Perhaps Ford didn't do enough UI testing... http://www.autonews.com/article/20141231/RETAIL05/141239986/lincoln-mkc-recalled-to-move-push-button-start-from-near-touchscreen Ford is recalling about 13,500 2015 Lincoln MKC crossovers because drivers are shutting the vehicle off by mistake. Drivers are mistakenly touching the crossover SUV's push-button ignition while the car is driving, Ford found. “Due to the switch's close proximity to other controls occupants are inadvertently shutting off the engine while driving,” Ford said in a statement.
The residents of Green Bank, West Virginia, can't use cell phones, wifi, or other kinds of modern technology due to a high-tech government telescope. Recently, this ban has made the town a magnet for technophobes, and the locals aren't thrilled to have them. http://www.washingtonian.com/articles/people/the-town-without-wi-fi/
http://www.nytimes.com/2014/12/27/technology/risks-in-using-social-posts-to-spot-signs-of-distress.html The ill-fated introduction in Britain of an app to detect predictors of suicide shows what may happen when social media posts are scrutinized for cues about a person's mental health.
(Gigaom): https://gigaom.com/2015/01/11/eu-response-to-free-speech-killings-more-internet-censorship/?utm_medium=social&utm_campaign=socialflow&utm_source=twitter&utm_content=eu-response-to-free-speech-killings-more-internet-censorship_905730 The interior ministers of France, Germany, Latvia, Austria, Belgium, Denmark, Spain, Italy, the Netherlands, Poland, Sweden and the U.K. said in a statement (PDF) that, while the Internet must remain “in scrupulous observance of fundamental freedoms, a forum for free expression, in full respect of the law,” ISPs need to help “create the conditions of a swift reporting of material that aims to incite hatred and terror and the condition of its removing, where appropriate/possible.”

European leaders seem lately to be reliably wrong on most free speech issues coming down the pipe. It's especially damaging when they try to extend their misguided, counterproductive views on this subject to the world beyond Europe. Censorship doesn't work in the Internet era. Trying to remove or de-index materials you fear or dislike only drives them underground in more dangerous ways.
[via Dave Farber] Sean Gallagher, Ars Technica, 8 Jan 2015 In PBS NOVA interview, Snowden warns that U.S. cyber warfare strategy could backfire. http://arstechnica.com/tech-policy/2015/01/snowden-us-has-put-too-much-emphasis-on-cyber-offense-needs-defense/ In an on-camera interview with James Bamford for an upcoming episode of PBS' NOVA, Edward Snowden warned that the U.S. Department of Defense and National Security Agency have over-emphasized the development of offensive network capabilities, placing the U.S.'s own systems at greater risk. With other countries now developing offensive capabilities that approach those of the NSA and the U.S. Cyber Command, Snowden believes the U.S. has much more at stake. The raw transcript of the NOVA interview showed Snowden in full control, to the point of giving direction on questions and even suggesting how to organize the report and its visual elements. Snowden frequently steered questions away from areas that might have revealed more about NSA operations, or he went into areas such as White House policy that he considered "land mines." But the whistleblower eloquently discussed the hazards of cyber warfare and the precariousness of the approach that the NSA and Cyber Command had taken in terms of seeking to find and exploit holes in the software of adversaries. In fact, he says the same vulnerabilities are in systems in the U.S. "The same router that's deployed in the United States is deployed in China," Snowden explained. "The same software package that controls the dam floodgates in the United States is the same as in Russia. The same hospital software is there in Syria and the United States." Some of the interview, which took place last June in Russia, possibly foreshadowed the cyber attack on Sony Pictures.
Snowden said that the capabilities for cyber attacks such as the "Shamoon" malware attack in 2012 and other "wiper" attacks similar to what happened to Sony Pictures were "sort of a Fisher Price, baby's first hack kind of a cyber campaign," capable of disruption but not really of creating long-term damage. But he said more sophisticated organizations, including nation-state actors, are "increasingly pursuing the capability to launch destructive cyber attacks as opposed to the disruptive kinds that you normally see online...and this is a pivot that is going to be very difficult for us to navigate." "I don't want to hype the threat," Snowden told Bamford. "Nobody's going to press a key on their keyboard and bring down the government. Nobody's going to press a key on their keyboard and wipe a nation off the face of the earth." But Snowden emphasized that the U.S. should be focusing more on defending against adversaries than trying to penetrate their networks to collect information and do damage. "When you look at the problem of the U.S. prioritizing offense over defense, imagine you have two bank vaults, the United States bank vault and the Bank of China," Snowden explained. "The U.S. bank vault is completely full. It goes all the way up to the sky. And the Chinese bank vault or the Russian bank vault or the African bank vault or whoever the adversary of the day is, theirs is only half full or a quarter full or a tenth full." But because the U.S. has focused on being able to break into other networks, he said, it has made its own technology vulnerable—and other countries can use the same vulnerabilities to attack the U.S.'s networks. [...]
The recent CCC (Chaos Computer Club) presentation about defeating biometric identification using cameras demonstrates the vulnerability of Iris, Face and Fingerprint methods. The theoretical risk is obvious, but here are the practical demonstrations. Dubbed in English: https://www.youtube.com/watch?v=VVxL9ymiyAU&feature=youtu.be Should be good for sales of gloves, latex, pencils...
https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf "In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses. We induce errors in most DRAM modules (110 out of 129) from three major DRAM manufacturers."
Nathaniel Popper, *The New York Times* blog, updated version, 5 Jan 2015 In mid-December, a posting appeared on the Internet site Pastebin offering six million account records, including passwords and login data for clients of Morgan Stanley. Two weeks later, a new posting on the information-sharing site offered a teaser of actual records from 1,200 accounts, and provided a link for people interested in purchasing more, according to a person briefed on the matter. The link pointed to a website that sells digital files for virtual currencies like Bitcoin. In this case, the files were being sold for a more obscure currency, Speedcoin. The offer was quickly taken down the same day, 27 Dec, after Morgan Stanley discovered the leak. In short order, the bank traced the breach to a financial adviser working out of its New York offices, a 30-year-old named Galen Marsh, according to a person involved in the investigation who spoke on the condition of anonymity. ... http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data-on-350000-clients-was-stolen/
http://arstechnica.com/security/2014/12/us-banks-trace-credit-fraud-to-chick-fil-a-locales-in-possible-data-breach/
The most important point that should not be missed is that Internet voting should be compared to postal votes, not to traditional public voting station methods. In the rush to make Internet voting more secure, we should not forget that, like postal voting, it lacks a basic feature: making voting public, but the contents of the vote itself confidential. The public aspect of traditional voting methods assures that everyone who is eligible to vote can do it, freely and confidentially. Internet voting misses this aspect, no matter how secure it can be made. This is not a technical issue!
A couple of months ago I read an electoral court judgment on voting fraud in the UK which was handed down in July 2013: http://www.bailii.org/ew/cases/EWHC/QB/2013/2572.html The judge goes off on a massive rant about the disgraceful state of voting security in the UK and the lack of interest from the authorities in dealing with it. I expect online voting will make it even worse. The whole judgment is quite readable and informative. The rant starts:

> Sadly, therefore, this is yet another case where the United Kingdom's shambolic electoral system has led to an election being challenged on the ground of widespread fraud.
>
> The system of electoral registration has always been very insecure and remains so. The problems this caused were, in the past, largely mitigated by the fact that 'absent' voting (voting by post or by proxy) was very limited in scope and hedged about with procedural difficulties. The introduction of postal voting on demand in 2001, however, laid the electoral system wide open to massive and well-organised fraud. Warnings that this might be the case were blithely ignored by Parliament and, to some extent, by the Electoral Commission.
Not very long ago I came across an accounting and HR package which used ODBC connections from each client computer to its central Microsoft SQL Server database. Installing the client software required the creation of a "data source" file on each client. This file can then be used by any ODBC client, such as Microsoft Office software, without needing the user to know the password. I discovered that the supplier's engineers had persuaded the IT team to let them use the default SA (System Administrator) ID when creating the data sources. As a result of this, any other ODBC software installed on a client machine could be used to gain anonymous read/write/delete access to the entire finance and HR databases without needing to use a password. I offered to save the CFO some work by signing off my own invoices, but he declined the offer. Once I bypassed the supplier's helpdesk and contacted their CTO directly, the issue was quickly resolved. We reconfigured the client machines and the database servers to eliminate the "SA" login completely. RISKS readers might like to check their own systems to see whether any of the Data Sources on their client machines use the SA login. If they do, then I suggest they have words with their suppliers and their DBAs (if they have them). Short pithy words are best.
Michael Cieply and Brooks Barnes, *The New York Times*, 30 Dec 2014 It was three days before Thanksgiving, the beginning of a quiet week for Sony Pictures. But Michael Lynton, the studio's chief executive, was nonetheless driving his Volkswagen GTI toward Sony's lot at 6 a.m. Final planning for corporate meetings in Tokyo was on his agenda - at least until his cellphone rang. The studio's chief financial officer, David C. Hendler, was calling to tell his boss that Sony's computer system had been compromised in a hacking of unknown proportions. To prevent further damage, technicians were debating whether to take Sony Pictures entirely offline. Shortly after Mr. Lynton reached his office in the stately Thalberg building at Sony headquarters in Culver City, Calif., it became clear that the situation was much more dire. Some of the studio's 7,000 employees, arriving at work, turned on their computers to find macabre images of Mr. Lynton's severed head. Sony shut down all computer systems shortly thereafter, including those in overseas offices, leaving the company in the digital dark ages: no voice mail, no corporate email, no production systems. ... http://www.nytimes.com/2014/12/31/business/media/sony-attack-first-a-nuisance-swiftly-grew-into-a-firestorm-.html
Dan Goodin, Ars Technica, 7 Jan 2015 Thunderstrike allows anyone with even brief access to install stealthy malware. Securing Macs against stealthy malware infections could get more complicated thanks to a new proof-of-concept exploit that allows attackers with brief physical access to covertly replace the firmware of most machines built since 2011. Once installed, the bootkit (that is, malware that replaces the firmware normally used to boot Macs) can control the system from the very first instruction. That allows the malware to bypass firmware passwords and the passwords users enter to decrypt hard drives, and to preinstall backdoors in the operating system before it starts running. Because it's independent of the operating system and hard drive, it will survive both reformatting and OS reinstallation. And since it replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected boot systems. The proof-of-concept is the first of its kind on the OS X platform. While there are no known instances of bootkits for OS X in the wild, there is currently no way to detect them, either. The malware has been dubbed Thunderstrike, because it spreads through maliciously modified peripheral devices that connect to a Mac's Thunderbolt interface. When plugged into a Mac that's in the process of booting up, the device injects what's known as an Option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions before loading the OS. The Option ROM replaces the RSA key Macs use to ensure only authorized firmware is installed. From there, the Thunderbolt device can install malicious firmware that can't easily be removed by anyone who doesn't have the new key. ... http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/
Search feature overrides widely used setting blocking remote images. Dan Goodin, Ars Technica, 9 Jan 2015 Using the Spotlight search feature in OS X Yosemite can leak IP addresses and private details to spammers and other e-mail-based scammers, according to tests independently performed by two news outlets. The potential privacy glitch affects people who have configured the Mac Mail app to turn off the "load remote content in messages" setting, as security experts have long advised. Spammers, stalkers, and online marketers often use remote images as a homing beacon to surreptitiously track people opening e-mail. Because the images are hosted on servers controlled by the e-mail sender, the sender can log the IP address that viewed the message, as well as the times and how often the message was viewed, and the specific e-mail addresses that received the message. Many users prefer to keep their e-mail addresses, IP addresses, and viewing habits private, a goal that's undermined by the viewing of remote images. ... http://arstechnica.com/security/2015/01/spotlight-search-in-yosemite-exposes-private-user-details-to-spammers/
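To make the "homing beacon" mechanism concrete, here is an added example (not from the article or from Apple) that inventories the remote resources a mail client would fetch when rendering a message, which is exactly what the "load remote content" setting is meant to block, and flags the ones that look built to identify the reader. The sample message body, the token-length heuristic and the sender hostnames are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message body: a normal logo plus two tracking beacons of the
# kind the article describes (a 1x1 image and a CSS background, each carrying a
# per-recipient token).
SAMPLE_MAIL_HTML = """
<html><body>
<img src="https://mail.example-sender.test/static/logo.png" width="120" height="40">
<p>Dear customer, your statement is ready.</p>
<img src="https://track.example-sender.test/open.gif?u=rcpt-7f3a9c" width="1" height="1">
<div style="background:url(https://track.example-sender.test/bg?id=rcpt-7f3a9c)"></div>
</body></html>
"""

TOKEN_MIN_LEN = 8  # assumption: query values at least this long look like recipient ids
STYLE_URL = re.compile(r"url\((['\"]?)(https?://[^)'\"]+)\1\)")


class RemoteContentFinder(HTMLParser):
    """Collect every http/https resource a mail client would fetch when rendering."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for attr in ("src", "background"):
            url = a.get(attr)
            if url and urlparse(url).scheme in ("http", "https"):
                self.resources.append({"tag": tag, "url": url,
                                       "width": a.get("width"), "height": a.get("height")})
        m = STYLE_URL.search(a.get("style") or "")
        if m:
            self.resources.append({"tag": tag, "url": m.group(2),
                                   "width": None, "height": None})


def classify(resource):
    """'beacon' if the resource looks built to identify the reader, else 'content'.
    Any remote fetch at all already reveals the reader's IP address and viewing
    time; a beacon additionally ties that to one recipient."""
    query = parse_qs(urlparse(resource["url"]).query)
    tiny = resource["width"] == "1" and resource["height"] == "1"
    tokenised = any(len(v) >= TOKEN_MIN_LEN for values in query.values() for v in values)
    return "beacon" if (tiny or tokenised) else "content"


def remote_resources(html):
    parser = RemoteContentFinder()
    parser.feed(html)
    return parser.resources


def find_beacons(html):
    return [r["url"] for r in remote_resources(html) if classify(r) == "beacon"]
```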
http://www.nytimes.com/2015/01/06/technology/tech-companies-look-to-break-down-walls-between-apps.html As people spend more time using apps, their Internet has taken a step backward, becoming more isolated—more like the web before search engines.
ArsTechnica reports that Gogo, an inflight Wi-Fi service has been proffering its own version of other domains certificates (the article refers specifically to YouTube). This allows Gogo to decrypt traffic intended to remain encrypted while in-transit. If used for all SSL connections, it would expose a wide variety of traffic to monitoring, capture, and subsequent impersonation (e.g., email, banking, corporate applications). It is not clear if this is being used on all SSL connection attempts, or only on certain connections. The justification offered is to enforce a Gogo ban on streaming applications. This report reemphasizes the need for users to be careful accepting a certificate not signed by a well-known signature authority (CA). The Ars Technica article is at: http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/ Bob Gezelter, http://www.rlgsc.com
Apparently, ASUS routers have a weakness in the implementation of infosvr, which reportedly uses UDP to communicate between different routers. Designated CVE-2014-09583, this vulnerability allows a user inside the firewall zone to use a UDP request to inject a command for execution by the router (e.g., opening ports). The report includes a command which can be manually used to shut down the infosvr service each time the router is restarted. The Ars Technica article is at: http://arstechnica.com/security/2015/01/got-an-asus-router-someone-on-your-network-can-probably-hack-it/ Bob Gezelter, http://www.rlgsc.com
The most tragic element of the AF447 crash was that the stall warning system gave a warning up to a critical angle of attack, but actually went silent after that angle was exceeded, on the assumption that it could not be possible and the device should not report a false positive. This caused the pilots to keep the plane in a stall, since when they tried to take it out of the stall by reducing the angle of attack, the stall alarm sounded. I think there is a new risk here: pilots need to be able to handle a system failing in a complex way such as this. Is it reasonable for them to learn and manage all edge cases in automation?
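The failure mode the contributor describes, as an added example (a constructed, simplified model, not the aircraft's actual logic): a fail-silent warning that treats an "impossible" reading as no stall, beside a fail-safe variant that never lets an out-of-range reading clear an active warning and instead annunciates the sensor problem separately. The angle thresholds and the flight trace are assumptions chosen to reproduce the sequence in the item.

```python
CRITICAL_AOA = 15.0       # degrees; stall-warning threshold (constructed value)
MAX_PLAUSIBLE_AOA = 40.0  # degrees; the original design treats readings above this as invalid


def warning_fail_silent(aoa):
    """Original-style logic: an 'impossible' reading is treated as no stall at all."""
    if aoa > MAX_PLAUSIBLE_AOA:
        return False
    return aoa >= CRITICAL_AOA


def warning_fail_safe(aoa, latched):
    """Hardened logic: an out-of-range reading keeps the previous warning state and
    raises a separate 'sensor invalid' flag. Returns (warning, sensor_invalid)."""
    if aoa > MAX_PLAUSIBLE_AOA:
        return latched, True
    return aoa >= CRITICAL_AOA, False


def simulate(trace, logic):
    """Run a sequence of AoA readings through one logic; yields (aoa, warning, invalid)."""
    states = []
    latched = False
    for aoa in trace:
        if logic == "silent":
            warn, invalid = warning_fail_silent(aoa), False
        else:
            warn, invalid = warning_fail_safe(aoa, latched)
        latched = warn
        states.append((aoa, warn, invalid))
    return states


# Constructed trace: climb into the stall, deepen beyond the plausibility limit,
# then the crew lowers the nose and the angle comes back into the "valid" range.
TRACE = [5.0, 12.0, 18.0, 30.0, 45.0, 50.0, 35.0, 20.0, 10.0]


def perverse_transitions(states):
    """Angles at which the warning *starts* while the angle of attack is decreasing:
    the 'do the right thing and the alarm sounds' behaviour the item describes."""
    bad = []
    for (a0, w0, _), (a1, w1, _) in zip(states, states[1:]):
        if w1 and not w0 and a1 < a0:
            bad.append(a1)
    return bad


if __name__ == "__main__":
    for logic in ("silent", "safe"):
        print(logic, simulate(TRACE, logic), "perverse:", perverse_transitions(simulate(TRACE, logic)))
```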
Both Leonard Finegold and Morton Welinder are wrong on the power dissipation in a laptop power supply cord, because the power supply is not a resistor but a constant-power sink, due to the regulator in it, which is designed to convert power at high efficiency and supply a fixed power to the battery. So the current through the power supply is the inverse of the voltage. But the power supply cord is a resistance, so the heat in it is the square of the current, or the inverse square of the voltage in this case. Let's take a 55 W power supply for simplicity, and a 0.1 ohm power supply cord resistance. At 110 V it draws 0.5 A, so the power supply cord dissipates 0.5 × 0.5 × 0.1 = 0.025 W. At 220 V it draws 0.25 A, so the power supply cord dissipates 0.25 × 0.25 × 0.1 = 0.00625 W, or a factor of 4 less. [We received a slew of comments in response on this subject. I picked this one as representative. PGN]
Len Finegold said "As my freshman students know... Twinkle twinkle little star Power equals I squared R" 50 years ago when I was a freshman I memorized that jingle. But when I got into the exam, my brain regurgitated this: Little star up in the sky, power equals R squared I.