Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Joshua Eaton, *The Christian Science Monitor*, 16 Jun 2016 With U.S. technology companies refusing to allow anyone, including the federal government, access to suspected criminals' encrypted communications conducted on their devices, a leading cybersecurity expert is proposing another method for authorities to obtain the information they need without undermining the security of the millions of other consumers who also use those products. Worcester Polytechnic Institute professor Susan Landau suggests law enforcement boost the hiring of government hackers and foster in-house experts to legally hack such devices when they have a warrant. The strategy entails exploiting existing software bugs instead of having tech companies install "backdoors" in their products. Landau says the U.S. Federal Bureau of Investigation (FBI) can bypass encryption by investing in court-sanctioned lawful hacking capabilities such as installing remote surveillance programs on computers and phones and hiring more agents with computer science backgrounds. The unacceptable alternative would compromise consumer security and give criminal hackers, among others, another exploitation option, according to Landau. She also says the FBI's paltry lawful hacking budget and resources may be one reason why the bureau wants companies to install backdoors. http://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-f2f6x2e54ax065639&
John Ribeiro, InfoWorld, 17 Jun 2016 The U.S. House of Representatives voted down a proposed anti-surveillance amendment that would prevent warrantless searches by law enforcement on Americans http://www.infoworld.com/article/3085175/government/surveillance-reform-measure-blocked-in-the-wake-of-orlando-killings.html selected text: "With Orlando fresh in everyone's mind, members of Congress appear to be voting based on fear rather than on reason," wrote Kevin Bankston, director of New America's Open Technology Institute. He added that there is no reason to think that mandating backdoors into American companies' encrypted products or allowing warrantless searches of Americans' private data would have prevented the tragedy, a view widely held by many privacy advocates.
The result of last month's London Mayoral election on 5 May was delayed by several hours after staff had to manually query a bug-stricken database. http://www.bbc.co.uk/news/technology-36558446
[Boing Boing. More on this latter . Not what is suggested djf] http://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late. The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments. ... [Werner U. notes SlashDot item that refers to BoingBoing.
http://cacm.acm.org/magazines/2016/6/202646-physical-key-extraction-attacks-on-pcs/fulltext Our research thus focuses on two main questions: Can physical side-channel attacks be used to nonintrusively extract secret keys from PCs, despite their complexity and operating speed? And what is the cost of such attacks in time, equipment, expertise, and physical access? Results. We have identified multiple side channels for mounting physical key-extraction attacks on PCs, applicable in various scenarios and offering various trade-offs among attack range, speed, and equipment cost. The following sections explore our findings, as published in several recent articles.
[This song is made for you and me!] [NNSquad] http://arstechnica.com/tech-policy/2016/06/lawyers-who-yanked-happy-birthday-into-public-domain-now-sue-over-this-land/ The lawyers who successfully got "Happy Birthday" put into the public domain and then sued two months ago over "We Shall Overcome" have a new target: Woody Guthrie's "This Land." Randall Newman and his colleagues have filed a proposed class-action lawsuit against The Richmond Organization (TRO) and Ludlow Music, the two entities that also claim to own the copyright for "We Shall Overcome." ... According to the "This Land" suit, the melody of the song is actually a Baptist hymn from the late 19th or early 20th century, often referred to as "Fire Song."
via NNSquad http://gizmodo.com/the-air-force-had-a-totally-accidental-computer-disaste-1781973697?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+gizmodo%2Ffull+%28Gizmodo%29 Last Month, Lockheed Martin, the government contractor which operates the servers that store sensitive information about internal Air Force investigations, came to realize that all of the data on said servers was missing. The apparent reason was a run-of-the-mill system crash--but what caused that actual crash is still unclear. Now, the United Stated Air Force is reportedly missing all of its investigation records dating all the way back to 2004. Whoops! Investigation records lost back to 2004. And no clear sense of what backups may or may not exist. This is the same government that wants access to our secure communications. Yeah. [The Air Force and the FBI are *not quite* the same.]
This article covers risks and concerns about Google Home. Fahmida Y. Rashid, InfoWorld, 15 Jun 2016 Always-listening devices accelerate our transformation into a constantly surveilled society. That's a problem not only for us but for our kids, too http://www.infoworld.com/article/3079846/security/home-invasion-3-fears-about-google-home.html
"Best Korea's Social Network" hacked after using worst ID and password possible http://en.rocketnews24.com/2016/06/16/best-koreas-social-network-hacked-after-using-worst-id-and-password-possible/
Help Net Security, 16 Jun 2016 The average data breach cost has grown to $4 million, representing a 29 percent increase since 2013, according to the Ponemon Institute. Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014. As these threats become more complex, the cost to companies continues to rise. In fact, the study found that companies lose $158 per compromised record. Breaches in highly regulated industries like healthcare were even more costly, reaching $355 per record – a full $100 more than in 2013. https://www.helpnetsecurity.com/2016/06/16/data-breach-cost-4-million/
Michael Kan, InfoWorld, 16 Jun 2016 In the U.S. alone, victims have lost $960 million to the schemes over the past three years, according to new data from the FBI http://www.infoworld.com/article/3084886/cyber-crime/companies-pay-out-billions-to-fake-ceo-email-scams.html opening text: Email scammers, often pretending to be CEOs, have duped businesses into giving away at least $3.1 billion, according to new data from the FBI.
http://boingboing.net/2016/06/16/spam-king-sanford-wallace.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29 A hacker who called himself 'Spam King' and sent 27 million unsolicited Facebook messages for a variety of scams has been sentenced to 30 months in jail. Sanford Wallace, 47 was also ordered to pay more than $310,000 in fines. The hacker also known as "Spamford" is reported to have compromised over 500,000 Facebook accounts from November 2008 to March 2009, and messaged victims links to external sites that harvested their log-ins and Facebook friend lists. Then, Wallace spammed the Facebook users with links to other websites ... allace's spamming career didn't begin with Facebook messages, but stretches all the way back to the '90s, when he sent junk fax messages. He faced civil suits from both Myspace and Facebook in 2007 and 2009, respectively, and racked up nearly $1 billion in fines from the two companies that he was unable to pay. This recent sentence, is the first time Wallace has been convicted of a crime, with the Spam King pleading guilty to one count of "fraud and related activity in connection with electronic mail." His two-and-a-half year jail sentence is just short of the three year maximum he was facing.
CRYPTO-GRAM
June 15, 2016
by Bruce Schneier
CTO, Resilient, an IBM Company
schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<https://www.schneier.com/crypto-gram/archives/2016/0615.html>. These same
essays and news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent comment
section. An RSS feed is available.
Interesting research paper:
Cormac Herley, "Unfalsifiability of security claims":
There is an inherent asymmetry in computer security: things can be
declared insecure by observation, but not the reverse. There is no
observation that allows us to declare an arbitrary system or technique
secure. We show that this implies that claims of necessary conditions for
security (and sufficient conditions for insecurity) are unfalsifiable.
This in turn implies an asymmetry in self-correction: while the claim that
countermeasures are sufficient is always subject to correction, the claim
that they are necessary is not. Thus, the response to new information can
only be to ratchet upward: newly observed or speculated attack
capabilities can argue a countermeasure in, but no possible observation
argues one out. Further, when justifications are unfalsifiable, deciding
the relative importance of defensive measures reduces to a subjective
comparison of assumptions. Relying on such claims is the source of two
problems: once we go wrong we stay wrong and errors accumulate, and we
have no systematic way to rank or prioritize measures.
This is both true and not true.
Mostly, it's true. It's true in cryptography, where we can never say that an
algorithm is secure. We can either show how it's insecure, or say something
like: all of these smart people have spent lots of hours trying to break it,
and they can't—but we don't know what a smarter person who spends even
more hours analyzing it will come up with. It's true in things like airport
security, where we can easily point out insecurities but are unable to
similarly demonstrate that some measures are unnecessary. And this does lead
to a ratcheting up on security, in the absence of constraints like budget or
processing speed. It's easier to demand that everyone take off their shoes
for special screening, or that we add another four rounds to the cipher,
than to argue the reverse.
But it's not entirely true. It's difficult, but we can analyze the
cost-effectiveness of different security measures. We can compare them with
each other. We can make estimations and decisions and optimizations. It's
just not easy, and often it's more of an art than a science. But all is not
lost.
Still, a very good paper and one worth reading.
Blog entry URL:
https://www.schneier.com/blog/archives/2016/05/the_unfalsifiab.html
Unfalsifiability of security claims:
http://research.microsoft.com/pubs/256133/unfalsifiabilityOfSecurityClaims.pdf
In a series of four articles in *The Atlantic*, Sarah Jeong argues conclusively that the systems of financial surveillance originally intended for determining credit-worthiness of corporations and rich individuals have been extended—thanks to the cost-effectiveness of IT & Internet technology—to even the poorest of the poor. Furthermore, this surveillance exercise has been converted into a form of coercive social control on legal activities which have been politicized. The use of financial controls to punish Wikileaks today can also be used to punish those seeking and providing abortions tomorrow. While Sarah does not mention "civil asset forfeiture" (CAF) in this particular series, it is easy to see that CAF is the obvious next step in closing the surveillance/control loop. "See Something, Say Something" inevitably becomes "See Something, Take Something". Some libertarians have advocated the use of Bitcoin-type protocols to avoid this financial surveillance. Sarah argues that—far from saving us from surveillance, a cashless society (advocated by state-nanny Cass Sunstein) will allow essentially complete surveillance and control. - - - The "War on Drugs" was the excuse for much of this financial surveillance & control system; the "War on Terror" is now the excuse for extending it for total surveillance and total control. Within a few years, the President won't require a drone strike to disable a domestic dissident; that "Red Button" on her desk will disable the dissident's ability to financially function in society, and instantly strip all financial assets—without any presumption of innocence. "Look ma, no due process!" Bottom line: allowing the government a pass on the ubiquitous surveillance of financial transactions is akin to providing the govt a "metadata loophole" aka "third party doctrine"; fine-grained financial data provides all of the metadata information, so this becomes a distinction without a difference. http://www.theatlantic.com/technology/archive/2016/04/mass-surveillance-was-invented-by-credit-bureaus/479226/ Also by Sarah Jeong: Credit Bureaus Were the NSA of the 19th Century http://www.theatlantic.com/technology/archive/2016/04/credit-reporting-spying/480510/ You Can't Escape Data Surveillance In America http://www.theatlantic.com/technology/archive/2016/04/rental-company-control/478365/ How Technology Helps Creditors Control Debtors http://www.theatlantic.com/technology/archive/2016/04/cashless-society/477411/ How a Cashless Society Could Embolden Big Brother Sarah Jeong Apr 8, 2016 Technology
With ever-advancing auto-automation, surely it is not beyond the wit of Man to ensure that such vehicles are thoroughly instrumented and the data are retained in black boxes, if not systematically uploaded for further analysis? A moment's idle and ill-informed conjecture suggests the possibilities of: identifying failure modes; diagnosing driver and vehicle errors; spotting opportunities for safer, more fuel-efficient driving; forensic evidence concerning incidents; compliance with road laws; indications of drivers' failing eyesight/health/impairment/incompetence . Aren't there suitable standards in this area already? If not, why not? Isn't anyone driving them? It's such an obvious avenue, a clear route ahead. [Standards? We are probably still in the period where each company is trying to roll its own, although there is supposedly some standardization on interfaces. However, think about the composition problem of having different components from different vendors (including the ubiquitous entertainment system that is a culprit in airliners) supposedly seamlessly integrated, and the communication problem among vehicles when we get to the automated highway (!), and the need for monitoring and oversight to ensure everything is working properly, or remediating when it is not, ... PGN] Dr Gary Hinson PhD MBA CISSP, CEO of IsecT Ltd., New Zealand http://www.isect.com/ Passionate about information risk and security awareness, standards and metrics <http://www.noticebored.com/> www.NoticeBored.com <http://www.iso27001security.com/> www.ISO27001security.com <http://www.securitymetametrics.com/> www.SecurityMetametrics.com
Ars Technica reports that "Guccifer 2.0" claims responsibility for the attack on the DNC, Clinton, and Trump sites. Guccifer includes the purloined data as "proof". http://arstechnica.com/security/2016/06/lone-wolf-claims-responsibility-for-dnc-hack-dumps-purported-trump-smear-file/#p3 https://guccifer2.wordpress.com/2016/06/15/dnc/
The immediate cause of the power loss was flooding of the main subsystem next to the River Lune, which reached a peak flow of 1,742 cubic meters of water per second. The connection between rainfall level of 150 to 200mm and a record peak water flow in the river may seem obvious and inevitable: but in fact is exacerbated by successive Governments' handling of the upland areas: (1) A study in mid-Wales suggests that rainwater’s infiltration rate into the soil is 67 times higher under trees than under sheep pasture. Yet farmers are subsidised for keeping sheep and rewarded for removing "unwanted vegetation" (i.e. trees) from land which is not being farmed. (2) Rivers that have been dredged and canalised to protect farmland rush the water instead into the nearest town. (3) In June 2014 the environment department proposed to deregulate dredging, allowing landowners to strip the structure and wildlife habitat out of ditches and rivers. There could be no better formula for disaster downstream. Once water is in the rivers, it has to go somewhere. If you don’t hold it back in the fields, it will tumble into people’s homes instead. (4) Internal drainage boards—which are public bodies but tend to be mostly controlled by landowners—often prioritise the protection of farmland above the safety of towns and cities downstream. (5) The Government was instrumental in destroying the proposed European soil framework directive, which would have reduced flooding by preventing the erosion and compaction of the soil. http://www.theguardian.com/commentisfree/2015/dec/07/hide-evidence-storm-desmond-floods-paris-talks http://www.theguardian.com/commentisfree/2015/dec/29/deluge-farmers-flood-grouse-moor-drain-land Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
Please report problems with the web pages to the maintainer