Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
[No one seems to be making any public explanations, except for this writeup at the Voice of America:] Computer Crash Halts US Visa, Passport Operation The U.S. State Department says a computer glitch will delay passports and visas being issued from its embassies around the world. Officials in Washington say the computer glitch discovered on Saturday (the VOA report was Thursday/ed) potentially could leave millions of people waiting for U.S. travel documents. State Department spokeswoman Marie Harf said the problem is worldwide, and not specific to any country, documents or visa category. She says it will stall the issuance of U.S. passports, visas and reports of Americans born abroad. rest: http://www.voanews.com/content/us-visa-passort-operation-halted-by-computer-crash/1964222.html
Lauren Lyster, Yahoo Finance, 23 Jul 2014 A Tennessee city with fewer than 200,000 residents has arguably become private cable companies' worst nightmare. How? The city of Chattanooga's public electric utility provides super-fast broadband Internet service to residents at competitive prices. Now, the utility—the EPB—is trying to expand its reach beyond city limits. Private sector telecom companies are fighting this effort and appear worried other cities will follow Chattanooga's lead. To expand to more residents in a state where one in five are without Internet access, the EPB needs the Federal Communications Commission to preempt a statute that prohibits the utility from competing with private telecom companies outside its current market. David Sirota, senior writer at International Business Times, tells us in the video above telecom companies are trying to get the FCC to not to preempt this law. As for why this issue exists, Sirota argues "private cable companies don't like publicly-owned municipalities to compete with them," and so have successfully lobbied for passage of laws in 20 states that ban or restrict local governments from offering Internet service. Check out the video to see how Chattanooga, known as "Gig City," has been able to offer what analysts say is the fastest Internet in the country—50 times the average speed for homes in the rest of the U.S.—for $70 a month. http://www.nytimes.com/2014/02/04/technology/fast-internet-service-speeds-business-development-in-chattanooga.html?_r=0 Meanwhile, hundreds of municipalities are reportedly laying their own fiber networks, and more than 100 have started offering Internet access already. Sirota thinks cities and towns will use what limited power they have to continue doing this, saying the "fight will be can they move this from successful model places like Chattanooga outwards." Sirota anticipates a renewed round of lobbying from big telecom companies. ... <http://www.governing.com/columns/eco-engines/col-public-or-private-sector-who-controls-broadband.html>
[Via Dave Farber] Apparently the insurance industry and the utility folks are beginning to look at the security issues around "smart grids", and realizing the risks..... Quick Take: As an industry, we've done a lot of thinking about the smart meter cost/benefit equation. But I wonder if we've adequately considered what would happen if smart meters made insurance rates go up? Two recent articles in the Insurance Journal suggest that the insurance industry is waking up to this new concern. Jesse Berst http://www.smartgridnews.com/artman/publish/Technologies_Metering/Smart-meters-are-a-time-bomb-for-utilities-warns-insurance-expert-6652.html and, from The Insurance Journal.... Last November, Felix Lindner came very close to shutting down the power supply of Ettlingen, a town of almost 40,000 people in the south of Germany. “We could have switched off everything: power, water, gas,'' Lindner, head of Berlin-based Recurity Labs, an IT security company, said. Fortunately for residents, Lindner's cyber attack on its energy utility, Stadtwerke Ettlingen, was simulated. But he revealed how easy it was to hack into the utility's network through its IT grid, which gave him access to its control room. “The experiment has shown that sensitive, critical infrastructure is not sufficiently protected,'' said Eberhard Oehler, managing director of the utility, Stadtwerke Ettlingen. Cyber attacks on infrastructure have become a major worry for utilities following the 2010 Stuxnet computer virus, which experts believe was used by Israel and the United States to make some of Iran's nuclear centrifuges tear themselves apart. [...] http://www.insurancejournal.com/news/international/2014/07/18/335214.htm
Andy Greenberg, *WiReD*, 24 Jul 2014 (Via Dave Farber) http://www.wired.com/2014/07/how-hackers-hid-a-money-mining-botnet-in-amazons-cloud/ Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing power from innocent victims when there's so much free processing power out there for the taking? At the Black Hat conference in Las Vegas next month Ragan and Salazar plan to reveal how they built a botnet using only free trials and freemium accounts on online application-hosting services—the kind coders use for development and testing to avoid having to buy their own servers and storage. The hacker duo used an automated process to generate unique e-mail addresses and sign up for those free accounts en masse, assembling a cloud-based botnet of around a thousand computers. That online zombie horde was capable of launching coordinated cyberattacks, cracking passwords, or mining hundreds of dollars a day worth of cryptocurrency. And by assembling that botnet from cloud accounts rather than hijacked computers, Ragan and Salazar believe their creation may have even been legal. “We essentially built a supercomputer for free,'' says Ragan, who along with Salazar works as a researcher for the security consultancy Bishop Fox. “We're definitely going to see more malicious activity coming out of these services.'' Imagine a distributed denial-of-service attack where the incoming IP addresses are all from Google and Amazon Companies like Google, Heroku, Cloud Foundry, CloudBees, and many more offer developers the ability to host their applications on servers in faraway data centers, often reselling computing resources owned by companies like Amazon and Rackspace. Ragan and Salazar tested the account creation process for more than 150 of those services. Only a third of them required any credentials beyond an e-mail address—additional information like a credit card, phone number, or filling out a captcha. Choosing among the easy two-thirds, they targeted about 15 services that let them sign up for a free account or a free trial. The researchers won't name those vulnerable services, to avoid helping malicious hackers follow in their footsteps. “A lot of these companies are startups trying to get as many users as quickly as possible. They're not really thinking about defending against these kinds of attacks.'' ...
We need to recognize we're in the last days of the "people-moderated processes," i.e., where things can't happen so fast, as they depend on individuals' actions. We're well into an age where the right tail of "smart software" has overlapped the left tail of "humans," in terms of ability to respond to various tests, e.g., captchas, or even carrying on a simple conversation... given the keyhole of "text over the Internet," it's getting easier and easier for bots to pass. (And yet, tests can't be made harder, lest more and more average humans fail in false negatives.) Any system that depends on mapping obligations to individuals, and doesn't account for the problem that bots can masquerade as individuals, is asking for trouble. The trouble is, here, that the trouble they get ends up having its greatest impact on third parties. So I think we also ought to pay a good deal more attention to the economics and liability side of security... I attended the UC Berkeley workshop organized by Hal Varian, Ross Anderson, and Bruce Schneier, et al., more than a decade ago ( http://www.cl.cam.ac.uk/~rja14/econws.html ), and more of that would be a good thing. We are seeing lots of problems by start-ups (and not so young companies, too) wildcatting "undervalued" resources (e.g., throwing a bunch of servers into a cloud to dramatically reduce the cost of cycles) while failing to pay full price for the consequences (e.g., suffering the cost of strong authentication).
[From SECURITY-SIG via Dave Farber] Notice from Black Hat https://www.blackhat.com/latestintel/07212014-a-schedule-update.html PC World article http://www.pcworld.com/article/2456700/black-hat-presentation-on-tor-suddenly-cancelled.html Maybe Tor anonymity is *more* easily subverted than we might think?
"The Scientific Production Association for Special-Purpose Equipment and Communications of the Russian Interior Ministry is offering a contract for researching methods of obtaining technical information about users and user equipment on the Tor anonymous network, according to an entry on the Russian government's procurement portal. It's not clear what Tor de-anonymization would be used for, but the fact that the tender comes from the Russian Ministry of Interior suggests that it could serve law enforcement investigations." (PC World): http://www.pcworld.com/article/2458420/russian-government-offers-money-for-identifying-tor-users.html
Serdar Yegulalp | InfoWorld, 21 Jul 2014 Security researcher says undocumented services allow Apple and law enforcement to access the contents of any iOS device http://www.infoworld.com/t/mobile-security/ios-devices-are-still-safe-everybody-except-apple-and-the-nsa-246678
A driver on a British motorway was startled when the digital driver information display showed "Fire", and they rapidly pulled on to the hard shoulder and abandoned the car for safety. However, when the police arrived it turned out that it was simply part of the name of the Adele track they were listening to. Very possibly a risk occasioned by some people becoming reliant on technology and failing to engage brain. Shouting Fire!' generates a visceral reaction in Jo Public, but in other situations can effect the wrong response. Some years ago, in a joint European naval exercise, officers were exchanged between vessels. A Belgian Gunnery Officer found himself on the bridge of a British warship, manning the torpedo control. As part of a separate test, a rating screamed: "Fire!" 'Guns' immediately pressed the button and a torpedo arched from its tube and hit the water running, straight towards another ship. Fortunately it had a dummy warhead. The captain took the Belgian officer to one side and explained that, to avoid such mistakes, the Royal Navy used the word "Shoot!".
> But then, how do you delete a file called -rf, for instance?
Aw, come on. This is one of the questions that's been asked and answered on
unix mailing lists and BBSes about once a week since the 1970s. (There are
many answers but one of the simplest is "rm ./-rf".)
If you want to force a command to take subsequent arguments as file names,
the typical approach is to use a "--" argument that says it's the end of the
flags, but there are other ways, too.
It is true that if you don't know what you're doing, you can shoot yourself
in the foot in Unix shell scripts. Is this really news? Is it that
different from any other programming language? I'm not sure what to call
the risk of people who don't do their homework and blame everyone but
themselves when they screw up.
[Also noted by R A Lichtensteiger, who adds:
"This sort of file appears every time someone writes a shell script
that directs data into a file named ${FOO}-${BAR}-something and fails
to initialize $FOO, $BAR, or both.
So, this is the sort of question I would ask an entry-level candidate
for a sysadmin position, as a filter."
PGN]
Frankly, both scenarios (dogs positively identifying DVDs or portable memory devices) fail my sniff test (sorry PGN, you had your chance :). Can a dog detect the smell of microelectronics with its nose? Plausibly. Can a dog distinguish between different types of electronic devices by smell? Highly unlikely, in my estimation. I anticipate that evidence found via warrants issued with this premise as justification will be ultimately ruled inadmissible. My speculation is that with Richard Nixon's War On (Some) Drugs on its last lame leg, the cops are desperately seeking additional funding sources, and willing to stoop to fraud to obtain it (shocking, that). A little ground beef smeared on the search objects beforehand would easily duplicate these results. [Perhaps the dog had one leg up on the situation? PGN]
Please report problems with the web pages to the maintainer