The RISKS Digest
Volume 28 Issue 68

Thursday, 11th June 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

All U.S. United Flights Grounded Over Mysterious Problem
PGN
Airbus transport crash caused by "wipe" of critical engine control data
Ars Technica
Man dies in Corvette after battery cable becomes loose
Khou via Mark Thorson
Traffic Hacking: Caution Light Is On
Nicole Perlroth
OpenSesame: 10-sec universal garage door opener
Dennis Fisher
Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find
NYTimes
After Silences and Setbacks, the LightSail Spacecraft Is Revived
NYT
Evidence of Healthcare Breaches Lurks On Infected Medical Devices
Werner U
New exploit leaves most Macs vulnerable to permanent backdooring
Dan Goodin
Breach in a Federal Computer System Exposes Personnel Data
NYTimes
Chinese Hackers Behind Breach at Insurers Are Also Responsible for Government Attack
NYTimes
Single Test for All Virus Exposure Opens Doors for Researchers
NYT
Kaspersky Lab cybersecurity firm is hacked
BBC
Consumers Dislike Data-Mining but Feel Helpless to Stop It
NYT
Exclusive: In 'year of Apple Pay', many top retailers remain skeptical
Reuters
"Governments of the World Agree: Encryption Must Die!"
Lauren Weinstein
Japanese pension organization phished, 1.25M people's data leaked
chiaki ishikawa
Twitter Advertisers Can Now Target You Based on the Other Phone Apps
recode
Re: "NOBUS can shoot ourselves in the foot like this"
Chris Drewe
Re: Volvo has an accident, but not the one you thought
Peter Ladkin
Re: EU wants to kill open Wi-Fi
Peter Ladkin
Re: You Can Be Prosecuted for Clearing Your Browser History
Henry Baker
Re: House of Discards: Wikipedia pre-election edits
Henry Baker
REVIEW - "The Florentine Deception", Carey Nachenberg
Rob Slade
Info on RISKS (comp.risks)

All U.S. United Flights Grounded Over Mysterious Problem

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 11 Jun 2015 11:03:52 PDT
All United Airlines flights in the US were grounded this morning for nearly
an hour, over `dispatching information'.  Various tweets from passengers
suggest different possible explanations: hacked network? fake flight plans?
disgorging random plans? dropped flight plans?  Considerable confusion?
The problem was then resolved.
http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/


Report: Airbus transport crash caused by "wipe" of critical engine control data

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Jun 2015 08:44:33 -0700
http://arstechnica.com/information-technology/2015/06/report-airbus-transport-crash-caused-by-wipe-of-critical-engine-control-data/


Man dies in Corvette after battery cable becomes loose

Mark Thorson <eee@sonic.net>
Wed, 10 Jun 2015 13:18:17 -0700
The doors don't open without battery power.  There is a mechanical release,
but it's hidden and many Corvette owners don't know about it.  This man may
have died while reading his owner's manual, which adds a new dimension to
the term RTFM.

http://www.khou.com/story/news/local/texas/2015/06/10/texas-man-dog-die-after-being-trapped-in-corvette/70999112/


Traffic Hacking: Caution Light Is On (Nicole Perlroth)

"Bob Frankston" <bob19-0501@bobf.frankston.com>
11 Jun 2015 09:49:32 -0400
Today's NYTimes.com
http://bits.blogs.nytimes.com/2015/06/10/traffic-hacking-caution-light-is-on/?_r=0

  [The article might be interpreted as implying that so-called `smart'
  anythings could all be vulnerable.  No surprise to RISKS readers.  PGN]


OpenSesame: 10-sec universal garage door opener

Henry Baker <hbaker1@pipeline.com>
Fri, 05 Jun 2015 14:24:25 -0700
FYI—It usually takes me longer than 10 seconds to find the right button
to push...

Dennis Fisher, 4 Jun 2015
Using a Toy to Open a Fixed-Code Garage Door in 10 Seconds
https://threatpost.com/using-a-toy-to-open-a-fixed-code-garage-door-in-10-seconds/113146


Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find

Monty Solomon <monty@roscom.com>
Wed, 10 Jun 2015 09:46:51 -0400
http://www.nytimes.com/2015/06/11/us/amtrak-crash-engineer-brandon-bostian-not-on-cellphone-ntsb-says.html


After Silences and Setbacks, the LightSail Spacecraft Is Revived

Monty Solomon <monty@roscom.com>
Tue, 9 Jun 2015 03:10:31 -0400
http://www.nytimes.com/2015/06/08/science/space/lightsail-setbacks-spacecraft-prepares-unfurl-sail.html

LightSail was successfully deployed and worked for two days before its
computer crashed because of a software flaw.

Eight days of silence followed until, as engineers expected, a high-speed
charged particle zipping through space fortuitously scrambled part of the
computer's memory and caused the computer to restart ... and deploy its
solar sail.


Evidence of Healthcare Breaches Lurks On Infected Medical Devices

Werner U <werneru@gmail.com>
Tue, 9 Jun 2015 05:15:48 +0200
[ regarding 8 June 2015 article on The Security Ledger website ]

chicksdaddy <http://it.slashdot.org/%7Echicksdaddy> wrote on SLASHDOT
http://it.slashdot.org/story/15/06/08/166207/report-evidence-of-healthcare-breaches-lurks-on-infected-medical-devices

*Evidence that serious and widespread breaches of hospital and healthcare
networks are likely to be hiding on compromised and infected medical devices in
clinical settings
<https://securityledger.com/2015/06/x-rays-behaving-badly-devices-give-malware-foothold-on-hospital-networks/>,
including medical imaging machines, blood gas analyzers and more, according
to a report by the firm TrapX. In the report, which will be released this
week, the company details incidents of medical devices and management
stations infected with malicious software at three, separate customer
engagements. According to the report, medical devices—in particular
so-called picture archive and communications systems (PACS) radiologic
imaging systems—are all but invisible to security monitoring systems
and provide a ready platform for malware infections to lurk on hospital
networks, and for malicious actors to launch attacks on other, high value IT
assets. Malware at a TrapX customer site spread from an unmonitored PACS
system to a key nurse's workstation. The result: confidential hospital data
was secreted off the network to a server hosted in Guiyang, China.
Communications went out encrypted using port 443 (SSL), resulting in the
leak of an unknown number of patient records. "The medical devices
themselves create far broader exposure to the healthcare institutions than
standard information technology assets," the report concludes. One
contributing factor to the breaches: Windows 2000 is the OS of choice for
"many medical devices." The version that TrapX obtained "did not seem to
have been updated or patched in a long time," the company writes.*


New exploit leaves most Macs vulnerable to permanent backdooring (Dan Goodin)

Monty Solomon <monty@roscom.com>
Sun, 7 Jun 2015 23:33:08 -0400
Hack allows firmware to be rewritten right after older Macs awake from sleep.
Dan Goodin, *Ars Technica*. 1 Jun 2015

Macs older than a year are vulnerable to exploits that remotely overwrite
the firmware that boots up the machine, a feat that allows attackers to
control vulnerable devices from the very first instruction.

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/


Breach in a Federal Computer System Exposes Personnel Data

Monty Solomon <monty@roscom.com>
Fri, 5 Jun 2015 01:50:53 -0400
http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html

The intrusion, which appears to have involved information on about four
million current and former government workers, was the third such breach in
the last year.


Chinese Hackers Behind Breach at Insurers Are Also Responsible for Government Attack

Monty Solomon <monty@roscom.com>
Fri, 5 Jun 2015 01:51:46 -0400
Researchers say it suggests spies are no longer just stealing American
corporate and military trade secrets, but personal information for some
later purpose.
http://www.nytimes.com/2015/06/05/technology/chinese-hackers-behind-breach-at-insurers-are-also-responsible-for-government-attack-researchers-say.html

  [See also
http://www.huffingtonpost.com/2015/06/04/government-data-breach_n_7514620.html
  PGN]


Single Test for All Virus Exposure Opens Doors for Researchers

Monty Solomon <monty@roscom.com>
Thu, 4 Jun 2015 20:12:26 -0400
http://www.nytimes.com/2015/06/05/health/single-blood-test-for-all-virus-exposures.html

It's like one-stop shopping for scientists: a blood test can now show every
virus that has crossed a person's path, lending insight into disease.


Kaspersky Lab cybersecurity firm is hacked (BBC)

<PGN>
Wed, 10 Jun 2015 18:46:49 +0000
BBC, 10 Jun 2015
http://www.bbc.com/news/technology-33083050

"Kaspersky Lab said it believed the attack was designed to spy on its newest
technologies. It said the intrusion involved up to three previously unknown
techniques."


Consumers Dislike Data-Mining but Feel Helpless to Stop It

Monty Solomon <monty@roscom.com>
Fri, 5 Jun 2015 14:36:32 -0400
Many Americans do not think the trade-off of their data for personalized
services, giveaways or discounts is a fair deal, a University of
Pennsylvania study found.
http://www.nytimes.com/2015/06/05/technology/consumers-conflicted-over-data-mining-policies-report-finds.html


Exclusive: In 'year of Apple Pay', many top retailers remain skeptical

Monty Solomon <monty@roscom.com>
Sun, 7 Jun 2015 23:28:26 -0400
http://www.reuters.com/article/2015/06/05/us-apple-pay-idUSKBN0OL0CM20150605


Lauren's Blog: "Governments of the World Agree: Encryption Must Die!"

Lauren Weinstein <lauren@vortex.com>
Thu, 4 Jun 2015 14:18:52 -0700
            Governments of the World Agree: Encryption Must Die!
                 http://lauren.vortex.com/archive/001104.html

Finally! There's something that apparently virtually all governments around
the world can actually agree upon. Unfortunately, it's on par conceptually
with handing out hydrogen bombs as lottery prizes.

If the drumbeat isn't actually coordinated, it might as well be.  Around the
world, in testimony before national legislatures and in countless interviews
with media, government officials and their surrogates are proclaiming the
immediate need to "do something" about encryption that law enforcement and
other government agencies can't read on demand.

Here in the U.S., it's a nearly constant harangue over on FOX News
(nightmarishly, where most Americans apparently get their "news" these
days). On CNN, it's almost as pervasive (though anti-crypto tirades on CNN
must share space with primetime reruns of a globetrotting celebrity chef and
crime "reality" shows).

It's much the same if you survey media around the world. The names and
officials vary, but the message is the same—it's not just terrorism
that's the enemy, it's encryption itself.

That argument is a direct corollary to governments' decidedly mixed feelings
about social media on the Internet. On one hand, they're ecstatic over the
ability to monitor the public postings of criminal organizations like ISIL
(or ISIS, or Islamic State, or Daesh—just different labels for the same
fanatical lunatics) that sprung forth from the disastrously misguided
policies of Bush 1 and Bush 2 era right-wing neocons—who not only set the
stage for the resurrection of long-suppressed religious rivalries, but
ultimately provided them with billions of dollars worth of U.S. weaponry as
well. Great job there, guys.

Since it's also the typical role of governments to conflate and confuse
issues whenever possible for political advantage, when we dig deeper into
their views on social media and encryption we really go down the rabbit
hole.

While governments love their theoretical ability to track pretty much every
looney who posts publicly on Twitter or Facebook or Google+, governments
simultaneously bemoan the fact that it's possible for uncontrolled
communications—especially international communications—to take place
at all in these contexts.

In particular, it's the ability of radical nutcases overseas to recruit
ignorant (especially so-called "lone wolf") nutcases in other countries that
is said to be of especial concern, notably when these communications
suddenly "go dark" off the public threads and into private, securely
encrypted channels.

"Go dark"—by the way—is now the government code phrase for crypto they
can't read on demand. Dark threads, dark sites, dark links. You get the
idea.

One would be remiss to not admit that these radical recruiting efforts are
of significant concern.

But where governments' analysis breaks down massively is with the direction
of their proposed solutions, which aren't aimed at addressing the root
causes of fanatical religious terrorism, but rather appear almost entirely
based on preventing secure communications—for anybody!—in the first
place.

Naturally they don't phrase this goal in quite those words. Rather, they
continue to push (to blankly nodding politicians, journalists, and cable
anchors) the tired and utterly discredited concept of "key escrow"
cryptography, where governments would have "backdoor" keys to unlock
encrypted communications, supposedly only when absolutely necessary and with
due legal process.

Rewind 20 years or so and it's like "Groundhog Day" all over again, back in
the early to mid 90s when NSA was pushing their "Clipper Chip" hardware
concept for key escrowed encryption, an idea that was mercilessly buried in
relatively short order.

But like a vampire entombed without appropriate rituals, the old key escrow
concepts have returned to the land of the living, all the uglier and more
dangerous after their decades festering in the backrooms of governments.

The hardware Clipper concept dates to a time well before the founding of
Twitter or Facebook, and a few years before Google's arrival. Apple existed
back then, but centralized social media as we know it today wasn't yet even
really a glimmer in anyone's eye.

While governments generally seem to realize that stopping all crypto that
they can't access on demand is not practical, they also realize that the big
social media platforms (of which I've named only a few)—where most users
do most of their social communicating—are the obvious targets for
legislative, political, and other pressures.

And this is why we see governments subtly (and often, not so subtly)
demonizing these firms as being uncooperative or somehow uncaring about
fighting evil, about fighting crime, about fighting terrorism.  How dare
they—authorities repeat as a mantra—implement encryption systems that
governments cannot access at the click of a mouse, or sometimes access at
all under any conditions.

Well, welcome to the 21st century, because the encryption genie isn't going
back into his bottle, no matter how hard you push.

Strong crypto is critical to our communications, to our infrastructures, to
our economies, and increasingly to many other aspects of our lives.

Strong crypto is simply not possible—let's say that once more with
feeling—not possible, given key escrow or other government backdoors
designed into these systems. There is no practical or even theoretically
accepted means for including such mechanisms without fatally weakening the
entire associated encryption ecosystem, and opening it up to all manner of
unauthorized access via hacking and various subversions of the key escrow
process.

But governments just don't seem willing to accept the science and reality of
this, and keep pushing the key escrow meme. It's like the old joke about the
would-be astronaut who wanted to travel to the sun, and when reminded that
he'd burn up, replied that it wasn't a problem, because he'd go at
night. Right.

Notably, just as we had governments who ignored realistic advice and
unleashed the monsters of religious fanatical terrorism, we now have many of
the same governments on the cusp of trying to hobble, undermine, and
decimate the strong encryption systems that are so very vital.

There's every reason to believe that we'd experience a similarly disastrous
outcome in the encryption context as well, especially if social media firms
were required to deploy only weak crypto—putting the vast populations of
innocent users at risk—while driving the bad guys even further
underground and out of view.

If we don't vigorously fight back against government efforts to weaken
encryption, we're all going to be badly burned.


Japanese pension organization phished, 1.25M people's data leaked

chiaki ishikawa <ishikawa@yk.rim.or.jp>
Fri, 05 Jun 2015 13:29:31 +0900
Reading the discussion about "Re: Only 3% of people aced Intel's phishing
quiz", I have to wonder how much we should educate the general public AND
the SYSTEM INTEGRATORS who hire new graduates without much experience in
security matters.

The recent news brought home this issue:
Japanese Pension Service (run by the government) was attacked by phishing,
and as a result, data for 1.25 million people got leaked, according to
news articles in the past few days.

What irked me most, as someone who is in the ICT industry and has an interest
in security matters, is the comment uttered by a senior official according to
some news articles in different publications. (So I assume it was on a live
interview or something and *is* FOR REAL, to my utter dismay.):

My translation:

"The organization will take more security measures including that the PCs
that handle individual's data cannot access outside Internet, ..."

A PC/terminal that handles the privacy information at Pension Service can
talk directly to the outside WAN?
I WAS INCREDULOUS INITIALLY.

And this seems to be the case, indeed, and that is how a large amount (maybe
not total) of the leak seems to have occurred. Sigh.

In the aftermath of the revealed incident, some high government officials
blamed the pension fund for its handling of private data, saying that a clerk
should not open an attachment to e-mail from outside sources.

But to err is human.

I think such an organization ought to

1. - Use a customized mail client so that the clerk on a PC that handles the
sensitive data can never open an attachment at all: Yes, what I mean is even
if a clerk clicks on an attachment or a URL within the main text by
mistake or something, it SHOULD NOT OPEN it at all. (Well, I think Mozilla's
mailer is open source, and there are other open source mail clients.
Customizing them to disable certain operations won't be difficult.) (If a
clueless correspondent sends an attachment, it can be opened in a very, very
carefully quarantined computer running a virtual PC environment, after
forwarding it there.)

AND OF COURSE

2. - such a PC with sensitive data should not be capable of talking to the
outside Internet directly.

Regarding the second point, the sophistication of the worms means that they
may be able to install a communication proxy on an Internet-capable intranet
PC that relays the communication from the Internet-blocked PC to the
outside world, but proper filtering at the local PCs or switches ought to
prevent such issues: I looked at Norton Internet Security on my PC and I
think it can restrict communication to only a selected few and it can
disable all inbound communication. So it can thwart the use of a proxy,
etc. (And actually, this has been a pain in the neck when I try to use a
Privoxy proxy running on a PC from a Linux image running on a different PC.)
So it is easily doable today. Of course, we need constant and independent
checks of the firewall settings of such locally installed security tools.

Anyway, I really would like to know who DESIGNED the intranet at the Pension
Service so that we can learn from the mistakes...

I found some English articles about this.

[1]
https://www.itgovernance.co.uk/blog/1-25-million-japanese-pension-records-leaked-following-phishing-attack/
[2]
http://www.tripwire.com/state-of-security/latest-security-news/hackers-steal-over-a-million-japanese-citizens-personal-data-in-targeted-attack/

But these leave some key issues out and are a little misinformed as to the
degree of seriousness of the attack.

Today's Asahi Shimbun newspaper article (online) [in Japanese]
gives a very detailed and good report of what has happened.
http://www.asahi.com/articles/ASH647G88H64UTIL04R.html?iref=comtop_6_01

Usually details remain obscured for this type of incident, but given the
sloppy work of system integrator(s) at key government services in the past,
I think someone high up in the command of government security matters must
have decided that the detailed explanation would be good to educate the ICT
community to rise up from this shoddy level of awareness.

At least the next time something like this happens, government can sue system
integrators for gross negligence by citing this incident and publicized
method of the attack.

NOW THERE IS AN ECONOMIC INCENTIVE on the side of system integrators to make
sure proper security measures are in place.

I suspect this is the only stick that sinks in security lessons.

From the above link of Asahi Shimbun, I have learned the following:

A certain "Takemura" sent an e-mail using some jargon from the pension
business and explained that he had sent some suggestions on the procedure at
the organization, and this made the recipient believe that the sender was well
versed in pension matters.

Now, according to the article, the clerk clicked on the URL at the end of
the e-mail (ok, so no attachment is involved this time around, but mere
URL clicking). [At least my suggestion above would block this operation.]
This caused a download of malware with a 0-day attack! It collected the ID of
the user on the PC, etc. Also, this malware subsequently downloaded bot
software.

There was a trace that this malware created clones so that even if one is
eradicated, the others would remain, and it seems that it tried to connect to
other PCs on the LAN.

Within less than 5 hours of the contamination, the Pension Service was
notified of strange network activity of the PC by NISC (National Information
Security Center), and pulled the plug.

This was on May 8th.

10 days later, at two-minute intervals, about 100 phishing e-mails arrived
at addresses within the organization, including some which were never
publicized outside before, with a virus attachment, and now the "From:" address
shown was that of an INTERNAL address (!). But the originating IP address
was the same as in the initial attack. [Obviously some clever attack is being
waged.] I have no idea whether the e-mail from the originating IP address
was blocked or not.

Anyway, on May 21, two PCs in the same office were found to be communicating
with external IP addresses. Surprise. One was the "replacement PC" of the
clerk whose PC was pulled off the network (!?). On May 23, 9 more PCs in a
different office (now in Tokyo) were found to be doing the same.

The rest is history.

At least the newspaper article stated that the forensics have only determined
how the initial PC and the two PCs found on May 21 were attacked and hijacked.
It is not known how the others got infected.

The current Japanese administration is trying to introduce a single numeric ID
for each citizen in Japan for efficient administrative processing, à la the SS
number in the USA.

In the face of this breach, it is hard to sell such a policy now.  Too easy a
target for ID theft, etc., unless proper security measures and preventive
measures for limiting the damage of ID theft are in place.

At least, I hope that there will be more scrutiny on the security design of
the computer systems.

P.S. I suspect this phishing is part of well-orchestrated attacks by
organized crime or something.  News articles report the police seem to have
found part of the leaked data on data servers used by previous phishing
attacks (which I assume they have been monitoring for illegal activities).
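As an added example (not from Ishikawa's post, the Pension Service, or NISC), here is a small audit over constructed connection records that applies the two controls argued for above: it flags a sensitive-data PC that reaches the Internet directly, a sensitive PC that connects to an intranet host outside its allow-list, and an intranet host that acts as a relay by reaching the Internet shortly after being contacted. The address plan, the allow-list and the 60-second relay window are assumptions.

```python
"""Egress-policy audit over connection records.

Added example (not from the RISKS post or the Pension Service): applies the
two controls argued for above to constructed flow data, flagging sensitive-data
PCs that reach the Internet directly, sensitive PCs that connect to intranet
hosts outside an allow-list, and intranet hosts that act as a relay for them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed address plan (hypothetical): PCs that handle pension records, and the
# only internal destination they are permitted to reach (a records server).
SENSITIVE_HOSTS = {"10.20.0.11", "10.20.0.12"}
ALLOWED_INTERNAL = {("10.20.0.100", 443)}
# An intranet host that reaches the Internet this soon after being contacted by
# a sensitive PC is treated as a suspected relay (assumed window, in seconds).
RELAY_WINDOW = 60

# Address ranges treated as internal; everything else counts as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str     # host that initiated the connection
    dst: str
    dport: int


def is_external(addr: str) -> bool:
    """True when addr lies outside every INTERNAL_NETS range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts src dst dport' records; '#' starts a comment, blank lines ignored."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def audit(flows: List[Flow]) -> List[Tuple[str, str, str, int]]:
    """Return (finding, src, dst, ts) tuples for every policy violation seen."""
    findings = []
    contacted: Dict[str, List[int]] = {}   # intranet host -> times a sensitive PC reached it
    for f in flows:
        if f.src in SENSITIVE_HOSTS:
            if is_external(f.dst):
                # Control 2 violated outright: sensitive PC talks to the Internet.
                findings.append(("direct_egress", f.src, f.dst, f.ts))
            elif (f.dst, f.dport) not in ALLOWED_INTERNAL:
                # Sensitive PC reaching a peer it has no business with
                # (lateral movement, or the first hop of a proxy relay).
                findings.append(("unexpected_internal", f.src, f.dst, f.ts))
                contacted.setdefault(f.dst, []).append(f.ts)
        elif is_external(f.dst):
            # Ordinary intranet host going out: suspicious only if a sensitive
            # PC contacted it within RELAY_WINDOW seconds beforehand.
            recent = [t for t in contacted.get(f.src, ()) if 0 <= f.ts - t <= RELAY_WINDOW]
            if recent:
                findings.append(("suspected_relay", f.src, f.dst, f.ts))
    return findings


# Constructed sample records; 198.51.100.x / 203.0.113.x are documentation
# ranges standing in for Internet addresses.
SAMPLE_FLOWS = """
# ts    src          dst           dport
1000  10.20.0.11   10.20.0.100   443    # records server: allowed
1010  10.20.0.12   10.20.0.100   443    # allowed
1100  10.20.0.11   203.0.113.7   443    # sensitive PC straight to the Internet
1200  10.20.0.12   10.20.1.50    8080   # sensitive PC to an intranet PC's proxy port
1205  10.20.1.50   198.51.100.9  443    # that PC reaches out 5 s later: relay
1300  10.20.1.60   198.51.100.9  443    # unrelated intranet browsing: no finding
"""


def audit_sample() -> List[Tuple[str, str, str, int]]:
    return audit(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for kind, src, dst, ts in audit_sample():
        print(f"{ts} {kind:20} {src} -> {dst}")
```

The same logic runs unchanged over real flow exports once the allow-list and sensitive-host set are filled in from the site's own network plan.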


Twitter Advertisers Can Now Target You Based on the Other Phone Apps

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Jun 2015 22:27:53 -0700
http://recode.net/2015/06/10/twitter-advertisers-can-now-target-you-based-on-the-other-apps-on-your-phone/

  For the past six months, Twitter has been collecting data on which
  smartphone apps its users download. Now, the company is using that data to
  make some money. Twitter announced on Wednesday that its advertisers can
  use that app information to target users with ads.  Marketers will be able
  to target you based on the different categories of apps you have
  downloaded onto your phone as well as how recently you downloaded them.

I'm incredibly disappointed in the direction Twitter has been taking.  I
understand why they've felt they need to go in this direction, but that's
not an excuse. They're spamming like mad, and now this.  Unacceptable, and
why I hardly use Twitter any more.


Re: "NOBUS can shoot ourselves in the foot like this" (RISKS-28.67)

Chris Drewe <e767pmk@yahoo.co.uk>
Wed, 10 Jun 2015 15:10:17 +0100
As it happens, there's a review in this weekend's newspaper of a book 'The
New Spymasters' by Stephen Grey (Viking) which makes a similar point.
http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html

In summary it says:

  Langley was far too reliant on technology (or SIGINT), preferring to amass
  vast amounts of data on suspected terrorists with few credible human
  sources to corroborate it.  As Grey observes: "All this scientific
  espionage was bewitching. Cool gadgets and smart techniques inspired awe
  and a confidence that was comparable to religious zeal." ...  What was
  missing from the American approach, in the author's view, was good,
  old-fashioned HUMINT. "Human spies can be terribly frail and unreliable,
  but without any element of understanding and verification through human
  intelligence, and without basic common sense, terrible errors are bound to
  follow."

There's some debate here in the UK right now (following the recent election)
on what surveillance powers the authorities should have; as usual, there's a
hard sell for the idea that if they can't "collect it all" then we'll all be
blown up by terrorists, but personally I'm more afraid of the country
becoming like 1970s East Germany.

  Charles Cumming, What's the point of spies?

  A new book about spying argues that modern digital surveillance is no
  substitute for old-fashioned espionage
  http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html
     [Long item truncated for RISKS.  PGN]


Re: Volvo has an accident, but not the one you thought (Reisert)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 05 Jun 2015
Jim Reisert pointed to a fusion.net article in Risks 28.66 on someone
experimenting with a Volvo inadvisedly. Andrew Pam pointed out some of the
real context in Risks 28.67.

I searched for articles on the incident. There are a few, but many are
derivative. I summarised what I found in
http://www.abnormaldistribution.org/2015/06/05/volvo-has-an-accident/, and
commented.

There has to be some lesson in someone trying out a protective function, on
live people, with which the car was not equipped. There has to be some
lesson in trying out any protective function on live people. There has to be
some lesson in conducting the trial in such a way that the protective
function would have been suppressed. And there has to be some lesson in
conducting this trial without informing oneself about the capabilities of
the vehicle or taking elementary safety precautions in case things go wrong.

This last, BTW, is also a problem for professionals. There are incidents of
professional pilots conducting return-to-service tests on commercial
aircraft ... and of augering in because they were assuming the tests would
succeed and they didn't! The main lesson is to remember that functional
tests can always have at least two outcomes: pass and fail.

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com


Re: EU wants to kill open Wi-Fi (Weinstein, Risks 28.67)

Peter Bernard Ladkin <ladkin@rvs.uni-bielefeld.de>
Fri, 05 Jun 2015 13:01:02 +0200
Lauren Weinstein writes misleadingly about German law and Wi-Fi networks in
RISKS-28.67.

He says "...the Court of Justice of the European Union ..... is asked
whether an enforcement practice requiring open wireless networks to be
locked is an acceptable one. Germany's Federal Supreme Court in 2010 held
that the private operator of a wireless network is obliged to use password
protection in order to prevent abuse by third parties....."

Let me set the record straight.

There is no such requirement and no such obligation in Germany (or anywhere
else I know).

The CJEU has been asked by a lawyer with Pinsent Masons to rule on whether
operators of unsecured Wi-Fi networks can be held liable for copyright
infringement conducted using their networks.

http://www.out-law.com/en/articles/2014/november/cjeu-asked-to-rule-on-copyright-liability-of-operators-of-free-and-open-wi-fi-networks-/

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com


Re: You Can Be Prosecuted for Clearing Your Browser History (R-28.67)

Henry Baker <hbaker1@pipeline.com>
Thu, 04 Jun 2015 21:39:43 -0700
FYI—Hmmm...  Not a single Wall Street banker has faced jail time due to
their part in almost bankrupting the country (and the world), yet we're
using the *Sarbanes-Oxley Act* !?!, a law aimed at financial wrongdoing
enacted by Congress in the wake of the Enron scandal, to prosecute
non-financial crimes?

Remind me again which Constitution is supposed to be in effect in the U.S. ?


Re: House of Discards: Wikipedia pre-election edits (Ladkin)

Henry Baker <hbaker1@pipeline.com>
Fri, 05 Jun 2015 10:25:17 -0700
> It's only one sentence; he doesn't justify the connection he makes and I
> don't see one.

Two words: "Dennis Hastert".

Dennis Hastert was 3rd in line to be President, and presided over a lot of
legislation regarding sexual harassment (and worse).

Due to wikipedia (& other) edits, "right-to-be-forgotten" countries will now
be electing their own Dennis Hasterts.

Those who are ready to forget the past shouldn't be surprised when the past
repeats itself.

Once again, "right-to-be-forgotten" is incompatible with democratic
representative government.  Yes, remembering past mistakes is painful, but
the alternative (totalitarian govt) is far, far worse.


REVIEW - "The Florentine Deception", Carey Nachenberg

Rob Slade <rmslade@shaw.ca>
Wed, 10 Jun 2015 09:06:33 -0800
BKFLODEC.RVW   20150609

"The Florentine Deception", Carey Nachenberg, 2015, 978-1-5040-0924-9,
U$13.49/C$18.91
%A   Carey Nachenberg http://florentinedeception.com
%C   345 Hudson Street, New York, NY   10014
%D   2015
%G   978-1-5040-0924-9 150400924X
%I   Open Road Distribution
%O   U$13.49/C$18.91 www.openroadmedia.com
%O  http://www.amazon.com/exec/obidos/ASIN/150400924X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/150400924X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/150400924X/robsladesin03-20
%O   Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   321 p.
%T   "The Florentine Deception"

It gets depressing, after a while.  When you review a bunch of books on the
basis of the quality of the technical information, books of fiction are
disappointing.  No author seems interested in making sure that the
technology is in any way realistic.  For every John Camp, who pays attention
to the facts, there are a dozen Dan Browns who just make it up as they go
along.  For every Toni Dwiggins, who knows what she is talking about, there
are a hundred who don't.

So, when someone like Carey Nachenberg, who actually works in malware
research, decides to write a story using malicious software as a major plot
device, you have to be interested.  (And besides, both Mikko Hypponen and
Eugene Spafford, who know what they are talking about, say it is technically
accurate.)

I will definitely grant that the overall "attack" is technically sound.  The
forensics and anti-forensics make sense.  I can even see young geeks with
more dollars than sense continuing to play "Nancy Drew" in the face of
mounting odds and attackers.  That a vulnerability can continue to go
undetected for more than a decade would ordinarily raise a red flag, but
Nachenberg's premise is realistic (especially since I know of a
vulnerability at that very company that went unfixed for seven years after
they had been warned about it).  That a geek goes rock-climbing with a
supermodel we can put down to poetic license (although it may increase the
license rates).  I can't find any flaws in the denouement.

But.  I *cannot* believe that, in this day and age, *anyone* with a
background in malware research would knowingly stick a thumb/jump/flash/USB
drive labeled "Florentine Controller" into his, her, or its computer.  (This
really isn't an objection: it would only take a couple of pages to have
someone run up a test to make sure the thing was safe, but ...)

Other than that, it's a joy to read.  It's a decent thriller, with some
breaks to make it relaxing rather than exhausting (too much "one damn thing
after another" gets tiring), good dialog, and sympathetic characters.  The
fact that you can trust the technology aids in the "willing suspension of
disbelief."

While it doesn't make any difference to the quality of the book, I should
mention that Carey is donating all author profits from sales of the book to
charity: http://florentinedeception.weebly.com/charities.html

copyright, Robert M. Slade   2015   BKFLODEC.RVW   20150609
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
