectively how heart pacemakers and other medical devices are controlled. Whether it is a dedicated remote controller or a mobile phone makes very little difference in practice, except for accidental events such as butt-dialing. PGN]
I saw the following incidence on TV news when the above article from Mark Brader came in. A coincidence? In Japan, a man who was live-streaming his talk to a group of listeners suffered a minor brain stroke, resulting in an unclear speech and strange repetition of words. The listeners got worried and suggested that the speaker consult the doctor immediately. But the speaker, a man who called himself "a stone-headed old fart" or stone-headed man in the live streaming, was adamant that he was just tired, and did not listen. The listeners got really worried because the symptoms were so obvious. So someone managed to contact him via Skype (with video) next day to persuade the man to see the doctor. During the conversation, the man was talked into showing his social insurance card (government medical care a la Obama care on steroid) on the screen, and the keen-eyed caller took note of the address and name, and called the ambulance (in Japan, ambulance service is offered by municipalities and basically free of charge.) The man was hospitalized and diagnosed as having suffered a minor brain stroke, but is now OK with medication. On TV news, he thanked the listeners. A good story, indeed. Of course, I think we need to educate the society, "Don't show your ID cards on video phone" (!?) :-( Cf. I found a mention of the incidence in geek-oriented media: (in Japanese) http://news.livedoor.com/article/detail/8723618/
http://arstechnica.com/tech-policy/2014/04/due-to-license-plate-reader-error-cop-approaches-innocent-man-weapon-in-hand/ Mistaking a "7" for a "2" on wanted Oldsmobile, not a BMW, leads to traffic stop with one of the officers approaching the car with his gun out. "Typically, LPRs can read 60 license plates per second and match observed plates against a "hot list" of wanted vehicles, stolen cars, or criminal suspects. Today, tens of thousands of LPRs are being used by law enforcement agencies all over the country. Practically every week, local media report on some LPR expansion. And often, the data captured by the LPR which plate, when and where it was seen is kept for weeks, months, or sometimes indefinitely. It can create a major pool of data, leaving the very real possibility for an occasional misread"
This effort is quite unusual in that it (1) takes a very broad view of the risk, (2) includes cyber-risk insurance in its scope, and (3) directly invites participation by other parties. The main goals are research and education. "The CAS Task Force on Cyber Risk will engage in research activities and provide educational opportunities in the analysis of cyber risk, with a particular focus on contingent events arising from cyber risk and the financial implications of these events." The analysis of potential financial consequences of cyber-related events is an important part of this. "While there is a growing body of research on some of the specific IT aspects of the risk, it is particularly difficult to tie that research to financial outcomes and insurance coverage. The Task Force on Cyber Risk intends to contribute to this ongoing research, but its primary research goal is to utilize a multidisciplinary approach in order to gain a more comprehensive and accurate view of cyber risk." It's broad, ambitious, which also means it's easier said than done. "We believe that in addressing the challenge of cyber risk analysis, it is essential to follow a multidisciplinary approach that brings together experts in actuarial science, cybersecurity and information technology, big data analytics, legal and other fields," said the task force chair. "We encourage other professionals and organizations to join us in the important effort of advancing research and education in the area of rapidly evolving cyber risk." http://prn.to/1r6iz21 and http://bit.ly/QyfJWj It's a direct invitation.
Peter Wayner | InfoWorld, 21 Apr 2014 As software takes over more of our lives, the ethical ramifications of decisions made by programmers only become greater http://www.infoworld.com/d/application-development/12-ethical-dilemmas-gnawing-developers-today-240574
This comic strip summarizes about half the discussions you see on the Internet: http://wondermark.com/1k20/
Bill Snyder, InfoWorld, 17 Apr 2014 Intuit has launched a fake grassroots campaign to beat a proposal that would allow some taxpayers to file at no cost http://www.infoworld.com/d/the-industry-standard/intuits-secret-campaign-block-free-tax-filing-240663
Scammers abuse thousands of compromised accounts linked to third-party services. Dan Goodin, Ars Technica, 23 Apr 2014 Note the "via weheartit.com" tag in the bottom right of the malicious tweet. Twitter has been hit by an avalanche of malicious tweets that are being sent by thousands of compromised user accounts. The ongoing attack, which was about two hours old and showed no signs of abating as this post was about to go live, appeared to be linked to security breaches affecting third-party sites and apps. ... http://arstechnica.com/security/2014/04/mystery-attack-drops-avalanche-of-malicious-messages-on-twitter/
Lucian Constantin, InfoWorld, 22 Apr 2014 Some iOS users found a malicious library of unknown origin on their jailbroken devices http://www.infoworld.com/d/security/mysterious-malware-steals-apple-credentials-jailbroken-ios-devices-240954 opening text: A malware campaign of yet-to-be-determined origin is infecting jailbroken iPhones and iPads to steal Apple account credentials from SSL encrypted traffic. The threat was discovered after some users reported on Reddit that they experienced crashes in some applications as a result of a mysterious MobileSubstrate add-on called Unflod.
Alanna Durkin | Associated Press, 19 Apri 2014 AUGUSTA, Maine - Maine will begin putting photo identification on welfare benefit cards this month, first in Bangor and then across the state in an effort to target fraud and abuse, the administration of Governor Paul LePage, a Republican, said on Friday. The state will require that the heads of households and secondary card holders have photos placed on EBT cards, which low-income families use to buy food and other necessities. Residents who are younger than 19, older than 60, blind, disabled, or victims of domestic violence will be exempt, according to details about the administration's efforts laid out in a letter to the US Department of Agriculture obtained by the Associated Press through a Freedom of Access Act request. ... http://www.bostonglobe.com/metro/2014/04/18/citing-fraud-maine-put-photos-ebt-cards/vVUKLEiknCky8U2AiADF9I/story.html
For several years, I've had a monthly bill of $4 to $10 automatically charged to the same credit card. A few months ago, the fraud detection system started flagging that small transaction as fraudulent, every month. A robocall to my home land line asks me to confirm; and the card is locked until I confirm. Sometimes I'm not home for days, and often I travel in areas with no cell coverage. So with no effective warning, I can't make purchases far from home, and other automatic charges can bounce. I use automatic charges so I can travel and still pay bills on time. Catch-22. After several rounds of complaints, we are at workaround #3. I'll see what happens next month. Among other nonsense: - The fraud detection system does not maintain any transaction history. - Everyone assumes that card holders have continuous telephone access. I was told several times, by different people, "we'll give you a special number to call when this happens", moments after I explained this happens when I have no telephone access. Yes, there are other workarounds I could use; all would cost more in time, money, reliability, or reputation. Why should I bear that cost? One more stupidity they fixed: The robocall leaves a message with a toll-free number to call back, which is not on my credit card. Until recently, when you called, the first thing you were asked to enter was several digits from your Social Security Number. I immediately hung up the first couple of times this happened. The rest of this story is too depressing to recount.
Mark Mazzetti, *The New York Times*, 23 Apr 2014 WASHINGTON - An informant working for the FBI coordinated a 2012 campaign of hundreds of cyberattacks on foreign websites, including some operated by the governments of Iran, Syria, Brazil and Pakistan, according to documents and interviews with people involved in the attacks. Exploiting a vulnerability in a popular web hosting software, the informant directed at least one hacker to extract vast amounts of data - from bank records to login information - from the government servers of a number of countries and upload it to a server monitored by the FBI, according to court statements. The details of the 2012 episode have, until now, been kept largely a secret in closed sessions of a federal court in New York and heavily redacted documents. While the documents do not indicate whether the FBI directly ordered the attacks, they suggest that the government may have used hackers to gather intelligence overseas even as investigators were trying to dismantle hacking groups like Anonymous and send computer activists away for lengthy prison terms. ... http://www.nytimes.com/2014/04/24/world/fbi-informant-is-tied-to-cyberattacks-abroad.html
(Salon/AP): http://www.salon.com/2014/04/24/russias_putin_calls_the_internet_a_cia_project/ "President Vladimir Putin on Thursday called the Internet a CIA project and made comments about Russia's biggest search engine Yandex, sending the company's shares plummeting. The Kremlin has been anxious to exert greater control over the Internet, which opposition activists—barred from national television—have used to promote their ideas and organize protests. Russia's parliament this week passed a law requiring social media websites to keep their servers in Russia and save all information about their users for at least half a year. Also, businessmen close to Putin now control Russia's leading social media network, VKontakte." [Some wag must have noticed the similarity between Putin and Rasputin -- who was a very controversial figure in the time of the Romanovs. That seems really Ba-Czar to me. I note here that RazPutin might be an appropriate nickname for Putin, where "raz" is a somewhat colloquial alternative for "odin" in Russian, with multiple meanings such as (the) number one, or first, or once. PGN]
TechDirt via NNSquad http://www.techdirt.com/articles/20140423/09130227004/russian-net-clampdown-continues-now-its-turn-blogs-vkontakte.shtml "Clearly those onerous conditions are designed to make any blogger think twice or three times before publishing anything at all controversial or embarrassing for the authorities. The article notes that the new law may be challenged before Russia's Constitutional Court, and that there's a huge loophole in the form of blogs located overseas, which are not covered by the legislation. The fear has to be that the Russian government will now move on to blocking them too. Moreover, not content with intimidating independent blogs, the Russian authorities also seem to be tightening their grip on VKontakte, the Russian Facebook."
Roger A. Grimes, InfoWorld, 22 Apr 2014 IOActive reports finds serious risks—and slim prospects for fixes -- in satellite communications http://www.infoworld.com/d/security/the-sky-falling-hackers-target-satellites-240934
Tony Drake, *IT Business*, 21 Apr 2014 http://www.itbusiness.ca/blog/the-trouble-with-canadas-digital-privacy-act/48129 opening text: Ontario privacy commissioner Ann Cavoukian has been in the news this week, following her investigation into Canada's practice of sharing personal (health) information stored by the Canadian Police Information Centre with U.S. border officials. Cavoukian discovered—as reported by the CBC—that details of some 19,000 encounters between police services in Ontario and individuals struggling with mental illness have been uploaded to the CPIC database, to which the FBI and U.S. Customs and Border Patrol have free access. The issue came to light late last year, when one Canadian woman was denied entry into the U.S., ostensibly because of her history of hospitalisation for depression and a suicide attempt.
http://bits.blogs.nytimes.com/2014/04/19/how-urban-anonymity-disappears-when-all-data-is-tracked/?emcíit_th_20140420&nl=todaysheadlines&nlid2604355
Wireless routers attached to rooftops in Sayada form a local network that the developers say is more secure than the Internet. Credit Samuel Aranda for *The New York Times* [Long article, truncated for RISKS. PGN] http://www.nytimes.com/2014/04/21/us/us-promotes-network-to-foil-digital-spying.html?action=click&contentCollection=Business%20Day®ion=Footer&module=TopNews&pgtype=article SAYADA, Tunisia—This Mediterranean fishing town, with its low, whitewashed buildings and sleepy port, is an unlikely spot for an experiment in rewiring the global Internet. But residents here have a surprising level of digital savvy and sharp memories of how the Internet can be misused. A group of academics and computer enthusiasts who took part in the 2011 uprising in Tunisia that overthrew a government deeply invested in digital surveillance have helped their town become a test case for an alternative: a physically separate, local network made up of cleverly programmed antennas scattered about on rooftops. The State Department provided $2.8 million to a team of American hackers, community activists and software geeks to develop the system, called a mesh network, as a way for dissidents abroad to communicate more freely and securely than they can on the open Internet. One target that is sure to start debate is Cuba; the United States Agency for International Development has pledged $4.3 million to create mesh networks there. Even before the network in Sayada went live in December, pilot projects financed in part by the State Department proved that the mesh could serve residents in poor neighborhoods in Detroit and function as a digital lifeline in part of Brooklyn during Hurricane Sandy. But just like their overseas counterparts, Americans increasingly cite fears of government snooping in explaining the appeal of mesh networks. “There's so much invasion of privacy on the Internet,'' said Michael Holbrook, of Detroit, referring to surveillance by the National Security Agency. The N.S.A. is all over it, he added. “Anything that can help to mitigate that policy, I'm all for it.'' Since this mesh project began three years ago, its original aim—foiling government spies—has become an awkward subject for United States government officials who backed the project and some of the technical experts carrying it out. That is because the N.S.A., as described in secret documents leaked by the former contractor Edward J. Snowden, has been shown to be a global Internet spy with few, if any, peers. [...]
Jeremy Kirk, InfoWorld, 23 Apri 2014 Some Android office-productivity apps thought to be vulnerable to Heartbleed are protected thanks to a mistake in invoking SSL functions http://www.infoworld.com/d/mobile-technology/coding-error-protects-some-android-apps-heartbleed-241031 selected text: Some Android apps thought to be vulnerable to the Heartbleed bug were spared because of a common coding error in the way they implemented their own native OpenSSL library. "Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of using the vulnerable library provided by the app."
David Kravets, (ArsTechnica, 16 Apr 2014) Computer science student is first arrest in relation to vulnerability. http://arstechnica.com/tech-policy/2014/04/heartbleed-hacker-arrested-charged-in-connection-to-malicious-bug-exploit/ A 19-year-old student has been arrested for allegedly exploiting the Heartbleed vulnerability to steal taxpayer data from as many as 900 Canadians, authorities said Wednesday. The arrest of Stephen Arthuro Solis-Reyes by the Royal Canadian Mounted Police marks the first time authorities anywhere have publicly levied charges in connection to the malicious exploitation of a defect in the widely used OpenSSL cryptography library. Canada Revenue Agency officials said they had removed public access to online tax services a day after the defect was discovered earlier this month. <http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/> But it was too late, and the Heartbleed flaw made it possible to pluck private encryption keys, passwords, and other sensitive data out of the private computer memory of the revenue agency's servers running vulnerable versions of the open source library. "The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," Assistant Commissioner Gilles Michaud said in a statement. <http://www.rcmp-grc.gc.ca/ottawa/ne-no/pr-cp/2014/0416-heartbleed-eng.htm> Solis-Reyes is a computer science student, according to the *London Free Press*. <http://www.lfpress.com/2014/04/16/london-teen-charged-in-heartbleed-breach-of-taxpayer-data> The Heartbleed vulnerability is the result of a failure to carry out a routine bounds check in OpenSSL code that handles the Transport Layer (TLS) heartbeat extension. Heartbeat allows a connected Web client or application that sends messages to keep a connection active during a transfer of data. According to Netcraft, two-thirds of websites rely on OpenSSL to implement HTTPS encryption, although not all of them have Heartbeat enabled. The Canadian Revenue Agency said it's putting in place measures to protect the people affected by the Heartbleed-enabled breach. It said it would notify victims by registered mail. Solis-Reyes faces charges of Unauthorized Use of a Computer and Mischief in Relation to Data following his Tuesday arrest at his Ontario residence.
http://www.nytimes.com/2014/04/19/technology/heartbleed-highlights-a-contradiction-in-the-web.html?emcíit_th_20140419&nl=todaysheadlines&nlid2604355
> The main impediment to wide adoption of safe languages at this point is > cost of conversion and the unpredictability of garbage collection > performance. The first is incrementally getting fixed, and the second > seems to have given way in the face of recent work on continuous > concurrent collection. You forgot the "it's not possible to manage resources other than garbage" bit. Including file descriptors—and in unix everything is a file. So yes, safe languages can make openssl safe from buffer overflows. With a somewhat annoying side-effect of running out of sockets every few minutes. Dimitri Maziuk, Programmer/sysadmin BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
Please report problems with the web pages to the maintainer