In 2008, RISKS reported that the design of the B787 onboard network did not completely separate the passenger entertainment network from the flight control network; the FAA was imposing special conditions for testing. According to Wired and CNN, a new GAO report says the vulnerabilities persist. http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/ http://www.gao.gov/products/GAO-15-370 Neither article cites the report, though CNN names one of the authors. The GAO site shows only one new report that seems relevant, “FAA Needs a More Comprehensive Approach to Address Cybersecurity as Agency Transitions to NextGen seems to be mostly about the Nextgen ATC system, considering as one significant element the possibility of unauthorized remote access to aircraft avionics systems via the passenger entertainment system.'' http://www.gao.gov/products/GAO-15-370 This report (April 14) Mary Shaw, AJ Perlis University Professor of Computer Science, Carnegie Mellon University, http://cs.cmu.edu/~shaw http://orcid.org/0000-0003-1337-4557 [PGN suggests: see also http://tech.slashdot.org/story/15/04/15/1437211/gao-warns-faa-of-hacking-threat-to-airliners ]
The US Government Accounting Office has published a report on the vulnerability of FAA equipment and avionics to cyberattack http://www.gao.gov/products/GAO-15-370 . It makes three main points. The third one is organisational; I am concerned here with the first two. First, the FAA has not developed and apparently doesn't intend to develop a threat model for its ground-based systems. Unsurprisingly, the GAO thinks it might be a good idea to do so. Many FAA ground-based systems are decades old and were installed in an era which didn't need to worry as much about cybersecurity. Many of them are dedicated systems, so some physical access would be required. But some are not. Does anyone remember the NY ATC outage a quarter century ago? http://catless.ncl.ac.uk/Risks/12.36.html#subj1.1 Failure of a commercial 4ESS switch took out ATC. I seem to remember (or was it another incident?) ATCOs coordinating by using their private mobile phones. A DoS attack on ATC communications nowadays could take out a commercial switch but would have to take out the cellular phone comms also. So there's the first entry for the threat model. Second, the GAO queries the wisdom of critical avionics and passenger in-flight entertainment systems (IFE) sharing network resources. So did many of us when it was first mooted (for the Boeing 787, I seem to recall). Because, after all, the best start on assuring non-interference is physical separation of networks and good shielding. And indeed someone recently claimed on Fox News to be able to hack avionics through the IFE http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/ He was apparently subsequently pulled from a flight out of Denver by the FBI, interviewed for a number of hours and relieved of some kit. People may think: "shooting the messenger". But hang on. Roberts told Fox News (I quote from Fox) "We can still take planes out of the sky thanks to the flaws in the in-flight entertainment systems...." Here is a guy who claims publicly to be able to "take planes out of the sky" getting on an airplane with computer equipment. It is surely the task of security services to ensure he is not a threat in any way. If you were a passenger on that airplane, wouldn't you like at least to know he is not suicidal/paranoid/psychotic? In fact, wouldn't you rather he got on with a nice book to read and sent his kit ahead, separately, by courier? Some of this is quoted from my blog post http://www.abnormaldistribution.org/2015/04/18/cybersecurity-vulnerabilities-in-commercial-aviation/
The first F-35 jets ready for combat won't be able to protect forces in ground combat as well as the nearly 40-year-old A-10s the Pentagon wants to retire, according to the Defense Department's chief weapons tester. <http://www.bloomberg.com/news/articles/2014-10-02/u-s-sending-a-10-plane-to-combat-while-trying-to-kill-it>, One major problem yet to be solved is the plane's computer information system that's designed to alert pilots to logistical problems, he said, adding that he has a plan to improve it through a redesign. Gilmore said the initial F-35s will fall short because "of the combined effects of digital communications deficiencies, lack of infrared pointer capability" to distinguish friendly from hostile forces and an inability to confirm the Global Positioning Satellite ground coordinates programmed into its two air-to-ground bombs. To read the entire article, go to http://bloom.bg/1H4fWXY Can't detect problems, can't tell friendly forces from foes, can't deploy bombs accurately. But let's build and fly it now, redesign it later. What could go wrong? It's only $12.7B/year for more than 20 years.
Title says it all; nothing new here... http://www.washingtonpost.com/news/morning-mix/wp/2015/03/31/driver-follows-gps-off-demolished-bridge-killing-wife-police-say/?tid=hybrid_experimentrandom_2_na ...but how would self-driving cars handle this? Presumably their GPS data was obsolete, but accuracy of data depends on local authorities supplying it. Presumably robocars read road signs and notice roadway surface ending. Presumably...
If you have had problems with vehicle repair or tinkering because you were locked out of your vehicle's computers, if you would have engaged in a vehicle-related project but didn't because of the legal risk posed by the DMCA, or if you or your mechanic had to deal with obstacles in getting access to diagnostic information, then we want to hear from you—the Copyright Office should hear from you, too. https://www.eff.org/deeplinks/2015/04/automakers-say-you-dont-really-own-your-car Cars as black boxes with wheels, subject to manufacturer software updates whenever they desire (I've heard advocated). Remember the joke about "If Microsoft made cars..."?
There are a lot of incredible smart home devices out there that are worthy of your time and money. Some of the examples that spring immediately to mind include the Nest thermostat, which will save you energy and money by ensuring you only heat your house when needed. Then there's the Philips Hue Lights, which allow you to control the illumination in your home. Some will even save your life. The Nest Protect is an incredibly precise WiFi connected smoke and carbon monoxide detector. They are all useful products that will ultimately become ubiquitous because they're so incredibly helpful. But then there are the WiFi enabled, smartphone-powered appliances that aren't quite as useful. The kinds that should never see the light of day. Here are 9 of the worst. http://www.makeuseof.com/tag/9-stupidest-smart-home-appliances/ Biggest risk here might be wasting money—though surely some of these will be hack-vulnerable network entry points.
Colin Neagle, Network World, 3 Apr 2015 Scary stories of hacking Internet of Things devices are emerging, but how realistic is the threat? http://www.infoworld.com/article/2905290/security/smart-home-hacking-is-easier-than-you-think.html opening text: Last March, a very satisfied user of the Honeywell Wi-Fi Thermostat left a product review on Amazon.com that shed some light on an unexpected benefit of the smart home—revenge. The reviewer wrote that his wife had left him, and then moved her new lover into the home they once shared, which now featured the Honeywell Wi-Fi thermostat. The jilted ex-husband could still control the thermostat through the mobile app installed on his smartphone, so he used it to make the new couple's lives a little less happily ever after: “Since this past Ohio winter has been so cold I've been messing with the temp while the new love birds are sleeping. Doesn't everyone want to wake up at 7 AM to a 40 degree house? When they are away on their weekend getaways, I crank the heat up to 80 degrees and back down to 40 before they arrive home. I can only imagine what their electricity bills might be. It makes me smile. I know this won't last forever, but I can't help but smile every time I log in and see that it still works. I also can't wait for warmer weather when I can crank the heat up to 80 degrees while the love birds are sleeping. After all, who doesn't want to wake up to an 80 degree home in the middle of June?'' In the past year, more than 8,200 of the 8,490 Amazon users who have read the review deemed it "useful."
The Virginia State Board of Elections decertified the AVS WinVote machine, after releasing a brief but damning report on the vulnerabilities. Among the items they identified are: * The machines use an unpatched version of Windows from 2004. * The machines use the WEP protocol for WiFi encryption, which has been broken for over a decade. * The machines use a hardwired WEP encryption key ("abcde"). * Even if configured to disable the wireless communication, the machines allow numerous services, including file services. * The adminstrator password is "admin", which can't be changed through the user interface provided to the election administrator. * The database is an obsolete version of Microsoft Access, with a hardwired password of "shoup" (the family that owned the company). * The entire database can be replaced without any verification (i.e., there's no MD5 checksums). Oh, why keep piling on. More details at https://freedom-to-tinker.com/blog/jeremyepstein/decertifying-the-worst-voting-machine-in-the-us/ Press coverage at http://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/ And much more. In nearly 30 years of working in security, this is the single worst system I've seen. Jeremy
EFF via NNSquad https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities While moving to Internet voting may sound reasonable to folks who haven't paid any attention to the rampant security problems of the Internet these days, it's just not feasible now. As Verified Voting notes: "Current systems lack auditability; there's no way to independently confirm their correct functioning and that the outcomes accurately reflect the will of the voters while maintaining voter privacy and the secret ballot." Indeed, the researchers' discovery was not the first indication that New South Wales was not ready for an Internet voting system. Australia's own Joint Standing Committee on Electoral Matters concluded last year, "Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity."
A 5-part series of articles by Bob Wachter, a UCSF MD and author of "The Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine's Computer Age", that would be appreciated by the RISKS audience, collected here: https://medium.com/@Bob_Wachter with the following titles: "How Medical Tech Gave a Patient a Massive Overdose" Pablo Garcia went to the hospital feeling fine. Then the hospital made him very sick. "Beware of the Robot Pharmacist" In tech-driven medicine, alerts are so common that doctors and pharmacists learn to ignore them—at the patient's risk. "Why Clinicians Let Their Computers Make Mistakes" We tend to trust our computers a lot. Perhaps too much, as one hospital nurse learned the hard way. "Should Hospitals Be More Like Airplanes?" “Alarm fatigue at Pablo Garcia's hospital sent him into a medical crisis. The aviation industry has faced the same problem—and solved it. "How to Make Hospital Tech Much, Much Safer" We identified the root causes of Pablo Garcia's 39-fold overdose—and ways to avoid them next time.
Computerworld via NNSquad http://www.computerworld.com/article/2909348/lawyers-smell-blood-in-electronic-medical-records.html EMRs require physicians to perform their own data entry, stealing precious face time with patients. What had been a note jotted into a paper record, now involves a dozen or more mouse clicks to navigate a complex EMR workflow. Healthcare providers can be prone to taking shortcuts on entering the data or not entering it in a timely manner, Klein said. Vital sign data is often duplicated as it moves between hospital departments, but it remains part of one integral patient record. Data administrators may copy and paste patient information from an older record to a newer one, supposing that the data would remain the same. And the sheer complexity of EMRs pose issues with accuracy, as being able to track who has entered what data, and when, over time can become confusing. "This is a fire hydrant," Klein said. "Try to take a drink out of it. That's what it's like trying to read an EMR."
The entire outpatient EMR for a large multihospital system in a major US city had to be taken off-line after it suffered a "severe unanticipated issue" during a maintenance update to improve performance this weekend. Yesterday, the decision was taken to roll the system back to its pre-update (presumably, last-known-good) state, which was late Friday evening. Everything entered after that point until Monday evening has been lost and must be re-created and re-entered. The hospital system is trying to ascertain which patients and charts may have been touched during that time. Staff are being asked to gather all their paper records (!) from Friday onwards to see if they are present in the read-only version of the system. The live system is still not yet operational. Robert L Wears, MD, MS, PhD, University of Florida 1-904-244-4405 (ass't) Imperial College London firstname.lastname@example.org +44 (0)791 015 2219
Indolering via NNSquad https://www.indolering.com/e2e-web-crypto "Researchers have been testing the efficacy of security iconography for over a decade, and the results are dismal. The most dramatic "experiment" was performed by Moxie Marlinspike in 2009. Marlinspike removed encryption from connections using a malicious Tor exit node, which also removed the browser encryption icons. Despite drawing his sample from a population with above average technical acumen and paranoia, he achieved a 100% "success" rate; meaning that every user who visited a login page logged into to their account. Marlinspike collected over 400 logins and 16 credit card numbers in 24 hours."
Steven J. Murdoch, The Conversation, March 30 2015 http://theconversation.com/banks-undermine-chip-and-pin-security-because-they-see-profits-rise-faster-than-fraud-38952 Contactless cards are being promoted because it appears they cause customers to spend more. Some of this could be accounted for by a shift from cash to contactless, but some could also stem from a greater temptation to spend more due to the absence of tangible cash in a wallet as a means of budgeting. Greater convenience leads to increased spending, which means more fees for the card issuers and more profit for the merchant—this is the real reason why the PIN check was dropped from contactless cards. The risk of fraud is mitigated to some degree by limiting transactions in the UK to £20 (rising to £30 in September), but it's been demonstrated that even these limits can be bypassed.
*The Boston Globe* http://www.bostonglobe.com/business/2015/04/06/tewksbury-police-pay-bitcoinransom-hackers/PkcE1GBTOfU52p31F9FM5L/story.html Tewksbury had joined the list of police departments victimized by "ransomware," an insidious form of Internet crime that is crippling computers worldwide.
*The Atlantic* via NNSquad http://www.theatlantic.com/technology/archive/2015/04/how-the-internet-ruined-april-fools-day/389213/ "What that means is that, this time of year, we become trained to doubt the people and institutions--news outlets, businesses, fellow humans--we are meant, ideally, to trust. Everything operates in a kind of limbo of credibility: Wait, is that a real thing or an April Fool's thing? How can we know for sure? What would it mean to know for sure? What is truth anyway?" I agree. And I'm not sharing or resharing any "joke" items today in any of my venues. The more sophisticated and heavily produced these "joke" items become, the less amusing I'm finding them. And I can tell you from my own inbox, that confusion and doubt sowed on 1 April lasts throughout the year. Just *too much* of what was once a reasonably fun thing. Thanks a bunch.
Can you say “DOH''? I knew you could! Dan Goodin, Ars Technica, 12 Apr 2015 http://arstechnica.com/security/2015/04/hacked-french-tv-network-admits-blunder-that-exposed-youtube-password/ The head of the French TV network that suspended broadcasting following last week's hack attack has confirmed the service exposed its own passwords during a TV interview, but said the gaffe came only after the breach. "We don't hide the fact that this is a blunder," the channel's director general Yves Bigot, told the AFP news service. The exposure came during an interview a rival TV service broadcast on the TV5Monde attack. During the questioning, a TV5Monde journalist sat in front of several scraps of paper hanging on a window. One of them showed the password of for the network's YouTube account. As Ars reported last week, the pass code was "lemotdepassedeyoutube," which translates in English to "the password of YouTube." Bigot stressed that the passwords were broadcast only after the hack attack, which occurred overnight Wednesday when hackers compromised TV5Monde servers and social networking accounts. A TV5Monde manager told AFP that the gaffe came in the immediate aftermath of the hack attack, when network managers were scrambling to quickly hand out new temporary online access codes.
A couple of months ago, Laura Harper, a 44-year-old freelance writer and editor from Houston, Texas, got upset while reading a Jezebel story about a service called "Invisible Boyfriend." http://fusion.net/story/111041/crowdsourcing-and-privacy/ Let us count the risks... Gabriel Goldberg, Computers and Publishing, Inc. email@example.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing websites using known vulnerabilities in Wordpress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers. http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/
Robert X. Cringely, Notes from the Field InfoWorld, 14 Apr 2015 The .sucks domain was all fun and games until a greedy but enterprising Web registry decided to blackmail major corporations into paying up http://www.infoworld.com/article/2909535/cringely/how-icann-enabled-legal-website-extortion.html
Jeremy Kirk, InfoWorld, 30 Mar 2015 The attacks, which started Thursday, were particularly aimed at two GitHub-hosted projects fighting Chinese censorship http://www.infoworld.com/article/2903533/security/github-still-recovering-from-massive-ddos-attacks.html selected text: Software development platform GitHub said Sunday it was still experiencing intermittent outages from the largest cyber attack in its history but had halted most of the attack traffic. Starting on Thursday, GitHub was hit by distributed denial-of-service (DDoS) attacks that sent large volumes of Web traffic to the site, particularly towards two Chinese anti-censorship projects hosted there. Anthr@X wrote that it appeared advertising and tracking code used by many Chinese websites appeared to have been modified in order to attack the GitHub pages of the two software projects. "In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech," Anthr@X wrote.
New documents released by NYCLU shed light on Erie County's use of spying tool. Cyrus Farivar, Ars Technica, 7 Apr 2015 http://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/ Not only is the FBI actively attempting to stop the public from knowing about stingrays, it has also forced local law enforcement agencies to stay quiet even in court and during public hearings, too. An FBI agreement, published for the first time in unredacted form on Tuesday, clearly demonstrates the full extent of the agency's attempt to quash public disclosure of information about stingrays. The most egregious example of this is language showing that the FBI would rather have a criminal case be dropped to protect secrecy surrounding the stingray. Relatively little is known about how, exactly, stingrays, known more generically as cell-site simulators, are used by law enforcement agencies nationwide, although new documents have recently been released showing how they have been purchased and used in some limited instances. Worse still, cops have lied to courts about their use. Not only can stingrays be used to determine location by spoofing a cell tower, they can also be used to intercept calls and text messages. Typically, police deploy them without first obtaining a search warrant. Ars previously published a redacted version of this document in February 2015, which had been acquired by the Minneapolis Star Tribune in December 2014. The fact that these two near-identical documents exist from the same year (2012) provides even more evidence that this language is boilerplate and likely exists in other agreements with other law enforcement agencies nationwide. The new document, which was released Tuesday by the New York Civil Liberties Union (NYCLU) in response to its March 2015 victory in a lawsuitfiled against the Erie County Sheriff's Office (ECSO) in Northwestern New York, includes this paragraph: In order to ensure that such wireless collection equipment/technology continues to be available for use by the law enforcement community, the equipment/technology and any information related to its functions, operation and use shall be protected from potential compromise by precluding disclosure of this information to the public in any manner including but not limited to: press releases, in court documents, during judicial hearings, or during other public forums or proceedings. In the version of the document previously obtained in Minnesota, the rest of the sentence after the phrase "limited to" was entirely redacted. Mariko Hirose, a NYCLU staff attorney, told Ars that she has never seen an agreement like this before. "This seems very broad in scope and undermines public safety and the workings of the criminal justice system," she said. Your tax dollars at work The FBI letter also explicitly confirms a practice that some local prosecutors have engaged in previously, which is to drop criminal charges rather than disclose exactly how a stingray is being used. Last year, prosecutors in Baltimore did just that during a robbery trial there, Baltimore Police Detective John L. Haley cited a non-disclosure agreement, and he declined to describe in detail how he obtained the location of the suspect. [...]
IP'ers might enjoy revisiting Dyson, Gilder, Keyworth, Toffler's 1994 manifesto - Cyberspace and the American Dream: A Magna Carta for the Knowledge Age. The longish 7000+ word essay (see link below) anticipates the disruptions of the present moment to an amazing extent. The Internet remained a government project in 1994 and the Web included all of 3000 or so websites. The futurist group identifies the regulatory risk to computer networks as the primary threat to the benefits of the Knowledge Age. The past provided plenty of evidence to doubt the benefits of industrial policy in the domain computer networks. The FCC's implementations of telephone network industrial policy in the Telecom Act of 1996 failed without exception otherwise known as the telecom crash. The steady stream of public interest benefits generated by the information technology sector left computer networks classified as non-regulated information services. The group did not predict the Commission would vote to impose telephone network industrial policy on the Internet after 20 years of successful non-regulation (and failed regulation of the telephone network). Daniel Berninger, Founder, Voice Communication Exchange Committee e: firstname.lastname@example.org tel SD: +126.96.36.19938 w: www.vcxc.org Cyberspace and the American Dream: A Magna Carta for the Knowledge Age Esther Dyson, George Gilder, George Keyworth, and Alvin Toffler Future Insight, Release 1.2, August 1994 Preamble The central event of the 20th century is the overthrow of matter. In technology, economics, and the politics of nations, wealth—in the form of physical resources—has been losing value and significance. The powers of mind are everywhere ascendant over the brute force of things. [...] http://www.pff.org/issues-pubs/futureinsights/fi1.2magnacarta.html
Steve Ragan, CSO, Apr 6, 2015 While having instant access to your information via the cloud is a major bonus to productivity and convenience, there's a risk that the security trade-off will be too high. http://www.csoonline.com/article/2906143/cloud-security/lost-in-the-clouds-easily-compromised-personal-information.html opening text: Google has indexed thousands of backup drives Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe, but that's not entirely true. In fact, depending on how you've configured the device, your backups are freely available online to anyone who knows what they're looking for.
French Senate Backs Bid To Force Google To Disclose Search Algorithm Workings TechCrunch via NNSquad http://techcrunch.com/2015/04/17/french-senate-backs-bid-to-force-google-to= -disclose-search-algorithm-workings "Meanwhile in France, the upper house of parliament yesterday voted to support an amendment to a draft economy bill that would require search engines to display at least three rivals on their homepage. And also to reveal the workings of their search ranking algorithms ..." Give in to bullies, and they'll never stop demanding more. I've been saying this all along, and efforts like this—whether or not they actually become law—show that even when dealing with countries in the West politicians are attempting to take total control of information for their own purposes and their own pandering political ends. They cannot be permitted to succeed -- the end result could make Orwell's vision of government information management and censorship look like a walk in the park by comparison.
The latest Web server vulnerability affects desktop systems as well as Microsoft products Serdar Yegulalp, InfoWorld, 16 Apr 2015 http://www.infoworld.com/article/2910262/windows-security/4-no-bull-facts-about-microsofts-http-sys-vulnerability.html
Trevor Timm, *The Guardian* http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-ta ken-seriously-on-cybersecurity
*The New York Times* via NNSquad http://qz.com/374299/how-the-new-york-times-is-eluding-chinas-censors/ "The New York Times' English and Chinese-language websites have been blocked since an October 2012 article about the wealthy family of prime minister Wen Jiabao. But according to employees in the company, outside observers, and mainland Chinese readers, the Times is quietly pursuing a new, aggressive strategy to reach readers in China."
[The closing text about responsibility does not bode well for a solution soon.] Malvertising has been a growing problem for years Lucian Constantin, InfoWorld, 8 Apr 2015 http://www.infoworld.com/article/2907215/security/largescale-google-malvertising-campaign-hits-users-with-exploits.html opening text: A large number of ads distributed by a Google advertising partner redirected users to Web-based exploits that attempted to install malware on users' computers. closing text: A 2014 investigation into malvertising by the U.S Senate concluded that "the online advertising industry has grown in complexity to such an extent that each party can conceivably claim it is not responsible when malware is delivered to a user's computer through an advertisement." That's because a typical online advertisement goes through five or six intermediaries before being displayed in a user's browser and it can be replaced with a malicious one at any point in that chain. Website owners also have no control over what ads will be displayed on their websites, the U.S. Senate said.
CNN via NNSquad http://money.cnn.com/2015/04/08/technology/security/insurance-data-tracking/index.html "John Hancock is partnering with Vitality, which many people probably know as one of those work-related wellness programs. The program is available in 30 states. If you sign up for this, John Hancock will send you a free Fitbit monitor. That's a tiny, pill-shaped device that some people wear in sleek-looking bracelets to track how far they walk/run, the calories burned, and the quality of sleep. That means the insurance company would know exactly when a customer does a sit-up, how far she runs—or when she's skipped the gym for a few days ... Second, that personal data -- your heart rate, preferred exercises, what gym you visit and when—ends up on insurance company computers. And these databases are a target for hackers, who steal this information and sell it on the black market to identity thieves and fraudsters. CNNMoney has just asked John Hancock where the data will be kept, and whether it will be sold to other companies. The company has not provided an immediate reply." Yeah, like WHAT COULD GO WRONG? Slap it on the wrist of the nearest healthy 22-year-old?
Mixed feelings, this gives me: /Your Fire TV Stick has received a software update that contains features requested by customers like you. The update has been applied automatically to your device and you will notice the new features when you next use it./ There seems to be no option controlling updates. Nor for Roku boxes, nor my cable box. But at least that last one isn't on my home network. I've no idea about security/authentication for Fire Stick and Roku updates so I wonder how hackable they are. Same for promised/threatened automatic automotive software updates. And, while I requested these updates—sigh, I see no Unsubscribe link. [... Long message from Amazon truncated for RISKS. Check with gabe.]
ABC via NNSquad http://abcnews.go.com/Technology/wireStory/internet-naming-body-moves-crack-sucks-30211323 The Internet Corporation for Assigned Names and Numbers, or ICANN, on Thursday sent a letter to the U.S. Federal Trade Commission and Canada's Office of Consumer Affairs to see if the actions of company Vox Populi Registry Ltd. are illegal. ICANN initially approved of the so-called top-level domain name, among nearly 600 it has added recently to expand beyond common names such as ".com," ''.org" and ".us." But it is backtracking after an advisory panel made up of industry groups and companies like Microsoft, Verizon and eBay complained last month. Vox Populi began accepting registrations using ".sucks" on March 30 from trademark holders and celebrities before it's released to public applicants. It has recommended charging $2,499 a year for the privilege, and according to Vox Populi CEO John Berard, most of the names have been sold by resellers for around $2,000 a year. So far, purchased names include Youtube.sucks, Bing.sucks, Visa.sucks, Bankofamerica.sucks, Yahoo.sucks, Telusmobility.sucks and other major brand names.
Google via NNSquad Android Security State of the Union 2014 https://static.googleusercontent.com/media/source.android.com/en/us/devices/tech/security/reports/Google_Android_Security_2014_Report_Final.pdf "In 2014, the Android platform made numerous significant improvements in platform security technology, including enabling deployment of full disk encryption, expanding the use of hardware-protected cryptography, and improving the Android application sandbox with an SELinuxbased Mandatory Access Control system (MAC). Developers were also provided with improved tools to detect and react to security vulnerabilities, including the nogotofail project and the SecurityProvider. We provided device manufacturers with ongoing support for fixing security vulnerabilities in devices, including development of 79 security patches, and improved the ability to respond to potential vulnerabilities in key areas, such as the updatable WebView in Android 5.0." I just finished reading the entire report. I must simultaneously congratulate Google for their work improving app security on newer versions of Android—and I must express my strong disappointment that the report seems to effectively ignore the impact of vulnerabilities associated with known WebView bugs affecting vast numbers of Android users who cannot update their phones to the newer versions, having been abandoned in this respect by OEMs, mobile carriers, and/or Google itself. Nor has (as far as I know) Google reached out proactively to the extremely large number of affected Android users to warn them of these vulnerabilities and inform them about potential workarounds that are available in various instances.
This issue has been discussed at length on the crypto email list, and here are the conclusions, as I see them: * md5 itself is broken; there are better hashes around, so the recommendation of md5 on the Kali web page is indeed a joke (although not quite the same joke I originally had in mind). * https/TLS does not solve all SW distribution problems, but using it in conjunction with various signature mechanisms does make an attacker have to work harder and actively; http makes passive observation way too easy. Once an attacker knows exactly what SW you have, you are much easier to attack. * http makes a MITM/DOS attack trivial; you may never get a bad piece of SW, but you may also never get any SW update at all. Regarding "what would Henry Baker do" when designing a SW update mechanism: I'm not completely sure. The threat model for SW distribution today includes nation-states with "acres of Crays", with no regulatory, budget or location constraints, and with the entire Internet as a "free fire zone"; this threat model may not have been anticipated by many of the SW distribution systems in existence today. SW distribution has been successfully attacked before (Stuxnet), and will continue to be attacked, because it is a Willie Sutton target—"that's where the money is". http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/ "You must reboot your computer now to finish installing the latest security updates. NSA/GCHQ/... thanks you for your support in their war of^Hn terror."
Please report problems with the web pages to the maintainer