Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Bloomberg News has a nice index page of stories about hacking pacemakers and insulin pumps, electronic health records privacy/security issues, and so on. There's also articles on "Who's buying medical records" and one on deaths blamed on electronic health record systems. In short, it reads like a RISKS digest special issue on computers and health care: http://topics.bloomberg.com/putting-patient-privacy-at-risk/ One interesting thing noted from the article "UnitedHealth recalls Digital Health Record Software"—medical devices that have software bugs that kill people have to be reported to the FDA, but health record software that has bugs that can kill people doesn't. And special mention for the graphic on re-identifying allegedly anonymous medical records: http://www.bloomberg.com/infographics/2013-06-05/reidentifying-anonymous-medical-records.html
A *Los Angeles Times* investigation found that many former and current Pentagon officials familiar with the U.S. missile defense program consider it a failed program. The U.S. Missile Defense Agency (MDA), tasked with developing and testing missile defense systems, has spent over $40 billion to develop the Ground-based Midcourse Defense system (GMD), a system many industry observers call unreliable and requiring complete redesign. http://www.homelandsecuritynewswire.com/dr20140618-badly-engineered-missile-defense-systems-deployed-because-there-was-a-rush
Source: Reuters, *The Guardian*, 14 Jun 2014 (Thanks to Peter Ladkin; slightly PGN-ed) Dozens of aircraft briefly vanished from air-traffic control radars in nAustria, Germany, the Czech Republic and Slovakia over the last two weeks in incidents that Slovak authorities blamed on military electronic warfare exercises. Air-traffic controllers in Austria and Germany said data about the planes—position, direction, height or speed—went missing on 5 and 10 June 2014, but the outages posed no serious danger. Their Czech and Slovak counterparts also encountered cases of vanishing aircraft on the same days. The disappearance of objects on radar screens was connected with a planned military exercise that took place in various parts of Europe, whose goal was the interruption of radio communication frequencies, according to the Slovak air traffic services. “Immediately after the identification of the problem with the displays, the side organising the exercises was contacted and the exercise was stopped.'' It did not identify the military force, but Austrian media said it was NATO. NATO declined to comment.
Craig Whitlock, *The Washington Post*, 20 Jun 2014 [PGN-ed] More than 400 drones have crashed since 2011, due to mechanical breakdowns, human error, bad weather, and other reasons. The cited report is certainly a warning for future private drones. http://www.washingtonpost.com/sf/investigative/2014/06/20/when-drones-fall-from-the-sky/?hpid=z1
Is There a Crisis in Computer-Science Education? The Chronicle of Higher Education (06/23/14) Jonah Newman via ACM TechNews, Monday, June 30, 2014 Mother Jones editor Tasneem Raja recently wrote a report on computer science education trends in the United States and found the country graduated proportionally fewer computer science majors in 2011-12 than in 1985-86. In 1985-86, 4.3 percent of college graduates received computer science degrees, compared to just 2.6 percent of graduates in 2011-12. However, the report also found a steady fluctuation in interest among undergraduates and graduates in computer science. For example, in the 1970s and 1980s, many elementary, middle, and high schools taught computer science programming to students, according to University of Oregon professor Joanna Goode. However, "as the PC revolution took place, the introduction to the CD-ROMs and other prepackaged software, and then the Internet, changed the typical school curriculum from a programming approach to a 'computer literacy' skill-building course about 'how to use the computer,'" Goode says. In addition, fluctuations in college-degree attainment are often connected to changes in the job market in certain industries. The peak in computer science degrees came in 1985, about four years after the introduction of IBM's first personal computer and the Apple II. Similarly, a second wave of computer science graduates came in the early 2000s, about four years after the dot-com bubble. The latest data indicates the U.S. currently is in the middle of another rise in interest in computer science at the college level, according to Raja. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-ba53x2b4a5x060127&
Shortage of Cybersecurity Professionals Poses Risk to National Security PhysOrg.com (18 Jun 2014) via ACM TechNews, Monday, June 30, 2014 The nationwide shortage of cybersecurity professionals is posing risks for national and homeland security, according to a new RAND Corporation study. The demand for trained cybersecurity professionals is particularly severe in the federal government, which offers lower salaries than the public sector. "As cyberattacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks," says RAND scientist and lead study author Martin Libicki. "But educating, recruiting, training, and hiring these cybersecurity professionals takes time." Libicki says the demand for cybersecurity professionals began to overtake supply in 2007, largely due to increased reports of large-scale hacking attacks. The manpower shortage is primarily at the high end of the capability scale, where cybersecurity professionals command salaries of more than $200,000 to $250,000, according to Libicki. Many organizations are trying to deal with the shortage by focusing on internal promotion and educational efforts. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-ba53x2b4a7x060127&
(South China Morning Post via NNSquad) http://www.scmp.com/news/hong-kong/article/1535654/referendum-organisers-extend-poll-after-cyberattacks-electronic Organizers of Occupy Central say they will extend voting on electoral reform from three days to 10 days after its electronic system was targeted by hackers. The system, set up to accept advance registrations, has been hit by more than 10 billion cyberattacks since it was launched last week. As Gomer Pyle used to say, "Surprise, surprise, surprise!"
[Via Dave Farber's ip] The FATAL flaw of online voting systems (and one for which there is *no* technological solution whatsoever) isn't DDoS, identification, or communications security. it's very simply that there is *no* way to ensure that the voter isn't voting under duress... with a gun held to their head (figuratively, or even literally). No way to be sure there isn't someone watching over their shoulder to make sure they're voting the "right" way. No way to make sure the voter isn't selling their vote (drugs, sex, alcohol, money...). Anyone in a position of power over the voter. Employer, landlord, union shop steward, nursing home attendant, parent, health care giver, social worker, gang lord, .... could be almost anybody. We *must* not allow online voting, or even generalized mail-in balloting, for that reason. [That is hardly the ONLY FATAL FLAW. The entire concept is fundamentally fatally flawed, given the total lack of trustworthiness throughout the entire process. This is the ultimate Whack-a-Mole game, and Gordon is DRAMATICALLY oversimplifying. PGN]
[Press Enterprise, California] Confidential records for 35,212 Riverside Community College District students were mistakenly e-mailed to an unknown account in a security breach, officials said Monday, June 16. Students were being notified that some of their confidential information -- including Social Security numbers, birth dates, addresses and phone numbers -- may be at risk. ... The employee used a personal e-mail account to send the data to the researcher's personal e-mail address because the data file was too large to go through the district's secure, encrypted e-mail server, district Interim Chancellor Irving Hendrick said. The employee incorrectly typed the address, he said. The data contains students' names, addresses, birth dates, student e-mail addresses, preferred telephone numbers, some academic records, student ID numbers and Social Security numbers for 97 percent of students, district officials said. rest: http://blog.pe.com/colleges-universities/2014/06/16/colleges-rcc-moreno-valley-norco-students-data-breached/
How many organisations have warned users of their cards about the risks vs how many have been discovered and reported ? I was checking the balance on my Oyster card  on-line and noticed this: http://tfl.gov.uk/fares-and-payments/oyster/using-oyster/card-clash = = = Card clash Keeping your Oyster card in your wallet or purse with other cards could cause card clash. If you keep your Oyster card in your wallet or purse with your bank cards, you might occasionally see a red light when you touch it on a card reader at stations and on buses. The red light means you haven't paid for your journey and if you are at a ticket gate, it may not open. This can happen even if you've got enough pay as you go credit or a valid Travelcard on your Oyster card because you could be experiencing 'card clash'. Many cards are now issued with contactless technology - the same as Oyster cards: * Most bank, credit and charge card companies are issuing new cards ready for contactless payments * Many companies, educational establishments now issue contactless cards for cashless catering or as building entry passes If you touch your Oyster card on a yellow card reader when it's in the same wallet or purse as another contactless card, the reader may detect more than one card. When this happens, the card reader doesn't know which one to read so rejects them and you could experience any of the following: * The ticket gate does not open. * You get a red light when you touch in on a yellow card reader on a bus, ticket gate or free-standing yellow card reader. * On buses, where contactless payment cards are accepted, your fare could be charged to a card that you did not intend to pay with. To avoid card clash: * Don't touch a wallet or purse with multiple cards on the yellow card reader. * Keep your Oyster card separate from your contactless payment cards only touch the card you want to use on the reader when touching in and out. Later in 2014, when contactless payment cards are accepted for travel on Tube, tram, DLR, London Overground and most National Rail services in London, one of the following could also happen: * Your fare could be charged to a card you didn't intend to pay with. * You could be charged two maximum fares if the card reader reads one card when you touch in at the start of your journey and a different card at the end when you touch out. * Remember to separate your Oyster card from other contactless cards when touching in and out.  Oyster is a plastic smartcard which can hold pay as you go credit, Travelcards and Bus & Tram season tickets. You can use an Oyster card to travel on bus, Tube, tram, DLR, London Overground and most National Rail services in London.
Paul Venezia, InfoWorld, 23 Jun 2014 The demise of Code Spaces at the hands of an attacker shows that, in the cloud, off-site backups and separation of services could be key to survival http://www.infoworld.com/d/data-center/murder-in-the-amazon-cloud-244705
This might not come as a surprise to what's left of traditional Blackberry device users, but it appears that the 9900 and 9930 Blackberry devices do not have a fully functional PKI security environment "out of the box." I first discovered this when testing Steve Gibson's "revoked" web site (https://revoked.grc.com). I opened up a trouble ticket at Research in Motion through T-Mobile and after an hour on the phone with a RIM tech support person, finally got him to understand that a web site security certificate that has been revoked should NOT show "stale chain status" and "implicitly trusted." I also convinced him that a legitimate secure web site (in this case www.chase.com) should NOT display the same status as one with a deliberately revoked security certificate. The implications of a completely insecure web browser (in this case RIM's) are only the tip of the iceberg with this particular device, since Blackberry Enterprise Server (BES), and the less often used Blackberry Desktop Redirector, both use an exchange of keys to implement point-to-point Triple-DES encryption. The suspicious aspect of this security breach is that two models of Blackberry devices from two different wireless carriers, and potentially different parts of the world, have been compromised. I own both a Verizon 9930 and a T-Mobile 9900 (US frequencies, but may have originated out of the US), and after wiping and re-initializing with both factory defaults Apploader reformat, IT policies wiped (only one had one previously), both devices show the exact same "stale chain status" and "implicitly trusted" status for about half the root certificates in the devices. For Steve's "revoked" web site, the Blackberry devices consistently show "stale chain status," "unknown chain status," revocation status reads "unknown," and trust status reads "implicitly trusted." But I also see the same status message for "https://mobilebanking.chase.com" and "https://www.google.com." RIM has published many papers on how PKI security works with their devices and BES products, and I thought that the certificate synch, OSCP, and CRL functions were pretty good. As of this moment, although the desktop certificate sync sort of works (only adds, won't delete), nothing else does. Both the desktop and devices ignore the OCSP and CRL URL's, and none are not sync'ing into any device or from the device to the desktop. Even if I enter the OSCP and CRL URL's directly in the devices, the devices are not reaching out to any of them. The last RIM customer service person was trying to prompt me through manually "trusting" the questionable certificates (including a revoked certificate), and tried to convince me that this is how security is supposed to work on Blackberry devices. I asked him if he had heard about the Heartbleed bug, and how secure web site operators were revoking their security certificates so that people surfing the web couldn't be tricked into viewing a fraudulent site using one of the old certificates (now revoked), but he wasn't getting it. RIM insists that "unknown chain status" doesn't mean a secure connection isn't secure, since the device is always supposed to load any web page I select. I asked the RIM tech how can a connection be "secure" if the device couldn't validate the certificate? He wouldn't answer. I asked the RIM tech how can a Blackberry device on a Blackberry Enterprise Server (BES) detect if it's reaching a bogus BES system, and he wouldn't answer that, either. Previously, after I brought this to RIM's attention, all they did was to attempt to quickly close out the trouble ticket and record it as "closed." whether I responded or not. Each time, they close the ticket quicker. This time the RIM tech refused to escalate the problem to anyone, just insisted this is the way the device is supposed to work and that's it. It's obvious at this point that the PKI system compromise was intentional, and that RIM has no intention of changing it. It's also obvious that if Blackberry devices can't detect deliberately revoked security certificates, and the devices have been rigged to NOT warn users when their devices cannot determine the validity of any certificate, I have to wonder whether or not the devices could detect a bogus Blackberry Enterprise Server at the other end of a secure channel.
Ars Technica via NNSquad http://arstechnica.com/tech-policy/2014/06/poorly-anonymized-logs-reveal-nyc-cab-drivers-detailed-whereabouts/ "Botched attempt to scrub data reveals driver details for 173 million taxi trips."
The lengths that police and government folks will go to lie, cheat, steal, is still amazing to me. Do they have any moral compass that's recognizable anymore to anyone but themselves? In this episode of our long-running drama, US marshalls and cops use Stingrays (and presumably other things they simply haven't been caught with yet) that nab cell location and activity and then collude to lie to judges, defendants, just about everyone but themselves, and take outrageous actions to hide their activities (well, no surprise, even they know they're beyond the pale.) The ACLU even seems taken aback.
Sean Gallagher, Ars Technica, 22 Jun 2014 Ars tests how easy it is to spoof big broadband providers to grab data. http://arstechnica.com/security/2014/06/free-wi-fi-from-xfinity-and-att-also-frees-you-to-be-hacked/ Welcome to a way for hackers to fool you into connecting to malicious networks and give up your personal data: a spoofed Xfinity login page. Xfinity If you've traveled and tried to get on the Internet, you've probably seen some pretty suspicious looking Wi-Fi networks with names like "Free Wi-Fi" and "Totally Free Internet." Those are likely access points you'd best avoid. But there's a much bigger threat to your security than somebody randomly fishing for you to connect to them—the networks you've already connected to and trusted, like AT&T and Xfinity. Enlarge / The default settings for the AT&T Wi-Fi network on my iPhone, before I got paranoid. Mobile broadband providers are eager to get you to connect to their Wi-Fi-based networks while you're away from home. AT&T has built a network of free hotspots for customers at thousands of places—including train stations, as well as Starbucks and McDonald's locations across the country. Comcast has spread its Xfinity wireless network far and wide as well, turning customers' cable modems into public Wi-Fi hotspots accessible with an Xfinity account login. These free Wi-Fi connections are popular, for good reason—they help reduce the amount of broadband cellular data you consume, and they often provide better network speeds than what you can manage over a 4G connection. But they also offer a really easy way for someone to surreptitiously tap into your Internet traffic and capture your account information for less-than-friendly purposes. Millions of AT&T and Xfinity customers could be leaving themselves exposed to surreptitious hacking of their Internet traffic, exposing their personal data as a result. As we reported in our joint experiment with NPR, AT&T sets smartphones to recognize and connect to attwifi hotspots automatically. This can be switched off in iPhones by setting the phone to ask the user before connecting to networks when Wi-Fi is turned on but not associated with a hotspot. But that isn't an option on many Android devices. (Update: as readers point out, the latest AT&T Android settings allow for auto-connect to be disabled.) To demonstrate this, I set up my laptop as a Wi-Fi hotspot broadcasting the network name (SSID) attwifi (after alerting my neighbors, of course). After killing off the settings for my preferred networks on my iPhone, I turned on the Wi-Fi, and it connected to the fake attwifi hotspot without prompting. Enlarge / The captured traffic from my iPhone as it finds the fake "attwifi" hotspot and starts looking for things. When I killed the attwifi network after a few seconds, my iPhone promptly demonstrated the further risks of auto-connecting—it automatically reconnected with another network in the list of trusted networks on my phone: a hotspot called xfinitywifi. I had used an Xfinity hotspot while waiting for an appointment a few days earlier, and suddenly I was logged into a hotspot running on my neighbor's cable modem. Enlarge / When the fake AT&T network went away, a real Xfinity network connected me right away. Comcast's Xfinity wireless hotspots present a Web page for login that requests a customer's account ID and password, and each time you connect to a new hotspot it re-authenticates you. But if you've connected once during the day, the hotspot remembers your device and reconnects you without prompting. That means that if someone were to set up a malicious Wi-Fi access point called xfinitywifi, devices that have connected to Xfinity's network before could automatically connect without alerting the user or asking for the password. Alternatively, using a honeypot tool such as PwnStar, an attacker could spoof both the xfinitywifi SSID and the Xfinity login page—stealing their Xfinity credentials in the process. PwnStar includes the ability to redirect devices connecting to a Web page on the attacking system, record credentials, and then pass the victim on to Internet access as if nothing had happened—meanwhile launching man-in-the-middle attacks against the client (as I demonstrated for myself using an SSID called notxfinity to deter any of my neighbors from trying to connect to it). Enlarge / PwnStar in action on my Kali Linux laptop. By the way, those Xfinity Wi-Fi login credentials? They're the same set of credentials used to gain access to Comcast customers' account billing information, webmail, and other services. This is not to say that AT&T's and Xfinity's networks are insecure in themselves. They are just common enough to give someone with evil in mind a way to cast a wide net for potential victims over Wi-Fi. The same tools I used to spoof Xfinity could be set to automatically respond to a victim's phone as any Wi-Fi access point they've trusted. That's because of the probe requests generated by smartphones and Wi-Fi—when you turn on your phone's Wi-Fi adapter, it will seek out any network you've ever connected to that it was not told to forget. When I set my attack access point (the laptop) to not connect devices but to respond to all probe requests, my iPhone attempted in turn to connect to every Wi-Fi network I've connected to this year. That in itself can be a privacy concern, since the SSIDs and other data associated with those probe requests can be used to essentially map out my movements. This sort of attack can be played out anywhere you'd normally connect to a public Wi-Fi network. Tools like the ones I've tested can be set up to actively go after a user of a public network, force them to disconnect from their existing Wi-Fi network, and then pick up that connection themselves. All of this can be done with something as small as an Android phone as well, using a broadband cellular connection to provide victims with uninterrupted Internet access, as we saw with the PwnPhone. Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.
[via Dave Farber] Uh, maybe. But then, check this: https://wei.sos.wa.gov/agency/osos/en/voters/Pages/vote_by_mail.aspx. The first lines on that official website of Washington State read: "Washington State votes by mail. Vote by mail is convenient and gives you extra time to learn about the ballot measures and candidates before casting your vote." In practice, we do not observe more fraud in Washington State than in other places that stuck with traditional ballots.
It seems that (and I can confirm [a]) Citibank's online payment system had a hiccup. Quoting from the message to account holders when they logged in: “We discovered that Citibank Online Bill Payment check(s) processed from your account between 7 Jun and 11 Jun 2014 displayed an incorrect 'Remitted by' or sender name and address." The msg adds that the rest of the info, such as send to, account, amount, were correct. [a] as it turns out, the check I had them print up and mail out was... to me. And I hadn't yet deposited it. Looking at it right now, the "remitted by" info on both the tear sheet, and on the actual check, where it should have _my name and address_, has that of someone completely unrelated to me with a cross country address. The "pay to" section, which should have my name and address, was correct. * Annoyingly enough, Citi's daily summary e-mails (balance info) continued through the week, but no one thought to send out an e-mail notice about this issue.
Perhaps the easiest solution is to simply turn updates off. I don't know about all versions, but as of 29.0,you can do this by clicking on the tools menu, selecting options, advanced, then select the update tab. There is an option there to never check for updates. A more definitive way of customizing Firefox is to simply download the source code from ftp.mozilla.org, and change it however you wish. The license allows you to freely change it at your pleasure.
Please report problems with the web pages to the maintainer