An article by Aaron M. Kessler in today's issue of *The New York Times* discusses a consequence of the Jeep Cherokee vulnerabilities—very similar problems exist in Fiat Chrysler automobiles, resulting in the recall of 1.4 million vehicles. Car-pay diem.
A pair of researchers said that they had hacked a Jeep Cherokee through its Internet-connected system, allowing them to take control of the engine, brakes and even steering. http://www.nytimes.com/2015/07/24/business/the-web-connected-car-is-cool-until-hackers-cut-your-brakes.html
http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/ Uconnect, a "connected car" system sold in a number of vehicles produced by Fiat Chrysler for the US market, uses the Sprint cellular network to connect to the Internet and allows owners to interact with their vehicle over their smartphone--performing tasks like remote engine start, obtaining the location of the vehicle via GPS, and activating anti-theft features. But vulnerabilities in Uconnect, which Fiat Chrysler has issued a patch for, made it possible for an attacker to scan Sprint's cellular network for Uconnect-equipped vehicles, obtaining their location and vehicle identification information. Miller and Valasek demonstrated that they could then attack the systems within the car via the IP address of the vehicle, allowing them to turn the engine of the car off, turn the brakes on or off, remotely activate the windshield wipers, and take control of the vehicle's information display and entertainment system. Miller and Valasek also found that they could take remote control of the steering of their test vehicle, the aforementioned Jeep Cherokee--but only while it was in reverse. Thinking about what hackers will do to *autonomous* vehicles.
Let's see if anyone rushes to send out a bunch of USB drives with a "security update" to the Chrysler owners before they get them from Chrysler? A great way to plant a time bomb.

Today, the automaker will update the software in the infotainment system of the cars it is recalling by sending customers a USB drive that can be used to download new software. The cars and trucks under the recall are equipped with 8.4-inch touchscreens on the following models:

- 2013-2015 MY Dodge Viper specialty vehicles
- 2013-2015 Ram 1500, 2500 and 3500 pickups
- 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
- 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
- 2014-2015 Dodge Durango SUVs
- 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
- 2015 Dodge Challenger sports coupes

"It's important to reiterate that there is no real safety threat to FCA owners," said Edmunds.com consumer advice editor Ron Montoya. "This week's hack was an isolated incident that was performed on one specific vehicle and it was not something that could be replicated on a mass scale."

Customers who own cars subject to the recall will not need to take them to dealers. They will receive a USB drive in the mail. The USB drive provides additional security features. Owners who are not comfortable installing the software themselves can take their car to a dealer. Also, customers who want to check if their vehicle is affected by the recall can visit http://www.driveuconnect.com/software-update/ to see if their vehicle identification number is included in the recall.

Lance J. Hoffman, Director, Cyber Security Policy and Research Institute http://www.cspri.seas.gwu.edu/ http://www.cs.seas.gwu.edu/people/faculty/99

[Quack? Web(foot)ware? Inter(duck)net? If it looks like a duck and walks like a duck, it must need another software fix. PGN]
It is nice that Andy Greenberg offered himself as a "crash test dummy" for a hacker demonstration. I wonder if the other people sharing his bit of the St. Louis highway where he was going 70 MPH are as appreciative of his offer. Loss of forward visibility at a random time at high speed could have resulted in injury to others.
[Note: This item comes from friend Paul Pangaro. DLH] [via Dave Farber]

Lori Emerson, 23 Jul 2015 <http://loriemerson.net/2015/07/23/whats-wrong-with-the-internet-and-how-we-can-fix-it-interview-with-internet-pioneer-john-day/>

Below is an interview I conducted with the computer scientist and Internet pioneer John Day via email over the last six months or so. The interview came about as a result of a chapter I've been working on for my Other Networks project, called The Net Has Never Been Neutral. In this piece, I try to expand the materialist bent of media archaeology, with its investment in hardware and software, to networks. Specifically, I'm working through the importance of understanding the technical specs of the Internet to figure out how we are unwittingly living out the legacy of the power/knowledge structures that produced TCP/IP. I also think through how the Internet could have been and may still be utterly different. In the course of researching that piece, I ran across fascinating work by Day in which he argues that "the Internet is an unfinished demo" and that we have become blind not only to its flaws but also to how and why it works the way it works. Below you'll see Day expand specifically on five flaws of the TCP/IP model that are still entrenched in our contemporary Internet architecture and, even more fascinating, the ways in which a more sensible structure (like the one proposed by the French CYCLADES group) to handle network congestion would have made the issue of net neutrality beside the point. I hope you enjoy and many, many thanks to John for taking the time to correspond with me.

Emerson: You've written quite vigorously about the flaws of the TCP/IP model that go all the way back to the 1970s and about how our contemporary Internet is living out the legacy of those flaws. Particularly, you've pointed out repeatedly over the years how the problems with TCP were carried over not from the American ARPANET but from an attempt to create a transport protocol that was different from the one proposed by the French Cyclades group. First, could you explain to readers what Cyclades did that TCP should have done?

Day: There were several fundamental properties of networks the CYCLADES crew understood that the Internet group missed:

* The Nature of Layers,
* Why the Layers they had were there,
* A complete naming and addressing model,
* The fundamental conditions for synchronization,
* That congestion could occur in networks, and
* A raft of other missteps most of which follow from the previous 5, but some are unique.

First and probably foremost was the concept of layers. Computer Scientists use layers to structure and organize complex pieces of software. Think of a layer as a black box that does something, but the internal mechanism is hidden from the user of the box. One example is a black box that calculates the 24 hour weather forecast. We put in a bunch of data about temperature, pressure and wind speed and out pops a 24 hour weather forecast. We don't have to understand how the black box did it. We don't have to interact with all the different aspects it went through to do that. The black box hides the complexity so we can concentrate on other complicated problems for which the output of the black box is input. The operating system of your laptop is a black box. It does incredibly complex things but you don't see what it is doing. Similarly, the layers of a network are organized that way. For the ARPANET group, BBN [erstwhile Bolt, Beranek, and Newman] built the network and everyone else was responsible for the hosts. To the people responsible for the hosts, the network of IMPs was a black box that delivered packets. Consequently, for the problems they needed to solve, their concept of layers focused on the black boxes in the hosts.

So the Internet's concept of layers was focused on the layer in the Hosts where its primary purpose was modularity. The layers in the ARPANET hosts were the Physical Layer, the wire; IMP-HOST Protocol; the NCP; and the applications, such as Telnet, and maybe FTP. For the Internet, they were Ethernet, IP, TCP, Telnet or HTTP, etc. as application. It is important to remember that the ARPANET was built to be a production network to lower the cost of doing research on a variety of scientific and engineering problems.
The title suggests a steward of civility and decency. However, online, unpaid moderators can become a force for mayhem. http://www.nytimes.com/2015/07/26/magazine/when-the-internets-moderators-are-anything-but.html?smprod=nytcore-ipad&smid=nytcore-ipad-share [Gabe, Are you suggesting that RISKS is biased? We're just reporting it like it is... PGN]
Facebook does not have legal standing to challenge search warrants on behalf of its users, a New York appeals court has ruled in what was the biggest batch of warrants the social-media site said it ever received at one time.
[1) Risk number 1 is the vulnerability. 2) Risk number 2 is Microsoft taking their sweet time dealing with it. GW]

Woody Leonhard, InfoWorld, 23 Jul 2015
ZDI went public after extending the disclosure deadline twice with no fix forthcoming from Microsoft
http://www.infoworld.com/article/2951738/patch-management/hp-s-zdi-discloses-four-new-vulnerabilities-in-internet-explorer.html

HP's Zero Day Initiative (ZDI) doesn't cut much slack with its 120-day disclosure policy. When ZDI knocks on your door and says you have a security hole, you get 120 days to fix it or risk full public disclosure. That's what happened—again. With ZDI and Microsoft—again. Over Internet Explorer—again. [...]
Who is responsible for ensuring security and privacy in the age of the Internet of Things? As the number of Internet-connected devices explodes, Gartner estimates that 25 billion devices and objects will be connected to the Internet by 2020—security and privacy issues are poised to affect everyone from families with connected refrigerators to grandparents with healthcare wearables. In this interview, U.S. Federal Communications Commission CIO David Bray says control should be put in the hands of individual consumers. Speaking in a personal capacity, Bray shares his learnings from a recent educational trip to Taiwan and Australia he took as part of an Eisenhower Fellowship: "A common idea Bray discussed with leaders during his Eisenhower Fellowship was that the interface for selecting privacy preferences should move away from individual Internet platforms and be put into the hands of individual consumers." Bray says it could be done through an open source agent that uses APIs to broker their privacy preferences on different platforms.
<http://www.gartner.com/technology/research/internet-of-things/>
<https://enterprisersproject.com/article/2015/7/empower-consumers-control-their-privacy-internet-everything>

itwbennett writes: OpenSSH servers with keyboard-interactive authentication enabled, which is the default setting on many systems, including FreeBSD ones, can be tricked to allow many authentication retries over a single connection, according to a security researcher who uses the online alias Kingcope, who disclosed the issue on his blog last week. According to a discussion on Reddit, setting PasswordAuthentication to 'no' in the OpenSSH configuration and using public-key authentication does not prevent this attack, because keyboard-interactive authentication is a different subsystem that also relies on passwords.
<http://it.slashdot.org/story/15/07/22/1715244/bug-exposes-openssh-servers-to-brute-force-password-guessing-attacks>
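The point the Reddit discussion makes above, that `PasswordAuthentication no` alone leaves the keyboard-interactive subsystem reachable, is easy to check for and to detect. The following is an added example written for this digest, not code from the Slashdot item, Kingcope, or the OpenSSH project. It audits an `sshd_config` fragment for the two settings that matter here (`KbdInteractiveAuthentication`/`ChallengeResponseAuthentication` and `MaxAuthTries`, both real OpenSSH keywords), shows a weak fragment beside a hardened one, and then counts failed attempts per connection in constructed auth-log lines, since a single connection accumulating more failures than `MaxAuthTries` allows is exactly the symptom of the retry exposure. The config fragments, log lines, addresses and process ids are all constructed for the example.

```python
import re
from collections import Counter

# Two constructed sshd_config fragments (illustrative, not from the page or any real host).
# The weak one does what the Reddit discussion warns about: it turns off
# PasswordAuthentication but leaves the keyboard-interactive subsystem at its default.
WEAK_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
# The keyboard-interactive (older name: challenge-response) subsystem also takes
# passwords, so it must be disabled explicitly.
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
# Cap authentication attempts per connection.
MaxAuthTries 3
"""

# sshd default used when the keyword is absent.
DEFAULT_MAX_AUTH_TRIES = 6


def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a
    keyword, which is why setdefault (not assignment) is used here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Report whether keyboard-interactive auth is still reachable and how many
    attempts one connection is allowed."""
    s = parse_sshd_config(text)
    # KbdInteractiveAuthentication is the newer spelling of
    # ChallengeResponseAuthentication; either controls the same subsystem,
    # and the default is "yes".
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    max_tries = int(s.get("maxauthtries", DEFAULT_MAX_AUTH_TRIES))
    findings = []
    if kbd.lower() == "yes":
        findings.append("keyboard-interactive authentication is enabled "
                        "(PasswordAuthentication no does not cover it)")
    if max_tries > DEFAULT_MAX_AUTH_TRIES:
        findings.append(f"MaxAuthTries {max_tries} exceeds the default of "
                        f"{DEFAULT_MAX_AUTH_TRIES}")
    return {"keyboard_interactive_enabled": kbd.lower() == "yes",
            "max_auth_tries": max_tries,
            "findings": findings}


# --- Detection side: failures per TCP connection in sshd's auth log ---------
# Constructed log lines in the shape sshd writes ("Failed <method> for <user>
# from <ip> port <port> ssh2"). One sshd pid plus one source ip:port is one
# connection; eight failures on it is more than the default limit permits.
SAMPLE_LOG = [
    f"Jul 23 10:01:{i:02d} host sshd[4242]: Failed keyboard-interactive/pam for root "
    f"from 198.51.100.7 port 51234 ssh2"
    for i in range(8)
] + [
    "Jul 23 10:01:09 host sshd[4250]: Failed password for invalid user bob "
    "from 203.0.113.9 port 40001 ssh2",
]

FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def failures_per_connection(lines):
    """Count failed attempts keyed by (sshd pid, source ip, source port)."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[(m["pid"], m["ip"], m["port"])] += 1
    return counts


def connections_over_limit(lines, limit=DEFAULT_MAX_AUTH_TRIES):
    """Connections with more failures than MaxAuthTries should ever permit;
    a correctly enforced limit makes this list empty."""
    return sorted(conn for conn, n in failures_per_connection(lines).items()
                  if n > limit)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
    print("suspicious connections:", connections_over_limit(SAMPLE_LOG))
```

Run against a real host, `audit_sshd_config` would take the contents of `/etc/ssh/sshd_config` (remember that `sshd -T` prints the effective values, which is the authoritative view once `Match` blocks and includes are involved), and `connections_over_limit` would take the sshd lines from the auth log; any connection it reports is one that got past the per-connection attempt cap.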
http://googleonlinesecurity.blogspot.com/2015/07/new-research-comparing-how-security.html This paper outlines the results of two surveys--one with 231 security experts, and another with 294 web-users who aren't security experts--in which we asked both groups what they do to stay safe online. We wanted to compare and contrast responses from the two groups, and better understand differences and why they may exist. I agree with all of the points made in this article, with the notable exception of #5—password managers. One of the most common "mass" failure points reported to me is use of password managers. I do not use them, and I strongly recommend that others not use them either. [What is interesting to me is that there is ZERO overlap between the "experts" and the "non-experts". And yes, password managers are just kicking the ball back to the goalie. PGN]
Haley Mlotek, *The New York Times Magazine*, 20 Jul 2015
Apartment hunting in the age of social media.
http://www.nytimes.com/2015/07/20/magazine/what-my-landlord-learned-about-me-from-twitter.html?smprod=nytcore-ipad&smid=nytcore-ipad-share
"There are lies, damned lies, statistics, ..." Galen Gruman, InfoWorld, 24 Jul 2015 It's jeopardizing your business! It's already a passing fad! It's the standard in business today! Why the claims don't add up. http://www.infoworld.com/article/2951555/byod/the-messy-truth-about-byod.html
Looks like a bad idea http://abcnews.go.com/Technology/destructing-gmail-free-chrome-extension/story?id=32667353 A new Chrome extension called Dmail brings its self-destructing super powers to a user's Gmail inbox, allowing users to take control of the messages they send even long after they've been fired off to the recipient ... Messages sent to a friend who has Dmail appear in their inbox as normal. The extension still works if a friend doesn't have the service. They'll instead be given a Dmail link in the email which will take them to the secure message. The potential for confusion or abuse with this extension strikes me as being quite high. Because of the manner in which it may confuse Gmail users who are recipients of messages through "Dmail" who have not chosen to install the Dmail extension, it seems possible that this extension violates the Gmail and/or Chrome Terms of Service.
http://www.betaboston.com/news/2015/07/23/sleazy-internet-domain-sucks-up-the-bucks/

Do I need to point out again that what really sucks is the idea that you can't own your identity and that the web is held together by links that are designed to unravel for no reason other than the artificial scarcity of identifiers? Of course ICANN benefits by this, refilling its coffers by harvesting our misery. That sucks. I still don't understand why we put up with the idea of making failure the default for something so fundamental and vital as our ability to communicate and maintain relationships. It's not the only problem but is one of the more egregious. ICANN.Sucks is a valid use of this TLD. As to the purveyors of the .SUCKS domain, they are doing exactly what ICANN is supposed to do - monetizing people's identity and reputation. Apologies to the creators of ICANN who had the best intentions—sometimes noble ideas do not work out and we need to put them to rest and move on.
Today in issues we never thought a court would weigh in on: if you accidentally pocket dial someone, pulling the move we all know as “butt dialing,” don't expect anything you say during the call you don't know you're making to stay private. The U.S. Court of Appeals for the Sixth Circuit in Kentucky ruled yesterday that a person who butt dials another party during a conversation doesn't have a reasonable expectation of privacy. This, because everyone knows about such accidental calls and there are a lot of ways to prevent such a thing from happening. That means anyone who happens to be listening in on the call that came in on their phone isn't violating privacy laws by recording that conversation, the three-judge panel determined. http://consumerist.com/2015/07/22/court-you-have-no-right-to-privacy-when-you-butt-dial-someone/ But(t)—I didn't mean to dial! Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
A city measure requiring retailers to warn cellphone customers about radiation exposure is on hold pending a lawsuit from the wireless industry. http://www.nytimes.com/2015/07/22/us/cellphone-ordinance-puts-berkeley-at-forefront-of-radiation-debate.html
http://www.washingtonpost.com/news/morning-mix/wp/2015/07/23/bison-selfies-are-a-bad-idea-tourist-gored-in-yellowstone-as-another-photo-goes-awry/ [Let's let bi-sons be bi-sons! PGN]
For the latest episode of Silver Bullet, we spoke to two of the fifteen co-authors of the Keys Under Doormats paper describing the technical peril of implementing crypto back doors as FBI Director Comey has suggested. Steve Bellovin comes at the problem with years of experience and direct involvement in the first crypto wars. Matthew Green comes to the problem with a solid understanding of applied cryptography in real world systems. Have a listen: http://bit.ly/SB-crypto-wars
FYI—Shoot oneself in the foot; see 127.0.0.1. https://en.wikipedia.org/wiki/Localhost Allegedly Infringing URLs: http://127.0.0.1:4001/#/fr/ https://i.imgur.com/V4ZAXEa.png https://www.chillingeffects.org/notices/10969223
HuffPost via NNSquad http://www.huffingtonpost.com/bruce-kushnick/is-verizon-planning-on-be_b_7866124.html Of course almost everyone reading this has a cell phone. But, you may have been misled if you believe that the wires don't matter or that wireless services alone are the future.