Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of the Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
BMW installs GSM modems in its cars for remote control, but communicates with them in plain text (in German): http://www.heise.de/newsticker/meldung/BMW-ConnectedDrive-gehackt-2533601.html Machine translation: https://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FBMW-ConnectedDrive-gehackt-2533601.html The report doesn't state whether this was the vulnerability leading to the interestingly high rates of BMW thefts recently, nor whether the patch that they applied addresses authentication properly, e.g. validates certificates. william@brodie-tyrrell.org http://www.brodie-tyrrell.org/
The risk? Massive/expensive/complex/reliable(?) technology defeated by ... a piece of string. http://www.avweb.com/avwebflash/news/First-Officer-Lands-Delta-Jet-as-Captain-Locked-Out-of-Cockpit223489-1.html ...like the Martians in War of the Worlds defeated by ... Earthly bacteria. Wikipedia says: ...it is implied they are ignorant of disease <http://en.wikipedia.org/wiki/Disease> and decomposition. It is theorized that their advanced technology eliminated whatever indigenous diseases were present on Mars, and so they no longer remembered their effects. Ultimately, their lack of knowledge or preparation against any bacteria indigenous to Earth causes their destruction here (though the epilogue states they may have successfully invaded Venus by what Wells described as `putrefactive bacteria', which digests organic materials upon death). Lessons from the airplane, from the Martians? Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 [Monty Solomon noted an article on this: http://www.boston.com/travel/2015/01/30/pilot-locked-out-cockpit-during-delta-flight/CV9B8NBqlrC5eRGZtiDsdP/story.html PGN]
Andrew Jacobs, *The New York Times*, 30 Jan 2015, ACM TechNews; 30 Jan 2015 Chinese officials this week took action to block the functioning of several virtual private networks (VPNs) that the country's citizens use to circumvent China's online censorship apparatus. Officials have long tolerated VPNs, which are used by a broad spectrum of Chinese citizens, ranging from business people to academics and scientists to artists. However, the Chinese government has been stepping up its online censorship activities in recent years as part of a push for what it calls "cyber sovereignty," which is the idea that the government has the right to block online content it objects to. The cyber sovereignty campaign has seen the degradation or outright blocking of numerous services Chinese citizens use to communicate with the rest of the world. Chinese scientists and academics are particularly incensed about the difficulty they now face in getting access to Google Scholar. Many within and without China say the government's efforts to block Internet content are proving a major impediment to the government's stated goal of shifting the country's economy away from its reliance on manufacturing and construction to a more entrepreneurial model. The restrictions make it difficult for foreigners to do business and are causing many bright Chinese entrepreneurs to consider leaving the country. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5bdx062061&
Brian Mosley, Sustained Investment in Research Is Needed to Combat Cyberthreats, CISE AD Tells Congress Computing Research Policy Blog, 29 Jan 2015, via ACM TechNews; 30 Jan 2015 In testimony before the U.S. House Science, Space, and Technology Committee's Research and Technology Subcommittee on Tuesday, Computer and Information Science and Engineering (CISE) assistant director Jim Kurose said sustained basic research investment is necessary for countering growing cyberthreats. He also stressed the need for behavioral researchers' participation in this effort, since effective solutions must be social-technical in nature. In addition, Kurose said there must be closer communication between federal agencies, especially the U.S. National Institute of Standards and Technology, and industry in order to get the most up-to-date information on ever-changing threats and best practices. Kurose's views were echoed by all of the witnesses at the hearing, which included both private- and public-sector experts. In response to subcommittee chairwoman Barbara Comstock's (R-VA) query on how Congress should engage with constituents on the cybersecurity issue, witnesses generally agreed everyday people must take a serious view of the threat and use all available security tools. "Utilizing targeted emails, spam, malware, bots, and other tools, cybercriminals, "hacktivists," and nation-states are attempting to access information technology systems all the time," Comstock noted at the hearing. "The defense of these systems relies on professionals who can react to threats and proactively prepare those systems for attack." http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5bfx062061&
Phil Johnson, ACM TechNews, 30 Jan 2015 CSI Computer Science: Your Coding Style Can Give You Away, Phil Johnson, *ITWorld.com*, 28 Jan 2015 Researchers at Drexel University, the University of Maryland, the University of Goettingen, and Princeton University have developed a code stylometry method using natural language processing and machine learning to determine the authors of source code based on coding style. The researchers say the technology could be applicable to a wide range of situations in which ascertaining the originating coder is important, such as helping to identify the author of malicious source code. The researchers say they developed abstract syntax trees derived from language-specific syntax and keywords, which capture a syntactic feature set that "was created to capture properties of coding style that are completely independent from writing style." They tested the code stylometry by gathering publicly available data from Google's Code Jam, taking solutions to several identical problems for a group of users as a training dataset in order to learn the style of each coder. The researchers then looked blindly at solutions the same coders wrote to another problem and tried to identify the author of each. The code stylometry achieved 95-percent accuracy in identifying the author of anonymous code. In addition, the researchers found coding style is better defined when solving harder problems. "This might indicate that as programmers become more advanced, they build a stronger coding style compared to newbies," according to the researchers. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d4fbx2c5c2x062061&
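A small added illustration of the idea (not the researchers' code, which uses a richer feature set and a random-forest classifier): each program is reduced to counts of (parent, child) node-type pairs in its abstract syntax tree, so identifiers, comments and formatting drop out and only structure remains; one profile per author is built from known samples, and an unattributed program is assigned to the author whose profile it is closest to by cosine similarity. The two "authors", their training programs and the held-out programs are constructed here for the demo and solve the same toy tasks, in the spirit of the Code Jam setup described above.

```python
import ast
import math
from collections import Counter


def ast_features(source: str) -> Counter:
    """Syntactic feature vector: counts of (parent-type, child-type) pairs in
    the AST.  Expression-context nodes (Load/Store/Del) are skipped because
    they appear under every Name and would swamp the distinctive structure."""
    feats = Counter()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.expr_context):
            continue
        for child in ast.iter_child_nodes(node):
            if not isinstance(child, ast.expr_context):
                feats[(type(node).__name__, type(child).__name__)] += 1
    return feats


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0


def train(samples: dict) -> dict:
    """One profile per author: the summed feature vector of their known programs."""
    return {author: sum((ast_features(src) for src in srcs), Counter())
            for author, srcs in samples.items()}


def attribute(profiles: dict, source: str):
    """Nearest-centroid attribution: (best_author, {author: similarity})."""
    target = ast_features(source)
    scores = {author: cosine(profile, target) for author, profile in profiles.items()}
    return max(scores, key=scores.get), scores


# Constructed training set: two authors solving the same two tasks in their own style.
SAMPLES = {
    "comprehender": [
        "def squares(xs):\n    return [x * x for x in xs if x > 0]\n",
        "def names(users):\n    return [u.name.lower() for u in users if u.active]\n",
    ],
    "looper": [
        "def squares(xs):\n    out = []\n    for x in xs:\n        if x > 0:\n"
        "            out.append(x * x)\n    return out\n",
        "def names(users):\n    out = []\n    for u in users:\n        if u.active:\n"
        "            out.append(u.name.lower())\n    return out\n",
    ],
}

# Constructed held-out programs: a new task, same two authors, labels withheld.
HELD_OUT = {
    "comprehender": "def evens(xs):\n    return [x for x in xs if x % 2 == 0]\n",
    "looper": "def evens(xs):\n    out = []\n    for x in xs:\n        if x % 2 == 0:\n"
              "            out.append(x)\n    return out\n",
}

PROFILES = train(SAMPLES)

if __name__ == "__main__":
    for truth, src in HELD_OUT.items():
        guess, scores = attribute(PROFILES, src)
        print(f"true={truth:13s} guess={guess:13s} "
              + " ".join(f"{a}={s:.2f}" for a, s in scores.items()))
```

With only two tiny training programs per author the separation already comes from structural pairs such as (Return, ListComp) and (comprehension, Name) versus (For, If) and (Expr, Call); on the real problem the feature set is much larger and the classifier is trained on many authors, but the attribution signal is the same one.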
For many years, I have argued that traffic analysis sets ample precedent to distrust anonymization schemes. It has been well documented in signals intelligence history that associating radio call signs with particular units is not overly difficult by combining observable locations with detection of particular call signs. In the "Computer Security Handbook, Third Edition" (1995, Wiley) and subsequent editions, I noted that such collation hazards were a serious privacy hazard. MIT researchers de Montjoye, Radaelli, Singh, and Pentland have recently reconfirmed this hypothesis. In research recently published in Science, they have illustrated the weakness of commonly used anonymization schemes. Working from credit card transactional data, they were able to identify individual activity without difficulty. From the abstract: "... We study 3 months of credit card records for 1.1 million people and show that four spatiotemporal points are enough to uniquely re-identify 90% of individuals. We show that knowing the price of a transaction increases the risk of re-identification by 22%, on average. Finally, we show that even data sets that provide coarse information at any or all of the dimensions provide little anonymity and that women are more re-identifiable than men in credit card metadata." The implications of this go far beyond credit card transactional data. The complete Science article is at: www.sciencemag.org/content/347/6221/536.full.pdf Bob Gezelter, http://www.rlgsc.com
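The "unicity" measurement the abstract reports can be reproduced on a toy scale. The following is an added example, not the paper's code or data: five users with four hand-made (shop, day) transactions each, and a function that asks, for k of a user's own points, whether any other user's trace also contains all k of them, averaged over every k-subset of every user. It also shows the abstract's last point, that coarsening a dimension (here, day to week; the 7-day bucketing is an assumption) buys little anonymity: the traces of two pairs of users collapse onto each other, but the remaining user is still unique.

```python
from fractions import Fraction
from itertools import combinations

# Constructed toy "credit card metadata": (user, shop, day).  Small enough
# to check by hand; nothing here comes from the Science paper's data set.
RECORDS = [
    ("alice", "bakery", 1), ("alice", "cafe", 1), ("alice", "gym", 2), ("alice", "bookshop", 3),
    ("bob", "bakery", 1), ("bob", "cafe", 1), ("bob", "gym", 2), ("bob", "cinema", 3),
    ("carol", "bakery", 1), ("carol", "cafe", 2), ("carol", "gym", 3), ("carol", "bookshop", 3),
    ("dave", "bakery", 1), ("dave", "cafe", 2), ("dave", "pharmacy", 4), ("dave", "cinema", 5),
    ("erin", "bakery", 2), ("erin", "cafe", 2), ("erin", "gym", 3), ("erin", "cinema", 5),
]


def fine(shop, day):
    """Full resolution: the point is (shop, exact day)."""
    return (shop, day)


def by_week(shop, day):
    """Coarsened time dimension: (shop, 7-day bucket).  The bucket width is an assumption."""
    return (shop, (day - 1) // 7)


def traces(records, coarsen=fine):
    """{user: set of spatiotemporal points}, after optional coarsening."""
    out = {}
    for user, shop, day in records:
        out.setdefault(user, set()).add(coarsen(shop, day))
    return out


def unicity(records, k, coarsen=fine):
    """Expected fraction of users re-identified by k of their own points.

    For each user, every k-subset of their trace is tested: it is 'unique' if
    no other user's trace contains all k points.  The per-user unique fraction
    is the probability that k randomly chosen points of theirs pin them down;
    the result is the mean over users (users with fewer than k points count as
    not identifiable).  Exact rational arithmetic keeps the toy values checkable.
    """
    tr = traces(records, coarsen)
    total = Fraction(0)
    for user, points in tr.items():
        subsets = list(combinations(sorted(points), k))
        if not subsets:
            continue
        others = [pts for u, pts in tr.items() if u != user]
        unique = sum(1 for s in subsets
                     if not any(set(s) <= pts for pts in others))
        total += Fraction(unique, len(subsets))
    return total / len(tr)


def summary(records):
    """Unicity at k = 1..4 for the fine and the week-coarsened data."""
    return {k: (float(unicity(records, k)), float(unicity(records, k, by_week)))
            for k in range(1, 5)}


if __name__ == "__main__":
    for k, (exact, weekly) in summary(RECORDS).items():
        print(f"k={k}: unicity={exact:.2f}  (day->week coarsened: {weekly:.2f})")
```

On this data unicity climbs from 0.15 at one point to 0.90 at three and 1.0 at four; bucketing days into weeks drops the four-point figure to 0.20 only because the toy traces were built to coincide exactly, and the paper's finding is that on real data the drop is far smaller. The checking logic, "does any other trace contain all k points", is the one to reuse when evaluating a proposed anonymised release before it goes out.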
Howard Solomon, *IT Business*, 29 Jan 2015 http://www.itbusiness.ca/news/80-per-cent-of-canadians-will-choose-a-business-on-its-privacy-reputation-survey-says/53526
Jeremy Kirk, *Infoworld*, 30 Jan 2015 A flaw in the GNU C Library can be exploited remotely for full control and should be patched as soon as possible, according to Qualys. A fault in a widely used component of most Linux distributions could allow an attacker to take remote control of a system after merely sending a malicious email. http://www.infoworld.com/article/2876105/security/ghost-vulnerability-poses-high-risk-to-linux-distributions.html
The US Federal Trade Commission staff has issued "Internet of Things: Privacy and Security in a Connected World", a report from a workshop on the security and privacy issues of Internet-enabled devices and sensors. The FTC Report is at: http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf Bob Gezelter, http://www.rlgsc.com
John Bohannon, *Science Magazine* FYI—Some NSA employees are already in violation of both the ACM and IEEE codes of ethics, and to the extent that NSA helps with the CIA assassination drone program, some NSA employees may also be involved in war crimes. If these professional organizations' codes of ethics are to have any meaning, whatsoever, it is now time for the ethics committees of these professional organizations to stand up and be counted. As a result of the Nuremberg Trials, "it is not an acceptable excuse to say 'I was just following my superior's orders'". [HB] https://en.wikipedia.org/wiki/Nuremberg_principles http://www.sciencemag.org/content/347/6221/495.full.pdf Breach Of Trust After the Snowden revelations, U.S. mathematicians are questioning their long-standing ties with the secretive National Security Agency John Bohannon IN THE WAKE of the Snowden revelations, most of the media attention has focused on NSA's large-scale harvesting of data from U.S. citizens. But it is a more obscure exploit that concerns Hales and many other mathematicians: what they see as an attack on the very heart of modern Internet security. When you check your bank account online, for example, the information is encrypted using a series of large numbers generated by both the bank server and your own computer. Generating random numbers that are truly unpredictable requires physical tricks, such as measurements from a quantum experiment. Instead, the computers use mathematical algorithms to generate pseudorandom numbers. Although such numbers are not fundamentally unpredictable, guessing them can require more than the world's entire computing power. As long as those pseudorandom numbers are kept secret, the encoded information can safely travel across the Internet, protected from eavesdroppers—including NSA. But the agency appears to have created its own back door into encrypted communications. ... 
But it received little attention until internal NSA memos made public by Snowden revealed that NSA was the sole author of the flawed algorithm and that the agency worked hard behind the scenes to make sure it was adopted by NIST.
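The algorithm at issue is the elliptic-curve generator Dual_EC_DRBG from NIST SP 800-90A. The following is an added illustration, not from the article and not the standard's parameters: a deliberately tiny curve (p = 1000003, a = 1, b = 6, trapdoor e = 12345 and the seed are all values picked for the demo) so that the attack runs instantly. The generator's state update is s <- x(s*P) and each output is x(s*Q) with its top bits dropped; whoever chose Q = e⁻¹... more precisely, whoever knows e with P = e*Q can take one output, rebuild the point s*Q, multiply by e to get s*P, and so learn the next state and every output after it. Real Dual_EC works over P-256 and discards 16 of 256 bits per output; here 4 of 20 bits are discarded so the same small brute-force step over the missing bits is visible.

```python
# Toy Dual_EC_DRBG with a known trapdoor.  All parameters below are assumptions
# chosen for the demonstration, not the NIST constants.
P_MOD = 1000003              # prime, and P_MOD % 4 == 3, so sqrt is one exponentiation
A, B = 1, 6                  # curve y^2 = x^3 + A*x + B over GF(P_MOD)
OUT_BITS = 16                # bits of x(s*Q) revealed per output (top bits dropped)
MASK = (1 << OUT_BITS) - 1
TRAPDOOR = 12345             # e such that P = e*Q; the "back door" secret


def inv(a):
    return pow(a, P_MOD - 2, P_MOD)


def rhs(x):
    return (x * x * x + A * x + B) % P_MOD


def sqrt_mod(a):
    """Square root mod P_MOD, or None if a is a non-residue."""
    a %= P_MOD
    r = pow(a, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == a else None


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def find_point(x):
    """First curve point with x-coordinate >= x and y != 0."""
    while True:
        y = sqrt_mod(rhs(x))
        if y:
            return (x, y)
        x += 1


Q = find_point(7)
P = mul(TRAPDOOR, Q)          # the published pair (P, Q) hides the relation P = e*Q


class DualEC:
    """Dual_EC_DRBG core loop (no additional input, no reseeding)."""

    def __init__(self, seed):
        self.s = seed % P_MOD

    def output(self):
        self.s = mul(self.s, P)[0]           # s <- x(s*P)
        return mul(self.s, Q)[0] & MASK      # r <- x(s*Q), top bits dropped


def recover_state(out1, out2, e):
    """From two consecutive outputs, recover the state that produced out2.

    Each guess of the dropped high bits gives a candidate x; if it lies on the
    curve the point is +-(s*Q), and e*(s*Q) = s*P has x-coordinate equal to the
    next state.  out2 is used only to discard wrong guesses."""
    for hi in range(1 << (P_MOD.bit_length() - OUT_BITS)):
        x = (hi << OUT_BITS) | out1
        if x >= P_MOD:
            break
        y = sqrt_mod(rhs(x))
        if y is None:
            continue
        next_point = mul(e, (x, y))          # = s*P up to sign; x is sign-independent
        if next_point is None:
            continue
        s_next = next_point[0]
        pred = mul(s_next, Q)
        if pred is not None and (pred[0] & MASK) == out2:
            return s_next
    return None


if __name__ == "__main__":
    gen = DualEC(4242)
    o1, o2 = gen.output(), gen.output()
    s2 = recover_state(o1, o2, TRAPDOOR)
    print("recovered state matches:", s2 == gen.s)
    clone = DualEC(s2)
    print("next outputs predicted:", [clone.output() for _ in range(3)] == [gen.output() for _ in range(3)])
```

The point of the demonstration is that nothing about the generator's arithmetic is weak; the weakness is entirely in who chose Q relative to P. An implementation that generates its own Q, or that drops far more than 16 bits per output, removes the trapdoor but is no longer the standardised algorithm, which is why the fix in practice was to stop using it.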
Candice So, *IT Business*, 29 Jan 2015 The Canadian Radio-television and Telecommunications Commission (CRTC) has ruled it's no longer going to allow cellphone service providers to give special treatment to their own TV content when consumers stream it from wireless devices. http://www.itbusiness.ca/article/crtc-bans-bell-videotron-from-giving-their-customers-subsidies-for-watching-their-content-on-mobile-devices
FYI—"Lost contact with drone" will become the new excuse for U.S. errant drone kills in the Middle East... [Was this stunt calculated to create controversy so that consumer drones will get regulated? If this fall guy were to spend a year in prison, it would at least raise the cost for future false flag operations like this one. (HB, slightly PGN-ed)] Michael D. Shear, *The New York Times*, 29 Jan 2015 http://www.nytimes.com/2015/01/30/us/man-lost-contact-with-drone-before-it-sped-to-white-house-friend-says.html
http://www.telegraph.co.uk/technology/apple/11369711/Why-your-expensive-headphones-will-be-obsolete.html Matthew Sparkes, Deputy Head of Technology, *The Telegraph*, 27 Jan 2015 http://www.telegraph.co.uk/journalists/matthew-sparkes/ Will your expensive new headphones soon be obsolete? ... switchboards, so it should be no surprise that mobile phones will soon drop it. But many will be left holding expensive and obsolete headphones, says Matthew Sparkes. An item in yesterday's newspaper (27 Jan 2015) about headphone connections for smartphones, tablets, etc. In summary, it says that the 3.5mm jack plug has been standard since the days of cassette Walkmans, but it is likely to be soon replaced by proprietary connectors. Good news is that power and digital audio can be fed directly to the headphones, potentially giving better sound quality, while eliminating the (relatively) bulky 3.5mm socket means yet-thinner smartphones. Bad news is if headphones have brand-specific connectors and software, so upgrading your smartphone/tablet means changing your headphones as well (or vice versa). Personally I've also long found model-specific accessories (e.g. batteries, AC mains adapters) to be an irritation with other equipment. [...]
In RISKS-28.47, Danny Burstein raised his eyebrows at the idea of "rely[ing] on a system under the complete control of another nation". From the CIA World Factbook, World population: 7,174,611,584 (how do they measure so precisely???) US population: 318,89_,___ (given to two places in millions) Russian population: 142,47_,___ This means that 93.5%+ of the world's population has no choice but to rely on a foreign-controlled global navigation system.
Long ago, I was asked for advice on penetrating IBM's VM mainframe operating system. (Don't confuse this with today's VMware.) This was a contract evaluating security at a government installation running multiple classification levels simultaneously; the data center manager claimed that VM's (very robust) virtualization reliably isolated work areas. I suggested that before trying anything technical, the pen-test staffer check for egregious screwups, for example by starting at a public file area ("minidisk"), scanning all programs found for links to other minidisks, scanning them, and so on, to see what baubles might be found. A couple of days later he dropped a printout of the system directory on the manager's desk. Either default link passwords for crown jewels were still in place or someone had expediently coded real passwords in publicly available programs -- so anyone on the system could access everything on the system. Either way, another demonstration that "simple" often cracks the safe. Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
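The procedure described above, as an added, constructed model (not Goldberg's actual method, and no real directory): a system directory mapping each minidisk to its read password, the files stored on each disk, a short list of assumed install-time default passwords, and a crawler that starts from whatever is public or default-protected, harvests every `LINK ... PASS=` it can read, follows each link it can actually open, and repeats until nothing new is reachable. The directory entries, file contents, the simplified CP LINK syntax (`LINK [TO] userid vaddr1 [AS] vaddr2 [mode] PASS= password`) and the default-password list are all invented for the example. The same loop, with a different regex and a different "try_link", is how you would audit any shared drive or repository for credentials that chain onward.

```python
import re
from collections import deque

# Constructed toy system directory: (owner, vaddr) -> read password.
DIRECTORY = {
    ("MAINT", "19E"): "ALL",       # public tools disk, readable by anyone
    ("HRDATA", "191"): "RPASS",    # still carries the assumed install default
    ("PAYROLL", "191"): "S3CR3T",
    ("CLASSIF", "191"): "TOPSEC",
    ("AUDIT", "191"): "Z7Q2X9",    # strong, and never written into any EXEC
}

# Constructed file contents per disk.  The EXECs embed a simplified CP LINK.
FILES = {
    ("MAINT", "19E"): {
        "REPORT EXEC": "/* monthly report */\n"
                       "'CP LINK TO PAYROLL 191 AS 201 RR PASS= S3CR3T'\n"
                       "'ACCESS 201 B'\n",
        "HELLO EXEC": "/* harmless */\nsay 'hello'\n",
    },
    ("PAYROLL", "191"): {
        "EXPORT EXEC": "'CP LINK CLASSIF 191 301 RR PASS= TOPSEC'\n",
    },
    ("HRDATA", "191"): {"EMP DATA": "...employee records..."},
    ("CLASSIF", "191"): {"PLAN DOC": "...crown jewels..."},
    ("AUDIT", "191"): {"LOG DATA": "..."},
}

PUBLIC = "ALL"                          # assumed: this read password means "anyone"
DEFAULT_PASSWORDS = ["RPASS", "WPASS"]  # assumed install defaults worth trying first

# LINK [TO] userid vaddr1 [AS] vaddr2 [mode] PASS= password   (simplified, assumed)
LINK_RE = re.compile(
    r"\bLINK\s+(?:TO\s+)?(\w+)\s+(\w+)\s+(?:AS\s+)?\w+(?:\s+\w+)?\s+PASS=\s*(\w+)",
    re.IGNORECASE,
)


def harvest_links(text):
    """All (owner, vaddr, password) triples hard-coded in one file."""
    return [(m.group(1).upper(), m.group(2).upper(), m.group(3))
            for m in LINK_RE.finditer(text)]


def try_link(target, password, directory):
    """Assumed semantics: a read link succeeds iff the password matches the directory."""
    return directory.get(target) == password


def crawl(directory, files, defaults):
    """Breadth-first: everything public or default-protected, then everything
    reachable through passwords found in files already reachable.
    Returns {disk: how it was reached}."""
    reachable = {}
    queue = deque()

    def gain(disk, how):
        if disk not in reachable:
            reachable[disk] = how
            queue.append(disk)

    # Step 0: no harvested credentials yet, only public access and defaults.
    for disk in directory:
        for pw in [PUBLIC] + list(defaults):
            if try_link(disk, pw, directory):
                gain(disk, f"link password {pw!r} (public/default)")
                break

    # Steps 1..n: read every reachable disk, follow every link its files leak.
    while queue:
        disk = queue.popleft()
        for fname, text in files.get(disk, {}).items():
            for owner, vaddr, pw in harvest_links(text):
                if try_link((owner, vaddr), pw, directory):
                    gain((owner, vaddr), f"PASS= in {fname} on {disk[0]} {disk[1]}")
    return reachable


if __name__ == "__main__":
    for disk, how in crawl(DIRECTORY, FILES, DEFAULT_PASSWORDS).items():
        print(f"{disk[0]:8s} {disk[1]}: {how}")
    print("unreached:", sorted(set(DIRECTORY) - set(crawl(DIRECTORY, FILES, DEFAULT_PASSWORDS))))
```

In the toy directory the public tools disk leaks PAYROLL's password, PAYROLL's own EXEC leaks CLASSIF's, and HRDATA falls to a default; only AUDIT, whose password was never written down anywhere readable, stays closed. That last case is the check worth keeping: the crawl's output is a list of disks whose protection rests on a secret that is sitting in a file someone else can read.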
Regarding the plofkraak, I suspect the item below is this occurring in Australia: http://www.abc.net.au/news/2014-12-30/winnellie-atm-robbery-man-knocked-backwards-by-explosion/5992498