http://techonomy.com/2015/02/can-open-source-voting-tech-fix-u-s-election-systems American voting technology is trapped in the last millennium. This lifeline to democracy is kept secret—closed off from public inspection and controlled by large businesses. It is decades old to boot. Our voting methods ought to be at least as cutting edge as our selfie apps, but they're not. "Our nation's elections systems and technology are woefully antiquated. They are officially obsolete," says Greg Miller of the TrustTheVote Project, an initiative to make our voting system accurate, verifiable, transparent, and secure. He adds: "It's crazy that citizens are using twentieth-century technology to talk to government using twentieth-century technology to respond." Miller and others are on a mission to change that with an entirely new voting infrastructure built on open-source technology. They say open source, a development model that's publicly accessible and freely licensed, has the power to upend the entire elections technology market, dislodging incumbent voting machine companies and putting the electorate at the helm. With Miller's system, we'd still go to the polls to vote and use a machine to cast our ballot. But the software on that machine would be completely open to public inspection. While coders wouldn't be able to edit or tamper with the code, technically literate citizens would be able to, in effect, cross-examine the processes tabulating all of our votes, verifying their integrity and assuring accountability. The organization behind TrustTheVote, the Open Source Elections Technology Foundation (OSET), believes open-source voting software can instill confidence that people's votes are being counted. "Make that machine a glass box instead of a black box," says Miller, who chairs OSET. He says that will get more voters to the polls.
Other organizations like the California Association of Voting Officials (CAVO) are also working to bring open-source principles to American elections. "Every ballot that's cast in the United States is counted by a machine, so we owe it to the voters and the public to use the most secure, most transparent, most auditable technology," says former CAVO President Kammi Foote, who is also the elected registrar of voters for Inyo County, California. "Open source has proven itself in the private sector," says Foote. "Now governments around the world are starting to look at open source as a good business model." [Long item PGN-truncated for RISKS. Of course, open-source systems would be a huge advance over proprietary vendor-controlled systems, but are of course only one piece of the puzzle that also involves compromised registration processes, gerrymandering, insider manipulations, unlimited contributions for the best elections money can buy, and many other risks. PGN]
http://lauren.vortex.com/archive/001085.html I'm opposed to capital punishment for a whole slew of reasons, but every time I hear about a hack attack exposing masses of innocent persons' information, I find myself reconsidering that penalty—not for the hackers, but for the irresponsible system administrators and their bosses who leave their operations so incredibly exposed when effective solutions are available—and have been for quite some time. OK, perhaps capital punishment for them would be going a bit too far, but I'll bet that spending a couple of years shackled in a cell with their new best friend "Bubba" would impress upon them the seriousness of the situation. If we look at what is publicly known about the recent Sony hack, and the just announced and potentially much more devastating Anthem attack—plus a whole list of other similar mass data thefts, a number of common threads quickly emerge. First, these typically have nothing to do with failures of communications link security. They weren't attacks on SSL/TLS, they didn't involve thousands of supercomputer instances chomping on data for months to enable the exploits. Nor were they in any way the fault of weak customer passwords -- which are bad news for those customers of course, but shouldn't enable mass exploits. By and large, what you keep hearing about these cases is that they were based on the compromise of administrative credentials. What this means in plain English is that an attacker managed to get hold of some inside administrator's login username and password, typically via email phishing or some other "social engineering" technique. When these successful attacks are belatedly reported to the affected customers and the public, they're almost always framed as "incredibly sophisticated" in nature. That's usually bull, a way to try to convince people that "Golly, those hackers were just so incredibly smart that even our crack IT team didn't have a chance against them!"
Usually though, the attacks are incredibly unsophisticated—they're simply relentless and keep pounding away until somebody with high level administrative access falls for them. Then, boom! It's often argued that important financial and similar data should be kept encrypted—and this is certainly true. But so long as system administrators have the need and ability to access data in the clear, encryption alone doesn't address these problems. Rigorous control and auditing systems to prevent unnecessary access to data en masse can also help ("Does Joe really need to copy 80 million customer records to a Dropbox account?")—but this won't by itself solve the problem either. The foundational enabling feature of so many successful mass attacks is failure of authentication protocols and processes in the broadest sense, and ironically, getting a handle on authentication is at least relatively straightforward. Many firms aren't terribly interested in implementing even middling quality authentication, because they have faith in their firewalls to keep external attacks at bay. This is an incredibly risky attitude. Over-reliance on firewalls—that is, perimeter computer security—is sucker bait, because once an intruder obtains high level administrative credentials, they can often plant software inside the firewall, and send data out in various ways with relative impunity. After all, most corporate firewalls are designed to keep outsiders out, not to wall insiders off from the public Internet. To put this another way, a properly designed security system should in most instances be location agnostic—employees should be able to work from home with the same (hopefully high) level of security they would have at the office. This isn't to say that secure deployment and administration of VPNs and associated systems are trivial, but they aren't rocket science, either.
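The "Does Joe really need to copy 80 million customer records" question above is the kind of thing an access-audit rule can actually ask. The following is an added example, not code from the RISKS item or from any of the firms it discusses: it runs three rules over a handful of constructed audit-log lines (the log format, account names, thresholds and destination allow-list are all assumptions made for the example) and flags single oversized exports, exports to destinations outside an allow-list, and cumulative export volume per account inside a 24-hour window.

```python
"""Bulk-access detection over constructed audit-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, account, event, row count, destination.
SAMPLE_LOG = """\
2015-02-06T02:13:05Z joe.admin query rows=120 dst=internal
2015-02-06T02:14:11Z joe.admin export rows=80000000 dst=dropbox.com
2015-02-06T09:01:42Z alice.dba export rows=2000000 dst=reports.corp.example
2015-02-06T13:05:10Z alice.dba export rows=2000000 dst=reports.corp.example
2015-02-06T17:20:00Z alice.dba export rows=2000000 dst=reports.corp.example
2015-02-06T10:10:10Z bob.ops query rows=10 dst=internal
"""

# Assumed policy values for the example, not anyone's real thresholds.
BULK_ROW_THRESHOLD = 10_000_000        # one export this large is always suspicious
WINDOW = timedelta(hours=24)
WINDOW_ROW_THRESHOLD = 5_000_000       # many smaller exports add up
TRUSTED_DESTINATIONS = {"internal", "reports.corp.example"}  # constructed allow-list


def parse_line(line):
    """Parse one constructed audit line into a dict."""
    ts, account, event, rows, dst = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "event": event,
        "rows": int(rows.split("=", 1)[1]),
        "dst": dst.split("=", 1)[1],
    }


def detect(log_text):
    """Return a list of (account, reason) alerts, one per triggering rule."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    per_account = defaultdict(list)  # sliding window of (timestamp, rows) per account
    for e in events:
        if e["event"] != "export":
            continue  # plain queries are not in scope for these rules
        # Rule 1: a single oversized export.
        if e["rows"] >= BULK_ROW_THRESHOLD:
            alerts.append((e["account"], f"bulk export of {e['rows']} rows"))
        # Rule 2: export to a destination that is not on the allow-list.
        if e["dst"] not in TRUSTED_DESTINATIONS:
            alerts.append((e["account"], f"export to untrusted destination {e['dst']}"))
        # Rule 3: cumulative rows exported by this account within the window.
        window = per_account[e["account"]] + [(e["ts"], e["rows"])]
        window = [(t, r) for t, r in window if e["ts"] - t <= WINDOW]
        per_account[e["account"]] = window
        total = sum(r for _, r in window)
        if total >= WINDOW_ROW_THRESHOLD:
            alerts.append((e["account"], f"{total} rows exported within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for account, reason in detect(SAMPLE_LOG):
        print(f"ALERT {account}: {reason}")
```

On the constructed sample, joe.admin trips all three rules with one 80-million-row export to an outside host, while alice.dba trips only the cumulative rule on her third 2-million-row export. Rule 3 is the one that catches the slow-drip case that a single-export threshold misses.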
Yet the real elephant in the room is at the basic authentication level, the usernames and passwords that most firms still rely upon as their only means of administrator authentication on their internal systems. And so long as this is the case, we're going to keep hearing about these mass attacks. Yes, you can try to force employees to choose better passwords. But passwords that are hard to remember get written down, and forcing them to be changed too often can make matters worse rather than better. The problem cannot be solved with passwords alone. And—"surprise, surprise, surprise" (as Gomer Pyle used to say—go ahead, Google him)—the technology to drastically improve the authentication environment not only exists, but is already in use in many applications that arguably are of a less critical nature in most cases than financial and insurance data. I'm speaking of 2-factor or "multiple factor" authentication/verification systems, the requirement that system access is based on "something you know" and "something you have"—not on just one or the other. One of the best implementations of 2-factor is that deployed by Google, which offers a variety of means for fulfilling the "what you have" requirement—text messages, phone calls, phone apps, and cryptographic security keys. https://www.google.com/landing/2step/#tab=how-it-works Different forms of multiple factor have varying relative levels of protection. For example, the use of "one time passwords" generated by apps or hardware tokens is not absolutely phishing-proof, but is a damned sight better than a conventional username and password pair alone. Security keys, which can interface with user systems via USB or in some cases NFC (Near Field Communications) technology, are the most secure method to date, and a single key can protect a whole variety of accounts—even at different firms—while still keeping the associated credentials isolated from one another. And this brings us back to Bubba.
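The paragraph above ranks one-time passwords below security keys without saying why. The added example below (not code from the RISKS item, and not Google's 2-Step Verification implementation) puts the two side by side: a TOTP generator and verifier per RFC 6238, checked against the RFC's own test vector, and a simplified origin-bound challenge-response in which the "key" only answers for origins it was registered with and folds that origin into every response. The origins, challenge value and per-origin secrets are constructed; the HMAC stand-in replaces the per-site asymmetric key pair a real security key would use, purely to stay within the standard library.

```python
"""TOTP (RFC 6238) beside an origin-bound challenge-response (added example)."""
import hashlib
import hmac
import struct

# --- Factor A: time-based one-time password (RFC 4226 HOTP / RFC 6238 TOTP) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the Unix time."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side to absorb clock drift.
    Note what is NOT checked: where the user typed the code."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-skew, skew + 1))

# --- Factor B: origin-bound challenge-response (simplified security key) ---
class SecurityKey:
    """Stand-in for a hardware key. Real keys hold an asymmetric key pair per
    registered site; here a per-origin HMAC secret plays that role (assumption
    made for the example). The browser-supplied origin is part of every response."""
    def __init__(self):
        self._per_origin = {}

    def register(self, origin: str) -> bytes:
        # Derive an isolated credential for this origin; the server keeps a copy.
        self._per_origin[origin] = hashlib.sha256(f"cred:{origin}".encode()).digest()
        return self._per_origin[origin]

    def sign(self, seen_origin: str, challenge: bytes) -> bytes:
        # The key refuses outright for an origin it has no credential for,
        # and binds the origin it was given into the response it does produce.
        secret = self._per_origin.get(seen_origin)
        if secret is None:
            raise KeyError(f"no credential for {seen_origin}")
        return hmac.new(secret, seen_origin.encode() + b"|" + challenge, hashlib.sha256).digest()

def verify_assertion(server_origin: str, registered: bytes, challenge: bytes, sig: bytes) -> bool:
    """The server recomputes over ITS origin; a response made for any other origin fails."""
    expected = hmac.new(registered, server_origin.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def demo() -> dict:
    """Walk through both factors and return the observations as a dict."""
    results = {}
    secret = b"12345678901234567890"          # the RFC 4226/6238 test secret
    results["rfc_vector"] = totp(secret, 59, digits=8)   # RFC 6238 expects 94287082
    now = 1_423_440_000                       # constructed timestamp, Feb 2015
    code = totp(secret, now)
    # A valid code is accepted no matter which page the user read it off to:
    results["otp_accepted_without_origin"] = verify_totp(secret, code, now + 10)

    key = SecurityKey()
    real, lookalike = "https://bank.example", "https://bank-example.test"  # constructed
    registered = key.register(real)
    challenge = b"constructed-nonce-42"
    results["genuine_ok"] = verify_assertion(real, registered, challenge, key.sign(real, challenge))
    try:                                      # key never registered with the look-alike
        key.sign(lookalike, challenge)
        results["lookalike_signed"] = True
    except KeyError:
        results["lookalike_signed"] = False
    # Even a response the key would make for another registered origin is useless at the bank:
    key.register(lookalike)
    foreign = key.sign(lookalike, challenge)
    results["cross_origin_rejected"] = not verify_assertion(real, registered, challenge, foreign)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The contrast is in the two verifiers: `verify_totp` has no notion of origin, so a correct code is correct wherever it was entered, which is exactly the gap the article means by "not absolutely phishing-proof"; `verify_assertion` recomputes over the server's own origin, so a response produced for any other origin (or none at all, since the key refuses unknown origins) cannot satisfy it.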
While one never wants unnecessary mandates and legislation, sometimes you can't depend on industry to always "do the right thing" when it comes to security, when the intrinsic costs for the sloppy status quo are relatively low. So while some countries and U.S. states do have laws about encryption of customer data, or notification of customers when breaches occur, there is little sense of closing the barn door before—not after—the cows have escaped. After all, these careless firms usually have pretty easy outs when big breaches occur. They offer you free "credit monitoring" after the fact. Gee, thanks guys. They usually manage to pass along associated costs and fines to their customers. Another big thank you punch to the gut. How to really get their attention? Maybe they'd notice potential prison time for top executives of firms that deal primarily with sensitive consumer personal information (like banks, insurance companies, and so on) who voluntarily refuse to implement appropriate, modern internal security controls—such as strong multiple factor logins—and then suffer mass consumer data hacks as a result. I'm not even arguing here and now that they must provide such systems to their individual customers—though they really, seriously should. Nor am I suggesting such sanctions for failure of security systems that were deployed and operating competently and in good faith. After all, no security tech is perfect. But I am putting forth the "modest proposal" that these types of firms be given some reasonable period of time to implement internal security systems including strong multiple factor verification, and if they refuse to do so and then suffer a mass data breach, the associated executives should be spending some time in the orange or striped jumpsuits. Perhaps that prospect will light a fire under their you-know-whats. Now, do I really believe it's likely that anything of this sort will actually come to pass? 
Hell no, after all, these are the kinds of firms that basically own our politicians. But then again, if enough of these mass data thefts keep occurring, and enough people get seriously upset, the dynamic might change in ways that would have seemed fanciful only a few years earlier. So despite the odds, my free advice to those execs would be to get moving on those internal multiple factor authentication systems now, even in the absence of legislative mandates requiring their use. Because, ya' know, Bubba will be patiently waiting for you.
Peerj via NNSquad "We conclude that developers limit themselves to using goto appropriately in most cases, and not in an unrestricted manner like Dijkstra feared, thus suggesting that goto does not appear to be harmful in practice." https://peerj.com/preprints/826v1/
Aaron M. Kessler, *The New York Times*, 9 Feb 2015 Serious gaps in security and customer privacy affect nearly every vehicle that uses wireless technology, according to a report being released by Senator Edward J. Markey. The report concludes that security to prevent hackers from gaining control of a vehicle's electronics is "inconsistent and haphazard" and that the majority of automakers do not have systems that can detect breaches or quickly respond to them. [PGN-ed] This should not be news to RISKS readers, but does show that someone in the Senate actually cares. Next maybe they'll get to the Internet of Things, the Smart Grid, the Critical National Infrastructures, and everything else. Tomorrow of course is President Obama's Cybersecurity Summit at Stanford.
Massive increase in attacks on Utah state government attributed to presence of NSA's datacenter. http://www.sltrib.com/news/2135491-155/massive-utah-cyber-attacks-may-be
Ars via NNSquad http://arstechnica.com/tech-policy/2015/02/sites-featuring-terrorism-or-child-pornography-to-be-blocked-in-france/ "Now, the General Directorate of the National Police and its cybercrimes unit will be able to request that sites serving terrorist or pedophilia-related content be blocked by Internet Service Providers serving people in France and its territories. ISPs then have to comply with the request within 24 hours. ISPs will be able to request compensation from the French government for any extra costs incurred in blocking the sites." Sorry, France! Not only is that not going to work, but you'll actually be making matters worse. Typical.
Ars via NNSquad http://arstechnica.com/business/2015/02/internet-providers-lobby-against-backup-power-rules-for-phone-lines/ "The Federal Communications Commission is considering whether to impose backup power requirements on Internet providers that offer phone service, but cable companies and telcos don't want to be required to keep customers connected through long power outages." - - - And this, boys and girls, demonstrates most clearly and decisively the depths of degradation of the dominant ISPs—cable cos, and telcos. Remember, the telcos are lobbying the FCC to eliminate landline requirements and have been aggressively forcing customers to move to cable, wireless, and fiber-based systems that are far less reliable than copper in emergencies. Depending on consumers to keep backup systems running is a recipe for utter disaster—yes, and deaths. Having been through two major earthquakes here in L.A., this isn't just a theoretical concern to me.
Aaron M. Kessler, *The New York Times*, 8 Feb 2015 Washington—Serious gaps in security and customer privacy affect nearly every vehicle that uses wireless technology, according to a report set to be released on Monday by a senator's office. http://www.nytimes.com/2015/02/09/business/report-sees-weak-security-in-cars-wireless-systems.html
http://www.nytimes.com/2015/02/09/technology/uncovering-security-flaws-in-digital-education-products-for-schoolchildren.html The law has long treated educational information as a category worthy of special protections, like credit or medical records, but the reality is often different.
Candice So, *IT Business*, 6 Feb 2015 The new Microsoft Outlook app for iOS may be the one of the best email apps to come out in a while—but according to IT security professionals, it also presents myriad privacy issues. [...]
for All Windows Versions Ars Technica reports that Microsoft recently patched a remote code execution exploit affecting ALL versions of Windows released over the last 15 years. The report indicates that there are patches available for all versions of Windows, except for Windows 2003. The flaw, named Jasbug by its discoverer, is classified as Microsoft MS15-011. It reportedly allows users who are able to examine traffic at an intermediate point to launch a man-in-the-middle attack against the client machine, inserting executable code. From the article: "All computers and devices that are members of a corporate Active Directory may be at risk," warned a blog post published Tuesday by JAS Global Advisors, one of the firms that (along with simMachines) reported the bug to Microsoft in January 2014. "The vulnerability is remotely exploitable and may grant the attacker administrator-level privileges on the target machine/device. Roaming machines—Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN))—are at heightened risk." http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-execution-in-all-versions-of-windows/
*Medium* via NNSquad https://medium.com/backchannel/how-a-lone-hacker-shredded-the-myth-of-crowdsourcing-d9d0534f1731 "Meet Adam. He's a mid-level engineer at a mid-level software company in a cookie-cutter California office park. He can code a handful of languages, has a penchant for computer vision and enjoys soccer and skiing. In short, Adam has little to distinguish him from legions of other programmers in the Bay Area. Except that over a couple of nights in 2011, he stopped thousands of people from sharing in $50,000, nudged the American military in a new direction, and may have changed crowdsourcing forever."
The Verge via NNSquad http://www.theverge.com/2015/2/10/8013531/jeb-bush-florida-email-dump-privacy "Jeb Bush, a rumored 2016 Republican presidential candidate, just decided to publish hundreds of thousands of emails sent to him during his time as governor of Florida. On its face it seems like a great idea in the name of transparency, but there's one huge problem: neither Bush nor those who facilitated the publication of the records, including the state government, decided to redact potentially sensitive personal information from them."
In explaining the importance of heterogeneous redundant systems (a concept still very alien to many it seems) I want to defer to an air crash disaster I remember caused by the secondary and tertiary cabin-pressure outflow-valve controllers on a commercial airliner all being from the same supplier as the primary, and all with the same fault. I was wrong in associating this with the crash of Helios Flight 522 (which turned out to be cost-cutting use of the same alarm for two very different situations in cabin pressure). I can now not find an example of aircraft safety requirements anywhere that assert outflow valve controllers must be diverse but conforming implementations provided by different companies. It's a nice simple example for non-IT people. Do any RISKS readers recall the outflow valve case that has slipped my mind?
> Many people use icons in text messages ... at which point the message ceases to be a text message. In other news, adding salt to water makes water salty, and sticking hand in fire make hand hurtz. This is a very bad mis-quote: people *don't* use icons in text messages, they use [semi]colon-[dash-]parenthesis chords. The article itself is about helpful DWIM apps combined with a lack of clear indication of what's going on, combined with "no hidden charges" regulations that exist where the article was published.