[It's Election Day in the U.S. today. Stand by for possible RISKS items in the next few days, with several critical runoffs expected to delay the outcomes. PGN] Barbara Simons, *USA Today* (op-ed), 4 Nov 2014 Casting ballots on Internet may be a new trend, but it is neither secure nor trustworthy. http://www.usatoday.com/story/opinion/2014/11/04/barbara-simons-online-voting-problems/18461679/ Today Americans are voting in an election that could shift control of the U.S. Senate and significantly impact the direction our nation will take in the next few years. Yet, 31 states will allow over 3 million voters to cast ballots over the Internet in this election, a practice that computer security experts in both the federal government and the private sector have warned is neither secure nor trustworthy. Most states' online voting is limited to military and overseas voters, but Alaska now permits all voters to vote over the Internet. With a hotly contested Senate seat in Alaska, the use of an online voting system raises serious concerns about the integrity of Alaska's election results. Alaska's State Election Division has even acknowledged that its "secure online voting solution" may not be all that secure by posting this disclaimer on its website: "When returning the ballot through the secure online voting solution, your are [sic] voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur." Unfortunately, faulty transmission is only one of the risks of Internet voting. There are countless ways ballots cast over the Internet can be hacked and modified by cyber criminals. The National Institute of Standards and Technology, at the direction of Congress, has conducted extensive research into Internet voting in the last decade and published several reports that outline all the ways votes sent over the Internet can be manipulated without detection. 
After warning that there are many possible attacks that could have an undiscovered large-scale impact, the institute concluded that secure Internet voting is not yet achievable. Securing transactions online is a major national challenge, as demonstrated by nearly daily reports of new cyber intrusions into networks of some of our largest financial institutions, corporations and government agencies. Elections are even more difficult to protect, because unlike other online transactions, elections are especially vulnerable to undetectable hacking. Since we vote by secret ballot, there is no way to reconcile electronic images of ballots received with the version the voter intended to send. In other words, it is impossible to know if voter choices have been tampered with somewhere between the voter's computer and election official's machine, thereby making it virtually impossible to confirm an attack on an online election system. Nonetheless online voting is expanding around the country. Vendors of commercial online voting systems are exploiting the understandable desire to help remote voters by exhorting well-meaning state legislators and election officials to forge ahead with online voting. Aggressive marketing practices in an unregulated market have created a perfect storm. We cannot afford to continue putting our elections at risk by allowing the use of insecure Internet voting systems. Alaska's online voting system is vulnerable to hackers from anywhere in the world. If this election is attacked, the outcome may be determined by the attackers and Alaskans (and the rest of us) may never even know. It's time for state leaders to reject online voting unless and until it is secure. Barbara Simons is chair of the Board of Directors of Verified Voting and a member of the Board of Advisers of the U.S. Election Assistance Commission. She is a former computer researcher for IBM and past-president of the Association for Computing Machinery.
After many years of concerns on RISKS about fraud concerning voting machines, it appears that it has come true. In two states, voting machines have been observed switching a vote from a Republican candidate to the Democratic candidate. [Again? This is hardly new. PGN] The interesting thing is that the voter could actually observe the fraud taking place. Makes you wonder what is actually happening in those situations where the voter could not observe the fraud. http://www.foxnews.com/on-air/fox-and-friends/blog/2014/10/30/expert-confirms-voting-machines-illinois-and-maryland-rigged-democrats In addition, there seemed to have been a false assumption that allowing illegal immigrants to get drivers licenses would not have any deleterious effects. In fact, obtaining a driver's license allowed those individuals to also register to vote. All one had to do to register was show a driver's license. No one actually checked to see whether they were, in fact, citizens. http://www.nationalreview.com/article/391474/non-citizens-are-voting-john-fund
Bryan Ford (Yale) Cryptography could keep electronic investigations under control *MIT Technology Review*, page 11. vol 117, no 6, November-December 2014. http://www.technologyreview.com/view/531681/open-surveillance/ There's also a nice short item from Dave Farber in the same section, The Wrong Fix: Want regulations to preserve the open Internet? Be careful what you wish for. Also in that issue, George Anders, The Right Way to Fix the Internet: We need to let go of Network Neutrality... pp. 28--34.
"Researchers discover a massive security flaw in smart TVs that allow hackers to intercept data broadcasts, insert malicious code, and transform the TV into an antenna that infects all other Internet-connected devices in the household. Once the television is infected, it seeks out all other devices connected to the router. The attacks are untraceable as no source IP address or DNS server is ever presented, instead, hackers perform a classic man-in-the-middle attack using radio transmissions." http://www.electronicproducts.com/Analog_Mixed_Signal_ICs/Communications/Smart_Televisions_are_highly_susceptible_to_hacking_by_radio_transmission.aspx robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory Westford, MA 01886 http://www.haystack.mit.edu 781-981-5767
Lucian Constantin, Infoworld, 24 Oct 2014 Pawn Storm attacks target military agencies, embassies, defense contractors, and media organizations, Trend Micro says http://www.infoworld.com/article/2838223/security/cyber-espionage-group-launches-sophisticated-phishing-attacks-against-outlook-web-app-users.html opening text: A cyberespionage group has been using advanced spear-phishing techniques to steal email log-in credentials from the employees of military agencies, embassies, defense contractors and international media outlets that use Office 365's Outlook Web App.
Jeremy Kirk, Infoworld, 27 Oct 2014 The server used a technique to append malware to legitimate code http://www.infoworld.com/article/2839135/security/tor-project-flags-russian-exit-node-server-delivering-malware.html opening text: The Tor Project has flagged a server in Russia after a security researcher found it slipped in malware when users were downloading files.
Steve Ragan, CSO, 30 Oct 2014 Drupal urged users to apply an update on Oct. 13, but only those who patched within seven hours may be in the clear http://www.infoworld.com/article/2840939/security/advisory-says-to-assume-all-drupal-7-websites-are-compromised.html opening text: If your organization uses Drupal, you might have a serious problem on your hands. On Oct. 15, Drupal urged users to apply an update that fixed a SQL Injection flaw. However, unless that patch was installed within seven hours, Drupal now says it's best to assume the website was completely compromised.
Serdar Yegulalp, InfoWorld, 30 Oct 2014 SQL injection bug threatens the websites of enterprises, governments, and many other institutions using the open source Drupal CMS http://www.infoworld.com/article/2841068/application-security/drupal-bug-leaves-enterprise-content-management-vulnerable.html opening text: Word broke yesterday of a major-league security issue involving Drupal, the open source content management system (CMS) used widely in enterprises and government. Come to think of it, "major league" doesn't begin to cover it: Drupal developers have admitted that if your installation wasn't patched before Oct. 15, 11 p.m. UTC, it's best to consider the entire site compromised.
Brian Fung, *The Washington Post*, 20 Oct 2014 Who ever thinks that their call to 911 would go unanswered? But in a terrifying incident this spring, thousands of Americans found themselves in need of help - and got none. For six hours, emergency services went dark for more than 11 million people across seven states. The entire state of Washington found itself disconnected from 911. The outage may have gone unnoticed by some, but for the more than 6,000 people trying to reach help, April 9 may well have been the scariest time of their lives. Now a study from the Federal Communications Commission offers the most in-depth explanation of the outage and why it occurred. In a 40-page report, the FCC found that an entirely preventable software error was responsible for causing 911 service to drop. The incident affected 81 call dispatch centers, rendering emergency services inoperable in all of Washington and parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota and Florida. ... http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/20/how-a-dumb-software-glitch-kept-6600-calls-from-getting-to-911/
Craig Timberg, *The Washington Post*, 3 Nov 2014 Verizon and AT&T have been quietly tracking the Internet activity of more than 100 million cellular customers with what critics have dubbed "supercookies" - markers so powerful that it's difficult for even savvy users to escape them. The technology has allowed the companies to monitor which sites their customers visit, cataloging their tastes and interests. Consumers cannot erase these supercookies or evade them by using browser settings, such as the "private" or "incognito" modes that are popular among users wary of corporate or government surveillance. Verizon and AT&T say they have taken steps to alert their customers to the tracking and to protect customer privacy as the companies develop programs intended to help advertisers hone their pitches based on individual Internet behavior. But as word has spread about the supercookies in recent days, privacy advocates have reacted with alarm, saying the tracking could expose user Internet behavior to a wide range of outsiders - including intelligence services - and may also violate federal telecommunications and wiretapping laws. ... http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html Robert Lemos, Ars Technica, 24 Oct 2014 Verizon Wireless injects identifiers that link its users to Web requests The provider adds cookie-like tokens to alert advertisers to users' interests. http://arstechnica.com/security/2014/10/verizon-wireless-injects-identifiers-link-its-users-to-web-requests/
Julia Angwin and Jeff Larson, ProPublica, 30 Oct 2014 Twitter is using a newly discovered hidden code that the telecom carriers are adding to every page you visit - and it's very hard to opt out. http://www.propublica.org/article/somebodys-already-using-verizons-id-to-track-users
Sean Gallagher, 3 Nov 2014, Ars Technica Carrier was social-engineered by hacker to steal man's two-letter Instagram name. If you think the two-factor authentication offered by Google and other cloud services will keep your account out of the hands of an attacker, think again. One developer found out this weekend the hard way; Google's account protection scheme can be bypassed by going after something most people would consider an even harder target - the user's cell phone account. ... http://arstechnica.com/security/2014/11/cell-carrier-was-weakest-link-in-hack-of-google-instagram-accounts/
PSA: Turn off autosave of in-progress documents containing sensitive data. Dan Goodin, Ars Technica, 3 Nov 2014 Representing a potential privacy snare for some users, Mac OS X Yosemite uploads documents opened in TextEdit, Preview, and Keynote to iCloud servers by default, even if the files are later closed without ever having been saved. The behavior, as noted in an article from Slate, is documented in a Knowledge Base article from December. But it nonetheless came as a surprise to researcher Jeffrey Paul, who said he was alarmed to recently discover a cache of in-progress files he intended to serve as "temporary Post-It notes" that had been silently uploaded to his iCloud account even though he never intended or wished them to be. ... http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/
Lee Hutchinson, 3 Nov 2014, Ars Technica Refuse to unlock my device for international travel? Goodbye forever. http://arstechnica.com/staff/2014/11/atts-outdated-unlock-policies-cost-it-a-loyal-customer-me/
http://www.smh.com.au/technology/technology-news/why-whirlpools-smart-washing-machine-was-a-dumb-idea-20141101-11flym.html [The Internet of Thinks? PGN]
I asked Mitre to assign a CVE for this issue, it seems pretty clearly to be a security issue. One thing I've noticed over the last decade is increasingly "if no CVE, then not a security issue" due to CVE's being used to track issues/act as a name (I've literally never seen a customer/client make a big deal about a security flaw if it doesn't have a CVE). Mitre's response: http://seclists.org/oss-sec/2014/q4/206 == = So, for example, the http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html article would indicate to me that this is CVE worthy under #4. Currently not; Adobe has a statement quoted at: http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/ indicating that the information disclosure is intentional, and is (from their point of view) useful to them. This is just an example of a behavior that might also occur in an open-source product. The Adobe issue itself is off-topic for this list. == = So I guess vendors can avoid security flaws by saying "we meant to do that, sending your information back to us without informed consent, and doing it insecurely is ok, because we meant to." I am disappointed to say the least.
I just want to clarify one point here: The device is NOT 'useless forever'. The ability to change the PID/VID/etc is an intentional feature of the original FTDI chips, which is duplicated in the clones in question. As far as I can tell from what I've read, FTDI simply used the appropriate calls to change the PID. Anyone with an older (non-destructive) version of the FTDI drivers and tools can use them to change the PID back to something sensible. Secondly, has there been any legal action against FTDI over this? While FTDI clearly has the right to make their driver reject other companies' hardware, actually trying to break end-users' equipment seems to me to be an actionable offense. I'd hope that this is something that would in fact rise to the level of a criminal complaint, not just civil. Am I wrong that breaking people's stuff without notice is kind of against the law here?
I don't think Henry Baker's contribution to RISKS 28.32 sounds insane, although I am unsure of the amount of contribution of MAD to the madness. There is a clear issue involved here, however, of the government putting too much emphasis on a military solution to cyber security issues, and the military once again focusing on fighting the last war. I've spoken about this in invited talks over the last decade, and summarized it (and related thoughts) in the CERIAS blog a while ago: https://ceri.as/9er1z
> I'd be more worried about taxi drivers perusing the google's location
> history URL, finding areas where most destinations are, and staying
> there. The risk is then you can't get a cab anywhere else.

This already happened in New York City, no computer technology needed. Over the last 40-50 years, the places where you could pick up a yellow cab have contracted to Manhattan below 125th St, the airports, and a few outer borough neighborhoods that are either near Manhattan or on the way to/from the yellow taxi base stations. As yellow taxis were the only cabs allowed to answer street hails, outer borough residents had to either reserve a cab with a local taxi service or find a cabbie on the street that would illegally pick them up (which might have been an unlicensed or "gypsy" cab with no insurance). The city recently created a new fleet of apple-green taxis that are authorized to do street hails, but only in the areas that the yellow taxis abandoned. Other than the color and the restrictions, they are pretty much the same service as the yellow taxis. The map on this site shows the Manhattan-centricity of where yellow cabs pick up fares: http://www.nyc.gov/html/tlc/html/passenger/shl_passenger_background.shtml [Also noted very similarly by John Levine. PGN]
"The goal of the contest is to write code that is as readable, clear, innocent and straightforward as possible, and yet it must fail to perform at its apparent function. To be more specific, it should do something subtly evil." http://www.underhanded-c.org robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory Westford, MA 01886 http://www.haystack.mit.edu 781-981-5767