Here's another item on the general theme of the pervasiveness of security vulnerabilities. http://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html
http://www.nytimes.com/2015/04/23/us/politics/computer-attacks-spur-congress-to-act-on-cybersecurity-bill-years-in-making.html The House is expected to pass a bill pushing companies to share data with federal investigators in the wake of breaches at Sony, Target and the health insurer Anthem. [So, these companies—and the Congress—might eventually realize that every computer system connected to the Internet is inherently vulnerable, as well as all the systems not even connected? And that ubiquitous abilities for surveillance can only make it worse? PGN]
*The Washington Post*, 22 Apr 2015 http://www.washingtonpost.com/news/morning-mix/wp/2015/04/22/how-computerized-trading-in-the-hands-of-a-nobody-in-britain-allegedly-crashed-the-stock-market/
It's a common refrain among car buyers: “Why do I need a built-in navigation system when I can use the maps app on my smartphone?” Now automakers are answering, turning factory-installed navigation systems and the maps that support them into crucial components of new advanced driver assistance systems (ADAS) and safety systems. No longer just a convenience item, in-dash navigation systems are evolving both technologically and strategically and someday will help drive not just autonomous vehicles, but new business models, as well. ...

(15-years-out concept car): Pedestrians can't see inside the vehicle to give passengers privacy. Passengers in the F 015 can see only partly out the side windows, so giant 4K resolution displays in the door panels and a car-width 5K display in the dashboard show representations of the vehicle's surroundings as they're detected by the vehicle's various sensors and cameras. A `Guided Path' menu item accesses the navigation system's point-of-interest (POI) database to show places the car will pass along its route—in a timeline fashion, with photorealistic imagery—giving passengers the opportunity to program a stop. Certain POIs also are linked to 360-degree photos, letting passengers get acquainted with destinations before they arrive. There are no buttons in the cars. For controls and menu selections, all the side displays are touch-sensitive and have proximity sensors. http://www.ce.org/i3/Features/2015/March-April/Next-Gen-Navigation

What could...

Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Starbucks says an outage that affected all of their point of sale terminals was "caused by an internal failure during a daily system refresh and was not the result of an external breach". I find that a strange explanation, since the failure hit mid-day in the US, and I would think that a "daily system refresh" would be during the overnight hours. (During the outage, some locations gave away free drinks, some went cash-only, and others closed. No riots reported by caffeine addicts.) I don't know anything about running global IT infrastructures, so perhaps I'm naive, but I would think that rollouts would be done in a rolling fashion to avoid shutting down the entire company. I'm sure there are many cases like this, but I remember one that affected me, when the local cable TV provider (Cox) did a push update of every cable modem in the county, and in the process bricked tens of thousands of units before they realized the problem. It surprised me then that there weren't fail-safe mechanisms in place - i.e., making sure that units "phoned home" after an upgrade, and automatically stopping the rollout if any more than epsilon fail the phone home. https://news.starbucks.com/news/starbucks-point-of-sale-register-outage-resolved
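The fail-safe the post describes (update in waves, require a phone-home, halt when more than epsilon of a wave fails), as an added illustration that is not code from the post or from any of the companies named; the fleet, device ids and the push callback are constructed.

```python
"""Staged rollout with a phone-home fail-safe.

Added example, not from the RISKS post: it models the mechanism the post
wishes Cox had used. Devices are updated in waves; each device must phone
home after the update, and the rollout halts before the next wave when the
failure fraction in a wave exceeds a threshold (the post's "epsilon").
The fleet and the push callback below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class RolloutResult:
    updated: list = field(default_factory=list)  # devices that phoned home healthy
    failed: list = field(default_factory=list)   # devices that did not
    halted: bool = False                         # did the fail-safe trip?
    waves_run: int = 0


def staged_rollout(devices, wave_size, epsilon, push_and_wait):
    """Push the update to `devices` in waves of `wave_size`.

    `push_and_wait(device_id)` performs the update and returns True only if
    the device phoned home healthy afterwards (False on crash, brick or
    timeout).  If a wave's failure fraction exceeds `epsilon`, the rollout
    stops and the remaining devices are left on the old version.
    """
    result = RolloutResult()
    for start in range(0, len(devices), wave_size):
        wave = devices[start:start + wave_size]
        result.waves_run += 1
        failed = {d for d in wave if not push_and_wait(d)}
        result.failed.extend(d for d in wave if d in failed)
        result.updated.extend(d for d in wave if d not in failed)
        if len(failed) / len(wave) > epsilon:
            result.halted = True  # stop here instead of bricking the whole county
            break
    return result


def example_run():
    """Constructed fleet of 10,000 modems; the new image bricks every 7th unit."""
    fleet = [f"modem-{i:05d}" for i in range(10_000)]

    def fake_push(device_id):
        return int(device_id.split("-")[1]) % 7 != 0

    return staged_rollout(fleet, wave_size=100, epsilon=0.02, push_and_wait=fake_push)
```

With the constructed fleet the first wave of 100 loses 15 units, well over the 2% threshold, so 9,900 modems are never touched.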
Ars Technica via NNSquad http://arstechnica.com/security/2015/04/wi-fi-software-security-bug-could-leave-android-windows-linux-open-to-attack/ "The end result is that an attacker could corrupt information in memory, causing wpa_supplicant and Wi-Fi service to crash; a crafted SSID could essentially be used as a denial-of-service attack on affected devices simply by sending out responses to Wi-Fi probe requests or P2P network Public Action messages. But it could also expose memory contents during the three-way handshake of a peer-to-peer network negotiation (the GO negotiation) or potentially allow for the attacker to execute code on the target. A patch for the bug has been posted, and, based on Google's involvement, it will likely be part of an Android security update shortly. However, the distribution of that fix will depend on Android handset manufacturers and carriers to reach end users." And we can assume that owners of many older Android devices won't be getting a fix from carriers or Google.
Lucian Constantin, InfoWorld, 21 Apr 2015 Flaw in the third-party library AFNetworking broke HTTPS certificate validation, enabling man-in-the-middle attacks http://www.infoworld.com/article/2912440/security/https-snooping-flaw-affected-1000-ios-apps-with-millions-of-users.html Apps used by millions of iPhone and iPad owners became vulnerable to snooping when a flaw was introduced into third-party code they used to establish HTTPS connections. [...]
Gregg Keizer, Computerworld, 21 Apr 2015 Researcher finds 'trivial way' to exploit privilege escalation vulnerability after Apple tries to plug Yosemite hole http://www.infoworld.com/article/2912620/operating-systems/apples-os-x-rootpipe-patch-flops-fails-to-fix-flaw.html
[An item on many cryptography lists, via Dave Farber, on Adi Shamir at the RSA Conference last week.] Fully secure systems don't exist now and won't exist in the future. Cryptography won't be broken, it will be bypassed. Futility of trying to eliminate every single vulnerability in a given piece of software. https://threatpost.com/fully-secure-systems-dont-exist/112380#sthash.sKPz03sv.dpuf
Trader Charged in 'Flash Crash' Case to Fight Extradition to U.S. The trader, Navinder Singh Sarao, is facing criminal fraud charges, including claims that he helped set off a stock market crash in the United States. http://www.nytimes.com/2015/04/23/business/dealbook/trader-charged-in-flash-crash-case-to-fight-extradition-to-us.html How did that UK trader allegedly cause the "flash crash?" Ex-trader Raj Malhotra breaks it down. http://www.cnbc.com/id/102610451
In http://www.mediawiki.org/w/api.php?action=help&modules=main#main.datatypes we read "All times are in UTC, any included timezone is ignored." I say non-UTC timezones should instead raise errors! Why? Because one day, when you finally do implement parsing timezones, the system will be upwardly compatible. Each day you let users enter timezones that are ignored, one day when you finally do parse them correctly, you'll have all the more users scratching their heads as to why results are suddenly different. (Sure you can blame the users for not reading the instructions. But it is more likely they have already added a skew to correct for what turns out to be an ignored time zone.) OK, I filed https://phabricator.wikimedia.org/T97214
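The two behaviours contrasted in the post, as an added example that is not code from the MediaWiki API or from the poster: `parse_lenient` does what the documentation describes (the offset is silently dropped), `parse_strict` does what the post asks for (a non-UTC offset is an error), and `skew_seconds` shows the silent error a client ends up correcting for. The timestamp strings are constructed.

```python
"""Lenient vs. strict handling of timezone designators on API timestamps.

Added example, not code from the MediaWiki API or the post: `parse_lenient`
reproduces the documented behaviour ("any included timezone is ignored"),
`parse_strict` is the behaviour the post argues for (a non-UTC offset is an
error), and `skew_seconds` shows how far a silently ignored offset puts the
result from what the client meant.  All input strings are constructed.
"""
import re
from datetime import datetime, timezone

# ISO 8601 form used here: wall-clock part, then an optional 'Z' or +-HH:MM offset
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:\d{2})?$")


class TimezoneNotSupported(ValueError):
    """Raised by parse_strict for any designator other than UTC."""


def _split(ts: str):
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    return m.group(1), m.group(2)


def parse_lenient(ts: str) -> datetime:
    """Documented behaviour: treat the wall-clock part as UTC, drop the offset."""
    wall, _ignored = _split(ts)
    return datetime.strptime(wall, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_strict(ts: str) -> datetime:
    """Proposed behaviour: accept no designator, 'Z' or '+00:00'; reject the rest."""
    wall, tz = _split(ts)
    if tz not in (None, "Z", "+00:00"):
        raise TimezoneNotSupported(f"offset {tz} in {ts!r}: send times in UTC")
    return datetime.strptime(wall, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def skew_seconds(ts: str) -> int:
    """Seconds between the lenient parse and the instant the client actually meant."""
    wall, tz = _split(ts)
    intended = datetime.fromisoformat(wall + ("+00:00" if tz in (None, "Z") else tz))
    return int((parse_lenient(ts) - intended).total_seconds())
```

A client sending `2015-04-28T10:00:00-05:00` meant 15:00 UTC, but the lenient parse stores 10:00 UTC, a five-hour error that users will quietly start compensating for.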
We talk on this list about the many risks to security and privacy of technology. And it's almost always a pretty bleak picture. But today, I'd like to mention a sunnier side - getting more women involved in the field. Four years ago, ACSA founded the Scholarships for Women Studying Information Security program (www.swsis.org). A year ago, HP made a generous contribution to allow us to grow the program. (Contributions from others are welcome - please contact me!) I'm proud to announce the 16 SWSIS Scholars for 2015-16, each of whom has received a scholarship to further their undergraduate or master's degree. The HP press release can be found at http://money.cnn.com/news/newsfeeds/articles/marketwire/1188849.htm Photos and bios of most of the awardees can be found at https://swsis.wordpress.com/2015-16-awardees/

The 2015-16 SWSIS Scholars are:

Evelyn Brown, Embry Riddle Aeronautical University, Prescott
Priya Chawla, University of Cincinnati
Shelby Cunningham, Carnegie Mellon University
Alejandra Diaz, University of Maryland Baltimore County
Fumi Honda, Stony Brook University
Ashley Huffman, Northern Kentucky University
Cindy Jong, DePaul University
Madison Oliver, Pennsylvania State University
Mary Sharp, Marshall University
Imani Sherman, Kentucky State University
Angela Sun, Michigan State University
Kebra Thompson, University of Washington, Tacoma
Stefanye Walkes, California State University, Dominguez Hills
Gena Welk, University of Colorado at Boulder
Leah Xu, University of Maryland at College Park
Brooke Young, University of Maryland Baltimore County

Thanks in particular to Rebecca Wright from Rutgers University and CRA-W, and her team, who sifted through the applications to select the winners.

Jeremy Epstein, Founder, Scholarship for Women Studying Information Security Applied Computer Security Associates, Inc.
> A 5-part series of articles by Bob Wachter, a UCSF MD and author of "The
> Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine's Computer
> Age", that would be appreciated by the RISKS audience, collected here:
> https://medium.com/@Bob_Wachter

I think that Mundkur grossly understated the value of this article series. I have been reading RISKS for many years, and no other information that I have read in connection with risks has hit anywhere nearly as hard as this article series did. The series is very clear and full of detail so it is easy to see how the horrific chain of events that is the main story came to happen. If you have not already read this series, please do so.

[Gene's `grossly understated' seems *grossly overstated*, considering Prashanth did a wonderful thing by mentioning that this series of articles would be appreciated by RISKS readers. As a result, I for one really appreciate Bob's efforts, and echo Gene's comments on the significance of Bob Wachter's work. Incidentally, a `Wachter' is a watcher (auf deutsch), and that translation of Bob's name would indeed be a gross understatement of Bob's role in this five-part series. It really deserves careful scrutiny. PGN]
This issue has been discussed at length on the crypto email list, and here are the conclusions, as I see them:

* md5 itself is broken; there are better hashes around, so the recommendation of md5 on the Kali web page is indeed a joke (although not quite the same joke I originally had in mind).
* https/TLS does not solve all SW distribution problems, but using it in conjunction with various signature mechanisms does make an attacker have to work harder and actively; http makes passive observation way too easy. Once an attacker knows exactly what SW you have, you are much easier to attack.
* http makes a MITM/DOS attack trivial; you may never get a bad piece of SW, but you may also never get any SW update at all.

Regarding "what would Henry Baker do" when designing a SW update mechanism: I'm not completely sure. The threat model for SW distribution today includes nation-states with "acres of Crays", with no regulatory, budget or location constraints, and with the entire Internet as a "free fire zone"; this threat model may not have been anticipated by many of the SW distribution systems in existence today. SW distribution has been successfully attacked before (Stuxnet), and will continue to be attacked, because it is a Willie Sutton target—"that's where the money is". http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

"You must reboot your computer now to finish installing the latest security updates. NSA/GCHQ/... thanks you for your support in their war of^Hn terror."
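The first conclusion above (md5 is not an integrity check) in working form, as an added example that is not code from the post, from Kali or from Leviathan: a checksum manifest is parsed, entries that only offer md5 or sha1 are refused rather than silently accepted, and a strong digest is compared in constant time. The manifest format and the sample artifact are constructed.

```python
"""Checking a download against a checksum manifest, refusing broken hashes.

Added example (not code from the post, Kali or Leviathan): the manifest
format (one 'algorithm  hexdigest  filename' line per entry) and the sample
artifact are constructed.  It applies the post's first conclusion: an entry
that only offers md5 (or sha1) is treated as no integrity check at all,
and a strong digest is compared in constant time.
"""
import hashlib
import hmac

BROKEN = {"md5", "sha1"}          # collision attacks are practical; never trust alone
ACCEPTED = {"sha256", "sha512"}   # the only algorithms that count as a check here


def parse_manifest(text: str) -> dict:
    """Return {filename: {algorithm: hexdigest}} from a manifest string."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, digest, name = line.split()
        entries.setdefault(name, {})[algo.lower()] = digest.lower()
    return entries


def verify(data: bytes, name: str, manifest: dict) -> tuple:
    """Verify `data` for `name`; returns (ok, reason). Only ACCEPTED algorithms count."""
    digests = manifest.get(name)
    if not digests:
        return False, "no manifest entry"
    usable = {a: d for a, d in digests.items() if a in ACCEPTED}
    if not usable:
        offered = ", ".join(sorted(digests))
        return False, f"only broken/unknown algorithms offered ({offered})"
    for algo, expected in usable.items():
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):   # constant-time compare
            return False, f"{algo} mismatch"
    return True, "verified with " + ", ".join(sorted(usable))


def example_manifest(data: bytes, name: str, with_sha256: bool) -> str:
    """Build a constructed manifest: md5 always present, sha256 optional."""
    lines = [f"md5  {hashlib.md5(data).hexdigest()}  {name}"]
    if with_sha256:
        lines.append(f"sha256  {hashlib.sha256(data).hexdigest()}  {name}")
    return "\n".join(lines)
```

A manifest fetched over plain http can itself be substituted, so in practice the manifest (or the package) also needs a signature; this block only covers the choice of digest.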