We've long been suggesting in RISKS that Internet Voting was an inherently BAD IDEA. Now the folks who run the so-called American Pastime at the top professional level may have decided that Internet Voting is really the American PastTime, although many of us think it is not past time—it is NOT READY for prime time, and perhaps never will be, for elections of any real importance.
http://bleacherreport.com/articles/2500903-mlb-cancels-more-than-60-million-all-star-votes-for-fear-of-improper-voting
By the way, apologies for letting "Armenia loses Internet access" slip through in the previous issue. That item from 2011 was really past time.
L.A. plans potentially disastrous switch to "electronic" voting
Ars Technica
http://arstechnica.com/tech-policy/2015/06/los-angeles-county-moves-to-open-source-voting-technology/
The county is also considering a number of customizable options to bolster voter turnout, which has suffered in recent years. Along with the new system, it plans to introduce a "poll pass," which allows users to pre-mark their votes using their phone, tablet, or desktop and scan them with a QR code at their polling place. Logan said the new system is designed to let users vote anywhere in the county, rather than at a designated polling station. He hopes to broaden the 7:00am to 8:00pm voting window to a multi-day "voting period," during which a limited number of stations would be open prior to the election. There's even talk of an electronic equivalent to absentee voting--if and when the law permits.
Open source is not a panacea. So much here and planned that could go so very wrong. They never learn. Note the part about "electronic" absentee voting. Given how large the absentee voter population is in L.A., this almost certainly means the disaster of Internet voting.
The Swiss newspaper "20 Minuten" (20 minutes) reports that a Swiss woman of Portuguese descent tried to purchase airline tickets online with the portal Edreams.ch. She was informed a few days later that the tickets were rejected by the airline Swiss because her name of 32 characters was too long: Swiss accepts only 28.
http://www.20min.ch/schweiz/romandie/story/Name-zu-lang---Flugticket-storniert-20762253
Portuguese and Spanish names are quite long, as traditionally there is one from the mother's side and one from the father's side. Swiss pointed out that it was Edreams' fault: they should have asked the customer how she wanted to abbreviate her name. In the meantime, she was able to buy tickets from another airline with no length restriction on names—but at a higher price.
HTW Berlin, Studiengang IMI, Treskowallee 8, 10313 Berlin, +49-30-5019-2320, weberwu@htw-berlin.de, http://www.f4.htw-berlin.de/people/weberwu/
[via Dave Farber] On Wednesday, Special Rapporteur on freedom of opinion and expression David Kaye will present his report on international legal protection for encryption and anonymity to the United Nations Human Rights Council. The report is an important contribution to the security conversation at a time when some Western leaders are calling for ill-informed and impossible loopholes in technology--a trend that facilitates surveillance and tends to enable states that openly seek to repress journalists.
http://cpj.org/blog/2015/06/un-report-promotes-encryption-as-fundamental-and-p.php
http://www.washingtonpost.com/blogs/the-switch/wp/2015/02/19/what-president-obama-is-getting-wrong-about-encryption/
http://www.theguardian.com/commentisfree/2015/jan/13/cameron-ban-encryption-digital-britain-online-shopping-banking-messaging-terror
http://cpj.org/blog/2015/01/classifying-media-and-encryption-as-a-threat-is-da.php
http://cpj.org/blog/2015/04/when-it-comes-to-great-firewall-attacks-https-is-g.php
http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx
NowSecure via NNSquad
https://www.nowsecure.com/keyboard-vulnerability/
Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user ... While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network. In addition, it is difficult to determine how many mobile device users remain vulnerable, given the device models and number of network operators globally.
About 600,000 payments expected by customers of the RBS group of banks have failed to enter accounts overnight, the bank has admitted. Payments including tax credits and disability living allowance are among the payments that have failed to be credited to accounts. [...] it had now identified and fixed the underlying problem. However, it is an embarrassment for the group, which was fined 56M pounds by regulators after a 2012 software issue left millions of customers unable to access accounts. RBS, NatWest, and Ulster Bank customers were affected in June 2012 after problems with a software upgrade. RBS said it had invested hundreds of millions of pounds to improve its computer systems since then.
http://www.bbc.com/news/business-33162855
The shooting death of an 18-year-old man trying to retrieve his lost smartphone highlights the risks of using mobile-tracking apps, say police. Jeremy Cook, a native of Brampton, Ont., was gunned down at about 5:15 a.m. ET on Sunday. London police found his body at the rear of a strip mall near Huron Street and Highbury Avenue in the city's north end. He had multiple gunshot wounds. Cook had left his smartphone in a taxi and traced it electronically to an address on Highbury Avenue. When he and a relative went to the address, he was confronted by three men in a car, Steeves told CBC News.
http://www.cbc.ca/news/canada/toronto/shooting-over-cellphone-case-is-extreme-say-police-1.3115069
Appy-geek via NNSquad
http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=1&articleidC584144&source=googleplus
The QR code linked to a URL used for the "Spread the word with Heinz" competition between 2012 and 2014. Heinz allowed the domain name "sagsmithheinz.de" to lapse after the competition closed, which was subsequently purchased by a purveyor of German adult entertainment.
The right way to have done this, of course, would have been to have the QR code point at some URL within the permanent Heinz domain and redirect to the promotion site. Then when the promotion ends you could change the redirect to something still sensible. But hey, that takes forethought.
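The durable-link pattern the item describes, as an added example (not Heinz's, Appy-geek's or any vendor's code): the QR code encodes a URL on a domain the organisation never lets lapse, and a small redirect table sends visitors to the promotion site until the campaign ends, then to a page that still makes sense. A pre-print check refuses to encode a rented host into physical media at all. The domain names, the "sagsmith" slug, the end date and the sample dates are constructed placeholders.

```python
"""Durable campaign links for QR codes (added example, not Heinz's or any
vendor's code). The printed URL lives on a domain the organisation keeps
renewing; a redirect table sends visitors to the short-lived promotion site
until it ends, then to a page that still makes sense. Domains, slug and dates
below are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Dict
from urllib.parse import urlparse

PERMANENT_DOMAIN = "example-brand.com"   # assumption: the domain that is never let lapse


@dataclass(frozen=True)
class Campaign:
    target: str      # promotion site, possibly on a rented domain
    ends: date       # last day visitors are sent to `target`
    fallback: str    # where /go/<slug> points after the campaign, on the permanent domain


REDIRECTS: Dict[str, Campaign] = {
    "sagsmith": Campaign(
        target="https://promo-rented-domain.example/sagsmith",
        ends=date(2014, 12, 31),
        fallback=f"https://{PERMANENT_DOMAIN}/promotions",
    ),
}


def printed_url(slug: str) -> str:
    """The only URL that should ever be encoded in printed material."""
    return f"https://{PERMANENT_DOMAIN}/go/{slug}"


def points_at_permanent_domain(url: str) -> bool:
    """Pre-print check: refuse to bake a rented or third-party host into a label.
    Matches the permanent domain and its subdomains, but not look-alike hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host == PERMANENT_DOMAIN or host.endswith("." + PERMANENT_DOMAIN)


def resolve(slug: str, today: date) -> str:
    """What the redirector answers for /go/<slug> on a given day."""
    campaign = REDIRECTS.get(slug)
    if campaign is None:
        return f"https://{PERMANENT_DOMAIN}/"   # unknown or retired slug: home page
    if today > campaign.ends:
        return campaign.fallback                # campaign over: still a sensible page
    return campaign.target                      # campaign live: the promotion site


# Constructed sample dates: during the campaign and well after it.
DURING = date(2013, 6, 1)
AFTER = date(2015, 6, 1)

if __name__ == "__main__":
    print(printed_url("sagsmith"), points_at_permanent_domain(printed_url("sagsmith")))
    print(resolve("sagsmith", DURING))
    print(resolve("sagsmith", AFTER))
```

Because both the fallback and the home page sit on the permanent domain, the printed code never has to change: the rented promotion domain can expire, and the worst outcome is an edit to the redirect table. The pre-print check is the step that would have caught a label pointing directly at "sagsmithheinz.de".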
Glenn Fleishman, Macworld, 18 Jun 2015
Researchers discover an exploit that lets OS X and iOS malware in the App Store steal passwords and app data, as well as hijack session tokens
http://www.infoworld.com/article/2937241/security/zero-day-exploit-lets-app-store-malware-steal-os-x-and-ios-passwords.html
Early this morning my spouse texted me from the airport to let me know that our credit card had been declined just as she was leaving for a trip. Turns out there was "suspicious activity" on the card last night, and the fraud-control folks had put a hold on it. The suspicious transactions: one small purchase from an online retailer we use often, and three $100-plus payments over the course of 30 minutes to what turned out to be the local cable company, electric company and a mobile phone provider. In other words, my spouse had been financially diligent and made sure all our current bills were paid before leaving town. This is by no means intended to ridicule the credit-card company and its fraud-detection algorithms. The transactions (except, perhaps for the payees) do fit the common fraud pattern of one small test purchase and then a bunch of big-ticket ones. And it took less than 10 minutes on the phone to clear the problem up. But. It did make me think about how vulnerable our current payment infrastructure is, and about the reversal of roles that has occurred. Compromised accounts have become so common that, instead of fraudsters trying to avoid detection, it's the job of legitimate customers to figure out how not to be mistaken for crooks.
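As an added illustration of the "one small test purchase, then a burst of big-ticket payments" pattern the item above describes, here is a toy detection heuristic run over constructed transactions; it is not any card issuer's real scoring logic. The dollar thresholds, the two-hour lead time between test purchase and burst, and the transaction data are assumptions. The second function shows how a list of the cardholder's established payees, the one thing the author notes did not fit the pattern, would suppress the hold.

```python
"""Toy "test purchase then burst" card-fraud heuristic (added example with
constructed data; not any issuer's real scoring logic)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, List, Optional

SMALL_MAX = 20.0                       # assumption: ceiling for a "small test purchase", USD
LARGE_MIN = 100.0                      # "$100-plus" payments, as in the story
BURST_COUNT = 3                        # three big-ticket payments ...
BURST_WINDOW = timedelta(minutes=30)   # ... over the course of 30 minutes
TEST_LEAD = timedelta(hours=2)         # assumption: max gap between test purchase and burst


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    payee: str


def find_test_then_burst(txns: Iterable[Txn]) -> Optional[List[Txn]]:
    """Return [test, *burst] if a small purchase is followed within TEST_LEAD by at
    least BURST_COUNT large payments that all fall inside one BURST_WINDOW;
    otherwise None. Input order does not matter."""
    seq = sorted(txns, key=lambda t: t.when)
    for i, test in enumerate(seq):
        if test.amount > SMALL_MAX:
            continue
        large = [u for u in seq[i + 1:]
                 if u.amount >= LARGE_MIN and u.when - test.when <= TEST_LEAD]
        for j, first in enumerate(large):
            burst = [u for u in large[j:] if u.when - first.when <= BURST_WINDOW]
            if len(burst) >= BURST_COUNT:
                return [test, *burst]
    return None


def assess(txns: Iterable[Txn], known_payees: FrozenSet[str] = frozenset()) -> dict:
    """Decide whether to hold the card. Payees the cardholder has paid before
    (utilities, a regular retailer) are treated as familiar and do not count."""
    hit = find_test_then_burst(txns)
    if hit is None:
        return {"hold": False, "reason": "no test-then-burst pattern"}
    unfamiliar = sorted({t.payee for t in hit} - known_payees)
    if not unfamiliar:
        return {"hold": False,
                "reason": "pattern matched, but every payee is established for this cardholder"}
    return {"hold": True,
            "reason": "test-then-burst pattern with unfamiliar payees: " + ", ".join(unfamiliar)}


# Constructed transactions mirroring the story above; times and amounts are made up.
NIGHT = datetime(2015, 6, 17, 22, 0)
BILL_RUN = [
    Txn(NIGHT, 12.99, "online-retailer"),                        # the small purchase
    Txn(NIGHT + timedelta(minutes=40), 142.10, "cable-co"),      # three $100-plus
    Txn(NIGHT + timedelta(minutes=52), 118.45, "electric-co"),   # payments within
    Txn(NIGHT + timedelta(minutes=68), 105.00, "mobile-co"),     # 30 minutes
]
HOUSEHOLD_BILLERS = frozenset({"online-retailer", "cable-co", "electric-co", "mobile-co"})

if __name__ == "__main__":
    print(assess(BILL_RUN))                     # hold: True
    print(assess(BILL_RUN, HOUSEHOLD_BILLERS))  # hold: False
```

Run stand-alone, the first call holds the card exactly as the author's issuer did, and the second clears it once the payees are recognised as the household's own billers. The payee list is what turns a pure amount-and-velocity rule into one that distinguishes a diligent spouse from a tested card.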
http://bigstory.ap.org/article/d81b464390c34ab293e0abb3cccd4fcc/officials-say-security-lapses-left-system-open-hackers [The information was indeed very sensitive. WHY was it on the Web? PGN]
There is also significant risk in "journalists" publishing the uncorroborated assertions of anonymous government officials who have a direct interest in smearing people: https://firstlook.org/theintercept/2015/06/14/sunday-times-report-snowden-files-journalism-worst-also-filled-falsehoods/
Re: Sex, lies and debt potentially exposed by OPM data hack Had the retired officer disclosed to the government that he'd been cheating on his taxes rather than cheating on his wife for twenty years (but later paid up), would he have still gotten his security clearance?
FYI—OPM sent 750k e-mails to notify Fed employees & asked that *they click on a link* to sign up for credit monitoring and other protections. Isn't that how we got here in the first place? [Of course, whoever stole the OPM data just did a facepalm and is now thinking: "why didn't I think of that?"]
Lisa Rein, *WashPost*, 18 June 2015
Reacting to Chinese hack, the government may not have followed its own cybersecurity rules
http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/reacting-to-chinese-hack-the-government-may-not-have-followed-its-own-cybersecurity-rules/
In responding to China's massive hack of federal personnel data, the government may have run afoul of computer security again. Over the last nine days, the Office of Personnel Management has sent e-mail notices to hundreds of thousands of federal employees to notify them of the breach and recommend that they click on a link to a private contractor's Web site to sign up for credit monitoring and other protections.
But those e-mails have been met with increasing alarm by employees—along with retirees and former employees with personal data at risk—who worry that the communications may be a form of spear phishing used by adversaries to penetrate sensitive government computer systems. After the Defense Department raised a red flag about the e-mails its 750,000 civilian employees were starting to receive, OPM officials said late Wednesday that the government had suspended its electronic notifications this week.
“We've seen such distrust and concerns about phishing,” OPM spokesman Sam Schumach acknowledged, describing the feedback from many of the 4.2 million current and former employees who are being notified that personnel files containing their Social Security numbers, addresses and other personal information may have been stolen.
Computer experts said the personnel agency—already under fire from lawmakers from both parties for failing to protect sensitive databases from hackers—could be putting federal systems in jeopardy again by asking employees to click on links in the e-mails.
“There's a risk that you desensitize people by telling them that occasionally, there's going to be a very important email you have to click on,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology. He called OPM's first round of e-mail transmissions the equivalent of “sending a postcard to people saying gee, you just got hacked, go to this website. The hackers could wise up and send their own set of fake identity protection e-mails and get into your computers all over again.”
That's precisely what worried top Defense officials before the chief information officer of the government's largest agency told OPM last week to suspend the notifications because they disregarded basic cybersecurity training that's crucial to ensuring the safety of military networks: Never click on unfamiliar links, attachments or e-mail addresses because they expose employees to spear phishing attacks.
Defense offices across the country posted a bulletin in their internal communication networks from CIO Terry Halvorsen that said OPM was “suspending notification to DoD personnel that their [Personal Identifying Information] may have been breached until an improved, more secure notification and response process can be put in place.” [...]