"Johnson & Johnson on Tuesday issued a warning about a possible cybersecurity issue with its Animas OneTouch Ping Insulin Infusion Pump. [...] Computer security firm Rapid 7 discovered that it might be possible to take control of the pump via its an unencrypted radio frequency communication system that allows it to send commands and information via a wireless remote control. The company alerted Johnson & Johnson, which issued the warning. [...] There have been no instances of the pumps being hacked, Johnson & Johnson said." http://www.usatoday.com/story/tech/news/2016/10/04/johnson-johnson-warns-insulin-pump-hack-risk-animas/91542522/ [See also Johnson & Johnson Discloses That Its Insulin Pump Is Hackable https://science.slashdot.org/story/16/10/04/2123221/johnson-johnson-discloses-that-its-insulin-pump-is-hackable http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L PGN]
LOUISVILLE, KY TV-station Wave 3, 5 Oct 2016 <http://www.wave3.com/story/33322175/update-southwest-says-smoke-in-plane-likely-from-samsung-device?sf37934658=1> and The Verge <http://www.theverge.com/> LOUISVILLE, KY (WAVE) - Louisville Metro Arson investigators confirmed Wednesday that the smoke that caused a Southwest Airlines flight to be evacuated came from an overheated Samsung device. Southwest flight 994, a Boeing 737, was scheduled to depart SDF for Baltimore at 9:30 a.m., but the smoke was discovered at about 9:20 a.m., SDF spokeswoman Natalie Chaudoin said. Passenger Misty Whitaker told WAVE 3 News what the scene was like inside the plane. "I was sitting at the front of the plane and I noticed a flight attendant coming quickly down the aisle saying, 'There's smoke on the plane,'" she said. "(They said), 'Leave all of your bags on the plane and come forward in an orderly fashion.' They said it was a Samsung Galaxy. The last they told us while we were waiting was that the fire had burned through the carpet. I know it was toward the back of the plane but I don't know if it was in an overhead bin or under a seat or what. ..." Control tower audio just released indicated that one pilot said "there's smoke in the cockpit." Whitaker said passengers with connections from Baltimore were being re-routed, but that flight 994 itself had been canceled shortly after 11 a.m. The U.S. Consumer Products Safety Commission issued a warning last month to Samsung Galaxy Note 7 users to stop using the phones due to the risk of explosions and fires. The consumer warning came after at least 35 reports of the lithium-ion batteries in the devices overheating and bursting, resulting in fires. Samsung announced a recall affecting all of the 2.5 million Galaxy Note 7 phones worldwide.
<http://www.samsung.com/us/note7recall/> All 75 people aboard the plane were evacuated without incident. No injuries were reported. Southwest issued a statement at 11:21 a.m. Wednesday 5 Oct 2016 in response to the incident: Before Southwest Airlines Flight 994 departed from Louisville for Baltimore, a customer's electronic device, believed to be a Samsung, began emitting smoke. All customers and crew deplaned safely via the main cabin door. Customers will be accommodated on other Southwest flights to their final destinations. Safety is always our top priority at Southwest and we encourage our customers to comply with the FAA Pack Safe guidelines. [See also: Replaced Galaxy Note 7 explodes on a Southwest flight http://arstechnica.com/gadgets/2016/10/a-replacement-galaxy-note-7-catches-fire-on-a-plane/ PGN]
Ellen Nakashima, *The Washington Post*, 7 Oct 2016 The Obama administration on Friday officially accused Russia of attempting to interfere in the 2016 elections, including by hacking the computers of the Democratic National Committee and other political organizations. The denunciation, made by the Office of the Director of National Intelligence and the Department of Homeland Security, came as pressure was growing from within the administration and some lawmakers to publicly name Moscow and hold it accountable for actions apparently aimed at sowing discord around the election. "The U.S. Intelligence Community is confident that the Russian Government directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations," said a joint statement from the two agencies. "These thefts and disclosures are intended to interfere with the U.S. election process." The public finger-pointing was welcomed by senior Democratic and Republican lawmakers, who also said they now expect the administration to move to punish the Kremlin as part of an effort to deter further acts by its hackers. [See also U.S. Says Russia Directed Hacks to Influence Elections, http://www.nytimes.com/2016/10/08/us/politics/us-formally-accuses-russia-of-stealing-dnc-emails.html PGN]
http://www.computerworld.com/article/3126820/election-hacking/if-the-election-is-hacked-we-may-never-know.html
<http://www.purdueexponent.org/campus/article_ec1fe6d4-8bf6-11e6-ac3e-c77a826f28df.html> The search for solutions to increase voter numbers on Election Day continues as states have underwhelming turnouts in both presidential and non-presidential election years. But Eugene Spafford, computer science professor at Purdue, says online voting is not one of those solutions. The most important aspects of an election are privacy and accuracy for citizens and, from the standpoint of candidates, the vote total accountability. However, current online technology available to the average citizen dictates that you can't have it all, says Spafford, the executive director of Purdue's Center for Education and Research in Information Assurance and Security <http://www.cerias.purdue.edu/>. "Voting by Internet sounds attractive, but either we have to give up the anonymity of the ballot, which is not a good practice, or we have to give up the ability to confirm that the count is correct," he said in a release. The question of online voting comes up because many day-to-day activities are handled online. But comparing voting via the Internet to activities such as banking online falls short because, with banking, an account is used to keep track of transactions. "A record kept of the account—that's not anonymous," Spafford said. "That removes the privacy of the voting booth from voters." For the areas of accuracy and accountability, the potential for election problems goes back to two well-known headaches: computer viruses and bugs. A virus or hidden code designed to disrupt vote counts cast online wouldn't be difficult to write, Spafford said, adding such software is expensive and difficult to prevent. "Elections matter," he said. "If one virus or error is detected, it could invalidate the vote, and that's not something we want to do. It would cast enough doubt that the election would be thrown into disarray."
Voters need to trust that what they see on their computer screen ballot is what is actually tabulated in the election. A computer virus or hidden, malicious code could be written to change an online ballot after it is cast. Spafford said the level of security in personal computers is safe for a lot of things, but that security still fails regularly—too often to trust with an election. Beyond local computer security is the issue of users falling prey to phishing or fake election websites. The reality is online voting could occur but with a hefty price tag. It is possible that a highly classified, strongly controlled computer system similar to those used by intelligence agencies could be used for online voting. "But it would possibly cut away some of the privacy for voters and it would require people to spend a few hundred thousand dollars on their home computers," he said. "It is much more cost-efficient to spend those resources on verifiable voting systems at monitored election centers, and to encourage voters to use them."
Bruce Schneier, We Need to Save the Internet from the Internet of Things Motherboard Vice, 6 Oct 2016 https://motherboard.vice.com/read/we-need-to-save-the-internet-from-the-internet-of-things Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack. In many ways, this is nothing new. Distributed denial-of-service attacks are a family of attacks that cause websites and other Internet-connected systems to crash by overloading them with traffic. The "distributed" part means that other insecure computers on the Internet—sometimes in the millions—are recruited to a botnet to unwittingly participate in the attack. The tactics are decades old; DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics. There are defenses, and there are companies that offer DDoS mitigation services for hire. Basically, it's a size vs. size game. If the attackers can cobble together a fire hose of data bigger than the defender's capability to cope with, they win. If the defenders can increase their capability in the face of attack, they win. What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the Internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. 
What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own. The IoT will remain insecure unless government steps in and fixes the problem. Our computers and smartphones are as secure as they are because there are teams of security engineers working on the problem. Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered. Those companies can support such teams because those companies make a huge amount of money, either directly or indirectly, from their software—and, in part, compete on its security. This isn't true of embedded systems like digital video recorders or home routers. Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don't have the expertise to make them secure. Even worse, most of these devices don't have any way to be patched. Even though the source code to the botnet that attacked Krebs has been made public, we can't update the affected devices. Microsoft delivers security patches to your computer once a month. Apple does it just as regularly, but not on a fixed schedule. But the only way for you to update the firmware in your home router is to throw it away and buy a new one. The security of our computers and phones also comes from the fact that we replace them regularly. We buy new laptops every few years. We get new phones even more frequently. This isn't true for all of the embedded IoT systems. They last for years, even decades. We might buy a new DVR every five or ten years. We replace our refrigerator every 25 years. We replace our thermostat approximately never. Already the banking industry is dealing with the security problems of Windows 95 embedded in ATMs. This same problem is going to occur all over the Internet of Things. 
The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution. What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure. Of course, this would only be a domestic solution to an international problem. The Internet is global, and attackers can just as easily build a botnet out of IoT devices from Asia as from the United States. Long term, we need to build an[other] internet that is resilient against attacks like this. But that's a long time coming. In the meantime, you can expect more attacks that leverage insecure IoT devices. [This is verbatim from Bruce, except for the up-casing of the Internet in all cases (!) except the one in the last paragraph, which is obviously not The Internet as we know it. PGN]
https://theintercept.com/2016/10/07/ex-yahoo-employee-government-spy-program-could-have-given-a-hacker-access-to-all-email/ Contrary to a denial by Yahoo and a report by *The New York Times*, the company's scanning program, revealed earlier this week by Reuters, provided the government with a custom-built back door into the company's mail service -- and it was so sloppily installed that it posed a privacy hazard for hundreds of millions of users, according to a former Yahoo employee with knowledge of the company's security practices. Alex Stamos, Yahoo's former information security chief who Reuters reported left the company after finding out about its cooperation with the U.S. government's scanning mandate, is said to have taken particular issue with how poorly the scanning tool was installed. "He was especially offended that he was not looped in on the decision," said the ex-Yahoo source. "The program that was installed for interception was very carelessly implemented, in a way that if someone like an outside hacker got control of it, they could have basically read everyone's Yahoo mail," something the source attributed to "the fact that it was installed without any security review." To people whose entire job it is to prevent something like this from happening, the discovery was a shock, and they immediately did what was done for any other uncovered vulnerability, filing a complaint so the problem could be tracked and corrected. "Standard protocol on the security team," the ex-Yahoo source explained, "is to open a security issue and assign it to the team responsible for that component, in this case Mail, saying you have to fix this within 24-48 hours," due to its severity. "At that point [Yahoo Mail] would have had to explain to [them] why they didn't have to fix this, which was because they had installed it." 
But the source says that after the security team raised an alarm over the email scanning, still thinking it was the work of an outside hacker and not their coworkers, the complaint suddenly went missing from Yahoo's internal tracker: "I looked for the issue and I couldn't find it," said the Yahoo alum. "I assume it was deleted." Eventually, several months after the tool was first installed, some members of Yahoo's security team were filled in about the truth of the scanning project, though they were unable to alter it by that point - a decision that left many frustrated or worse. "It was detected early enough that we could have made things better," the ex-Yahoo source said. "I was very upset."
Caroline Craig, InfoWorld Tech Watch, 7 Oct 2016: Yahoo is only the latest tech company to be caught up in a system of secret surveillance and government gag orders. http://www.infoworld.com/article/3128849/government/yahoos-email-snooping-its-all-legal.html Opening text: The revelation this week that Yahoo scanned the incoming emails of hundreds of millions of Yahoo users set off a storm of condemnation. The real outrage is that this kind of government surveillance, frequently abetted by the collaboration of telecom and tech companies, is pervasive and has little or no oversight. As told by Reuters and the New York Times, Yahoo received a secret order last year from a judge of the Foreign Intelligence Surveillance Court (FISC) that compelled the company to customize an existing scanning system (used to find and report child pornography and malware) to search emails for a computer "signature" tied to the communications of a state-sponsored terrorist organization. Emails containing the signature were turned over to the NSA or FBI—and Yahoo was barred from disclosing the matter. In other words, Yahoo was destined to be the fall guy, left to twist in the wind by a system of secret courts and government gag orders. Its terse statement—"Yahoo is a law-abiding company, and complies with the laws of the United States"—did nothing to defend it against the torrent of calls for users to ditch Yahoo services. But legally, the company could disclose nothing more about what data it did or did not turn over—and why.
http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSKCN1241YT Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter. The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events. [...] It seems that PGP had it right: encryption was controlled by the customer. Why can't we have a new standard, designed to work with the major browsers and e-mail vendors—maybe built on PGP—that would take the encryption responsibility out of the hands of the e-mail providers, but allow them to claim, "Complies with independent encryption standard XYZ", and maybe XYZ vendors or some open source projects could provide the plug-in so that Google, Yahoo, and the rest couldn't read the mails? Maybe the e-mail providers might be happy to tell the NSA or FBI or whoever, "we can't read the mail, there's nothing we can do to help..." (There's still the metadata, but it's a start.) I'm not a UI or JavaScript programmer, but if I had to guess, I'd say that the place to start would be an encrypting editor of some sort that the e-mail providers could just plug in to their own e-mail web scripts. It wouldn't be necessarily straightforward (how do we know that the e-mail provider didn't modify the editor script? for example), but if we separate the encryption from the e-mail itself, there might be a fighting chance at success. Yes, I know this has probably been suggested before, but it's not going away until it's fixed.
vocativ.com via *The Register* <https://yro.slashdot.org/story/16/10/04/2252242/apple-google-microsoft-we-have-no-government-email-scanning-program-like-yahoos> (posted by BeauHD, Tuesday 4 Oct 2016) Apple, Google and Microsoft have each said they don't scan all incoming messages for the U.S. government <http://www.vocativ.com/364815/yahoo-email-nsa-fbi/> -- which is exactly what Yahoo does. According to Reuters, Yahoo secretly built a custom software program <https://yro.slashdot.org/story/16/10/04/1928232/yahoo-secretly-scanned-customer-emails-for-us-intelligence> last year to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials. The company complied with a classified U.S. government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI. Vocativ reports:

* In a statement, a Microsoft spokesperson told Vocativ that "We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo." While Apple declined to give a statement on the record, a representative for the company did, in response to Vocativ's question, refer to CEO Tim Cook's official letter <https://www.apple.com/privacy/> on consumer privacy, which reads in part: "I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will." The fact that both the companies declined further statement means it's not yet known if the NSA or FBI approached them to request they build a program like Yahoo's.

* Meanwhile, a spokesperson from Alphabet's Google issued a statement to CNBC <http://www.cnbc.com/2016/10/04/google-and-microsoft-say-email-services-are-spy-free-following-yahoo-report.html?%3Fsource=Twitter>: "We've never received such a request, but if we did, our response would be simple: 'no way.'" [The spokesperson later clarified that the company has not received a "directive" or "order" to that effect, either, according to The Intercept.] <https://theintercept.com/2016/10/04/delete-your-yahoo-account/>

But the question is whether or not you believe them. With Yahoo's case, only a handful of employees knew about the program. The same could be true with Apple, Google, Microsoft or any other large tech company. Edward Snowden tweeted <https://twitter.com/Snowden/status/783409733306880000> not too long after Reuters' report surfaced: "Heads up: Any major email service not clearly, categorically denying this tomorrow—without careful phrasing -- is as guilty as Yahoo."
https://blog.mozilla.org/blog/2016/10/06/promoting-cybersecurity-awareness [As Tom Lehrer might have said, in a totally different context, "Be grateful that it doesn't last all year!" But in this case, it needs to be not just an awareness day or month—it needs to be perpetual. PGN]
Michael Kan, InfoWorld, 4 Oct 2016: The Mirai botnet used IoT devices to launch a massive DDoS attack. http://www.infoworld.com/article/3127167/password-security/iot-botnet-highlights-the-dangers-of-default-passwords.html Selected text: A botnet responsible for a massive DDoS (distributed denial-of-service) attack was created thanks to weak default usernames and passwords found in Internet-connected cameras and DVRs. The Mirai botnet grabbed headlines last month for taking down the website of cybersecurity reporter Brian Krebs with a huge DDoS attack. Unlike most botnets, which rely on infected PCs, this one used IoT devices to target its victims.
Who is behind the source of botnet Mirai? > Source code for IoT botnet Mirai Released, Krebs, 1 Oct. Being Japanese, I could not help but notice that *Mirai* is a Japanese word for the "future", and *Anna-senpai* is a way to address one's senior whose name is Anna in Japanese, most likely in a school setting or similar closely knit group. I searched the Japanese web, and sure enough there seems to be a light novel with this Anna-senpai figure, and an anime based on it. (A light novel is a genre of stories that can be read easily on the small screen of a mobile phone. *Crime and Punishment* is definitely NOT a light novel.) I found the English wiki for this anime/novel. CAUTION: the following page may not be fit for an ordinary office and/or family-oriented environment. For this reason, I intentionally mistyped a component in the URL. You can figure it out. https://en.wikpedia.org/wiki/Shimoneta In the URL https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/ the graphic shown as the login logo of the person in the hacker forum screen must be this "Anna-Senpai" figure from the anime. Oh well, a lame attempt to profile the person who published the source code without bothering to trace IP addresses and stuff. When I grew up watching the original Astro Boy and other cartoons, I never thought that Japanese anime would have such an influence all over the world. It would be interesting, to say the least, to see the eventual damages caused by the large number of these almost orphaned devices with weak security. If the user/password pairs listed in the source code are an indicator, there is no security at all. (There is a link to GitHub in the comment section of the krebsonsecurity web site. You don't have to log in to the hacker forum website to see the source code.) That adage, "History does not repeat itself. Those who cannot remember the past are condemned to repeat it.", comes to my mind. Sigh...
http://www.extremetech.com/computing/237117-windows-10-update-traps-some-systems-in-a-boot-loop-microsoft-promises-fix Microsoft insists that this problem only affected people in the Windows Insider Program, though it has not explained why others not in that program would have been impacted by the latest patch. A fix has been pushed out for the issues but the company has provided no details into what went wrong or what the patch fixes. The supposed link to a knowledge base (KB) article that's supposed to describe the problem is actually dead as of this writing. And herein is the fundamental problem. Unlike the hardware scope of a Chromebook, or even an Android phone, a PC's hardware mix can be so varied and complex in terms of driver environments that automatic updates (which are not necessarily a priori always a bad thing!) can become decidedly problematic in the Windows ecosystem.
The FBI is investigating whether Harold T. Martin III, a National Security Agency contractor, stole and disclosed highly classified computer code, officials said. http://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html Later: The FBI seized papers and digital devices from Harold T. Martin III's home in Maryland, but found no indication that he had passed classified information to anyone else. http://www.nytimes.com/2016/10/06/us/politics/harold-martin-nsa-contractor.html
http://arstechnica.com/security/2016/10/making-a-dvr-join-a-ddos-botnet-is-a-piece-of-cake-and-thats-just-sad/