An incident in a hospital in Roermond, the Netherlands, uncovered a problem that may be present in more hospitals. A free summary/translation of <http://nos.nl/artikel/2004721-tno-noodstroom-ziekenhuizen-onzeker.html>: In the Roermond hospital, the emergency power did not start due to a poorly charged battery in the computer controlling the emergency power. This battery ought to be charged continuously. The poor charging state had not been detected by regular checks and tests. The battery has a normal lifetime of 10 years and was only 3 years old at the moment of failure. Batteries are normally changed after 5 years. Switching back when power was available again also went wrong. TNO (the Dutch applied research institute that investigated the failure) suspects the cause was the low voltage from the poor battery. TNO recommends using redundant batteries. Sampling other hospitals showed similar configurations in at least 10 other hospitals. Gerrit Muller (part-time employed at TNO, however not related to the department that did this research) Gaudi System Architecting homepage <http://www.gaudisite.nl/>
Print headline on this: Soon your phone will be as smart as your doctor Topol sees a future in which "your smartphone will become central to labs, physical exams, and even medical imaging; and you can have ICU-like [intensive-care unit] monitoring in the safety, reduced expense, and convenience of your home." This is a book full of technical wizardry and intriguing questions about the nature—and the future—of diagnosing, monitoring and healing. ...and insurance companies will limit coverage to buying cheap phones and medical apps up to $0.99; doctors no longer needed. At least it will be easier getting appointments with your phone. http://www.washingtonpost.com/opinions/book-review-the-patient-will-see-you-now-on-future-of-medicine-by-eric-topol/2015/01/16/4b345b00-9761-11e4-aabd-d0b93ff613d5_story.html Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
http://www.wired.com/2014/02/outsourcing-humanity-apps/
The new operating system can help you monitor battery use better, help take better photos and make Siri easier to use. http://www.nytimes.com/2015/01/15/technology/personaltech/tips-to-get-the-most-out-of-apple-ios-8.html
Ars via NNSquad http://arstechnica.com/security/2015/01/wireless-device-in-two-million-cars-wide-open-to-hacking/ "An electronic dongle used to connect to the onboard diagnostic systems of more than two million cars and trucks contains few defenses against hacking, an omission that makes them vulnerable to wireless attacks that take control of a vehicle, according to published reports. US-based Progressive Insurance said it has used the SnapShot device in more than two million vehicles since 2008. The dongle tracks users' driving to help determine if they qualify for lower rates. According to security researcher Corey Thuen, it performs no validation or signing of firmware updates, has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols. SnapShot connects to the OBDII port of Thuen's 2013 Toyota Tundra pickup truck, according to Forbes. From there, it runs on the CANbus networks that control braking, park assist and steering, and other sensitive functions." - - - Waiting to hear what FLO has to say about this ...
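The Ars item above lists what the SnapShot dongle reportedly lacks: no validation or signing of firmware updates and no secure boot. The following is an added example, not code from the article, from Progressive, or from the researcher cited, showing the minimum gate a device-side updater should enforce before writing anything to flash: an Ed25519 signature over a version header and the image, checked with a vendor public key baked into the bootloader, followed by an anti-rollback check. The update container format, the key handling and the sample images are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update container, assumed for this example. The vendor signs
// header||image in its build pipeline; the device verifies with a public key
// embedded in its bootloader.
type Update struct {
	Version   uint32 // monotonically increasing; used for anti-rollback
	Image     []byte // raw firmware image
	Signature []byte // Ed25519 signature over header||image
}

var (
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: version is not newer than installed")
)

// signedMessage binds the version and the image length to the image bytes so
// that neither can be swapped without invalidating the signature.
func signedMessage(version uint32, image []byte) []byte {
	msg := make([]byte, 8, 8+len(image))
	binary.BigEndian.PutUint32(msg[0:4], version)
	binary.BigEndian.PutUint32(msg[4:8], uint32(len(image)))
	return append(msg, image...)
}

// SignUpdate is the vendor-side step. The private key stays on the build
// system, so nothing reachable over the cellular link or the OBD-II port
// can produce a valid signature.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

// VerifyUpdate is the device-side gate that must run before flashing. It
// returns the version to record on success, or the currently installed
// version plus an error. The signature check comes first so that an
// unauthenticated blob can never influence the rollback decision.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) (uint32, error) {
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Image), u.Signature) {
		return installed, ErrBadSignature
	}
	if u.Version <= installed {
		return installed, ErrRollback
	}
	return u.Version, nil
}

func main() {
	// Constructed keys and images for the demonstration only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(1)

	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	tampered := good
	tampered.Image = append([]byte(nil), good.Image...)
	tampered.Image[0] ^= 0x01 // one flipped bit; signature no longer matches
	unsigned := Update{Version: 3, Image: []byte("unsigned image")}
	downgrade := SignUpdate(priv, 1, []byte("constructed firmware image v1"))

	for name, u := range map[string]Update{
		"good": good, "tampered": tampered, "unsigned": unsigned, "downgrade": downgrade,
	} {
		v, err := VerifyUpdate(pub, installed, u)
		fmt.Printf("%-9s -> version %d, err=%v\n", name, v, err)
	}
}
```

Only the "good" update is accepted; a flipped bit, a missing signature, and a validly signed older image are all refused, and in every refused case the device keeps its installed version. Signing the version header together with the image is what stops an attacker from re-labelling an old signed image as a newer one to defeat the rollback check.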
Much has been made of the benefits and detriments of the Internet of Things (IoT). Security, integrity, and privacy problems are a particular challenge. Implementing ease of use while maintaining security is a challenge. There have been many cases of consumer and SOHO devices coming with pre-installed credentials and backdoors. The problem is even more serious with industrial systems where compromised credentials can permit conversion of a network attack into an attack with serious physical consequences. Reportedly, the Schneider Electric SCADA Gateway comes with pre-installed, known FTP credentials. An update is reported to permit FTP access to be disabled, but the credentials remain. The original article is at: http://threatpost.com/hard-coded-ftp-credentials-found-in-schneider-electric-scada-gateway/110565 Bob Gezelter, http://www.rlgsc.com
Galen Gruman, InfoWorld, 13 Jan 2015 Many Internet of things devices can be controlled via smartphone only. What could possibly go wrong? http://www.infoworld.com/article/2867356/internet-of-things/beware-this-iot-fallacy-the-headless-device.html
*The NY Times* Dealbook column has reported the establishment of Hacker's List, a website providing an exchange allowing those in "need" of hacking attacks to interact with providers of the services. Exchanges that facilitate monetized hacking, serving to reduce the cost of hacking to a level compatible with consumer purchases, are not a positive development. Exchanges for such activities accentuate the trend of hacking for profit, which has been building for nearly two decades. The original article is at: http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/ Bob Gezelter, http://www.rlgsc.com
Spies should be able to monitor all online messaging, says David Cameron *The Telegraph* via NNSquad http://www.telegraph.co.uk/technology/internet-security/11340621/Spies-should-be-able-to-monitor-all-online-messaging-says-David-Cameron.html The Security Services will be given the powers to read all messages sent over the Internet, if the Conservatives win the general election. David Cameron, the Prime Minister, made the pledge at a campaign event attended by up to 100 Conservative activists in Nottingham. The police and the intelligence agencies have expressed concerns that they are not able to access the content of some of the new ways to communicate over the Internet. - - - At face value, he appears to be saying that he wants to ban or weaken TLS and PGP, etc.
*The Independent* via NNSquad http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-and-snapchat-could-be-banned-under-new-surveillance-plans-9973035.html "The Prime Minister said today that he would stop the use of methods of communication that cannot be read by the security services even if they have a warrant. But that could include popular chat and social apps that encrypt their data, such as WhatsApp. Apple's iMessage and FaceTime also encrypt their data, and could fall under the ban along with other encrypted chat apps like Telegram."
Lauren Weinstein's Blog Update, 15 Jan 2015 http://lauren.vortex.com/archive/001084.html It's always illuminating when the longtime enemies of security and free speech come out from the shadows, making their intentions and sensibilities crystal clear for all to see and understand. Nope, I'm not talking about terrorists of whatever stripes—we've always known how criminal scum like that thinks and how they desire to remake the world in the image of their tiny minds and 13th century mindsets. Nor am I speaking of Putin, Kim Jong-un, Ali Khamenei, Xi Jinping, or the like—the iron fist with which these leaders desire to control speech and suppress domestic dissent is all too obvious even at a glance. No. I'm painfully forced to note the new threat matrix aimed squarely at shedding our free speech and security rights that is spewing squarely from Western governments—from the U.S., U.K., and across the length and breadth of Europe. It's tempting to suggest that this renewed push to strip us of these fundamental rights was triggered by the recent devastating terrorist attack in Paris—but that horrendous event serves only as an excuse for a long simmering, long sought crackdown on Internet speech and security that has been smoldering for ages. Going all the way back to 1993 and the fiasco of the proposed U.S. "Clipper Chip" reveals the U.S. intelligence community's fear of strong cryptography. And today, the EU's enthusiastic embrace of the nightmarish "Right to Be Forgotten" concept, and their push to apply that EU censorship system across the entire world, gives us clues to European motives along these lines. So for anyone really paying close attention to these matters, the dots were already pretty much in place, certainly sufficiently so that the latest proposals from Western leaders shouldn't come as any kind of significant surprise. And those repulsive proposals have been arriving hot and heavy over the last few days.
President Obama is reportedly to offer a vast expansion of criminal penalties for "computer hacking" broadly defined, and as part of that legislative package also to vastly expand the definition of hacking in the process. If you thought the late Aaron Swartz really had the book thrown at him by DOJ, the new proposals would likely make that look like a paperback novel compared with a wall of ancient encyclopedias dumped on the heads of future defendants. The details we've heard so far reportedly suggest that at the discretion of prosecutors, merely clicking the wrong link on a public site, or conducting perfectly legitimate cybersecurity research, could net you being shackled in a federal cell for a decade or more. But it gets worse. Western leaders, led by David Cameron of the UK, appear poised to demand that all Internet communications be subject to data retention and monitoring by governments, and that no applications be permitted to deploy encryption that the government could not disable or defeat on demand. Prime Minister Cameron has said this explicitly of late, and is seeking support from other European leaders and President Obama for this disastrous concept. Let's be crystal clear about this. While the initial discussion might revolve around instant messaging apps, it's obvious that the logical and inevitable extension of this concept is to require the undermining of all Internet encryption. Email. PGP. The works. And what you can't backdoor or otherwise undermine you simply outlaw, with criminal penalties draconian enough to scare off all but the most dedicated or masochistic of free speech and security activists. 
The word "security" is critical here, because while these leaders are claiming that such proposals would enhance security to "protect us from the terrorists"—in reality the proposed decimation of the foundational structures of cryptographic systems would put all of us—our personal information, our power systems, our industrial facilities, and so many other aspects of our lives—at the mercy of cyberattacks newly enabled by such weakened and so inevitably exploitable encryption ecosystems. Without any exaggeration, this may easily be the most serious threat to Internet security—and so to the entire global community that now depends on the Internet for so many facets of our lives—since the first ARPANET messages clattered over a teletype at UCLA decades ago. Legitimate and measured means to fight against the scourge of terrorism are essential. But those do not include trying to convert the secure communications of law abiding citizens—billions of them—into "tap on demand" portals for government snoops, no matter how ostensibly laudable or graphically terrifying those officials attempt to frame their arguments. We've all come to expect the "government owns your communications" propaganda from Putin and his ilk. To hear the same sort of twisted reasoning—no matter how candy coated or sprinkled with excuses—flinging forth from our Western leaders is disheartening in the extreme, and must not be accepted without vigorous challenge, debate, and due consideration for the enormous damage such proposals could easily wreak on us all.
http://www.nytimes.com/2015/01/13/us/isis-is-cited-in-hacking-of-central-commands-twitter-feed.html
A federal study found that there was no reliable way to get at the communications of terrorism suspects without sweeping up records of every call in the United States. http://www.nytimes.com/2015/01/16/us/politics/report-finds-no-alternative-to-bulk-collection-of-phone-data.html
Mining For Dollars Remember a few years after 9/11 when the airlines started requiring you to use your full name as it appears on a government issued ID, date of birth and gender when you buy a plane ticket? That's so the TSA can check you against the Federal No-Fly List. But there is more than meets the eye. In 2012, TSA rolled out "PreCheck" (or "Pre✓®"). Exempt from Federal privacy laws, the PreCheck database contains detailed personal information, including name, birthdate, biometric information, physical characteristics, Social Security Number and financial information. TSA now plans to release applicants' data to federal, state, tribal, local, and foreign governments and debt collectors. http://strandedpassengers.blogspot.com/ ...a stinky bouquet of "What could go wrong?" Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Sorting, personalization, recommendation, and search algorithms now have their own public relations, complicating the need for transparency about how important computer systems operate. Examples covered: quicksort represented as a Hungarian folk dance, a cartoon that explains how Google search works, a social media consultant that explains that Facebook is like a 19th Century grist mill, and an advertising campaign for ask.com proclaiming that "The Algorithm Constantly Finds Jesus." Seeing the Sort http://median.newmediacaucus.org/art-infrastructures-information/seeing-the-sort-the-aesthetic-and-industrial-defense-of-the-algorithm/
*Daily Finance* via NNSquad http://www.dailyfinance.com/on/fcc-relax-robocall-rule/ "But now the Federal Communications Commission is considering relaxing a key rule and allowing businesses to call or text your cellphones without authorization if they say they called a wrong number. The banking industry and collections industry are pushing for the change." - - - Really bad idea—because it hands the perfect excuse to the really evil players.
No longer just the domain of intelligence agencies, `hacktivists' or criminal gangs, there is a growing cottage industry of ordinary people hiring hackers for much smaller acts of espionage. http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/
FYI—You scratch my back and I'll scratch yours, whether or not I even know you. The NSA's "4th Party Collection" provides the mechanism for gathering information that the NSA can't legally collect on its own. By spying on other spies, the NSA avoids a problem the FBI ran into in the 1950's, when there were sometimes so many illegal taps on a labor union's phone lines that the labor unionists could barely hear the person at the other end of the phone conversation. The NSA has already run into computers & routers with surveillance malware from spy organizations from multiple countries simultaneously! “The practice of letting other intelligence services do the dirty work and then tapping their results is so successful that the NSA even has a name for it: Fourth Party Collection.'' http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html The Digital Arms Race: NSA Preps America for Future Battle By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer The NSA's mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency is arming America for future digital wars—a struggle for control of the Internet that is already well underway. ......... Part 2: How the NSA Reads Over Shoulders of Other Spies In addition to providing a view of the US's own ability to conduct digital attacks, Snowden's archive also reveals the capabilities of other countries. The Transgression team has access to years of preliminary field work and experience at its disposal, including databases in which malware and network attacks from other countries are cataloged. The Snowden documents show that the NSA and its Five Eyes partners have put numerous network attacks waged by other countries to their own use in recent years. 
One 2009 document states that the department's remit is to "discover, understand (and) evaluate" foreign attacks. Another document reads: "Steal their tools, tradecraft, targets and take." In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack's point of origin to China, but also in tapping intelligence information from other Chinese attacks—including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. "NSA is able to tap into Chinese SIGINT collection," a report on the success in 2011 stated. SIGINT is short for signals intelligence. The practice of letting other intelligence services do the dirty work and then tapping their results is so successful that the NSA even has a name for it: "Fourth Party Collection." And all countries that aren't part of the Five Eye alliance are considered potential targets for use of this "non-traditional" technique—even Germany. 'Difficult To Track, Difficult To Target' The Snowden documents show that, thanks to fourth party collection, the NSA succeeded in detecting numerous incidents of data spying over the past 10 years, with many attacks originating from China and Russia. It also enabled the Tailored Access Operations (TAO) to track down the IP address of the control server used by China and, from there, to detect the people responsible inside the Peoples' Liberation Army. It wasn't easy, the NSA spies noted. The Chinese had apparently used changing IP addresses, making them "difficult to track; difficult to target." In the end, though, the document states, they succeeded in exploiting a central router. 
The document suggests that things got more challenging when the NSA sought to turn the tables and go after the attacker. Only after extensive "wading through uninteresting data" did they finally succeed in infiltrating the computer of a high-ranking Chinese military official and accessing information regarding targets in the US government and in other governments around the world. They also were able to access sourcecode for Chinese malware. NSA Docs on Fourth Party Access Description of an NSA employee on fifth party access / When the targeted fourth party has someone under surveillance who puts others under surveillance http://www.spiegel.de/media/media-35679.pdf 4th-party collection / Taking advantage of non-partner computer network exploitation activity http://www.spiegel.de/media/media-35680.pdf Combination of offensive and defensive missions / How fourth-party missions are being performed http://www.spiegel.de/media/media-35681.pdf Overview of the TRANSGRESSION program to analyze and exploit foreign CNA/CNE exploits http://www.spiegel.de/media/media-35682.pdf NSA example SNOWGLOBE, in which a suspected French government trojan is analyzed to find out if it can be helpful for own interests http://www.spiegel.de/media/media-35683.pdf NSA fourth party access / "I drink your milkshake" http://www.spiegel.de/media/media-35684.pdf NSA Program TUTELAGE to instrumentalize third party attack tools http://www.spiegel.de/media/media-35685.pdf Codename BYZANTINE HADES / NSA research on the targets of Chinese network exploitation tools, the targets and actors http://www.spiegel.de/media/media-35686.pdf CSEC document on the handling of existing trojans when trojanizing computers http://www.spiegel.de/media/media-35688.pdf Analysis of Chinese methods and performed actions in the context of computer network exploitation http://www.spiegel.de/media/media-35687.pdf
George Ledin <ledin@sonoma.edu> at Sonoma State has written a fairly comprehensive treatise on the above-cited subject. http://www.cs.sonoma.edu/ledin/malware/pdf/Sullins_Creds2014.pdf It should be of interest to white-hat analysts, administrators, law enforcement and defense lawyers, faculty members and university deans, and many others. (George is a strong advocate of not being able to defend against malware if you don't know malware. If you knew malware like George does, you'd be better off.)