[Thanks to Paul Saffo. PGN] A 75-yr old woman digging for scrap metal cut into a fiber cable and cut off Internet access for all of Armenia! http://www.theguardian.com/world/2011/apr/06/georgian-woman-cuts-web-access [Perhaps she will get Armenial Servertude?]
Ars Technica via NNSquad http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/ But even if the systems had been encrypted, it would have likely not mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked--likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. NO 2-FACTOR CREDENTIALS. Pretty much criminal negligence at this point.
The Daily Beast via NNSquad http://www.thedailybeast.com/cheats/2015/06/13/russia-china-got-snowden-files.html Russia and China have allegedly decrypted the top-secret cache of files stolen by whistleblower Edward Snowden, according to a report from The Sunday Times, to be published tomorrow. The info has compelled British intelligence agency MI6 to withdraw some of its agents from active operations and other Western intelligence agencies are now actively involved in rescue operations. - - - If this report is true, it seems safe to assume that Snowden has likely lost any chance he ever had of asylum or any other "minimum incarceration" return to the West.
ComputerWorld via NNSquad http://www.computerworld.com/article/2936144/cloud-computing/lastpass-hacked-itbwcw.html?shr=t LastPass, the cloud-based password manager, has been hacked. If you use LastPass, it's probably time for a precautionary master-password change. It might also be a good idea to check out the other options for securing your account. I don't use cloud-based password services. Now you know why.
FYI—I'm very sorry about this OPM data breach, because some members of my family may also be victims, but perhaps some of these very same government officials may now "get religion" re privacy issues. Either keep such information secure—using strong non-backdoorable encryption—or don't keep it at all. These 2 articles talk about the risks & costs of *keeping* such information. By Arshad Mohammed and Joseph Menn Sex, lies and debt potentially exposed by U.S. data hack https://ca.news.yahoo.com/sex-lies-debt-potentially-exposed-u-data-hack-054657057.html WASHINGTON (Reuters)—When a retired 51-year-old military man disclosed in a U.S. security clearance application that he had a 20-year affair with his former college roommate's wife, it was supposed to remain a secret between him and the government. The disclosure last week that hackers had penetrated a database containing such intimate and possibly damaging facts about millions of government and private employees has shaken Washington. The hacking of the White House Office of Personnel Management (OPM) could provide a treasure trove for foreign spies. The military man's affair, divulged when he got a job with a defense contractor and applied to upgrade his clearance, is just one example of the extensive potential for disruption, embarrassment and even blackmail arising from the hacking. The man had kept the affair secret from his wife for two decades before disclosing it on the government's innocuously named Standard Form 86 (SF 86), filled out by millions of Americans seeking security clearances. His case is described in a judge's ruling, published on the Pentagon website, that he should keep his security clearance because he told the government about the affair. His name is not given in the administrative judge's decision. The disclosure that OPM's data had been hacked sent shivers down the spines of current and former U.S. 
government officials as they realized their secrets about sex, drugs and money could be in the hands of a foreign government. The data that may be compromised by the incident, which was first reported by the Associated Press, included the detailed personal information on the SF 86 "QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS," according to U.S. officials. U.S. SUSPECTS LINK TO CHINA As with another cyberattack on OPM disclosed earlier this month, U.S. officials suspect it was linked to China, though they have less confidence about the origins of the second attack than about the first. China denies any involvement in hacking U.S. databases. While the Central Intelligence Agency does its own clearance investigations, agencies such as the State Department, Defense Department and National Security Agency, which eavesdrops on the world, all use OPM's services to some degree. It was not immediately clear how many Americans' information may have been compromised, nor precisely how many fill out form SF 86. As of Oct. 1, there were 4.51 million people cleared or eligible to receive national security information, according to a report by the Office of the Director of National Intelligence. Intelligence veterans said the breach may prove disastrous because China could use it to find relatives of U.S. officials abroad as well as evidence of love affairs or drug use which could be used to blackmail or influence U.S. officials. An even worse scenario would be the mass unmasking of covert operatives in the field, they said. "The potential loss here is truly staggering and, by the way, these records are a legitimate foreign intelligence target," said retired Gen. Michael Hayden, a former CIA and NSA director. "This isn't shame on China. This is shame on us." The SF 86 form, which is 127-pages long, is extraordinarily comprehensive and intrusive. 
Among other things, applicants must list where they have lived; contacts with foreign citizens and travel abroad; the names and personal details of relatives; illegal drug use and mental health counseling except in limited circumstances. A review of appeals of security denials published on the web shows the variety of information now in possession of the hackers, including financial troubles, infidelities, psychiatric diagnoses, substance abuse, health issues and arrests. "It's kind of scary that somebody could know that much about us," said a former senior U.S. diplomat, pointing out the ability to use such data to impersonate an American official online, obtain passwords and plunder bank accounts. SOME AGENCIES LESS VULNERABLE A U.S. official familiar with security procedures, but who declined to be identified, said some agencies do not use OPM for clearances, meaning their employees' data was at first glance less likely to have been compromised. However, the former senior diplomat said someone with access to a complete set of SF 86 forms and to the names of officials at U.S. embassies, which are usually public, could compare the two and make educated guesses about who might be a spy. "Negative information is an indicator just as much as a positive information," said the former diplomat. The case of the 51-year-old former military man who told the government, but not his wife, about his 20-year affair came to light when he filed an appeal because his effort to upgrade his security clearance ran into trouble. According to a May 13 decision by an administrative judge who heard his case, the man revealed the affair in the "Additional Comments" section of SF 86 in January 2012, ended the affair in 2013, and told his wife about it in 2014. 
"DOD (Department of Defense) is aware of the affair because Applicant disclosed it on his SF 86; the affair is over; and the key people in Applicant's life are aware of it," the judge wrote, according to a Defense Office of Hearings and Appeals document posted online. His access to classified information was approved. (Reporting by Arshad Mohammed in Washington and Joseph Menn in San Francisco; Additional reporting by Mark Hosenball; Editing by David Storey, Sue Horton and Alan Crosby) - - - - Conor Friedersdorf, *The Atlantic*, Jun 2015 Adjusting to a World Where No Data Is Secure If government and corporations cannot safeguard their digital files, then they should regularly purge sensitive information. http://www.theatlantic.com/politics/archive/2015/06/what-if-no-data-held-by-government-or-corporations-is-secure/395810/ Imagine a piece of information that would be useful to store digitally if it could be kept secure, but that would do more harm than good if it ever fell into the wrong hands. With Friday's news that “hackers have breached a database containing a wealth of sensitive information from federal employees' security background checks,” just that sort of fraught information has arguably been exposed to hackers. One of the documents that they got, the Questionnaire for National Security Positions, asked federal workers and contractors seeking security clearances “to disclose everything from mental illnesses, financial interests, and bankruptcy issues to any brush with the law, major and minor drug and alcohol use as well as a robust listing of an applicant's family members, associates, or former roommates,” my colleague Adam Chandler explains. “At the bottom of each page, a potential employee must submit his or her social security number. 
Given the length, that means if you're filling out this document, you will write your SSN over 115 times.” That trove of information was useful to the national security bureaucracy in its efforts to stop espionage, monitor potential blackmail, and otherwise police its employees. Yet it now seems like the U.S. would have been better off reviewing information about cleared employees on intake and then destroying it, rather than retaining the records. “These forms contain decades of personal information about people with clearances,” Joel Brenner, a former high-ranking intelligence official told the Washington Post, “which makes them easier to recruit for espionage on behalf of a foreign country.” In hindsight, retaining the documents betrayed a degree of hubris: National security officials had excessive confidence in their ability to keep these secrets from falling into the hands of malicious actors, so they risked storing them indefinitely. What else falls in this 'better to destroy than to have stolen' category? After Chelsea Manning, Edward Snowden, and numerous successful hacks of various federal databases, perhaps the government should perform an audit and a purge on the theory that it won't ever be competent enough to reliably safeguard information. Isn't there good reason to surmise that is true? Perhaps the privacy activists who want to pass data retention laws forcing private corporations to purge the data that they hold at periodic intervals also have a point. Would it be a national security threat if the Google search histories and iPhone location data of all members of Congress, U.S. military personnel, and American CEOs fell into the hands of Vladimir Putin or China's government? If so, perhaps it makes more sense to prohibit retaining such information for longer than two years, even though the precision of Internet ads might suffer as a result. 
National security officials and Google leaders have institutional and psychological incentives to assert and believe that if they're just careful enough going forward, they can safeguard the information that they hold. And we have an incentive to believe them. Wouldn't it be great if our government and corporations that make cool products for us could exploit the benefits of unlimited data retention without any costs? But I no longer believe that they can. If you disagree, what sort of leak or hack or data breach would it take to persuade you otherwise? I expect you'll see it sooner, rather than later.
Michael S. Schmidt, *The New York Times*, 16 Jun 2015 The FBI and Justice Department prosecutors are investigating front-office officials for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, for hacking into the internal networks of a rival team to steal closely guarded information about player personnel. Investigators have uncovered evidence that Cardinals officials broke into a network of the Houston Astros that housed special databases the team had built, according to law enforcement officials. Internal discussions about trades, proprietary statistics and scouting reports were compromised, the officials said. The officials did not say which employees were the focus of the investigation or whether the team's highest-ranking officials were aware of the hacking or authorized it. The investigation is being led by the FBI's Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence. The attack represents the first known case of corporate espionage in which a professional sports team has hacked the network of another team. Illegal intrusions into companies' networks have become commonplace, but it is generally conducted by hackers operating in foreign countries, like Russia and China, who steal large tranches of data or trade secrets for military equipment and electronics. Major League Baseball has been aware of and has fully cooperated with the federal investigation into the illegal breach of the Astros' baseball operations database, a spokesman for baseball's commissioner, Rob Manfred, said in a written statement. http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html [Also noted by Jim Reisert. PGN]
Roger A. Grimes, InfoWorld, 15 Jun 2015 Nothing is safe, thanks to the select few hacks that push the limits of what we thought possible http://www.infoworld.com/article/2933868/hacking/10-extreme-hacks-to-be-truly-paranoid-about.html
> The real issue is that the avionics and the entertainment system are
> on the same network. That's an even stupider thing to do. Also last
> month, I wrote about the risks of hacking airplanes, and said that I
> wasn't all that worried about it. Now I'm more worried.

Are they? With Boeing saying that "it is impossible" (at least at first), I suspect that they have taken measures to prevent exactly what Roberts claims to have accomplished.

Let's take a step back. Think of a Boeing aviation electronics engineer. Turns out that ethernet-connectivity on the plane is becoming more and more common. So instead of having a separate wire running from each of the sensors in the tail to the cockpit, there now is an ethernet link carrying information from many different sensors along the plane. Before you know it, also the engines have ethernet connectivity and can be commanded over their ethernet connection.

So, one day he's sitting in his office and a guy from the cabin-electronics group walks in and says: "We have a plan for a new in-cabin-entertainment system. We need ethernet connectivity and hear you already have an ethernet link running along the plane, can we use that?"

Multiple choice time (*): He answers:
A) Sure!
B) Sure, as long as you promise not to use more than 50% of the bandwidth,
C) WTF are you thinking?

I have enough confidence in Boeing that they got this one right.

A few months later, the cabin-electronics guy walks into the aviation electronics office again, and asks: "We get questions from the passengers if they can get technical information about the flight on their infotainment screen. Stuff like airspeed and altitude. We'd be no trouble at all, we can gather this information from your flight-computer ourselves."

MC time again... He suggests:
A) Let's buy a hub: cheap, light, no hassle, great!
B) We need to buy a switch, otherwise traffic from the autopilot to the engines will leak onto the entertainment network.
C) We need a firewall.

I still have enough confidence in Boeing that they got this right. But from the claims from the FBI and Chris, I strongly suspect that from this point on some mistakes were made. Somehow the "firewall" function got integrated into a computer "already there" or the firewall was expanded to have multiple functions, allowing someone to e.g., gain access by finding a vulnerability in a web script, and then continue to hack on "the other side".

My opinion is that if you continue to threaten to throw guys like Chris in jail, the next time you'll find out about these bugs/design problems is when a plane is crashed by a teenager who accidentally deletes the engine calibration data or something like that. But "allowing" hacking on live planes is troublesome too. Difficult issue.

(*) In many multiple choice tests, the correct answer is often the longest. In case you haven't noticed: not here.

R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998
Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233
[I don't remember this when I saw the original article. I only thought of it now.] Some twenty or so years ago in Australia I heard a story about "back when electric windows were new". Apparently somebody's fuse blew killing both the air-conditioner and (closed tight of course) electric windows. In the 40+C heat in the middle of nowhere. So the poor guy drove 300 km to the first gas station where the owner/mechanic told them "this is an electrical problem, I'm not a licensed electrician, the nearest vehicle electrician is 400 km that way". (That's 105+ degrees and 190 & 250 miles resp. in the "standard" units.) The more things change... Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu