Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Ars via NNSquad http://arstechnica.com/security/2015/01/lack-of-encryption-makes-official-nfl-mobile-app-a-spear-phishers-dream/ "The National Football League's official app for both iOS and Android puts users at risk by leaking their usernames, passwords, and e-mail addresses in plaintext to anyone who may be monitoring the traffic, according to a report published just five days before Superbowl LXIX, traditionally one of the world's most popular sporting events." [I hope it cannot be blamed for leaking footballs? PGN]
Europe's relatively good credit card security (i.e., Chip & Pin) is suspected as the cause of the increase in "plofkraak" attacks on ATM machines where the interior of the ATM is filled with explosive gas in order to breach its cash drawer: http://www.bloomberg.com/graphics/2015-atm-bombers/ So far this hasn't happened yet in the USA, but it stands to reason that if all the harder ways of stealing money from ATMs get fixed, the technique will spread there as well, just like carjacking became more popular as cars got harder to hot-wire or otherwise break into. [Can we do something with "The Love Song of J. Alfred Plofkraak"? ER] [Maybe its a spoonerism on ProfKlaak? PGN]
Natasha Singer and Brian X Chen, *The New York Times*,, 26 Jan 2015 http://www.nytimes.com/2015/01/26/technology/verizons-mobile-supercookies-seen-as-threat-to-privacy.html?ref=technology&_r=0 For the last several months, cybersecurity experts have been warning Verizon Wireless that it was putting the privacy of its customers at risk. The computer codes the company uses to tag and follow its mobile subscribers around the web, they said, could make those consumers vulnerable to covert tracking and profiling. It looks as if there was reason to worry. This month Jonathan Mayer, a lawyer and computer science graduate student at Stanford University, reported on his blog that Turn, an advertising software company, was using Verizon's unique customer codes to regenerate its own tracking tags after consumers had chosen to delete what is called a cookie -- a little bit of code that can stick with your web browser after you have visited a site. In effect, Turn found a way to keep tracking visitors even after they tried to delete their digital footprints. The episode shined a spotlight on a privacy issue that is particularly pronounced at Verizon. The company's customer codes, called unique ID headers, have troubled some data security and privacy experts who say Verizon has introduced a persistent, hidden tracking mechanism into apps and browsers that third parties could easily exploit. While Internet users can choose to delete their regular cookies, Verizon Wireless users cannot delete the company's so-called supercookies. [... Long article truncated for RISKS. PGN] [Also noted by Matthew Kruk. PGN]
The Verge via NNSquad http://www.theverge.com/2015/1/27/7921463/google-facebook-accountable-for-hate-speech-france The French government announced today a plan to hold web companies accountable for any extremist messages they may host, Bloomberg reports. French president Francois Hollande wants to introduce a law that would make companies like Google and Facebook "accomplices" in crimes of hate speech if users post content the government deems extremist. - - - Apparently, Europe wants to censor the world.
Meanwhile, in other news, the IETF has promoted ARPANET Request For Comments 20 ("ASCII format for network interchange" - Author Vint Cerf of UCLA - October 16, 1969 - http://datatracker.ietf.org/doc/rfc20/ ) to full Internet Standards status: http://datatracker.ietf.org/doc/status-change-rfc20-ascii-format-to-standard/ (2015-01-12) Now, no more complaints about slow standards tracks!
A colleague of mine likes to distinguish being "clever" (e.g., trying to outguess the stock market) from being "smart" (e.g., buying a low-overhead index fund). A couple of years ago our college built a new classroom building. It was outfitted with state-of-the-art A/V technology. Naturally, it had what were called "glitches" (e.g., a blackboard blocked by a screen that wouldn't go up because the projector's bulb had burned out) but most of those were eventually squashed. One of the shiny new features is cross-classroom broadcast. The idea is that if the main lecture hall fills up, the overflow crowd can be seated in another room and watch the show on video. The broadcast system is very flexible in terms of who can be a source or a sink. Of course it all goes through a centralized control system so that the A/V people can configure it without leaving their desks. Last night I rehearsed a presentation with a team of students; everything went smoothly. Today in the same hall, the audio refused to work properly. The students' voices cut in and out as if somebody were randomly flipping the power switch; nothing we or the A/V people in the sound booth could do seemed to fix the problem. Eventually we gave up and just asked the students to speak loudly. It turns out that the fancy cross-broadcast software was the culprit. A presentation in another room was being fed into the central control system, and somehow that audio interfered with ours (perhaps a priority system was choosing one or the other based on which was louder at the moment?). Clever, but not smart. The cross-broadcast feature is almost never used. Nor is there a real requirement for centralized control (which takes power out of the hands of the people in the sound booth, who can hear what is going on). But the people who designed the system went for shininess over robustness. Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/ One could not be a successful scientist without realizing that, in contrast to the popular conception supported by newspapers and mothers of scientists, a goodly number of scientists are not only narrow-minded and dull, but also just stupid.—James Watson
Devlin Barrett, *Wall Street Journal*, 26 Jan 2015 (via Dave Farber) DEA Uses License-Plate Readers to Build Database for Federal, Local Authorities http://www.wsj.com/articles/u-s-spies-on-millions-of-cars-1422314779 WASHINGTON—The Justice Department has been building a national database to track in real time the movement of vehicles around the U.S., a secret domestic intelligence-gathering program that scans and stores hundreds of millions of records about motorists, according to current and former officials and government documents. The primary goal of the license-plate tracking program, run by the Drug Enforcement Administration, is to seize cars, cash and other assets to combat drug trafficking, according to one government document. But the database's use has expanded to hunt for vehicles associated with numerous other potential crimes, from kidnappings to killings to rape suspects, say people familiar with the matter. Officials have publicly said that they track vehicles near the border with Mexico to help fight drug cartels. What hasn't been previously disclosed is that the DEA has spent years working to expand the database “throughout the United States,'' according to one email reviewed by The Wall Street Journal. Many state and local law-enforcement agencies are accessing the database for a variety of investigations, according to people familiar with the program, putting a wealth of information in the hands of local officials who can track vehicles in real time on major roadways. The database raises new questions about privacy and the scope of government surveillance. The existence of the program and its expansion were described in interviews with current and former government officials, and in documents obtained by the American Civil Liberties Union through a Freedom of Information Act request and reviewed by The Wall Street Journal. It is unclear if any court oversees or approves the intelligence-gathering. A spokesman for Justice Department, which includes the DEA, said the program complies with federal law. “It is not new that the DEA uses the license-plate reader program to arrest criminals and stop the flow of drugs in areas of high trafficking intensity,'' the spokesman said. Sen. Patrick Leahy, senior Democrat on the Senate Judiciary Committee, said the government's use of license-plate readers “raises significant privacy concerns. The fact that this intrusive technology is potentially being used to expand the reach of the government's asset-forfeiture efforts is of even greater concern.'' The senator called for “additional accountability'' and said Americans shouldn't have to fear “their locations and movements are constantly being tracked and stored in a massive government database.'' [...]
FOIA Documents Reveal Massive DEA Program to Record American's Whereabouts With License Plate Readers ACLU via NNSquad https://www.aclu.org/blog/technology-and-liberty-criminal-law-reform/foia-documents-reveal-massive-dea-program-record-ame "The Drug Enforcement Administration has initiated a massive national license plate reader program with major civil liberties concerns but disclosed very few details, according to new DEA documents obtained by the ACLU through the Freedom of Information Act. The DEA is currently operating a National License Plate Recognition initiative that connects DEA license plate readers with those of other law enforcement agencies around the country."
(via DLH and Dave Farber) And here's why they're doing it - as Deep Throat said "follow the money": <https://www.emptywheel.net/2015/01/27/double-duty-dragnets/>
There are many objectionable things about this program, but one that's (perhaps) less than obvious is that the databases being constructed by it are *enormously* tempting targets for third parties. To stalkers, kidnappers, spies, pedophiles, rapists, blackmailers, extortionists and other people, this is a motherlode just waiting to be mined. (And the best part? They don't have to spend the money to compile it. It's already been paid for by US citizens.) I'm sure we'll be told that it's being gathered, stored, and searched securely. And that it will never be misused. And that it will never be breached or leaked. And that it's completely immune from this: New report: DHS is a mess of cybersecurity incompetence http://www.zdnet.com/article/new-report-the-dhs-is-a-mess-of-cybersecurity-incompetence/
Henry Baker is right that our computers (and routers etc.) are owned by the manufacturers and their suppliers (and anyone who hacks them), but the proposed test "can I reflash its operating system with contents of my choosing" does not go far enough. Code in the BIOS can be used to insert backdoors in a subsequently reloaded operating system, and logically the BIOS updating mechanism and credentials must also be trusted. We never believed in 100% security, did we?
FYI—Security researchers are shocked, shocked... Michael Mimoso, ThreatPost, 27 Jan 2015 Researchers Link Regin to Malware Disclosed in Recent Snowden Documents https://threatpost.com/researchers-link-regin-to-malware-disclosed-in-recent-snowden-documents/110667 Researchers at Kaspersky Lab have discovered shared code and functionality between the Regin malware platform and a similar platform described in a newly disclosed set of Edward Snowden documents 10 days ago by Germany's Der Spiegel. The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together. “Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,'' wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov today in a published report. The Der Spiegel article describes how the U.S National Security Agency, the U.K.'s GCHQ and the rest of the Five Eyes are allegedly developing offensive Internet-based capabilities to attack computer networks managing the critical infrastructure of its adversaries. The new Snowden documents, disclosed by Laura Poitras and a collection of eight security and privacy technologists and experts, also include an overview of a malware platform called WARRIORPRIDE. Within WARRIORPRIDE is QWERTY, a module that logs keystrokes from compromised Windows machines; Der Spiegel said the malware is likely several years old and has likely already been replaced. The magazine released QWERTY to the public upon publication of its article. It describes QWERTY's structure as `simple' and said there is a core driver called QWERTYKM that interacts with the Windows keyboard manager, and a QWERTYLP library which logs and stores keystrokes for analysis. Der Spiegel said after its examination of binary files, various components and libraries it's likely there's a connection between WARRIORPRIDE and the Australian Signals Directorate, an Aussie government intelligence agency. Kaspersky researchers Raiu and Soumenkov said after analysis that the QWERTY malware is identical in functionality to a particular Regin plugin. Raiu and Soumenkov said researchers took apart the QWERTY module and found three binaries and configuration files. One binary called 20123.sys is a kernel mode component of the QWERTY keylogger that was built from source code also found in a Regin module, a plug-in called 50251. In a report published today, side-by-side comparisons of the respective source code shows they are close to identical, sharing large chunks of code. The researchers said that one piece of code in particular references plug-ins from the Regin platform and is used in QWERTY and its Regin counterpart. It addresses a Regin plug-in, called 50225, that is responsible for kernel-mode hooking, the Kaspersky researchers said. “This is solid proof that the QWERTY plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225,'' Raiu and Soumenkov wrote. “As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules. They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.'' The Regin malware platform was disclosed in late November by Kaspersky Lab and it was quickly labeled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions, banks and can even be tweaked to attack GSM telecom network operators. Last week, Kaspersky researchers published another Regin report, this one describing two standalone modules used for lateral movement and to establish a backdoor in order to move data off compromised machines. The modules, named Hopscotch and Legspin, have also likely been retired given they were developed perhaps more than a decade ago.
Yeah, well. You can have a SAFE brick or the UNSAFE built-in hardcoded credentials. You choose. Consider getting locks that ensure nobody will be able to get into the house, ever, after you lose the key. Sadly, "encased in concrete and dropped to the bottom of the sea" still applies. Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
I am [re]minded of the Dick Feynman story (part of his safe-cracker legend) where he was called in, shortly after the war, to try and get into some general's top secret safe, said general having left the service. Recalling that many safes shipped with an initial combination of 0000 or 01234, he tried them, and opened the safe at the first attempt. Considerably enhancing his reputation as a safe cracker in the process.
http://www.nena.org/news/news.asp?id!2385 NENA Responds to Unfounded GLONASS Concerns Thursday, January 22, 2015 Posted by: Chris Nussman Statement of NENA: The 9-1-1 Association The recently-announced Roadmap for Wireless E9-1-1 Location Accuracy improvements is not a `carrier plan'. It is a consensus plan negotiated by the national associations representing the 9-1-1 and field responder radio communities, NENA and APCO, and agreed to by the four national wireless carriers. The plan does contemplate carrier use of Assisted Global Navigation Satellite Systems (A-GNSS)—including both the U.S. NavStar/GPS system and the Russian GLONASS system—as one aspect of a multi-pronged approach to improving wireless E9-1-1 location accuracy. The consensus plan discusses the GLONASS system as a new component of handset A-GNSS capabilities because it is the only globally-available GNSS, other than NavStar/GPS that is currently operating. The consensus plan does not restrict carriers' ability to add or substitute other GNSSs, such as the European Galileo and Chinese BeiDou constellations, as those systems come online over the next 5-7 years. However, neither of these systems is currently available. Because handset A-GNSS chips can operate with any combination of satellites from any supported constellation, adding GLONASS support to existing GPS capabilities will not provide the Russian Federation with any leverage over U.S. 911 capabilities: Even if the GLONASS system were shut-down completely, handsets in locations with clear views of the sky could still calculate location estimates based solely on measurements of U.S. GPS satellite signals. Even if Russia attempted to somehow degrade the performance of its satellite network, both carrier networks and consumer handsets would be capable of detecting erroneous signals and rejecting them from a position fix. The consensus Roadmap makes available the full panoply of rapidly-advancing commercial location technologies for E9-1-1 use for the first time. In the event of a GLONASS failure or shut-down, other high-accuracy handset and network-based technologies—including the ability to return the exact address (including apartment, suite, or floor number) of the caller's location—will still be available. It's true that an NDAA amendment places limits on the proposed construction of Russian monitoring facilities on U.S. soil. That amendment, however, will not impact the availability of GLONASS ranging. Transportation and other critical life-safety sectors are rapidly adopting multi-constellation GNSS technology—including GLONASS—because of its ability to improve fix yield and quality. Using GLONASS, GPS, or any other A-GNSS system would not give any government power over consumers' 911 calls: These systems are `receive-only', and no signals from consumer handsets are ever transmitted to a GNSS satellite.
Please report problems with the web pages to the maintainer