Pranksters' antics are forcing public safety officials to look at the air above them, generally thought safe and secure, as a place for potential trouble. http://www.nytimes.com/2014/11/27/technology/personaltech/as-drones-swoop-above-skies-thrill-seeking-stunts-elicit-safety-concerns.html
When US Postal Service (USPS) officials received word about a major network intrusion earlier this year, one of its first instructions was to take no immediate action. http://www.informationweek.com/government/cybersecurity/usps-played-cat-and-mouse-with-cyber-attacker/d/d-id/1317684
If the bug is dangerous enough, it gets a name. Heartbleed's branding changed the way we talk about security, but did giving a bug a logo make it frivolous... or is this the evolution of infosec? https://www.yahoo.com/tech/s/branded-bug-meet-people-name-143305883.html
Patrick Tucker, Defense One, 23 Nov 2014
White House Push To Allow FBI Phone Hacks Could Hurt Intelligence Gathering
http://www.defenseone.com/technology/2014/11/white-house-push-allow-fbi-phone-hacks-could-hurt-intelligence-gathering/99743/

Through public speeches and secret meetings, FBI Director James Comey has been pushing to stop companies like Apple and Google from encrypting users' phone data. Two former Navy SEALs say that the policy that the FBI and the Justice Department are pursuing would hurt men and women in uniform and possibly even our allies by forcing them to use insecure devices and services for communication. Here's how the fight over encryption took form.

In September, Apple announced that its most recent operating system update for the iPhone, the iOS 8, would encrypt phone data. On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants, Apple says in a notice on the privacy portion of its website.

Google followed, announcing an encryption update for its Android 5.0 Lollipop operating system. As Yahoo Tech's Rob Pegoraro reports, that will affect the Nexus 6 first and other phones soon after. Upon news of the announcement, Comey responded by condemning encryption, first speaking out at a Brookings Institution event, saying that Apple and Google's decision was going to take the country to a `very dark place' where law enforcement `misses out' on crucial evidence to stop terrorists and gather evidence against criminals. Comey approached the president and, along with representatives from the Justice Department, briefed members of the House in a classified session.
Legislatively, the lawmakers could easily block Apple and Google from offering encryption by updating the Communications Assistance for Law Enforcement Act, which mandates that telephone companies like AT&T and Verizon build backdoors into their networks to allow tapping. But the 1994 law doesn't apply to companies like Google and Apple or other newer networks, so an update to the law could force the companies to allow law enforcement easier access to user data. How do lawmakers feel about that? Despite widespread public concern about government electronic spying on the public, on 18 Nov the Senate effectively killed the only NSA reform measure to come out of the Snowden scandal, the so-called Freedom Act. [...]

[Lots more on Mitch McConnell, the two former SEALs, Phil Zimmermann, Skype, etc. Truncated for RISKS. PGN]
#HappyTracksgiving: How your travels are tracked this holiday season
Craig Timberg, *The Washington Post*, 26 Nov 2016
http://www.washingtonpost.com/blogs/the-switch/wp/2014/11/26/happytracksgiving-a-guide-to-how-your-travels-are-tracked-this-holiday-season/

It's that time again. We're on the move—feasting, sharing, shopping, giving thanks. And we are being tracked every step of the way. So here's a quick guide to the state of the unblinking electronic eye, 2014 Holiday Edition.

[Long item, on planes, trains, Uber and Lyft, driving, walking, staying home and using your phones and computers, and more, truncated for RISKS. PGN]
Loz Blain, Gizmag, 26 Nov 2014
http://www.gizmag.com/uber-app-malware-android/34962/

Uber's Android app is acting like malware, reporting personal data back to the company that it doesn't have permissions for. Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base -- including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.

Taxi-busting ride share app Uber might have an operating model that suits customers better than traditional, regulated taxi services—but the company's aggressively disruptive (and frequently illegal) business practices don't seem to stop at harming the taxi industry. Its vicious attacks on competitors have included ordering and canceling more than five and a half thousand rides through its chief competitor Lyft. Its senior Vice President of Business, Emil Michael, casually mentioned at a dinner that maybe Uber could start digging up personal dirt on journalists critical of the company.

These kinds of stories, of course, should be taken with a grain of salt -- they're certainly very beneficial to competing services like Lyft. But there doesn't seem to be a lot of grey area in these latest revelations that Uber is collecting a stack of personal data from users who have its Android app installed, including SMS data that its permissions list doesn't allow.
Security researcher GironSec decompiled the code of the Uber Android app and found it to be collecting and sending the following information back to Uber:
http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/

* Accounts log (Email)
* App Activity (Name, PackageName, Process Number of activity, Processed id)
* App Data Usage (Cache size, code size, data size, name, package name)
* App Install (installed at, name, package name, unknown sources enabled, version code, version name)
* Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
* Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
* GPS (accuracy, altitude, latitude, longitude, provider, speed)
* MMS (from number, mms at, mmss type, service number, to number)
* NetData (bytes received, bytes sent, connection type, interface type)
* PhoneCall (call duration, called at, from number, phone call type, to number)
* SMS (from number, service number, sms at, sms type, to number)
* TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
* WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
* WifiNeighbors (bssid, capabilities, frequency, level, ssid)
* Root Check (root status code, root status reason code, root version, sig file version)
* Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)

While some people are suggesting it might be an anti-fraud measure to help Uber detect and combat fake accounts set up by its competitors, the fact remains—collecting data without appropriate permission constitutes malware and compromises users' personal data. It's not yet clear whether the iPhone app does the same level of reporting on its users. As for whether Google will move to pull the Uber app from the Play store, that seems unlikely given that Google's US$258 million dollar stake in Uber represents the biggest deal Google Ventures has ever done.

This is the new world we're living in, folks, and if you think Uber's the only one building fat files out of your personal information, you're mad.
I have been noticing a lack of clear reasoning in RISKS posts lately, and I think this is a risk RISKS should describe. Examples:

> Subject: House Republicans just passed a bill forbidding scientists from
> advising the EPA on their own research (Lindsay Abrams)

While I don't doubt that politicians do things for disingenuous purposes, it is not anti-science to have independent peer review and advice. The government should seek and require peer review of funding done by people that aren't funded to do that research by the government. The reviewers should also have expertise in the relevant fields, of course.

> Subject: The safest computers are iPhones and iPads (Galen Gruman)
> But rarely do you see smartphones and tablets in these reports. Why?
> Because they're more secure than computers and data centers.

Bingo - the jackpot in poor reasoning.

1) Privacy breaches identified are only a subset of "security" issues - so the conclusion is drawn based on only an unquantified subset of the relevant facts.
2) Could it be that these reports center around data centers, USBs, and unencrypted computers because that's where the data is?
3) Even if the above two were not correct, that does not support a causal link between more secure smartphones and tablets and rarity of presence in reports.
4) Rarity of presence in reports does not imply (and you should not infer) rarity in fact.
5) There are lots of other similar fallacies in the argument provided.

> But it's true: Mobile devices are safer than PCs and servers.

With no supporting evidence at all - and "safety" is not "security" - and all servers are not the same - and are non-"PC" computers even safer than any of these?

> ... Still, the clear reality is that mobile devices are more secure than
> PCs and servers, because—outside of Android—they are less open.

Not being open is the cause of increased security? Except for more than 50% of the population of these devices, they are less open? It is clear based on the above unsound arguments?

> For example, we hear of a handful of security threats in iOS each year
> versus a handful every week in Windows.

What "we" hear of may or may not reflect the underlying reality. Also, an example does not constitute an adequate basis for the broad conclusion.

> BlackBerry phones have the strongest security, but they're not able to act
> as replacement computers as an iPad can. After BlackBerry, the highest
> security comes from Apple's iOS.

I have a correlation to point out. According to the claims of the author, the devices that are less used have fewer bad outcomes. I know that correlation is not causality, but on the other hand, given the lack of correlation in the alternative, I propose an alternative hypothesis:

Cause: Bad actors are more motivated by larger volumes of content to leak and/or sell.
Mechanism: Bad actors seek to break into and exploit things that are more often used for storing larger volumes of content.
Effect: Things used more often to store larger volumes of content are more often attacked by bad actors.

> If you're concerned about endpoint security, you should replace as many
> PCs as you can with iPads and iPhones.

An alternative viewpoint: If you don't want people to take large volumes of content, don't store it.

> Subject: `Bug' spies on computers
> A leading computer security company says it has discovered one of the most
> sophisticated pieces of malicious software ever seen.

Leading computer security companies often make such claims. Is it hyperbole? A lack of having seen things that exist? The lack of a metric for "sophistication"? A poor definition of "malicious"?

> Symantec says the bug, named Regin,

Now it is a "bug". I thought "bug" was a term we used for something naturally occurring - not intentionally malicious.

> was probably created by a government.

Last time I heard it was "probably written by someone associated with a government". Is there any actual evidence here? What is it? What is the probability they speak of? How was it calculated?

> and has been used for six years against a range of targets around the world.

How exactly do you know this?

> http://www.bbc.com/news/technology-30171614

So much for the BBC being the most trusted source for such news.

The risk of RISKS being viewed as if it were a sound source of facts or valid reasoning has now (assuming this makes it to print) been reduced - assuming the readers read this and act upon it...

Fred Cohen - 925-454-0171 http://all.net/ PO Box 811 Pebble Beach, CA 93953
Thanks to Fred for trying to keep RISKS intellectually sound. Unfortunately, we are at the mercy of the material that is submitted, and rely on Fred and others to respond as needed to contradict some of the hype and blather that emerges in the computer world. I try to be a sensible arbiter of what is acceptable for RISKS, but cannot guarantee accuracy. That is ultimately the responsibility of readers who in certain cases know much more than the unvetted source material indicated. Do some readers actually believe everything they read in RISKS? I doubt it, because we do receive and include contrary responses and follow-up items. Perhaps Fred believes that RISKS is worse than others, or is he just trying to keep us on the straight and narrow? Perhaps RISKS is actually a less biased source of relevant information than many other sources, in that we continually try to have equal opportunity for reasonable dissenting positions—including Fred's. But many issues rapidly become politically or ideologically or otherwise biased, and we do try to minimize those. PLEASE keep submitting dissenting opinions and factual corrections where appropriate. PGN
... if your definition of "computer" is "I can barely use iWorks". Or Stallman's definition, that works too.

Reminds me of the Amiga lab my university maintained for years after Amiga went bankrupt: they taught assembly language on the "proper CPU"—the 68K -- at the time when the only company that used them in a computer was Apple. According to our professor, "if we used those, we'd have to first spend another semester teaching you how to get past Mac OS to where you can program in assembly."

I'm a bit surprised every time I see an obvious advertorial like that in RISKS.

Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu

[I try to keep advertorials out as much as I can, but sometimes the contrast between different positions is worth bringing to the fore. For example, see Fred Cohen's note, which precedes this item in the RISKS-28.39 issue of the Risks Forum digest. PGN]