The Dutch bank Knab announces a new service dubbed 'Knab Social' to transfer money from a customer's bank account using Facebook or the contacts list in their phone. The bank's website at https://www.knab.nl/mobiel-betalen (sorry, Dutch only) explains how it works:

"Did your friends advance a dinner for you? Soon you can pay them back quickly via Facebook or a text message. Simply using your Knab App. Handy, because you don't have to ask them for their IBAN!

How does it work?
1. Select a friend via Facebook or your mobile address book.
2. Your friend receives a message that you want to pay money to him.
3. Your friend enters his IBAN and receives the money."

What would you do if you received a message that promises you money, if only you provide your own bank account details? What do you do when some rogue software decides to send a 'Knab Social' message to all your contacts, as a Christmas present, emptying your account in the process? In other words: what could possibly go wrong?
Brett Molina and Mike Snider, USA TODAY, 10:01 a.m. EDT, August 27, 2014

Time Warner Cable dealt with a major Internet outage early Wednesday. During routine network maintenance at 4:30 a.m. ET today, "an issue with our Internet backbone created disruption with our Internet and On Demand services," said Time Warner Cable vice president for public relations Bobby Amirshahi in an e-mail exchange. "As of 6 a.m. ET, services were largely restored as updates continue to bring all customers back online," he said. [...] Coincidentally, on Monday, Time Warner Cable agreed to pay a $1.1 million penalty to the Federal Communications Commission for failing to file "a substantial number" of proper reports on outages that it had notified the agency about.

http://www.usatoday.com/story/money/2014/08/27/time-warner-outage/14670747/
BBC News Technology (via Dave Farber)

When walking through the centre of a busy city it is easy to feel anonymous. Set against the cacophony of sharing and declaring that happens online, it can be precious to feel that, just for a moment, you are lost in a crowd. Unidentifiable. It is, of course, an illusion. You are never alone, especially if you are carrying a smartphone that has ever been used to connect to a wireless network. Which is pretty much all of them. All of those devices maintain a list of the wi-fi networks they have joined. The way wi-fi works demands that they always seek to rejoin those networks. As a result, smartphones and tablets regularly broadcast the SSIDs (service set identifiers), or names, of those networks. It's a feature designed to ensure that when you are near a network you regularly use, you get connected quickly.

Wave snooping

However, with the right equipment, that very feature could leave you exposed to some sneaky surveillance. The right equipment is a laptop on which Kali Linux - a version of the free operating system that includes a raft of security tools - is loaded. One of those tools can sniff the airwaves for lists of SSIDs. I tried it for myself. Sipping a latte in a coffee bar that lay in the shadow of the Bank of England, I watched as my laptop gathered a list of all the wi-fi networks the people around me had joined. When anyone walked past the window, the list grew, as a new device being carried in a pocket or purse declared where it had been. I saw the names of wi-fi networks in homes, airports and hotels. Ones that people had changed to include their surname. I saw office networks, other coffee shops, bars, station platforms and football stadiums. "So what?" you might say. Just because a phone is shedding this data does not make it dangerous. But combine those lists with websites that log and list wi-fi networks and you potentially have a way to track where people have been without letting them know.
Those websites are easy to find and they handily map all the networks that volunteers have logged. I entered a few of the names I found during my surveillance trip and it pointed me to quite a few homes in and around London - doubtless where the people that passed by actually lived. And now I knew that they were not home.

Full story at http://www.bbc.co.uk/news/technology-28891937

School of Computing Science, Newcastle University, Newcastle upon Tyne, NE1 7RU, UK
+44 191 222 7923 http://www.cs.ncl.ac.uk/people/brian.randell
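The correlation the BBC piece describes, written out as an added example (this is not code from the article, from Kali, or from any of the SSID-mapping sites): probe-request records are turned into a per-device list of remembered networks and joined against a location table. Both the capture lines and the SSID-to-location table below are constructed; real records would come from a monitor-mode capture and real locations from a public wardriving database. The one check added beyond the article is the locally-administered bit of the client MAC, which a randomised probe address sets and which means the address cannot be relied on to identify one physical device over time.

```python
"""Correlate Wi-Fi probe-request SSIDs with known network locations.

Added example, not code from the BBC story. The capture lines and the
SSID-to-location table are constructed: real records would come from a
monitor-mode capture and real locations from a public wardriving database.
"""
from collections import defaultdict

# Constructed probe-request records: epoch seconds, client MAC, probed SSID.
# A capture tool exports the same three fields for each 802.11 probe request;
# an empty SSID is a wildcard probe and reveals no history.
PROBE_LOG = """\
1409130000\tac:de:48:00:11:22\tBTHub3-XYZ1
1409130001\tac:de:48:00:11:22\tHeathrow Wi-Fi
1409130002\tac:de:48:00:11:22\tThe Smiths Home
1409130003\t00:1a:2b:3c:4d:5e\tStarbucks
1409130004\t00:1a:2b:3c:4d:5e\tBTHub3-XYZ1
1409130005\t02:11:22:33:44:55\tThe Smiths Home
1409130006\tac:de:48:00:11:22\t
"""

# Constructed stand-in for the volunteer-logged SSID databases the article
# refers to; a real lookup would query such a service by SSID.
KNOWN_NETWORKS = {
    "BTHub3-XYZ1": "residential street, Islington",
    "The Smiths Home": "house, Croydon",
    "Heathrow Wi-Fi": "Heathrow airport",
}


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set. Randomised
    probe addresses are locally administered, so such a MAC cannot be
    assumed to identify one physical device across captures."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def parse_probes(log):
    """Map each client MAC to the ordered list of distinct SSIDs it probed for."""
    seen = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, mac, ssid = line.split("\t", 2)
        if ssid and ssid not in seen[mac]:
            seen[mac].append(ssid)
    return dict(seen)


def locate_devices(probes, known):
    """For each device, list the (ssid, location) pairs the database can
    place, and flag MACs that cannot be trusted as stable identifiers."""
    report = {}
    for mac, ssids in probes.items():
        hits = [(ssid, known[ssid]) for ssid in ssids if ssid in known]
        report[mac] = {
            "randomised_mac": is_locally_administered(mac),
            "places": hits,
        }
    return report


if __name__ == "__main__":
    for mac, info in locate_devices(parse_probes(PROBE_LOG), KNOWN_NETWORKS).items():
        tag = " (locally administered MAC)" if info["randomised_mac"] else ""
        print(mac + tag)
        for ssid, where in info["places"]:
            print("  %r -> %s" % (ssid, where))
```

Run as a script it prints, per device, the networks that could be placed. The device with three placeable SSIDs is the one whose owner's home, airport and named home network are all exposed; the 02:... address is flagged because its first octet has the locally-administered bit set.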
FYI—Some sort of accident setting off an automatic response is precisely the sort of thing that Edward Snowden, Matt Blaze & Martin Libicki (of Rand Corp.) worry about. As is usual in a lot of situations (including some human diseases), the defense response may cause far more damage than the initial incident.

http://www.theverge.com/2014/8/27/6073827/time-warner-cable-suffers-nationwide-internet-outage
Time Warner Cable says botched 'maintenance' caused nationwide Internet outage
Chris Welch, *The Verge*, 27 Aug 2014

It's probably a good thing that Time Warner Cable schedules its network maintenance for really early in the morning. That way, when things go terribly wrong and Internet somehow gets knocked out across the entire United States, most customers are asleep and none the wiser. That's exactly what happened today; the company says that at around 4:30AM this morning, routine maintenance took a decidedly bad turn and left every single Time Warner Cable customer without web access. Nationwide outages are fairly uncommon — especially when you're talking about an ISP the size of Time Warner Cable, which provides high-speed broadband to 11.4 million residential customers.

"Just spoke to Time Warner Cable customer service, TWC is down and out nationwide. No Internet. #timewarner" —Glenn Clark (@glennclarkcsm), 27 Aug 2014

"An issue with our Internet backbone created disruption with our Internet and On Demand services," the company said in a statement. "As of 6AM ET services were largely restored as updates continue to bring all customers back online." Some customers are still intermittently reporting issues, but most are already back up and running. Even so, the embarrassing mishap won't do Time Warner Cable any favors in the eyes of customers as it continues its quest to merge with Comcast. It's a bit disconcerting that a botched maintenance session could result in such severe consequences.
We should note that the disruption didn't affect cable reception (aside from on-demand programming), nor did it interrupt TWC's voice services. But anyone that needed an Internet connection early Wednesday morning had to look elsewhere. Presumably some of those people turned to smartphone tethering as a temporary solution; Comcast counts LTE and wireless carriers among its competition, after all.

http://www.wired.com/2014/08/nsa-monstermind-cyberwarfare/
Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously
Kim Zetter, *WiReD*, 13 Aug 2014

Edward Snowden has made us painfully aware of the government's sweeping surveillance programs over the last year. But a new program, currently being developed at the NSA, suggests that surveillance may fuel the government's cyber defense capabilities, too. The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government's policies around offensive digital attacks. Although details of the program are scant, Snowden tells WIRED in an extensive interview with James Bamford that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat. Cryptographer Matt Blaze, an associate professor of computer science at the University of Pennsylvania, says if the NSA knows how a malicious algorithm generates certain attacks, this activity may produce patterns of metadata that can be spotted.
"An individual record of an individual flow only tells you so much, but more revealing might be patterns of flows that are indicative of an attack. If you have hundreds or thousands of flows starting up from a particular place and targeted to a particular machine, this might indicate you're under attack. That's how intrusion detection and anomaly-detection systems generally work. If you have intelligence about the attack tools of your adversary, you may be able to match specific patterns to specific tools that are being used to attack." Think of it as a digital version of the Star Wars initiative President Reagan proposed in the 1980s, which in theory would have shot down any incoming nuclear missiles. In the same way, MonsterMind could identify a distributed denial of service attack lobbed against US banking systems or a malicious worm sent to cripple airline and railway systems and stop—that is, defuse or kill—it before it did any harm. More than this, though, Snowden suggests MonsterMind could one day be designed to return fire—automatically, without human intervention—against the attacker. Because an attacker could tweak malicious code to avoid detection, a counterstrike would be more effective in neutralizing future attacks. Snowden doesn't specify the nature of the counterstrike to say whether it might involve launching malicious code to disable the attacking system, or simply disable any malicious tools on the system to render them useless. But depending on how it's deployed, such a program presents several concerns, two of which Snowden specifically addresses in the WIRED story. First, an attack from a foreign adversary likely would be routed through proxies belonging to innocent parties—a botnet of randomly hacked machines, for example, or machines owned by another government. A counterstrike could therefore run the risk of embroiling the US in a conflict with the nation where the systems are located.
What's more, a retaliatory strike could cause unanticipated collateral damage. Before returning fire, the US would need to know what it is attacking, and what services or systems rely upon it. Otherwise, it could risk taking out critical civilian infrastructure. Microsoft's recent move to take down two botnets—which disabled thousands of domains that had nothing to do with the malicious activity Microsoft was trying to stop—is an example of what can go wrong when systems are taken down without adequate foresight. Blaze says such a system would no doubt take the attribution problem—looking beyond proxies to find exactly where the attack originated—into consideration. "Nobody would build a system like this and be unaware of the existence of decentralized botnet attacks laundered through the systems of innocent users, because that's how pretty much all attacks work," he says. That does not, however, make so-called hackback attacks any less problematic, he says. The second issue with the program is a constitutional concern. Spotting malicious attacks in the manner Snowden describes would, he says, require the NSA to collect and analyze all network traffic flows in order to design an algorithm that distinguishes normal traffic flow from anomalous, malicious traffic. "[T]hat means we have to be intercepting all traffic flows," Snowden told WIRED's James Bamford. "That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time." It would also require sensors placed on the Internet backbone to detect anomalous activity. Blaze says the algorithm scanning system Snowden describes sounds similar to the government's recent Einstein 2 and 3 programs, which use network sensors to identify malicious attacks aimed at U.S. government systems. If that system were secretly being extended to cover all U.S. systems, without public debate, that would be a concern.
Although MonsterMind does resemble the Einstein programs to a certain degree, it also sounds much like the Plan X cyberwarfare program run by DARPA. The five-year, $110 million research program has several goals, not the least of which is mapping the entire Internet and identifying every node to help the Pentagon spot, and disable, targets if needed. Another goal is building a system that allows the Pentagon to conduct speed-of-light attacks using predetermined and pre-programmed scenarios. Such a system would be able to spot threats and autonomously launch a response, the Washington Post reported two years ago. It's not clear if Plan X is MonsterMind or if MonsterMind even exists. The Post noted at the time that DARPA would begin accepting proposals for Plan X that summer. Snowden said MonsterMind was in the works when he left his work as an NSA contractor last year. The NSA, for its part, would not respond to questions about the MonsterMind program.
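The flow-pattern detection Blaze sketches above ("hundreds or thousands of flows starting up from a particular place and targeted to a particular machine"), written out as an added example that is not code from the WIRED story, from Blaze, or from any NSA or Einstein system. The flow records are constructed, and the window and thresholds are arbitrary illustrative values. The alert deliberately reports only a target and the addresses the flows carried: behind a botnet or proxy chain those addresses belong to other people's machines, which is the attribution problem the article raises, and one innocent baseline client ends up in the list for exactly that reason.

```python
"""Flow-pattern anomaly detection of the kind Blaze describes: many flows
starting toward one machine from many places inside a short window.

Added example, not from the WIRED story or any NSA system. The flow
records are constructed; the window and thresholds are arbitrary
illustrative values that a real deployment would tune per service.
"""
from collections import defaultdict, deque


def build_sample_flows():
    """Constructed flow records as (start_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # Baseline: five clients, one flow every ten seconds, to one web server.
    for i in range(30):
        flows.append((i * 10, "10.0.0.%d" % (i % 5 + 1), "203.0.113.10", 443))
    # Burst: thirty distinct sources (bots or proxies) each open two flows
    # to the same server within five seconds starting at t=100.
    for j in range(30):
        for k in range(2):
            flows.append((100 + (j * 2 + k) % 5, "192.0.2.%d" % (j + 1),
                          "203.0.113.10", 443))
    return flows


def detect_flow_bursts(flows, window=10, min_flows=50, min_sources=20):
    """Flag each destination that receives at least min_flows new flows from
    at least min_sources distinct sources within any `window` seconds.

    The alert names a target and a pattern only. 'apparent_sources' are the
    addresses the flows carry; behind a botnet or proxy chain those are
    other people's machines, so attribution needs separate evidence.
    """
    per_dst = defaultdict(deque)
    alerts = {}
    for t, src, dst, _dport in sorted(flows):
        recent = per_dst[dst]
        recent.append((t, src))
        # Drop flows that started before the window.
        while recent and recent[0][0] < t - window:
            recent.popleft()
        sources = {s for _, s in recent}
        if dst not in alerts and len(recent) >= min_flows and len(sources) >= min_sources:
            alerts[dst] = {
                "first_seen": recent[0][0],
                "detected_at": t,
                "flows": len(recent),
                "apparent_sources": sorted(sources),
            }
    return alerts


if __name__ == "__main__":
    for dst, a in detect_flow_bursts(build_sample_flows()).items():
        print("%s: %d flows from %d sources between t=%d and t=%d"
              % (dst, a["flows"], len(a["apparent_sources"]),
                 a["first_seen"], a["detected_at"]))
```

The baseline traffic alone never trips the detector (at most two flows per ten-second window); the burst trips it on the first flow at t=104, and the apparent-source list contains the thirty burst addresses plus the baseline client that happened to connect at t=100.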
FYI—I guess those IRS IT guys/gals weren't so incompetent as the Administration intended them to be. Does anyone besides Dan Geer still think that governments can be trusted not to "forget" inconvenient and/or embarrassing information? Perhaps we now need a separate _fourth_ branch of government whose only job it is to secure _all_ government data against deletion by the other three branches...

http://www.judicialwatch.org/press-room/press-releases/backups-for-missing-lois-lerner-irs-emails/
25 Aug 2014

Washington, DC—Judicial Watch announced the following developments in the IRS's missing emails investigation. Judicial Watch President Tom Fitton stated: Department of Justice attorneys for the Internal Revenue Service told Judicial Watch on Friday that Lois Lerner's emails, indeed all government computer records, are backed up by the federal government in case of a government-wide catastrophe. The Obama administration attorneys said that this back-up system would be too onerous to search. The DOJ attorneys also acknowledged that the Treasury Inspector General for Tax Administration (TIGTA) is investigating this back-up system. We obviously disagree that disclosing the emails as required would be onerous, and plan to raise this new development with Judge Sullivan. This is a jaw-dropping revelation. The Obama administration had been lying to the American people about Lois Lerner's missing emails. There are no `missing' Lois Lerner emails—nor missing emails of any of the other top IRS or other government officials whose emails seem to be disappearing at an increasingly alarming rate. All the focus on missing hard drives has been a diversion. The Obama administration has known all along where the email records could be—but dishonestly withheld this information. You can bet we are going to ask the court for immediate assistance in cutting through this massive obstruction of justice. Here is the second set of sworn declarations by IRS officials in response to Judge Emmet G.
Sullivan's investigation into the missing emails of Lois Lerner and other IRS officials. The declarations were provided after close of business on Friday, 22 Aug. The first meeting was held this afternoon by Magistrate Judge John M. Facciola, who was appointed by Judge Emmet G. Sullivan to manage and assist in discussions between Judicial Watch and the IRS about how to obtain any missing records which have been the subject of longstanding Judicial Watch Freedom of Information Act (FOIA) requests and lawsuit (Judicial Watch v. IRS (No. 1:13-cv-1559)). Judge Sullivan has encouraged Judicial Watch to submit a request for limited discovery into the missing IRS records after September 10.
FYI—Because the electrical utilities are quickly heading for extinction, they are wrapping themselves in the cyberthreat security blanket in order to thwart distributed solar energy generation and to gain subsidies from the federal Homeland Security teat. Any such "cyberwashing" money would be far better spent to *accelerate* the inevitable rush to distributed generation to the point that the "critical infrastructure" grid simply isn't "critical" anymore. Solar panels are the most important element in distributed electric power generation, with the consumer fleet of electric cars (aka "batteries on wheels") providing the resilient distributed storage: "the 40,000 Tesla vehicles already on the US roads contain about 3.3 gigawatts of storage capacity, roughly 0.3% of US electrical production capacity and 14% of US grid storage", according to a February, 2014, Morgan Stanley report. This combination of cheap local generation and local storage has short-circuited the electrical utility business model and caused demand to melt away. (BTW, Edison himself originally argued for *distributed* power generation, with a power station every few blocks—a la the telephone exchanges. While this distributed model was forced by Edison's DC technology, a distributed power generation system would have been far more reliable & resilient than our current long-transmission-line system.) The U.S. electrical utilities are dinosaurs being killed by kilowatts from outer space. Rather than embracing these new solar technologies, however, they are fighting them tooth and claw with lobbying, from local zoning regulations to state monopoly commissions to federal regulations. The latest salvo is a 180-page July 15th 2014 report called "Securing the U.S. Electrical Grid" (aka "Begging for Bailouts") with 12 recommendations to "secure" the electrical grid. 
However, as far as I can tell, none of these recommendations will do anything to increase the reliability or resiliency of the electrical grid, but will do much to stymie the progress of solar distributed power generation. The name of the report should have been "Securing the Profits of the U.S. Electrical Grid against Tesla/Musk and solar panels", as the basic *threat* the electrical utilities were attempting to defend against was *irrelevance* in a distributed solar generation world filled with Leafs, LEDs and LEEDs. The electrical utilities are scare-mongering the politicians and the public with lies like "while more resilient, such smart grid and microgrid systems present significant challenges to grid security." Indeed, the very first paragraph of the SEG report is electrifying: "Following the end of World War II, the Allied Strategic Bombing Survey—responsible for determining the damage inflicted by U.S. and Allied strategic bombing of German and Japanese industry—determined that the bombing campaign would have been more effective if it had targeted the German and Japanese electrical grid rather than urban and industrial centers." The report then goes on to warn that falling utility profits will not allow significant investments in additional security--including cybersecurity, and that "public-private partnerships" (aka "government bailouts") will be required.

SECURING THE U.S. ELECTRICAL GRID, 15 Jul 2014
http://www.thepresidency.org.70-32-102-141.pr6m-p7xj.accessdomain.com/sites/default/files/Grid%20Report%20July%2015%20First%20Edition.pdf

[Henry's submitted message was by itself at least twice the size of a typical RISKS issue, and thus I have done some serious truncation of what follows, giving primarily just the URLs and a little introduction. The omitted content is very interesting reading, but perhaps less directly relevant to most RISKS readers. PGN]

David Roberts, Energy, politics, and more: Solar panels could destroy U.S. utilities, according to U.S. utilities
http://grist.org/climate-energy/solar-panels-could-destroy-u-s-utilities-according-to-u-s-utilities/

Solar power and other distributed renewable energy technologies could lay waste to U.S. power utilities and burn the utility business model, which has remained virtually unchanged for a century, to the ground. That is not wild-eyed hippie talk. It is the assessment of the utilities themselves. Back in January, the Edison Electric Institute—the (typically stodgy and backward-looking) trade group of U.S. investor-owned utilities—released a report [PDF] that, as far as I can tell, went almost entirely without notice in the press. That's a shame. It is one of the most prescient and brutally frank things I've ever read about the power sector. It is a rare thing to hear an industry tell the tale of its own incipient obsolescence. http://www.eei.org/ourissues/finance/Documents/disruptivechallenges.pdf I've been thinking about how to convey to you, normal people with healthy social lives and no time to ponder the byzantine nature of the power industry, just what a big deal the coming changes are. They are nothing short of revolutionary—but rather difficult to explain without jargon. So, just a bit of background. You probably know that electricity is provided by utilities. Some utilities both generate electricity at power plants and provide it to customers over power lines. They are `regulated monopolies,' which means they have sole responsibility for providing power in their service areas. Some utilities have gone through deregulation; in that case, power generation is split off into its own business, while the utility's job is to purchase power on competitive markets and provide it to customers over the grid it manages. [...]

Why the U.S. Power Grid's Days Are Numbered
Chris Martin, Mark Chediak, and Ken Wells, August 22, 2013
http://www.businessweek.com/articles/2013-08-22/homegrown-green-energy-is-making-power-utilities-irrelevant

There are 3,200 utilities that make up the U.S. electrical grid, the largest machine in the world. These power companies sell $400 billion worth of electricity a year, mostly derived from burning fossil fuels in centralized stations and distributed over 2.7 million miles of power lines. Regulators set rates; utilities get guaranteed returns; investors get sure-thing dividends. It's a model that hasn't changed much since Thomas Edison invented the light bulb. And it's doomed to obsolescence. That's the opinion of David Crane, chief executive officer of NRG Energy, a wholesale power company based in Princeton, N.J. What's afoot is a confluence of green energy and computer technology, deregulation, cheap natural gas, and political pressure that, as Crane starkly frames it, poses "a mortal threat to the existing utility system." He says that in about the time it has taken cell phones to supplant land lines in most U.S. homes, the grid will become increasingly irrelevant as customers move toward decentralized homegrown green energy. Rooftop solar, in particular, is turning tens of thousands of businesses and households into power producers. Such distributed generation, to use the industry's term for power produced outside the grid, is certain to grow. [...]

John McDuling (@jmcduling), 25 Feb 2014
Why you could soon be buying your electricity from Elon Musk
http://qz.com/180978/why-you-could-soon-be-buying-your-electricity-from-elon-musk/

Last week, we argued that Tesla's most disruptive product might not be its cars. Today, Morgan Stanley has provided further detail around this thesis, which is gaining increased traction on Wall Street. Tesla shares have soared about 13% this morning and are trading at fresh highs.
In a note published this morning, the investment bank posits that Elon Musk's electric car company, which will unveil its plans to build the world's biggest lithium-ion battery pack facility this week, is poised to disrupt the $1.5 trillion electric utility industry. Tesla doesn't just make high-performance automobiles, Morgan Stanley analyst Adam Jonas argues, it's also producing a mobile fleet of electrical grid storage. The 40,000 Tesla vehicles already on the US roads contain about 3.3 gigawatts of storage capacity, roughly 0.3% of US electrical production capacity and 14% of US grid storage, he estimates. By 2028, Morgan Stanley (which, it must be said, is among the most bullish of all Wall Street banks when it comes to the car company) estimates there will be 3.9 million Tesla vehicles on US roads. They will have a combined energy storage capacity of 237 gigawatts, some 22% of today's US production capacity and nearly 10 times larger than all US grid storage that exists today. Tesla's “giga-factory,'' where the lithium-ion battery packs will be produced, will probably cost $1 billion to build, Morgan Stanley estimates. But there will be myriad opportunities for the company to reap returns from that investment beyond sales of its own cars.
Thanks to the disclosures of Edward Snowden, the most terrifying words in the English language are *now*: "I'm from the government and I'm here to help fix your Internet". Therefore, I'm going to have to take Michael Daniel at his word that he lacks the expertise to help fix the Internet, but also believe that it will be difficult to get him to understand something, when his salary depends upon his not understanding it. In short, Michael Daniel is part of the problem, not part of the solution. However, I agree wholeheartedly with Professor Don Norman's point about the (un)usability of encryption, and feel that Professor Norman's enormous expertise could single-handedly improve the security of the entire Internet by helping technical wizards—e.g., Phil Zimmermann, Ladar Levison, GNU, EFF, etc.—to design more usable interfaces that manage keys/certificates/trust chains and ubiquitously encrypt all emails/texts/chats. See Alma Whitten and J. D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0", www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf

I encourage Professor Norman to get involved in taking back the Internet where we all live and work, and to help make it an expression of a free and democratic society which respects the First, Fourth, Fifth and Fourteenth Amendments. We don't have to wait for the government's help; we can write code.
> The moral of the story: Triple check digitalizations that could affect
> lives, and don't throw out the analogue stuff.

No, no, no. The moral of the story is to have an analog system working at all times on behalf of those who eschew the digital one, the side effect being a kind of resiliency-through-preservation that will *never* be otherwise available even in a police state with Central Planning. The thought is in many of my speeches, perhaps first at SOURCE Boston, http://geer.tinho.net/geer.sourceboston.18iv12.txt and later in "Resolved: The Internet Is No Place for Critical Infrastructure," Communications of the ACM, 56:6:41-46, June 2013.

Excerpt: At this point, I am at serious risk of being exactly the kind of fearmonger that quickly becomes fraud. That is, of course, not my point. My point is that the working definition of critical infrastructure is broad and, which is more, indistinct. There has been much talk about whether to grant the President a so-called kill-switch for the Internet. There is a considerable logic to that if you accept what I have been saying, namely that in the presence of interdependence that is inestimable there may be times where it is not possible to disambiguate friend from foe. Were someone on an inbound airplane found to have smallpox, the passengers and crew would be quarantined as a matter of public health until such time as each of them could be separately certified as disease free. Many important enterprises, public and private, quarantine inbound e-mail with nearly as much vigor as they quarantine inbound DHL packages. The logic is sound. The time scale is human. In a kind of living history, we have residing amongst ourselves cloistered communities such as the Amish. We accommodate them. I expect that if a food crisis of some sort were to materialize, it is the Amish who would be least affected. We have amongst ourselves so-called Neo-Luddites.
In some sense, the Luddites had a more principled analysis—they knew where the machines would lead and on the basis of their analysis they acted. The Amish merely wish to be left alone, such as to remove their children from compulsory education at the close of the eighth grade. So far as I know, their case, Wisconsin v. Yoder, is the only such case to ever reach the US Supreme Court, which found in their favor. I ask, is there room in our increasingly wired world for those who choose merely to be left alone, in this case to choose to not participate in the Internet society? Do those who do not participate deserve to not have their transactions of all sorts be exposed to a critical infrastructure dependent on the reliability of Internet applications as a class? Paraphrasing Melissa Hathaway from her 60-day review of US cyber policy for President Obama, the United States' ability to project power depends on information technology, and, as such, cyber insecurity is *the* paramount national security risk. Putting aside an Internet kill-switch, might it be wise for the national authorities to forbid, say, Internet Service Providers from propagating telnet or SSH v1 or other protocols known to be insecurable? If not that, should cyber components of the critical infrastructure be forbidden to accept such connections? There is certainly a debate topic in that—if not a natural policy. As with most things, there is an historical echo here as well; in 1932, the foremost political commentator of the age, Walter Lippmann, told President Roosevelt "The situation is critical, Franklin. You may have no alternative but to assume dictatorial powers." Again, when 10% of the population sees nothing in the Internet for them, should we respect and ensure that, as with the Amish, there is a way for them to opt out without choosing to live in a hovel? Should we preserve manual means?
I say "yes" and I say so because the preservation of manual means is a guarantee of a fall back that does not have a common mode failure with the rest of the interconnected, mutually vulnerable Internet world. That this is not an easy choice is the understatement of the day if not year. I cannot claim to have a fully working model here, but neither do our physicist friends yet have a unified field theory. [...] [By the way, in Deborah's RISKS item on Satellite in wrong orbit, I think she meant `their own GPS' rather than `their own GSM'. (Spotted by Drew Dean.) PGN]
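Whether a provider or an infrastructure operator could even enforce a ban on telnet or SSH v1, as the excerpt asks, starts with recognising those protocols on the wire. The following is an added example, not part of Dan Geer's message or the CACM article: it classifies the first bytes a service sends on connect. The greetings are constructed. The SSH rule follows RFC 4253, where the identification string is "SSH-protoversion-softwareversion" with optional comments, a server may send other lines before it, and protoversion "1.99" means a version 2 server that also accepts version 1; telnet is recognised by its option negotiation, which begins with IAC (0xff) followed by WILL/WONT/DO/DONT (0xfb to 0xfe).

```python
"""Recognise, from the first bytes a service sends, two of the protocols the
excerpt calls insecurable: telnet and SSH protocol version 1.

Added example, not part of Dan Geer's message or the CACM article. The
greetings below are constructed. The SSH rule follows RFC 4253: the
identification string is 'SSH-protoversion-softwareversion[ comments]',
a server may send other lines before it, and protoversion '1.99' means the
server also speaks version 1. Telnet option negotiation starts with IAC
(0xff) followed by WILL/WONT/DO/DONT (0xfb-0xfe).
"""
import re

SSH_ID_RE = re.compile(rb"^SSH-(\d+)\.(\d+)-([^ \r\n]+)(?: ([^\r\n]*))?$")

INSECURABLE = "insecurable"
V1_OFFERED = "ssh-1 offered alongside ssh-2"
OK = "ssh-2 only"
UNKNOWN = "not telnet or ssh"


def classify_greeting(data):
    """Classify a server's initial bytes. Returns a dict with 'protocol',
    'verdict' and, for SSH, the advertised protoversion and software."""
    # Telnet: IAC followed by a negotiation command.
    if len(data) >= 2 and data[0] == 0xFF and 0xFB <= data[1] <= 0xFE:
        return {"protocol": "telnet", "verdict": INSECURABLE}
    for raw in data.split(b"\n"):
        m = SSH_ID_RE.match(raw.rstrip(b"\r"))
        if not m:
            continue  # RFC 4253 allows non-identification lines first
        major, minor = int(m.group(1)), int(m.group(2))
        software = m.group(3).decode("ascii", "replace")
        proto = "%d.%d" % (major, minor)
        if major == 1 and minor == 99:
            verdict = V1_OFFERED
        elif major == 1:
            verdict = INSECURABLE
        else:
            verdict = OK
        return {"protocol": "ssh", "protoversion": proto,
                "software": software, "verdict": verdict}
    return {"protocol": "other", "verdict": UNKNOWN}


# Constructed greetings standing in for what a connect-and-read probe returns.
SAMPLE_GREETINGS = {
    "host-a:22": b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n",
    "host-b:22": b"SSH-1.99-OpenSSH_3.9p1\r\n",
    "host-c:22": b"SSH-1.5-Cisco-1.25\r\n",
    "host-d:23": b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27",
    "host-e:25": b"220 mail.example.net ESMTP\r\n",
    "host-f:22": b"Authorised access only.\r\nSSH-2.0-dropbear_2014.63\r\n",
}


def audit(greetings):
    """Return the endpoints whose greeting shows telnet or any SSH-1 support."""
    return sorted(ep for ep, g in greetings.items()
                  if classify_greeting(g)["verdict"] in (INSECURABLE, V1_OFFERED))


if __name__ == "__main__":
    for ep, g in SAMPLE_GREETINGS.items():
        print(ep, classify_greeting(g))
    print("flagged:", audit(SAMPLE_GREETINGS))
```

The 1.99 case is the one most often missed in inventories: the server is a modern SSH-2 implementation, but it will still complete a version 1 exchange with a client that asks for one, so it belongs on the same list as a v1-only device.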