Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Folk in the NYC area, especially commuters from Long Island, may remember a plane that crash landed on Long Island Railroad tracks earlier this month. [NTSB] [Private plane having engine trouble.. ATC giving him directions...] The controller then provided information on "Bethpage strip" and informed the pilot that the airport was closed; however, there was a runway there. .... An examination of the area of the former Bethpage Airport revealed that industrial buildings occupied the former runway surface area. The accident site was located about 0.25 nm northwest of the former runway's approach end. ^^^^^^^ rest: http://www.ntsb.gov/_layouts/ntsb.aviation/brief.aspx?ev_id 150816X95657&key=1
FYI—I guess this means that encryption is now mandatory? "Wyndham allowed its partner hotels to store credit card information in plain text" 'The FTC argued that “taken together, [Wyndham] unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.'' "the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information." http://arstechnica.com/tech-policy/2015/08/ftc-can-sue-companies-with-poor-information-security-appeals-court-says/ FTC can sue companies with poor information security, appeals court says Court says Wyndham hotels practices could be considered `unfair' and `deceptive'. Megan Geuss - Aug 24, 2015 9:47 pm UTC On Monday, a federal appeals court ruled that the Federal Trade Commission (FTC) has the power to take action (PDF) against companies that employ poor IT security practices. The ruling, from the United States Court of Appeals for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham Worldwide Corporation, which manages a collection of hotels throughout the US. http://cdn.arstechnica.net/wp-content/uploads/2015/08/Wyndham-opinion-1.pdf In 2008 and 2009, Wyndham suffered three different breaches of its network, ultimately losing payment card information for more than 619,000 customers and causing $10.6 million in loss due to fraud. The FTC sued Wyndham in 2012 for failing to protect its customers from hackers, and Wyndham countered by saying that it was a victim of the hack itself and should not be penalized by the FTC for the breach.
http://www.slate.com/blogs/future_tense/2015/08/24/rand_report_self_driving_cars_could_give_police_new_powers.html What's less clear is where to draw the line. If a police officer can command a self-driving car to pull over for his own safety and that of others on the road, can he do the same if he suspects the passenger of a crime? And what if the passenger doesn't want the car to stop--can she override the command, or does the police officer have ultimate control? I've been saying for ages that governments will demand access to sensor data and the ability to control these vehicles, both individually and en masse. They'll be able to effectively close down a city, lock your doors and drive you direct to the police station, and more. Don't believe it? It's inevitable if autonomous cars go mainstream.
FYI—Obviously, the head-in-the-sand (or some other orifice) approach isn't working... "There is a sociopathic economic rationality to silencing researchers who come forward with bugs." "GM... says that your car is a copyrighted work and that researching its bugs is a felony form of piracy." "Volkswagen sued security researchers ... over disclosure of major bugs in VW's keyless entry system." Cory Doctorow, BoingBoing, 23 Aug 2015 Car information security is a complete wreck—here's why https://boingboing.net/2015/08/23/car-information-security-is-a.html
FYI—It's time for Dan to host a "Top Geer" TV show... Those '50's cars in Cuba are looking more attractive all the time! "Not all of the vehicles that might be vulnerable ... can be patched easily." "car companies have even sued researchers to shut them up" "the network effect of a vulnerable remote connection to a vehicle increases the odds that something can be hacked" "start sending CAN bus signals to your engine controller and theoretically make your engine explode" "the [OBD II] port allows devices to jack directly into the CAN bus" "CAN is a multi-master bus, and thus any device with a CAN transceiver is able to send messages as well as receive" "transmit access to the CAN bus is frequently sufficient to obtain arbitrary control over all key vehicular systems (including throttle and brakes)" "updates can't fix ... problems that may be in systems that can't be remote updated, or updated at all." "Automakers essentially hope that by deterring security researchers from investigating their systems, they can keep potential vulnerabilities hidden." Sean Gallagher, Ars Technica, 23 Aug 2015 Highway to hack: Why we're just at the beginning of the auto-hacking era http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/ A slew of recently revealed exploits show gaps in carmakers' security fit and finish. Sean Gallagher's long, comprehensive article on the state of automotive infosec is a must-read for people struggling to make sense of the summer's season of showstopper exploits for car automation, culminating in a share-price-shredding 1.4M unit recall from Chrysler, whose cars could be steered and braked by attackers over the Internet. All complex systems have bugs. Even well-audited systems have bugs lurking in them (cough openssl cough). Mission-critical systems whose failings can be weaponized by attackers to wreak incredible mischief are deeply, widely studied, meaning that the bugs in the stuff you depend on are likely being discovered by people who want to hurt you, right now, and turned into weapons that can be used against you. Yes, you, personally, Ms/Mr Nothing To Hide, because you might be the target of opportunity that the attacker's broad scan of IP addresses hit on first, and the software your attacker wrote is interested in pwning everything, regardless of who owns it. The only defense is to have those bugs discovered by people who want to help you, and who then report them to manufacturers. But manufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs. In the computer world, the manufacturers have largely figured out that threatening researchers just makes their claims more widely know (the big exceptions are Oracle and Cisco, but everyone knows they're shitty companies run by assholes). The car industry is nearly entirely run by Oracle-grade assholes. GM, for example, says that your car is a copyrighted work and that researching its bugs is a felony form of piracy. Chrysler was repeatedly informed about its showstopper, 1.4M-car-recalling bug, and did nothing about it until it was front-page news. Volkswagen sued security researchers and technical organizations over disclosure of major bugs in VW's keyless entry system. Ford claims that its cars are designed with security in mind, so we don't have to worry our pretty little heads about them (because openssl was not designed with security in mind?). None of this stops bad guys from learning about the bugs in these systems -- it just stops you, the poor sucker behind the wheel, making payments on a remote-controllable deathmobile, from learning about them. Tesla, at least, has a bug-bounty program and a commitment to transparency. But the bugs that researchers found are pretty heinous and difficult to comprehensively mitigate. Gallagher's article explains in eye-watering detail the dumb technological decisions the car-makers made that got us into this mess, but more importantly (and less prominently), the culture of the car-makers that has allowed this situation to come to pass. Even if the technological boondoggles can be fixed, we're still in a lot of trouble unless we can sort out their culture. [...]
Twitter's recent decision to cutoff API access to a site that memorializes tweets from politicians, and that refuse to bar access to such tweets after a political figure decides to hide a given tweet, presents an unusual twist on the right to be forgotten. Twitter's position is apparently that it is protecting its users' right to have their own inconvenient past statements *forgotten*. http://venturebeat.com/2015/08/24/twitter-shutters-service-that-saved-politicians-deleted-tweets/ Paul Alan Levy, Public Citizen Litigation Group, 1600 20th Street, NW Wash. D.C. 20009 (202) 588-7725 http://www.citizen.org/Page.aspx?pid96
FYI—If you believe in representative democracy and the First Amendment, the right for politicians' words to be forgotten is the ultimate poison pill. It remains to be seen why Twitter would shut down a service that preserves politicians' embarrassing tweets, but if the reason was to ingratiate Twitter with said politicians, then Twitter should lose all of its Fourth Estate privileges. It's time to incorporate tweets into a Bitcoin-style blockchain so that it will be impossible to delete them. https://en.wikipedia.org/wiki/Fourth_Estate - - - - Open State Foundation promotes digital transparency by unlocking open data and stimulates the development of innovative and creative applications. http://www.openstate.eu/2015/08/twitter-cuts-off-diplotwoops-and-politwoops-in-all-remaining-30-countries/
This case troubles me for many reasons. The police officers were wrong. The prosecutors were wrong. Yet *no one* will remain in jail. I'm sure that this case will be used as an excuse to eliminate anonymous postings on the Internet, but this would be the equivalent to removing everyone's right to drive due to the bad behavior of a few drivers. Furthermore, the apparently voluminous nature of the anonymous postings from prosecutors makes one wonder about the volume of leaks to reporters from "knowledgeable sources"—i.e., prosecutors—in many/most other cases. There seems to be a systematic perversion of the right to a fair trial by unethical prosecutors. >From the Appeals Court ruling: http://www.ca5.uscourts.gov/opinions/pub/13/13-31078-CR0.pdf 'That three supervisory-level prosecutors committed misconduct in connection with the Danziger Bridge prosecution is beyond dispute. Perricone's comments spanned the entire prosecution and went directly to the guilt of the defendants, the collective guilt of NOPD, and the relative competence and integrity of defense counsel versus the USAO. Dobinski's comments stirred the pot by encouraging commenters who were plainly familiar with the trial proceedings, one of whom was Perricone, to keep doing a `public service' with their biased reports. Mann's comments, posted during post-trial sentencing proceedings, displayed partiality toward the prosecution and denigrated the district court and defense counsel in another Danziger Bridge case.' 'The government acknowledges significant, repeated misconduct by Perricone and Jan Mann and, to a lesser extent, Dobinski. [...]
FYI—"Should auld acquaintance be forgot, and never brought to mind?" Remember the hacker's dictionary entry: "Recursion. See recursion." The Right-To-Be-Forgotten (RTBF) is now being abused to take down stories about RTBF itself. Remember the old joke about how to stop a robot: yell "Control-C". Well, the new joke about RTBF is to yell "Control-Z" (undo on Windoze). One of the comments on this TechDirt story: "Recursive Journalism: TechDirt should prepare a recursive strategy for these cases. Nest the prior story inside a new one with an iterative counter. Repeat until it's turtles all the way down." https://www.techdirt.com/articles/20150824/13495432050/google-disappears-techdirt-article-about-right-to-be-forgotten-due-to-right-to-be-forgotten-request.shtml Google Disappears TechDirt Article About Right To Be Forgotten Due To Right To Be Forgotten Request Mike Masnick, TechDirt, 25 Aug 2015 Well, well. Just a few days ago, we wrote about the fact that Google was being asked to "forget" articles about the right to be forgotten, under new right to be forgotten requests... and suddenly we've been notified that a Techdirt article about the right to be forgotten has been similarly stuffed down the memory hole*. The article in question, is our story from last fall about *The NY Times* writing about the right to be forgotten requests that resulted in *NY Times* articles disappearing from some searches. The *NYT* detailed what each story was about and it wasn't too difficult to figure out who was likely trying to make sure the articles were no longer linked to their names. It would appear that one of those individuals similarly has sent in this request—but that's completely bogus, as we'll explain in a moment. First up, the notice: Due to a request under data protection law in Europe, we are no longer able to show one or more pages from your site in our search results in response to some search queries for names or other personal identifiers. Only results on European versions of Google are affected. No action is required from you. [...] [Very long message truncated for RISKS. PGN]
Maria Korolov, InfoWorld (CSO) 24 Aug 2015 When a security incident involves virtual machines, the recovery costs double compared to that of a traditional environment. http://www.infoworld.com/article/2975001/security/virtualization-doubles-the-cost-of-security-breach.html
FYI—For example, using the hacked OPM database and the techniques in this DEFCON talk, one could (virtually) "kill" all 22 million people in the OPM database—or at any rate, get an official death certificate issued for each and every one of them. The appropriate web sites even have an "upload bulk death registration" button for your convenience. Slides: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20&%20Workshop%20Materials/Chris%20Rock/DEFCON-23-Chris-Rock-I-Will-Kill-You-How-to-Get-Away-with-Mu.pdf Book: http://www.amazon.com/Baby-Harvest-terrorist-criminal-laundering/dp/1515014576/ Video: https://www.youtube.com/watch?vŸdHq3WfJgs DEF CON 23 - Chris Rock - I Will Kill You, 14 Aug 2015 Have you ever wanted to kill someone? Do you want to get rid of your partner, your boss or your arch nemesis? Perhaps you want to enjoy your life insurance payout whilst you're still alive. Do you have rich elderly parents that just won't die quick enough? Or do you want a `Do Over' new identity. Then, this presentation is for you! I'll provide you with the insight and techniques on how to `kill' someone and obtain a real death certificate and shutdown their lives. It focuses on the lack of security controls that allow any of us to virtually kill off anyone or any number of people. Forget the Dexter way of killing someone, I'll show you how to avoid the messy clean up and focusing in on the digital aspects. You could be dead right now and not even know it. [...]
FYI—Yet another reason to convert *everything* to HTTPS... http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/ Jonathan Mayer (CS+Lawyer, Stanford), Web Policy, August 25, 2015 While traveling through Dulles Airport last week, I noticed an Internet oddity. The nearby AT&T hotspot was fairly fast—that was a pleasant surprise. But the web had sprouted ads. Lots of them, in places they didn't belong. [...]
In response to: Re: Intel to customers: We listen to you... All The Time! (Maziuk) Henry Baker pointed us towards: https://www.springer.com/cda/content/document/cda_downloaddocument/9781893115729-c1.pdf which says: > Once such variant is 3DES, which will increase the effective key > length to 112 bits or 168 bits, depending on how it's implemented. strongly implying that the "work factor" explained a few lines up would be 2^168 for the 168 bit key length. Wouldn't it be nice to know something about cryptography before writing about it? No matter how many keybits (112/168) you throw at 3-DES, I understand that there is a "meet in the middle" attack that always restricts the amount of work to break it to about 2^112. So 3-DES with more than 112 key bits only serve to instill a false sense of security to those who don't know the details. Moore's law implies we can break 10 more bits every 2 decades. Want to keep a secret for a century (or don't want to be forced to change your encryption system (*)), you need a "margin" of at least 5*10 = 50 bits. Assuming 60 bits is broken today in 2015, 3DES will expire in 2115, even if you use 168 bits. (*) Of course the /system/ can be broken in that period. But if you design a margin of say only 20 bits, you can be SURE that you have to change the encryption scheme in a few decades. R.E.Wolff@BitWizard.nl http://www.BitWizard.nl/ +31-15-2600998 Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233
I noted Geof Kuenning's post about low level hardware controllers to prevent an 'all green' event on traffic lights with a failsafe mode. In a previous job we did some vulnerability research in a lab on a system made by a European manufacturer that controlled traffic lights. By using ladder logic analysis we worked out which memory locations to alter in order to set all the lights to green or red. It worked. Either they don't have that kind of fail-safe controller or we defeated even that. regards David AlexanderEngland
About a year ago I switched to a paid outgoing SMTP service (US$45/year) with better spam prevention logic. Worth every cent.
In the post by Monty Solomon on the developments by PageFair, they seem to have forgotten the basics of human nature. I have been using AdBlock and Ghostery for years and love the freedom they give me from intrusive adverts that annoy me and from <expletive deleted> that I don't want cluttering up my web pages and trying to track my activity. I appreciate that some North American readers may find the concept of privacy a bit 'quaint' but in Europe we guard it as closely and value it as fiercely as many Americans do the right to bear arms. If PageFair think that I am going to be receptive to advertising that finds a way round the blocking features I use then they have another think coming. I am going to be actively hostile towards the companies supplying the technology and those using it to advertise. They run the of alienating their potential customers and losing market share, not gaining it. If I have to choose between receiving adverts and there being a lot less web content available, I'll take less web content every time.
[Jeremy Epstein said, My bank's ATMs have this same "feature", but clicking "yes" just avoids reswiping the card. You still have to re-enter the PIN.] I have used the YES to do more transactions, without having to do the PIN# again. It has been a while since I last tried that, maybe they changed it since. [John Levine said, My bank does that, but demands that I re-enter my PIN if I pick YES for another transaction. Perhaps they're not quite as dumb as they seem. I have occasionally used the YES NO screen at the end of one of my transactions, to do another one. I did not have to enter my PIN # for the later transaction. Usually the customer in front of me is in another personal auto. The last time, it was vehicle of a major company. If that was not his personal account, there might be a lot in there. My bank limits what can be withdrawn via ATM in a day, to a few hundred $, or at least they used to.
So: hang back and use binoculars. Pull on a ski mask and walk or drive up (having covered the license plate). Grab money. That sounds pretty foolproof to me. However, you'd better do it soon because customers will start catching on. (And my own (big) banks have had the multi-transaction capability for decades. So I'd have to suspect the RISK is small since there are relatively few latecomers to the technology.) Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/
Please report problems with the web pages to the maintainer