David Millward, *The Telegraph*, 9 May 2016 http://www.telegraph.co.uk/news/2016/05/07/italian-mathematician-taken-off-flight-after-fellow-passenger-al/ An Italian mathematics professor at the University of Pennsylvania was escorted off an American Airlines flight after a fellow passenger feared that his mysterious scribbling on a notepad was evidence that he was a terrorist. In fact Guido Menzio was working on a [differential] equation connected with a presentation on price-setting. But the sight of a slightly swarthy curly-haired individual scrawling odd symbols on a notepad was enough to alarm the woman who was sitting next to him on the flight from Philadelphia to Syracuse. She thought the mysterious writing was evidence that he had nefarious intent. The woman decided to feign illness and passed a note to a member of the cabin crew. The note contained detail of her suspicions and the plane sat on the tarmac. ... [After Menzio convinced authorities of his legitimate mathematics, he was permitted to board the plane—after a two-hour delay. His accuser was not on board. One of my colleagues suggests that perhaps partial differential equations might need to be added to the no-fly list. PGN-ed] [Story by Catherine Rampell in *The Washington Post*, 7 May 2016, on the flight from Philly to Syracuse, with lots more detail, noted by Henry Baker. PGN]
Dan Goodin, Ars Technica, 9 May 2016 http://arstechnica.com/security/2016/05/how-a-security-pros-ill-advised-hack-of-a-florida-elections-site-backfired/?view=archive A Florida man has been slapped with felony criminal hacking charges after gaining unauthorized access to poorly secured computer systems belonging to a Florida county elections supervisor. David Michael Levin, 31, of Estero, Florida, was charged with three counts of unauthorized access to a computer, network, or electronic device and released on $15,000 bond, officials with the Florida Department of Law Enforcement said. According to a court document filed last week in Florida's Lee County and a video it cited as evidence, Levin logged in to the Lee County Elections Office website using the pilfered credentials of Sharon Harrington, the county's supervisor of elections. Levin, who authorities said is the owner of a security firm called Vanguard Cybersecurity, also allegedly gained access to the website of Florida's Office of Elections. Levin posted a YouTube video in late January that showed him entering the supervisor's username and password to gain control of a content management system used to control leeelections.com, which at the time was the official website for the elections office. At no time did anyone from the county authorize Levin to access the site, officials said. <https://www.youtube.com/watch?v=38rsseDeFYQ&feature=youtu.be> <http://www.leeelections.com/> Lee County supervisor of elections server security issues. "Based on the evidence obtained regarding the SQL injection attack Levin performed against the Lee County Office of Elections on December 19, 2015, probable cause does exist to charge Levin with unauthorized access of any computer, computer system, computer network, or electronic device, a violation of Florida Statute 815.06(2)(a), a third degree felony," prosecutors wrote. 
Unsettling concerns As ill-advised as it was for Levin to log in to the website CMS, the video raises some unsettling concerns about the security of the Lee County elections website, which is used to display voting results, verify registration status, and provide ballots for upcoming elections. In the video, Levin shows how he was able to use a SQL injection attack <https://en.wikipedia.org/wiki/SQL_injection> to obtain the user names and plain-text passwords belonging to Harrington and at least 10 other account holders. He then shows how the password for Harrington's account allowed him to enter the CMS and move through various application menus. According to Dan Sinclair, a Lee County resident who is a candidate running against Harrington for the elections supervisor post, Levin used a separate SQL injection attack to obtain plain-text passwords for the state's Office of Elections website but never used them to log in. Sinclair told Ars that Levin discovered the vulnerabilities on his own and then notified Sinclair of the findings. Sinclair said Levin is declining to speak to reporters pending the outcome of the case filed against him. Ars was unable to reach Levin directly. Officials at the Lee County Elections Office told Ars that, contrary to the claims of Levin and Sinclair, the security of all of the election systems -- including voter registration, vote tabulations, and website—were never at risk. The server that was vulnerable to Levin's SQL injection attack, they said, had been retired in October. At the time of Levin's attack, at least two months later, it no longer stored sensitive data and had been replaced by a new server that wasn't vulnerable to the attack, they said. Similarly, the CMS Levin logged in to had also been retired and replaced with one that ran WordPress. While the older CMS was allowed to continue running during a transition period, its functionality was limited to storing only historical data, the officials said. 
People logging in to it didn't have the ability to post new pages to the site or to access voter data or tabulation systems, they said. Ultimately, the picture that emerges from the hack and the resulting arrest provides cautionary tales for the entire cast of characters. An elected official charged with ensuring the security of her department's computer systems allowed servers operated by her office to remain vulnerable to hacks that are so common that even unskilled script kiddies can carry them out with aplomb. As anyone with even a passing familiarity with network security knows, hackers are often able to pivot from low-level systems to more sensitive ones. And even if the unauthorized access in this case couldn't be escalated, the hacks can give rise to the appearance of insecurity, which is never good for democracy, especially in a state like Florida, where confidence in voting systems is already lacking. But it's equally problematic for Levin to have posted a video showing him using pilfered credentials to log in to a system he had no authorization to access. Levin's commendable deed in blowing the whistle on lax security practices in Lee County's Elections Office has been overshadowed by actions of his own doing and very well may result in him having a criminal record for the rest of his life.
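The two defects the Ars article describes, a query that can be redirected by user input and a credential table kept in plain text, are independent and each needs its own fix. The following is an added example, not code from Ars or from the Lee County site: it builds a constructed SQLite table (the account names and passwords are made up), shows how a string-concatenated lookup returns the whole table for a classic injection payload while a parameterised lookup does not, and then migrates the stored passwords to salted PBKDF2 hashes so that even a successful dump yields nothing directly usable as a login credential.

```python
"""Added example: string-built SQL versus bound parameters, and plain-text
versus hashed password storage, on a constructed SQLite table."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000

# Constructed sample data; these are not real accounts.
SAMPLE_USERS = [("supervisor", "Summer2015!"), ("webmaster", "letmein")]
# A textbook payload: closes the quoted literal and appends an always-true clause.
INJECTION_PAYLOAD = "x' OR '1'='1"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Stored in plain text, as the article says the vulnerable site did.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The user-supplied value is spliced into the SQL text, so quote
    # characters in it change the query's structure.
    sql = "SELECT username, password FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # A bound parameter is sent as data; the driver never parses it as SQL.
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def migrate_to_hashes(conn):
    """Replace every plain-text password with its salted hash."""
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    for username, plain in rows:
        conn.execute("UPDATE users SET password = ? WHERE username = ?",
                     (hash_password(plain), username))
    conn.commit()


def demo():
    conn = build_db()
    dumped = lookup_vulnerable(conn, INJECTION_PAYLOAD)   # every row, plain text
    blocked = lookup_safe(conn, INJECTION_PAYLOAD)        # no such user: []
    migrate_to_hashes(conn)
    dumped_after = lookup_vulnerable(conn, INJECTION_PAYLOAD)  # hashes only
    return dumped, blocked, dumped_after


if __name__ == "__main__":
    for label, rows in zip(("plain dump", "parameterised", "hashed dump"), demo()):
        print(label, rows)
```

Fixing only the query leaves the plain-text table waiting for the next injection point; fixing only the storage leaves the injection usable for other reads and writes. Both changes belong in the same remediation.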
Exclusive: Big data breaches found at major email services - expert Eric Auchard, Technology, 5 May 2016 http://uk.reuters.com/article/us-cyber-passwords-idUKKCN0XV1I6 opening text: Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru (MAILRq.L), Russia's most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security.
<https://yro.slashdot.org/story/16/05/08/2242242/uae-bank-suffers-massive-data-breach> Two weeks ago, Qatar's National Bank suffered a massive data breach at the hands of Turkish hackers. That data included details about Qatar's royal family and Al Jazeera reporters... <http://www.bankinfosecurity.com/qatar-national-bank-suffers-massive-breach-a-9068> Now it appears that the same hacker group has dumped data from a UAE bank. The data appears to be the same data stolen by a hacker last year, who tried to blackmail the bank for $3 million. <http://www.bankinfosecurity.asia/invest-bank-uae-breached-a-9086>. An analysis of the data can be found here. <http://news.softpedia.com/news/an-inventory-of-what-was-included-in-the-investbank-data-dump-503822.shtml>
> Date: May 8, 2016 at 8:24:44 AM EDT > From: ianG <iang@iang.org> > To: Cryptography Mailing List <cryptography@metzdowd.com> > Subject: [Cryptography] Russian spies using steganography? http://www.theguardian.com/world/2016/may/07/discovered-our-parents-were-russian-spies-tim-alex-foley?CMP=share_btn_tw Bezrukov and Vavilova communicated with the SVR using digital steganography: they would post images online that contained messages hidden in the pixels, encoded using an algorithm written for them by the SVR. A message the FBI believes was sent in 2007 to Bezrukov by SVR headquarters was decoded as follows: “Got your note and signal. No info in our files about E.F., BT, DK, RR. Agree with your proposal to use 'Farmer' to start building network of students in DC. Your relationship with 'Parrot' looks very promising as a valid source of info from US power circles. To start working on him professionally we need all available details on his background, current position, habits, contacts, opportunities, etc.''
> It is certainly well understood how to do this. I believe that currently
> a lot of digital images are steganographically watermarked to be able to
> detect IPR violations. And using digital media is a lot faster than much
> earlier, when secret messengers purportedly had their heads shaved and the
> messages written on their scalp, and then had to wait until their hair
> grew back before they could leave to deliver their message.
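The Guardian item says the messages were "hidden in the pixels" of posted images. The simplest scheme that matches that description is least-significant-bit embedding: each pixel byte gives up its lowest bit to carry one bit of payload, so no byte changes by more than one and the picture looks identical. The following is an added example, not the SVR's algorithm or anything from the article; the cover "image" is a constructed byte array standing in for one channel of an uncompressed bitmap, and the payload is given a 4-byte length header so the extractor knows where to stop.

```python
"""Added example: least-significant-bit steganography on a constructed
cover buffer, with a length-prefixed payload and a distortion check."""
import struct

# Constructed cover data: 2048 bytes of pseudo-pixel values, not a real image.
SAMPLE_COVER = bytes((i * 37 + 11) % 256 for i in range(2048))
SECRET = b"Got your note and signal."


def embed(cover: bytes, message: bytes) -> bytes:
    """Write a length-prefixed message into the LSB of successive cover bytes."""
    payload = struct.pack(">I", len(message)) + message
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d"
                         % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return bytes(out)


def _read_bytes(stego: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at cover index `offset`."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[offset + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract(stego: bytes) -> bytes:
    """Read the 4-byte header (32 cover bytes), then that many message bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("header claims more payload than the cover holds")
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference; LSB embedding can never exceed 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def capacity_bytes(cover: bytes) -> int:
    """Message bytes a cover can carry after the 4-byte header."""
    return len(cover) // 8 - 4


if __name__ == "__main__":
    stego = embed(SAMPLE_COVER, SECRET)
    print("recovered:", extract(stego))
    print("max change per byte:", max_pixel_change(SAMPLE_COVER, stego))
    print("capacity:", capacity_bytes(SAMPLE_COVER), "bytes")
```

The same technique only survives in formats that store pixels losslessly; JPEG recompression rewrites the low bits and destroys the payload, which is one reason such channels are typically carried in PNG or BMP. Plain LSB embedding is also detectable statistically, since the LSB plane of a natural image is not uniformly random in the way a dense payload is, so real tradecraft would add encryption and compression before embedding.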
*The Economist* 7 May 2016 http://www.economist.com/news/science-and-technology/21698234-ibm-making-quantum-computer-available-anyone-play-now-try Using the rules of quantum mechanics to carry out computations far faster than any conventional machine can manage is an idea that goes back decades. It was proposed in the early 1980s, but was confined to the blackboards of theoreticians until the late 1990s, when experimentalists gave it life by building simple machines which proved that the equations on those blackboards worked in practice. Now it has bloomed into a corporate project. Google, Microsoft, Hewlett-Packard and IBM each have dedicated quantum-computing research groups. What quantum computing has not done, though, is make much impact on the outside world. And in some part that is because those quantum computers which do exist are still confined to laboratories. Only researchers have been able to tinker with them. Until now. For, on May 4th, IBM announced that it would connect one of its quantum computers to the Internet and make it available for anyone to play with. Quantum computing is exciting because it offers the promise of computers that can crunch through some kinds of mathematics (though not all) far faster than any classical computer that could ever be built could manage. This power comes from two counterintuitive phenomena: superposition and entanglement. Superposition turns the fundamental unit of classical computing, the bit, into the qubit. A bit represents the smallest possible dollop of information: on or off; yes or no; 1 or 0. A qubit, though, is a mixture of both, superimposed upon each other. A classical computer with, for example, four bits can represent 16 different states. This machine can, however, exist in only one of those states at any given time. Its quantum equivalent, by contrast, can exist in a superposition of all 16 states at once. 
But it is entanglement, which binds the fates of particles together, that really makes quantum computers sing. Entanglement makes it possible to manipulate groups of qubits all at once—so, as the number of qubits grows, the number of states a machine can occupy rises, quite literally, exponentially. A 300-qubit computer would have more possible states than there are atoms in the universe. The result could manipulate prodigious amounts of information with ease. It could thus crunch through many tricky problems, from cracking cryptographic codes to simulating chemical reactions accurately at the molecular level. That is something ordinary computers find intractable, but which would prove useful for all manner of industrial processes. A 300-qubit machine is far in the future. IBM's current offering is a five-qubit processor built on a chip from loops of superconducting metal (see picture). It is suspended at the bottom of a large helium fridge at the firm's research centre in Yorktown Heights, New York. This chills it to within a whisker of absolute zero—the lowest temperature possible—so that the chip's delicate innards remain undisturbed by any stray puffs of heat. The chip is programmed by squirting carefully calibrated doses of microwaves into the fridge, with each qubit responding to a different frequency.
Woody Leonhard, InfoWorld, 4 May 2016 Released by Microsoft without documentation, it's safe to hide this patch if you don't want Windows 10 or its related updates http://www.infoworld.com/article/3065380/microsoft-windows/mystery-solved-kb-3150513-is-another-windows-10-update-enabling-patch.html
ADP is not exclusively a payroll services company. They also issue economic statistics, thanks to their access to payroll data of an enormous number of people in the USA. For an example of that dimension: http://www.wsj.com/articles/adp-shows-private-sector-hiring-cooled-to-156-000-in-april-1462366272 http://www.cbsnews.com/news/employment-report-u-s-added-160k-jobs-in-april/ I should mention that, before it ended, just over a year ago, my day job used ADP for payroll services, and that the portal provided for me had, what I considered to be, very serious flaws, which I complained about but got no resolution. I do not know if our portal was like the situation with US Bank, or if it was an ADP managed portal. Thus I think I understand some of what these people are talking about, but lack definitive clarity. There was also a portal for the 401k, and that portal was screwed up in the same way as the payroll portal. Both the ADP and 401k connections were being run by personnel in the HR dept whom I did not consider to be computer security savvy. Past communications from IT dept regarding breach-friendly activities were ignored. Employee PII was exposed for years, before the move to ADP. One boss ordered me to stop bothering HR, because for reasons of corporate security, the IT dept is totally divorced from the HR dept. I had several bosses, different ones for different types of activities. Typically at least once a year, one of them was replaced. With each one, I asked if I could brief them on our capabilities and cyber security weaknesses. One of the weaknesses was the exposed PII. I told over a dozen new bosses about that, before it was actually fixed. I do not trust any of these Internet services which expect us to key in PII info in what appears to be unencrypted interfaces. Call me a legacy man. ADP says that it was not ADP which was breached, rather it was incompetent clients who could not set up their registration with ADP in a secure manner. 
Thus all the W-2s now in the hands of fraudsters were because of prior intruder activities at the clients which made themselves vulnerable to such attacks, by failing to follow best cyber practices. None of those clients named in this article so far, other than US Bank. News of an alleged "weakness in ADP's customer portal," was first reported by security blogger Brian Krebs, who said related attacks helped compromise accounts at more than a dozen firms, including the nation's fifth-largest bank, U.S. Bancorp, a.k.a. U.S. Bank. <http://krebsonsecurity.com/2016/05/fraudsters-steal-tax-salary-data-from-adp/> Reading between the lines, I think each employee of a client of ADP, has a unique ADP account # composed of: * ADP code for the particular client. * PII info on the employee Thus, if you know the ADP code for a client, and have the PII for one person (yourself), you can deduce the account number for any other person for whom you have PII info. You might find that PII, if the client involved has a lack of best cyber security practices in maintaining PII confidentiality. The feds have strict rules for banks on protecting PII of bank customers. I wonder if fed regulations have overlooked that nuance for employee PII? http://www.govinfosecurity.com/tax-return-fraudsters-hit-adp-portal-a-9083 If you know or even just suspect that your ID has been stolen, the IRS recommends you send it <https://www.irs.gov/pub/irs-pdf/f14039.pdf> Form 14039, Identity Theft Affidavit. This puts the agency on alert for your Social Security number and other information that could show up on a fake return. If a criminal does file a fake return pretending to be you, file your real tax return on paper, attaching a copy of the Form 14039 with your legitimate filing. Also watch for any follow-up correspondence from the IRS about your real or possible fake returns and respond immediately. 
http://www.bankrate.com/financing/taxes/adp-w-2-data-hacked-in-latest-breach I knew ADP was probably the largest provider of payroll services in the USA. Krebs says it is 640,000 US companies. When I visited the Krebs article, it had 41 comments, reflecting a good typical cross-section of people aware of various problems, and clueless. Here are some comments I consider informative: * Some years ago my employer selected ADP+SAP as a Payroll solution, without going through the usual *Due Diligence* process (which I was then in charge of). When live, we discovered that more than one person could logon to the same Employee account simultaneously : a colleague and I tested it together. When we reported it (along with 20+ other *bugs*), the Payroll Manager rejected the complaint(s) as *irrelevant*. * We are a small law Firm in Southern Ca and we too have fallen to ADP's weak security and inability to take responsibility for their shortcomings. Someone logged into their portal as our administrator. This hacker setup bogus direct deposit accounts for a number of our users, if our Finance director would not have seen these bogus accounts we would have lost over half of our payroll to these criminals. ADP refuses to share the logs showing the IP address linked to this attack and said the changes were made from our organization. We have checked our network and did a forensic examination of our Finance directors computer, the attack did not come from our network and we are 100% sure. We have made multiple requests for their log information and the last response indicated the logs were property of ADP. One of the replies to the above comment read: * Did you check your Finance Director's emails? Likely they were victim to a phishing attack and provided the credentials the hackers used—that could be why ADP is saying the login was legitimate. 
http://krebsonsecurity.com/2016/05/fraudsters-steal-tax-salary-data-from-adp/ Here is a blog, about how a fake job recruiter collects PII of job hunters. http://fakestaffing.blogspot.com/ Do my e-pals see a pattern here? I do. e-banking; SWIFT; ADP; what next I wonder – 401k. The pattern is that financial services are offered electronically, with the assumption that the customers will have the cyber know-how to conduct their affairs in a secure manner, but that is a bad assumption. Just as individual employees of many companies lack the training and will power to resist phishing, similarly the employees tasked with setting up electronic financial arrangements lack the computer training to know whether secure practices are doable for their company infrastructure, which includes whatever ma bell service they are using for Internet connections. We connect through many Internet and phone services, to many companies providing essential quality of life services. They ALL say “trust us, we have state-of-art security, we protect your PII.'' But many of them get breached, and they sing the same song. One thing we have needed for decades is a standard where there is proof of the song's chorus delivered to people who do business with them. In theory, a computer professional can examine the hardware and software that is in some building & declare that it is set up with good security, but the ordinary customer cannot get at that info from their phone company, ISP, bank, public utilities, etc. Similarly an employee cannot get that assurance from their employers. Gone are the days when a SWIFT or ADP will visit customer site for the purpose of setting up the connection service where THEY guarantee that it will work right, or they suffer the financial losses. Gone are the days when a small business can have a contract with a service provider which has clarity, and judicial appeal if anything goes wrong. 
I predict that some of the victim companies will be run by people in denial that it is their fault, as ADP claims. They will make statements to the news media which will then help us see the sizes of companies, and if there were other breaches to confirm ADP story, assuming these customers are not in one of the US states which does not require breaches to be made public via the combination of must tell Attorney General of the state, and that state have FOIA. I find it incredible that such alleged incompetence would be true for an outfit the size of US Bank. US Bank says this did not impact their customers. It impacted about 2 percent of their employees. How many is that? According to U.S. Bank's first-quarter earnings release for 2016, the company has about 67,000 employees, meaning that about 1,350 of those employees were the victims of tax fraud, or attempted tax fraud. US Bank blames “a weakness in ADP customer portal.'' They describe a process where a person, armed with an employee's PII, could create an account, in the name of an employee, to get at that employee's W-2 info. ADP says no, the breached portal was one setup by the client, such as US Bank, where it was the client which screwed up, not ADP. Employees who access the ADP portal need to know: the unique ADP link for their employer, the code for their employer, and their own PII. That is not how it worked when my day job was one of the companies. The problem, ADP speculates, seems to stem from ADP customers that both deferred the signup process for some or all of their employees and at the same time inadvertently published online the link and the company code. As a result, for users who never registered, criminals were able to register as them with fairly basic personal info, and access W-2 data on those individuals. U.S. Bank acknowledged that the bank published the link and company code to an employee resource online, but said ADP had never told them that the data itself was privileged. 
I speculate that, like my day job, stuff gets setup by personnel who themselves lack cyber security training, so they are oblivious to nuances which the service provider's Plug & Play system has a fiduciary responsibility to spell out sufficiently clearly to be understood by people who lack cyber security literacy. I have never worked in that interface between what ADP really tells the client's HR dept, and how HR interprets the fine print, so I do not know on which side of the conversation is the most blame. We can see from the Krebs article that the IRS has been using cyber security illiterates in a manner similar to at US Bank. I had occasion to buy a CD not so long ago. Many banks are still asking for mother's maiden name for their security check. Anyone who is on Facebook, or other social media with extended families, will realize what a joke that security is. ADP says it has developed systems to monitor the Web for any other customers that may inadvertently publish their signup link and code. When they find such foolish clients, they turn off the service, to protect the employees from crooks taking advantage of their employer incompetence.
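The weakness the Krebs and US Bank accounts describe is a business-logic one: a self-service registration that accepts a company code plus an employee's PII as sufficient proof of identity, combined with a pool of employees who have not yet registered. Once the code has been posted on an intranet or the open Web it is no longer a secret, and fraudsters who already hold the PII from some earlier breach win simply by registering first. The following is an added example that models that flow; it is a simplified simulation written for this page, not ADP's software, and the company code, employee records and field names are all constructed. It shows the attacker claiming an unregistered identity, the real employee then being refused, and a hardened variant that binds registration to a one-time activation token issued through a channel the attacker does not control (the payroll department handing it over, for instance) and raises an alert on any duplicate claim.

```python
"""Added example: pre-registration account takeover in a portal gated only
on a public company code plus PII, and the same portal hardened with
out-of-band activation tokens. Constructed data throughout."""
import secrets

# Constructed company code and employee roster (hypothetical).
COMPANY_CODE = "ACME123"
EMPLOYEES = [
    {"name": "Alice Example", "ssn_last4": "1234", "dob": "1980-05-01"},
    {"name": "Bob Example",   "ssn_last4": "5678", "dob": "1975-11-23"},
]


class Portal:
    def __init__(self, company_code, employees, require_token):
        self.company_code = company_code
        # "Identity" is whatever PII the form asks for; here last-4 SSN and DOB.
        self.employees = {(e["ssn_last4"], e["dob"]): e for e in employees}
        self.require_token = require_token
        self.tokens = {}       # identity -> one-time activation token
        self.registered = {}   # identity -> account owner label
        self.alerts = []       # duplicate-claim events worth investigating

    def issue_token(self, ssn_last4, dob):
        """Out-of-band step: payroll hands the employee a single-use token."""
        key = (ssn_last4, dob)
        if key not in self.employees:
            raise KeyError("unknown employee")
        token = secrets.token_urlsafe(12)
        self.tokens[key] = token
        return token

    def register(self, company_code, ssn_last4, dob, owner, token=None):
        if company_code != self.company_code:
            return "bad company code"
        key = (ssn_last4, dob)
        if key not in self.employees:
            return "no such employee"
        if key in self.registered:
            # Second claim on the same identity: either a typo or a takeover
            # already happened. Either way it should page someone.
            self.alerts.append({"employee": self.employees[key]["name"],
                                "first_owner": self.registered[key],
                                "second_owner": owner})
            return "already registered"
        if self.require_token:
            expected = self.tokens.pop(key, None)   # single use
            if expected is None or not secrets.compare_digest(expected, token or ""):
                return "activation token required"
        self.registered[key] = owner
        return "ok"


def build_portal(require_token):
    return Portal(COMPANY_CODE, EMPLOYEES, require_token)


def run_scenario(require_token):
    """Attacker with the leaked code and Alice's PII tries to register first."""
    portal = build_portal(require_token)
    attacker = portal.register(COMPANY_CODE, "1234", "1980-05-01", "attacker")
    token = portal.issue_token("1234", "1980-05-01") if require_token else None
    alice = portal.register(COMPANY_CODE, "1234", "1980-05-01", "alice", token)
    return attacker, alice, portal.registered.get(("1234", "1980-05-01")), len(portal.alerts)


if __name__ == "__main__":
    print("weak portal:    ", run_scenario(require_token=False))
    print("hardened portal:", run_scenario(require_token=True))
```

In the weak model the only signal that something went wrong is the legitimate employee's failed registration, which is exactly how the US Bank victims found out. The hardened model turns the company code back into what it always was, a routing label, and puts the secret where only the employee can receive it; the duplicate-claim alert is cheap to add to either variant and gives the operator a detection feed instead of a complaint queue.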
On the BBC News yesterday, we had an article about how BT is spending millions of pounds upgrading to "superfast broadband". But the same article pointed out that about 2.5M households (that's maybe 1 in 10) don't have ANY broadband, and there are no plans to improve that situation. "To those that have, more will be given. But to those that have not, even the little they do have will be taken away from them". Several people from these broadband-free areas were interviewed, and the general gist was that the modern Internet was unusable over a 33.6K modem. And BT scrapped ISDN some ten years ago, so even that option of 64K/128K no longer exists. (That's why we moved over to broadband.)
I concur with Mr Russell's comments. I wrote an article on Expanding the Role of Rural Electric Cooperatives to Provide Broadband to their Members: https://www.linkedin.com/pulse/expanding-role-rural-electric-cooperatives-provide-broadband-petras?trk=pulse_spock-articles My electrical coop was established in the 1930's to electrify rural parts of Idaho. To quote from their history, "Bringing electrical power to the 10,000 homes and businesses ... was like most movements - hard fought and slow in coming. Putting in over 2,800 miles of line over some of the nation's most rugged terrain, on behalf of sometimes only 3 customers per mile of expensive line, was hard and took a commitment only a neighbor-owned cooperative was willing to provide." Unfortunately the movement has stopped and taken deep roots. I approached the general manager of the coop with my idea and the response was underwhelming. He commented that it would take money and easements to do that. Sigh... I suppose if it was easy everyone would be doing it. Chuck Petras, Schweitzer Engineering Laboratories, Inc., Pullman, WA 99163 http://www.selinc.com
From the quoted article: > "Our researchers were able not only to discover this phenomenon, but to > develop a means of using it to identify devices right out of the box." Disney has discovered nothing. Forensic fingerprinting of RF transmitters has been in play for decades. I recall this being used in the 80s to identify rogue transmitters in the Amateur Radio service, but the concept and technology predates that (and was lifted from commercial and government applications). A quick DuckDuckGo search on "rf transmitter fingerprinting" turns up plenty of prior art.
"... we found that SmartApps can be overprivileged." All "apps" can be, and usually are, overprivileged. For example, I wanted to download the Android United Airlines app. One of the privileges it demanded was access to my camera. Why does an app that tells me about flight status need access to a camera? I've found many many such apps. It's either laziness on the part of the programmer, lack of fine grain permissions (an app needs one tiny bit of information but can't get it without full access to a large number of things), or malware. This has never been considered a major problem for programs, since regular OSes take either an all or nothing (root or user) view of privileges. Those with finer grain (SElinux, e.g.) seem to have less of an issue, but perhaps that's because the user is never told what privileges the program is getting as explicitly as for apps?