Samuel Gibbs, *The Guardian*, 12 Aug 2015 A serious weak point in vehicle security enables hackers to remotely control a vehicle, according to researchers at the University of California, San Diego (UCSD). The team demonstrated the vulnerability on a Corvette by turning on the windshield wipers, applying the brakes, or even disabl[ing] them at low speed. The flaw involves the small black dongles that are connected to the onboard diagnostic ports of vehicles to enable insurance companies and fleet operators to track them and collect data such as fuel efficiency and miles driven. The researchers found the dongles could be hacked by sending them short-message-service text messages, which relay commands to the car's internal systems. “We acquired some of these things, reverse-engineered them, and along the way found that they had a whole bunch of security deficiencies,” says UCSD professor Stefan Savage. The researchers warn the compromised dongles enable hackers to control almost any aspect of the car, including steering and locks, and note that any of the thousands of cars equipped with the dongles were potentially vulnerable. The researchers will present their work this week at the Usenix security conference in Washington, D.C.
The concept of the transponder challenge and response is secure. Unfortunately the execution - (briefly) massively reduced entropy in the 96 bit key, and the use of standard (per manufacturer) or no write protection PIN in the control unit. Two classic RISKS stories - Key entropy and "global keys". More in increasing detail: http://arstechnica.com/security/2015/08/researchers-reveal-electronic-car-lock-hack-after-2-year-injunction-by-volkswagen/ In German: http://www.heise.de/newsticker/meldung/VW-Wegfahrsperre-Volkswagen-Hack-endlich-veroeffentlicht-2778632.html https://www.usenix.org/sites/default/files/sec15_supplement.pdf I won't go into the 2 year delay in publishing caused by an injunction... http://www.itpro.co.uk/security/20313/curious-case-volkswagens-fight-car-hacking-scientists
Joseph Menn, Reuters via NNSquad http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814 "Kaspersky Lab [may have] manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013." Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees. They said the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV (AVG.N), Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs.
Tim Greene, NetworkWorld, 10 Aug 2015 Flaw means 55 percent of Android phones are vulnerable to being taken over; a patch is available http://www.infoworld.com/article/2968403/mobile-security/ibm-finds-another-android-phone-bug.html
Adam Vaccaro, *The Boston Globe*, 13 Aug 2015 Buying medical marijuana in Massachusetts got a little less anonymous Thursday morning, when the state's lone pot dispensary accidentally shared some of its patients' email addresses with other patients. State health officials are investigating. Salem's Alternative Therapies Group sent an email addressed "Dear Patient," to 157 email addresses. A copy of the email obtained by Boston.com listed the addresses in the CC line, meaning the recipients could see each other's addresses. The dispensary had meant to send the email as a blind CC, or BCC, which would have kept the email addresses from being seen by all. http://www.boston.com/business/news/2015/08/13/mass-pot-dispensary-accidentally-shares-patients-email-addresses/JLel4hAbjEYMzVhPV2OW4L/story.html [If the dispensary had sent the email from a gmail account, could they have unsent it?]
The FTC has filed complaints against Sequoia One. In a complaint filed last week, the agency said that Sequoia One provided financial and other personal data to third parties, enabling fraudulent bank transactions against over 500,000 payday loan customer accounts, reportedly resulting in excess of US$7.1M in fraudulent transactions. The moral is as always: Be careful when providing bank account and PII to third parties. The complete NY Times article is at: http://bits.blogs.nytimes.com/2015/08/12/when-online-loan-applications-lead-to-unauthorized-bank-account-debits Bob Gezelter, http://www.rlgsc.com
[I really hope this is *not* accurate! - Lauren] http://localghost.org/posts/a-traffic-analysis-of-windows-10 All text typed on the keyboard is stored in temporary files, and sent (once per 30 mins) to: oca.telemetry.microsoft.com.nsatc.net pre.footprintpredict.com reports.wes.df.telemetry.microsoft.com There isn't a clear purpose for this, considering there's no autocorrect/prediction anywhere in the OS. The implications of this are significant: because this is an OS-level keylogger, all the data you're trying to transmit securely is now sitting on some MS server. This includes passwords and encrypted chats. This also includes the on-screen keyboard, so there is no way to authenticate to a website without MS also getting your password ... Everything that is said into an enabled microphone is immediately transmitted to: oca.telemetry.microsoft.com oca.telemetry.microsoft.com.nsatc.net vortex-sandbox.data.microsoft.com pre.footprintpredict.com i1.services.social.microsoft.com i1.services.social.microsoft.com.nsatc.net telemetry.appex.bing.net telemetry.urs.microsoft.com cs1.wpc.v0cdn.net statsfe1.ws.microsoft.com If this weren't bad enough, this behaviour still occurs after Cortana is fully disabled/uninstalled ... [and much more - Lauren]
http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/ Unfortunately for privacy advocates, these controls don't appear to be sufficient to completely prevent the operating system from going online and communicating with Microsoft's servers. For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots ... Some of the traffic looks harmless but feels like it shouldn't be happening. For example, even with no Live tiles pinned to Start (and hence no obvious need to poll for new tile data), Windows 10 seems to download new tile info from MSN's network from time to time, using unencrypted HTTP to do so. While again the requests contain no identifying information, it's not clear why they're occurring at all, given that they have no corresponding tile. Other traffic looks a little more troublesome. Windows 10 will periodically send data to a Microsoft server named ssw.live.com. This server seems to be used for OneDrive and some other Microsoft services. Windows 10 seems to transmit information to the server even when OneDrive is disabled and log-ins are using a local account that isn't connected to a Microsoft Account. The exact nature of the information being sent isn't clear--it appears to be referencing telemetry settings--and again, it's not clear why any data is being sent at all.
It's such a short distance between crapware in the BIOS and malware in the BIOS; oh, and need anyone be reminded that Lenovo machines are made in *China*? Now, why anyone should trust Microsoft, either, after their Windows 10 Privacy^H^H^H^H^H^H^H Spying Policy is beyond me. "To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become." So much for Intel's "root of trust"... Chris Williams, *The Register*, 12 Aug 2015 CAUGHT: Lenovo crams unremovable crapware on Windows laptops by hiding it in the BIOS; And how Microsoft made it possible http://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/ Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability. If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop's firmware will quietly and automatically reinstall Lenovo's software on the next boot-up. Built into the firmware on the laptops' motherboard is a piece of code called the Lenovo Service Engine (LSE). If Windows is installed, LSE is executed before the Microsoft operating system is launched. LSE makes sure C:\Windows\system32\autochk.exe is Lenovo's variant of the autochk.exe file; if Microsoft's official version is there, it is moved out of the way and replaced. The executable is run during startup, and checks the computer's file system to make sure it's free of any corruption. Lenovo's variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system's system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot. LenovoCheck and LenovoUpdate are executed on startup with full administrator access.
Automatically, and rather rudely, they connect to the internet to download and install drivers, a system "optimizer", and whatever else Lenovo wants on your computer. Lenovo's software also phones home to the Chinese giant details of the running system. To pull this off, the LSE exploits Microsoft's Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware. The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable should take care of the job of installing files before the operating system starts. "During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary," Microsoft's documentation states. "The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process." Crucially, the WPBT documentation stresses: The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a `clean' configuration ... Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions. Oh dear. Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in LSE that could be exploited to compromise the low-level software to gain administrator-level privileges. 
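The WPBT passage above describes a firmware table that tells Windows where a platform binary sits in memory. As an added example (not code from The Register, Lenovo or Microsoft), here is a Python decoder for such a table as an administrator might dump it from firmware for inspection; the field layout follows Microsoft's published WPBT specification, the table bytes are constructed here for the demonstration, and the OEM strings, address and argument string are placeholders. It verifies the ACPI checksum and refuses an ArgumentsLength that runs past the table, the kind of length check a platform binary loader needs before trusting firmware-supplied data.

```python
import struct

# Standard 36-byte ACPI table header: Signature(4) Length(4) Revision(1)
# Checksum(1) OEMID(6) OEMTableID(8) OEMRevision(4) CreatorID(4) CreatorRev(4)
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9
# WPBT body (per Microsoft's WPBT specification): HandoffMemorySize(4)
# HandoffMemoryLocation(8) ContentLayout(1) ContentType(1), then type-specific
# content; for layout 1 / type 1 that is ArgumentsLength(2) + UTF-16 arguments.
WPBT_BODY = struct.Struct("<IQBB")
CONTENT_LAYOUT_SINGLE_PE = 1
CONTENT_TYPE_NATIVE_USER_MODE = 1


def acpi_checksum_ok(table: bytes) -> bool:
    """Every byte of an ACPI table, checksum included, must sum to 0 mod 256."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Decode a WPBT blob into the fields worth reviewing; raise on bad input."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _csum, oem_id, oem_table_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"Length field {length} != {len(table)} bytes supplied")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch: table corrupted or tampered")
    size, location, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    off = ACPI_HEADER.size + WPBT_BODY.size
    args = ""
    if layout == CONTENT_LAYOUT_SINGLE_PE and ctype == CONTENT_TYPE_NATIVE_USER_MODE:
        (arg_len,) = struct.unpack_from("<H", table, off)
        off += 2
        if off + arg_len > len(table):  # firmware-supplied length must be bounded
            raise ValueError("ArgumentsLength runs past the end of the table")
        args = table[off:off + arg_len].decode("utf-16-le").rstrip("\x00")
    return {"oem_id": oem_id.rstrip(b"\x00 ").decode("ascii", "replace"),
            "oem_table_id": oem_table_id.rstrip(b"\x00 ").decode("ascii", "replace"),
            "handoff_size": size, "handoff_location": location,
            "content_layout": layout, "content_type": ctype, "arguments": args}


def wpbt_is_valid(table: bytes) -> bool:
    """True if the blob parses as a well-formed, checksum-correct WPBT."""
    try:
        parse_wpbt(table)
        return True
    except ValueError:
        return False


def build_wpbt(oem_id: bytes, oem_table_id: bytes, handoff_size: int,
               handoff_location: int, arguments: str = "") -> bytes:
    """Assemble a WPBT with a correct checksum (used only to construct sample input)."""
    args = arguments.encode("utf-16-le")
    body = WPBT_BODY.pack(handoff_size, handoff_location,
                          CONTENT_LAYOUT_SINGLE_PE, CONTENT_TYPE_NATIVE_USER_MODE)
    body += struct.pack("<H", len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              oem_id.ljust(6), oem_table_id.ljust(8), 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[CHECKSUM_OFFSET] = (-sum(table)) % 256
    return bytes(table)


# Constructed sample: placeholder OEM strings, a 16 KiB image at a made-up address.
SAMPLE_WPBT = build_wpbt(b"EXAMPL", b"EXAMPLE", 0x4000, 0x7F000000, "/quiet")

if __name__ == "__main__":
    for key, value in parse_wpbt(SAMPLE_WPBT).items():
        print(f"{key:18} {value:#x}" if isinstance(value, int) else f"{key:18} {value}")
```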
When Lenovo learned of this bug, it decided its LSE was falling foul of Microsoft's security guidelines for using the powerful WPBT feature and pulled the whole thing: the LSE software is no longer included in new laptops. Lenovo has also pulled the LSE from new desktop machines, which phone home system data but do not download and install any extra software, it appears. A tool quietly released on 31 July will uninstall the engine if it is present in your machine. The full list of affected desktop and notebook models is here, and all were shipped with Windows 7 or 8.x installed. Think-branded PCs did not include the LSE, we're told. http://news.lenovo.com/article_display.cfm?article_id=2013 ... [Lots more omitted. PGN] http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/ We've asked Microsoft to explain the thinking behind its WPBT feature. The Redmond giant was not available for immediate comment.
“I think they should have to get warrants to get this information,” said Frank Askin, a law professor. "the ["mail cover" surveillance] program had been used by a county attorney and sheriff in Arizona to investigate a political opponent" http://www.nytimes.com/2015/08/14/us/copy-of-postal-service-audit-shows-extent-of-mail-surveillance.html Copy of Postal Service Audit Shows Extent of Mail Surveillance Ron Nixon, 13 Aug 2015 WASHINGTON—In what experts say is the first acknowledgment of how the United States Postal Service's mail surveillance program for national security investigations is used, the service's internal watchdog found that inspectors failed to follow key safeguards in the gathering and handling of classified information. The overall program, called *mail covers*, allows postal employees working on behalf of law enforcement agencies to record names, return addresses and other information from the outside of letters and packages before they are delivered to the home of a person suspected of criminal activity. The information about national security mail covers, amid heated public debate over the proper limits on government surveillance, was contained in an audit conducted by the Postal Service's inspector general last year. Although much of the information was public, sections about the national security mail covers were heavily redacted. An unredacted copy of the report was provided to a security researcher in response to a Freedom of Information Act request this year. The researcher, who goes by a single legal name, Sai, shared the report with The New York Times. https://drive.google.com/file/d/0BzmetJxi-p0VOExOZGo2V1ktWHM/view?pli=1
http://cphpost.dk/news/it-experts-national-police-still-at-risk-from-hackers.html "Three years after Denmark's most devastating hacker attack, during which the national police's IT security was breached and hackers stole millions of confidential files over the course of several months, the IT interest organisation IT-Politisk Forening (IT-Pol) has warned the same thing could happen again." More from IT-Pol: http://itpol.dk/presentation-of-it-pol dr.phil. Donald B. Wagner, Jernbanegade 9B, DK-3600 Frederikssund, Denmark Tel. +45-3331 2581 http://donwagner.dk [Donald also noted the following, although with no indication how it might have applied to the above item... PGN] Danish Data Protection Agency http://www.datatilsynet.dk/english/ "The Danish Data Protection Agency conducts an annual series of inspections of public authorities and private companies that have received the agency's authorisation to process personal data. The Danish Data Protection Agency inspects whether the processing of data is carried out in accordance with the Act on Processing of Personal Data." Act on Processing of Personal Data http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/read-the-act-on-processing-of-personal-data/compiled-version-of-the-act-on-processing-of-personal-data/
"a diplomatic or economic response [to OPM] only distracts from the US government's most pressing problem: *bolstering security measures to foil the next attack.*" "[Deterrence] comes from enabling security protocols that make sensitive or valuable data so hard to steal that the effort isn't worth the reward." http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0804/Opinion-Retaliation-against-China-is-the-wrong-reaction-to-OPM-hack Jeffrey Carr, 4 Aug 2015 Opinion: Retaliation against China is the wrong reaction to OPM hack Even if Beijing was responsible for breaches that exposed sensitive data on millions of Americans, a diplomatic or economic response only distracts from the US government's most pressing problem: bolstering security measures to foil the next attack. The Office of Personnel Management breach, the worst in US history, is a graphic testament to the White House's ongoing inability to identify and secure its most critical data. In this case, it lost control of incredibly sensitive and detailed information on federal employees. That's a bounty worth many millions of dollars to foreign intelligence services in a breach for which China is the "leading suspect," according to Director of National Intelligence James Clapper. But even if Beijing is to blame, the way to fix the administration's cybersecurity problem and to prevent future data heists that rival the OPM breach isn't to retaliate against a foreign government. After all, we are living in a world in which this kind of digital espionage is the new normal. It's the kind of thing that the National Security Agency wishes it could do against China. That is, if the spy agency isn't already doing it. Sure, President Obama is upset about the shameful state of security in place at OPM, and has made limited efforts to correct security problems at government agencies in a 30-day "Cybersecurity Sprint."
But exacting some kind of diplomatic or economic toll against China seems like a key play in the Obama administration's plans. According to unnamed officials quoted in The New York Times, Obama staff members are considering a range of options meant "to disrupt and deter what our adversaries are doing in cyberspace." Traditional forms of deterrence in cyberspace are only partially effective even when you're certain about the attacker's identity. And determining that with absolute certainty is tough. Hackers working for foreign intelligence services are trained to hide their identities and use deception techniques to throw off investigators. They can mimic tools, techniques, and procedures used by other hackers to make it look like a different group or foreign government carried out the strike. Still, administration officials and at least one large cybersecurity firm with ties to the government are intent on pointing the finger at China. There are two key reasons for this blame game: (1) In order for the US to respond, the responsible party must be another government; (2) Under international law, the standard of evidence for state responsibility is solely based upon "reasonableness" versus proof beyond a reasonable doubt. The administration hasn't publicly presented any proof that China directed the OPM attacks. While the US government is expert at denying, disrupting, and deterring kinetic actions on battlefields in each of the four domains (land, air, sea, and space), it still hasn't grasped that the digital battlefield is entirely different. The recent Times article about retaliating against China makes that all too clear. http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html Deterrence is possible. But it doesn't come from force or trying to instill fear. It comes from enabling security protocols that make sensitive or valuable data so hard to steal that the effort isn't worth the reward. 
The goal of deterrence isn't to keep bad guys out of a network, it's to make it next to impossible for them to acquire the assets that they're targeting. Technically, that's already possible. So, instead of shifting the focus to China, Mr. Obama should take full responsibility for the breach (OPM being part of the Executive Office) and immediately start work on a fulsome solution to the government's cybersecurity problem. That requires more than the Cybersecurity Sprint. It means a complete overhaul of how the government employs security measures and uses encryption technology across all of its networks. It means ferreting out additional weaknesses in security and correcting them. It means identifying those responsible for making that breach possible and firing them. It means apologizing to the estimated 20 million Americans whose personal information is forever compromised. Without those steps, nebulous talk of retaliation against China only tells the world the US doesn't understand the limitations of deterrence in cyberspace. It shows that the US remains weak and naive when it comes to battling criminal hackers. The way to demonstrate strength is to take actions that show the president understands the limitations and advantages of the cyberthreat landscape and acts accordingly. The president and Congress simply need the will to make it happen. Jeffrey Carr is an internationally known author, speaker, entrepreneur, and the founder and president of Taia Global. Follow him on Twitter @jeffreycarr. Editor's note: This article was updated after publication to correct James Clapper's position. He is Director of National Intelligence.