How do you dock to a space station that has lost all power, when your docking procedure relies on telemetry from the station's computer and the expectation that the station will turn itself so its docking port faces the incoming spacecraft? "The following story happened in 1985 but subsequently vanished into obscurity. [...] After extensive research, writer Nickolai Belakovski is able to present, for the first time to an English-speaking audience, the complete story of Soyuz T-13’s mission to save Salyut 7, a fascinating piece of in-space repair history." http://arstechnica.com/science/2014/09/the-little-known-soviet-mission-to-rescue-a-dead-space-station/
MG via NNSquad http://www.michaelgeist.ca/2014/11/ontario-provincial-police-recommend-ending-anonymity-internet/ "Leaving aside the deeply troubling inference of requiring licences to use the Internet in the same manner as obtaining a driver's licence, the police desire to stop online anonymity suggests that the OPP has not read the Supreme Court of Canada Spencer decision very carefully. If it had, it would know that not only does the court endorse a reasonable expectation of privacy in subscriber information, but it emphasizes the importance of online anonymity in doing so." The OPP: A "Dangerous Idiots" Award Winner!
Here is the map http://www.fireeye.com/cyber-map/threat-map.html Here is the explanation of the dots connected. http://www.fireeye.com/blog/uncategorized/2014/10/a-threatening-threat-map.html Some customers have given FireEye permission to share info about attacks they experienced. To mask customer identity, locations are represented as the center of the country in which they reside. There is nothing in the data that can be used to identify a customer or their origin city. I became interested in FireEye when a breached place was determined to have purchased cyber security protection, then ignored alerts and warnings about vulnerabilities at high risk of being exploited, and the security companies were identified - had the breached place only acted on those warnings, it would not have been breached. FireEye was one of the cyber protection outfits named.
Network World (via NNSquad) http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html "There were lots of businesses, stores, malls, warehouses and parking lots, but I was horrified by the sheer number of baby cribs, bedrooms, living rooms and kitchens; all of those were within homes where people should be safest, but were awaiting some creeper to turn the "security surveillance footage" meant for protection into an invasion of privacy ... So many cameras are set up to look down into cribs that it was sickening; it became like a mission to help people secure them before a baby cam "hacker" yelled at the babies ... I'm unwilling to say how many calls I made, or else you might think I enjoy banging my head against the wall. It was basically how I spent my day yesterday. Too many times the location couldn't be determined, led to apartments, or the address wasn't listed in a reverse phone search. After too many times in a row like that, I'd switch to a business as it is much easier to pinpoint and contact ... One call was to a military installation. Since the view was of beautiful fall foliage, it seemed like a "safe" thing to find out if that camera was left with the default password on purpose. Searching for a contact number led to a site that was potentially under attack and resulted in a "privacy error." Peachy. Then I had two things to relay, but no one answered the phone. After finding another contact number and discussing both issues at length, I was told to call the Pentagon! Holy cow and yikes! ... Managers, don't shoot the messenger; a person out to hurt you might dig into a Linux box with root, but no exploit or hacking is needed to view the surveillance footage of your unsecured cameras! It's exceedingly rude to yell or accuse a Good Samaritan of "hacking" you.
If your cameras are AVTech and admin is both username and password, or Hikvision "secured" with the defaults of admin and 12345, then you need to change that. Or don't and keep live streaming on a Russian site." [The usual countermeasure to this kind of attack is Peeping Duck. But ducking doesn't work very well. PGN]
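As an added example (not code from the Network World article or from the writer quoted above), here is a small credential audit of the kind she ran by hand: it tries the two vendor default pairs named in the article against an HTTP Basic-auth endpoint and reports which ones the device accepts, failing closed on any response other than 2xx/401/403. Because no real camera is available offline, the block also stands up a constructed local stand-in that behaves like a device still on admin/12345; the URL layout, realm name and response body are this example's assumptions, not any vendor's actual web interface. Run it only against devices you are authorized to test.

```python
"""Audit an HTTP Basic-auth endpoint for vendor default credentials.

The device under test here is a constructed stand-in (FakeCamera), not a
real camera; everything about its web UI is an assumption of this example.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The only data taken from the article: the two default pairs it names.
VENDOR_DEFAULTS = {
    "AVTech": [("admin", "admin")],
    "Hikvision": [("admin", "12345")],
}


def basic_auth_header(user, password):
    """Build the RFC 7617 Authorization value: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def try_login(url, user, password, timeout=3.0):
    """True if the endpoint accepts the pair (2xx), False on 401/403.

    Any other outcome (5xx, connection refused, timeout) is raised rather than
    silently treated as 'secure', so a flaky device never passes the audit."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def audit(url, defaults=VENDOR_DEFAULTS):
    """Return every (vendor, user, password) default the device still accepts."""
    hits = []
    for vendor, pairs in defaults.items():
        for user, password in pairs:
            if try_login(url, user, password):
                hits.append((vendor, user, password))
    return hits


# --- Constructed stand-in for a camera web UI (assumption, not real firmware) ---
class FakeCamera(BaseHTTPRequestHandler):
    expected = basic_auth_header("admin", "12345")  # "shipped" default

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"stream")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_camera(user="admin", password="12345"):
    """Serve the stand-in on an ephemeral loopback port; returns (server, url)."""
    handler = type("Cam", (FakeCamera,), {"expected": basic_auth_header(user, password)})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def audit_against_fake_camera(user="admin", password="12345"):
    """Start a stand-in with the given credentials, audit it, tear it down."""
    srv, url = start_fake_camera(user, password)
    try:
        return audit(url)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(audit_against_fake_camera())                      # still on defaults
    print(audit_against_fake_camera(password="Tr0ub4dor&3"))  # after changing it
```

Point `audit()` at the login URL of a camera you own to get the same report; an empty list means none of the listed defaults worked, not that the password is strong.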
There's a report in the newspaper of Sir Bernard Hogan-Howe, Metropolitan (London) Police Commissioner, speaking at an international terrorism conference in New York this week (Nov 6th). Among other things, he's quoted as saying "... the Internet is becoming a dark and ungoverned space in which too little is done to guard against... murders and terrorists, and called on technology firms to do more to provide online protection... the methods used by offenders... are in danger of making the Internet anarchic... we cannot allow parts of the Internet—or any communications platform—to become a dark and ungoverned space... in a democracy, we cannot accept any space -- virtual or not—to become anarchic." Not sure what he wants; a Chinese-style firewall? This is taken from the print version, which is a summary of two longer on-line articles with slightly different words: http://www.telegraph.co.uk/news/uknews/law-and-order/11215149/Bobbies-on-the-beat-will-help-tackle-terrorism-says-Met-chief.html http://www.telegraph.co.uk/news/uknews/crime/11216093/Six-Britons-accused-of-running-online-drug-market-Silk-Road-2.0.html
IT World via NNSquad http://www.itworld.com/article/2845603/german-spy-agency-seeks-millions-to-monitor-social-networks-outside-germany.html "The BND also wants to spend EUR4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent [on] the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers." Weren't the Germans complaining loudly about NSA? Oh well.
ZDNet via NNSquad http://www.zdnet.com/users-cant-tell-facebook-from-a-scam-7000035440/ "A new whitepaper from Bitdefender examined victims targeted in 850,000 Facebook scams. It turns out Facebook's user experience makes it easy for scammers to exploit users."
Ars Technica via NNSquad http://arstechnica.com/security/2014/11/potentially-catastrophic-bug-bites-all-versions-of-windows-patch-now/ Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning. The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.
Microsoft Security Bulletin MS14-066 reports a Critical bug in its implementation of TLS on Windows 7/2003 and later systems. From the announcement: "Vulnerability in Schannel Could Allow Remote Code Execution. This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server. This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software section. The security update addresses the vulnerability by correcting how Schannel sanitizes specially crafted packets. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability." The report is at: https://technet.microsoft.com/library/security/MS14-066 The CVE reference for this problem is: CVE-2014-6321 - Bob Gezelter, http://www.rlgsc.com
The EFF reports that some ISPs are apparently altering data in customer SMTP connections to remove the STARTTLS flag. The STARTTLS flag, defined in RFC 3207, switches SMTP connections from plaintext to TLS. By stripping the STARTTLS flag, the ISP disables encryption on the connection, enabling eavesdropping on the headers and the message body (if not otherwise encrypted with S/MIME or PGP). Several questions arise:
- WHY? Is this being done on their own initiative, or is it being ordered by a third party?
- As there was apparently no disclosure, is it legal? Unannounced modification of customer data streams has a number of implications in different domains, from legal to simple privacy.
The EFF article is at: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks Bob Gezelter, http://www.rlgsc.com
Kaspersky Laboratories has reported the discovery of a long-running set of attacks targeted against senior executives using hotel (cabled and Wi-Fi) Internet access. Most disturbingly, the attacks involved forged certificates and were targeted at individuals, which implies systematic breaches beyond the attack itself. The mechanism involved targeted IFRAMEs from the network access gateway which users use to authenticate to the local property's network access. This would appear to be a case of precision targeted malware, something I wrote about in the "Computer Security Handbook, Fourth Edition" more than 10 years ago. Such malware is particularly pernicious, as it is not seen enough to be familiar to anti-virus vendors and thus detectable. It can only be detected by a very detailed review of the affected system(s). The report is at: https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf - Bob Gezelter, http://www.rlgsc.com
EFF via NNSquad https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks "Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag--called STARTTLS--from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client."
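The downgrade described in the two items above, as an added example that is not part of the EFF post or either contributor's text: a constructed EHLO reply in RFC 3207/5321 form, a function modelling a middlebox that overwrites the STARTTLS capability line (masking each byte with an X is this example's model of the tampering, not a claim about any particular ISP's equipment), and a client-side decision that fails closed when TLS is required but the keyword is missing. The server name, capability list and size limit are made up.

```python
"""Model of an SMTP STARTTLS-stripping middlebox and a fail-closed client check.

The EHLO reply below is constructed for this example; no real server is
contacted. RFC 5321 EHLO replies consist of '250-' continuation lines and a
final '250 ' line, each carrying one capability keyword; RFC 3207 defines the
STARTTLS keyword the client looks for before upgrading to TLS.
"""
import re

CLEAN_EHLO = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def _lines(response):
    return [ln for ln in response.replace("\r\n", "\n").split("\n") if ln]


def parse_ehlo(response):
    """Return (banner, set of capability keywords) from a successful EHLO reply.

    Raises ValueError on anything that is not a complete 250 multi-line reply,
    so a truncated or error response is never mistaken for 'no STARTTLS'."""
    lines = _lines(response)
    if not lines or not all(ln.startswith(("250-", "250 ")) for ln in lines):
        raise ValueError("not a successful EHLO reply")
    if not lines[-1].startswith("250 "):
        raise ValueError("EHLO reply is truncated (no final '250 ' line)")
    banner = lines[0][4:]
    caps = {ln[4:].split(" ", 1)[0].upper() for ln in lines[1:]}
    return banner, caps


def strip_starttls(response):
    """Model the tampering middlebox: overwrite the STARTTLS keyword in place.

    Same number of bytes goes out as came in, so TCP sequence numbers and the
    reply structure stay intact and the client simply never sees the keyword.
    (The X-masking is this example's model of the behaviour.)"""
    out = []
    for ln in _lines(response):
        if ln[4:].upper() == "STARTTLS":
            ln = ln[:4] + "X" * len("STARTTLS")
        out.append(ln)
    return "\r\n".join(out) + "\r\n"


def looks_tampered(caps):
    """Heuristic for monitoring: an all-X keyword exactly eight characters long
    is the fingerprint of a masked STARTTLS line."""
    return any(re.fullmatch(r"X{8}", c) for c in caps)


def choose_transport(response, require_tls=True):
    """Client decision after EHLO.

    'starttls'  - server advertised STARTTLS; send the STARTTLS command next.
    'refuse'    - TLS required but not offered: fail closed, do not send mail.
    'plaintext' - only when the caller explicitly opted out of requiring TLS."""
    _, caps = parse_ehlo(response)
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        return "refuse"
    return "plaintext"


if __name__ == "__main__":
    tampered = strip_starttls(CLEAN_EHLO)
    print(choose_transport(CLEAN_EHLO))   # starttls
    print(choose_transport(tampered))     # refuse
    print(looks_tampered(parse_ehlo(tampered)[1]))  # True
```

The defence is the `require_tls=True` path: a client that insists on TLS refuses to proceed rather than quietly falling back, which turns the stripping into a visible outage instead of a silent disclosure. Python's own `smtplib.SMTP.starttls()` behaves the same way, raising `SMTPNotSupportedError` when the server did not advertise the extension; the `looks_tampered` check is a monitoring aid for spotting the masked line in captured EHLO replies.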
Jeremy Kirk, Infoworld, 5 Nov 2014 New research says Gatekeeper and XProtect aren't entirely effective in protecting Mac OS X against iWorm malware http://www.infoworld.com/article/2843798/security/apple-security-checks-may-still-miss-iworm-malware.html
Lucian Constantin, InfoWorld, 5 Nov 2014 The tool simulates man-in-the-middle attacks to detect SSL/TLS vulnerabilities and implementation issues http://www.infoworld.com/article/2843756/security/google-releases-tool-to-test-apps-devices-for-ssltls-weaknesses.html
Serdar Yegulalp, InfoWorld, 10 Nov 2014 California DOJ report on data breaches shows most losses in health care revolve around stolen devices, due to weak use of encryption http://www.infoworld.com/article/2844957/data-security/device-loss-not-hacking-puts-health-care-data-most-at-risk.html
Steve Ragan, Infoworld, 7 Nov 2014 In addition to 56 million payment cards, 53 million email addresses are added to the list of compromised data http://www.infoworld.com/article/2844514/security/home-depot-says-53-million-email-addresses-compromised-during-breach.html
ATLANTA, Nov. 6, 2014 /PRNewswire/—The Home Depot, the world's largest home improvement retailer, today disclosed additional findings related to the recent breach of its payment data systems. The findings are the result of weeks of investigation by The Home Depot, in cooperation with law enforcement and the company's third-party IT security experts. In addition to details previously released, the investigation to date has determined the following: * Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the company's point-of-sale devices. * The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada. * In addition to the previously disclosed payment card data, separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information. https://finance.yahoo.com/news/home-depot-reports-findings-payment-213000609.html
Jeremy Kirk, Infoworld, 10 Nov 2014 The project doesn't have funding as yet to improve the security of hidden sites http://www.infoworld.com/article/2845008/security/tor-project-mulls-over-how-law-enforcement-took-down-hidden-websites.html opening text: Little is known about how U.S. and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used technology that hides their true IP addresses. The websites were set up using a special feature of the Tor network, which is designed to mask people's Internet use using special software that routes encrypted browsing traffic through a network of worldwide servers.
Monty Solomon wrote in about "Fall of the Banner Ad: The Monster That Swallowed the Web" in the NY Times, which claims the Web banner ad is 20 years old. I think it's a bit older than that. Anybody remember the Prodigy online service? Back in the 1980's, they were using banner ads - or perhaps we should call them footer ads as they usually occupied the bottom quarter of the screen. Here's a sample: http://cdn.theatlantic.com/assets/media/img/posts/2014/07/screenshot_games/5df26af65.png Back when I worked there, I had no idea how close that image was to the future of world-wide online services. Many of the other things Prodigy did turned out to be precursors of the modern Web—online shopping, airline tickets, grocery orders, unscientific but absurdly popular online polls, and a nationwide content caching network built on IBM Series/1 minicomputers, with a bank of dialup modems in each one, at least ten years before Akamai had the same idea. All this was built with clunky technology about as efficient for the purpose as Roman numerals are for doing calculus. Prodigy was also ahead of their time when it came to getting statistics on user behavior - the software that ran the service on the user's PC sent back regular accounting data on what users were doing, the kind of stuff you might get now with Google Analytics, cookies, and Web bugs. Prodigy patented many of their software processes -- http://www.google.com/patents/US5347632 is one example, which describes the Prodigy "reception system", software running on the user's PC that had a role analogous to the modern Web browser. It didn't run Java or HTML, but it did download code written in Prodigy's proprietary "TBOL" language, and marked-up data in another proprietary format. Who knows, if they'd written that patent a little more broadly, they might be collecting licensing fees today from every copy of IE and Firefox. 
Interestingly, that patent also describes how Prodigy monitored user characteristics in order to target online ads. This patent was filed a year before Sergey Brin and Larry Page met at Stanford. Just like ontogeny was supposed to have recapitulated phylogeny, it looks like the Web's ontogeny has recapitulated Prodigy.
http://www.nytimes.com/2014/11/12/science/weapons-directed-by-robots-not-humans-raise-ethical-questions.html
Klint Finley, *WiReD*, Nov 7 2014 (via Dave Farber) The $11M Tool That Could Help Computers Write Their Own Code <http://www.wired.com/2014/11/darpa-pliny/> Nowadays, if you start typing something into Google, it tries to guess what you're looking for. Type `Wi', and it might suggest Wikipedia. Key in `Bra', and it'll guess Brad Pitt. Yes, these autocomplete suggestions are sometimes hilariously off the mark, but more often than not, they're rather accurate, providing a handy shortcut to what you want. Now, a government-backed research team wants to provide similar suggestions to the world's programmers as they're writing computer code. That's right: the aim is to guess what programmers are coding before they code it. This week, Rice University said that DARPA, the Pentagon's mad science division, has invested $11 million in this autocomplete programming project, dubbed PLINY, after the ancient Roman author of the first encyclopedia. "Text search prediction is the best analogy," says Vivek Sarkar, the chair of the computer science department at Rice and the principal investigator on the project. "People will be able to pick from a list of possible solutions." The project involves researchers from Rice, the University of Texas-Austin, the University of Wisconsin-Madison, and the developer tools company GrammaTech. PLINY will index massive amounts of open source code gathered from the web to power a prediction engine that the researchers hope will be able to predict what coders are about to type. It could also, in theory, spot bugs or security vulnerabilities. If successful, PLINY could be a boon to companies struggling to find enough qualified programmers to work on increasingly complex software projects.
It's a problem a growing number of startups are trying to solve, ranging from code education companies like Codecademy to tools like Light Table that aim to make programming more intuitive.

Microsoft and Beyond

PLINY isn't the first attempt to build an autocomplete system for coders. Microsoft is working on something similar with its Bing Developer Assistant, which was released last summer. But Sarkar says PLINY is an even more ambitious project. "Most others are just text analysis with some knowledge of code structure," he says. [Warren Teitelman's DWIM in Interlisp? PGN] Sarkar's team is trying to develop software that analyzes not only text, but also the concepts expressed in code, regardless of the programming language it's written in. Sarkar hopes this will enable PLINY to suggest even large chunks of code that can seamlessly integrate with what a developer has already written. Better still, it might correct security vulnerabilities and other mistakes. [...]
(The Kiniry in the Goal Mine? PGN) Joe Kiniry, Galois http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf http://galois.com/blog/2014/11/hacking-internet-voting-via-ballot-tampering/
Assume "only the citizens get to vote" is an essential principle of voting. Letting illegal immigrants eat allowed those individuals to survive to obtain a drivers license. Which in turn allowed them to register to vote. As a result these non-citizens are now able to vote. Non-citizens voting violates an essential principle. Violation of the essential principles is usually seen as damaging. QED Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
On Nov 6, 2014, at 6:45 PM, RISKS List Owner <risko@csl.sri.com> wrote: > This is equivalent to saying "...there seemed to have been a false > assumption that allowing illegal immigrants to eat would not have any > deleterious effects (on voting)." Not quite the same thing. In my state (and many others), drivers are offered the opportunity to register to vote when they obtain a drivers license. I have never been offered a voter registration form when buying groceries or dining in a restaurant. Also, in my state (and many others), voters are required to present a drivers license or other state ID. Issuing drivers licenses certainly facilitates illegal voting in a way that eating does not.
Responding to Amos on the constitutionality of a voter choosing to waive ballot secrecy for Internet voting .. IANAL but I do know a bit about elections. Ballot secrecy is a matter of state election law, not state or federal constitutional law. Following the chain 3 levels:
* The U.S. Constitution simply requires elections to happen, in Article 1 Section 2 and then says in Section 4 "The Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof" and that's it for elections.
* State constitutions sometimes define or constrain election procedures, but Alaska's does not: "Methods of voting, including absentee voting, shall be prescribed by law. Secrecy of voting shall be preserved." Article 5 Section 3, in other words, defers to state election law on particulars, and states a goal (without definition) "secrecy of voting." Since AK election law permits absentee voting, clearly the interpretation of secrecy is not absolute.
* Alaska's state election laws specifically allow an individual to waive anonymity and indeed even integrity of their ballot, and further passes responsibility from state law to regulation adopted by the state election director. The law requires that the regulation "ensure the accuracy and, to the greatest degree possible, the integrity and secrecy of the ballot" ... ... which as we know for electronic transmission the greatest degree possible is "not a lot" in practice.
(The same law specifies the message Amos noted with horror: "I understand that, by using electronic transmission to return my marked ballot, I am voluntarily waiving a portion of my right to a secret ballot to the extent necessary to process my ballot, but expect that my vote will be held as confidential as possible.") I didn't track down the regulation itself but I surmise that it follows election law, which permits any voter to vote absentee at their discretion, in allowing any absentee voter to use electronic transmission at their discretion. So in practice, Alaska allows an unbounded number of voters to cast a ballot where the integrity of the ballot need be only best-effort based on the capability of the local election officials. It's interesting to note that in the recent Senate contest, the margin of victory (based on current reports) is 8,149 out of about 225,000 votes cast. A 3% margin sounds safe—until you realize that it is only 8000 votes, and you wonder how many people voted by Internet, and if it was indeed around 8000 people, who was running the servers that received and stored the digital ballots. Good thing that control of the Senate did not hinge on this contest :-) John Sebes, TrustTheVote Project, Open Source Election Technology Foundation
In "Absentee ballot of deceased Boston mayor not counted," Wexelblat <wex@cs.uml.edu> wrote: "The big risk, of course is that some close election will be overturned after a year or so because it is determined that several voters who were presumed living on election day were ultimately discovered to have been dead. The implications of determining that sitting legislators, even Senators, were not actually elected ..." I don't know about local or state elections, but Congressional elections are governed by Article I, Section 5, of the Constitution which makes Congress the sole judge of the elections, returns, and qualifications of its sitting Members. Therefore, once a Member of Congress has been sworn into office only Congress itself, and not even the Supreme Court, can remove that Member. The candidate who should have won is free to file a Federal Election Appeal with Congress, but nobody else has any recourse. Once a Member has been sworn in, Congress is usually reluctant to unseat them no matter how fraudulent that Member's election may have been (as some may recall from the Clint Curtis case), so there is no risk of a sitting Senator being removed merely because of proof of dead voters.
There are multiple issues here. One is the marketing frenzy of the buzzword IoT. Reminds me of gluing a tablet to a refrigerator and marking it up to $6000 as an Internet device. Closely related is the moral judgment by those who take the contrived stories seriously. The bigger risk, though, is the one I wrote about in http://rmf.vc/CILight -- the need to create high value applications because no one wants to be in the business of providing enabling technology and infrastructure like we got with IP and HTML. You can invest a lot of money to make such applications work. That is why today's IoT is full of non-synergistic point solutions. Some are very clever but many are like the smart systems in cars and are prisoners of history. They create the illusion of the NBT (Next Big Thing) but it's going to take a while to work through the myriad of new risks. At least this digest will get lots of content ...
I used to work at a development center in Israel of a US company. I once traveled to a show in NYC carrying a sample product in my luggage, which was developed and built in Israel; on the way back, I had to leave it with the US customs because it was considered too advanced to be exported! Considering the history of some of the most popular encryption algorithms and products (e.g., RSA), it would be ironic if among the products banned by the BIS, were one which was invented in Israel, developed in Russia, designed in South Korea and produced in China...