http://www.theonion.com/article/china-unable-recruit-hackers-fast-enough-keep-vuln-51719

BEIJING -- Despite devoting countless resources toward rectifying the issue, Chinese government officials announced Monday that the country has struggled to recruit hackers fast enough to keep pace with vulnerabilities in U.S. security systems. “With new weaknesses in U.S. networks popping up every day, we simply don't have the manpower to effectively exploit every single loophole in their security protocols,” said security minister Liu Xiang, who confirmed that the thousands of Chinese computer experts employed to expose flaws in American data systems are just no match for the United States' increasingly ineffective digital safeguards. “We can't keep track of all of the glaring deficiencies in their firewall protections, let alone hire and train enough hackers to attack each one. And now, they're failing to address them at a rate that shows no sign of slowing down anytime soon. The gaps in the State Department security systems alone take up almost half my workforce.” At press time, Liu confirmed that an inadequate labor pool had forced China to outsource some of its hacker work to Russia.

[Caveat lector: Your moderator is an Onion Rooter, and appreciates onion routers. PGN]
Electronic Frontier Foundation Media Alert <https://supporters.eff.org/civicrm/mailing/view?reset=1&id=1234>

EFF Wins Petition to Inspect and Modify Car Software
Exemption Requests Also Approved for Tweaking Abandoned Videogames, Jailbreaking Phones and Tablets, and Remixing Videos

Washington, D.C. - The Librarian of Congress has granted security researchers and others the right to inspect and modify the software in their cars and other vehicles, despite protests from vehicle manufacturers. The Electronic Frontier Foundation (EFF) filed the request for software access as part of the complex, triennial rulemaking process that determines exemptions from Section 1201 of the Digital Millennium Copyright Act (DMCA). Because Section 1201 prohibits unlocking access controls on the software, car companies have been able to threaten legal action against anyone who needs to get around those restrictions, no matter how legitimate the reason. While the copyright office removed this legal cloud from much car software research, it also delayed implementation of the exemption for one year.

EFF Staff Attorney Kit Walsh: “This access control rule is supposed to protect against unlawful copying, but as we've seen in the recent Volkswagen scandal—where VW was caught manipulating smog tests—it can be used instead to hide wrongdoing hidden in computer code. We are pleased that analysts will now be able to examine the software in the cars we drive without facing legal threats from car manufacturers, and that the Librarian has acted to promote competition in the vehicle aftermarket and protect the long tradition of vehicle owners tinkering with their cars and tractors. The year-long delay in implementing the exemptions, though, is disappointing and unjustified. The VW smog tests and a long run of security vulnerabilities have shown researchers and drivers need the exemptions now.”

EFF also won an exemption for users who want to play video games after the publisher cuts off support. For example, some players may need to modify an old video game so it doesn't perform a check with an authentication server that has since been shut down. The Librarian also granted EFF's petition to renew a previous exemption to jailbreak smartphones, and extended that to other mobile devices, including tablets and smartwatches. This clarifies the law around jailbreaking, making clear that users are allowed to run operating systems and applications from any source, not just those approved by the manufacturer. EFF also won the renewal and partial expansion of the exemptions for remix videos that use excerpts from DVDs, Blu-Ray discs, or downloading services.

EFF Senior Staff Attorney Mitch Stoltz: “We're pleased that the Librarian of Congress and the Copyright Office have expanded these legal protections to users of newer products like tablets, wearable computers, and Blu-Ray discs.”

Today's ruling is a victory for users, artists, and researchers. However, the laborious process required to remove a legal cloud over clear fair uses highlights the need for fundamental reforms. EFF Legal Director Corynne McSherry: “It's absurd that we have to spend so much time, every three years, filing and defending these petitions to the copyright office. Technologists, artists, and fans should not have to get permission from the government—and rely on the contradictory and often nonsensical rulings—before investigating whether their car is lying to them or using their phone however they want. But despite this ridiculous system, we are glad for our victories here, and that basic rights to modify, research, and tinker have been protected.”

EFF's remix petition was drafted and co-submitted with the Organization for Transformative Works. EFF's remaining petitions received invaluable assistance from the NYU Technology Law & Policy Clinic, attorney Marcia Hofmann, and former EFF intern Kendra Albert.

For the full ruling from the Library of Congress: http://copyright.gov/1201/2015/fedreg-publicinspectionFR.pdf
For more on the DMCA rulemaking: https://www.eff.org/cases/2015-dmca-rulemaking

Contacts:
Corynne McSherry, Legal Director, corynne@eff.org, +1 415-436-9333 x 122
Mitch Stoltz, Senior Staff Attorney, mitch@eff.org, +1 415-436-9333 x 142
Kit Walsh, Staff Attorney, kit@eff.org, +1 415-436-9333 x 163
After seeing a new medical practice today—one which I'm likely to never visit again—I received this note tonight. Subject was: Your patient portal has a new message. It said:

  Please use following URL to complete registration process on patient portal for the X X X Center: https://www.xxx.com/web/Account/Register
  To login, enter your email address as your username, and create a new password of your choice. Please fill out the demographic information if it is not filled out already. Please do not attempt to fill in the insurance information. We will fill it in for you and confirm it during your visit.

So anyone intercepting this non-secured note could register as me, impersonate me, establish "my" account and access MY records. My first attempt to register failed because I omitted the essential special character required by their ultra-secure password rules: Password must be at least 8 characters long and include a capital letter, a lower case letter, a number, and a special character (!@#$%^&*). So they sort-of consider security, just incompletely/badly. But wait, it's even lamer. The message I had to register to read was about my UPCOMING (that is, today's, already past) appointment.
[LA Times] Authorities are looking for the pilot of a drone that flew into power lines Monday in West Hollywood and knocked out service to hundreds of Southern California Edison customers, officials said. Witnesses reported seeing a drone buzz into the wires lining Larrabee Street and Sunset Boulevard about 1:15 p.m. knocking one to the ground, said Lt. Edward Ramirez of the Los Angeles County Sheriff's Department. rest: http://www.latimes.com/local/lanow/la-me-ln-drone-power-west-hollywood-20151027-story.html
Fox temporarily lost power on Tuesday night in Kansas City, Mo. http://www.nytimes.com/2015/10/28/sports/baseball/world-series-drama-a-four-minute-blackout.html [The Fox Sports Net TV broadcast had at least TWO power outages, apparently in the truck outside the stadium, each of which caused the coverage to shift back to the studio. PGN]
"Cybersecurity is one of the top global risks today. There have been 80-90 million cybersecurity events per year, or up to 250,000 attacks per day in recent years—with 70% of attacks thought to be going undetected. The global cybersecurity solutions market continues to grow and is estimated at US$75-77 billion in 2015, and is expected to reach US$170 billion by 2020."
SF Chronicle: http://www.sfchronicle.com/politics/article/Allegations-of-voter-fraud-in-Chinatown-surface-6594323.php
SF Examiner: http://www.sfexaminer.com/democratic-party-may-amend-unworkable-voter-fraud-fix/

Democratic Club Uncovers Voter Fraud in Chinatown Non-Profit Senior Housing
FOR IMMEDIATE RELEASE, October 22, 2015
CONTACT: Tom A. Hsieh, twohsieh@gmail.com, 415-522-7289

The Asian Pacific Democratic Club (APDC) has been gathering reports about widespread voter fraud in buildings owned or connected to the Chinatown Community Development Corporation (CCDC). In recent days, APDC has encountered multiple statements of stolen ballots from Chinese senior residents. In one instance, a blind woman reported her ballot was taken away and filled out by two female individuals. Those two individuals then told the senior that they had voted for Aaron Peskin on her ballot.

"Senior citizens in these CCDC non-profit buildings are having their ballots stolen. These seniors are supposed to be protected by their caregivers but instead ballots are being harvested from them on a building-wide scale," said Tom A. Hsieh, a spokesman of the club, which has been chartered since 1992. "We should all be concerned about statements released from CCDC, accusing unnamed individuals of masquerading as CCDC employees and stealing ballots in their secured buildings," said Hsieh. "It sounds absurdly like somebody is trying to cover their tracks." Hsieh is referring to a statement made by CCDC that individuals came into CCDC buildings pretending to be CCDC employees and asked for ballots. CCDC buildings are guarded by locked entrances and security personnel and entry by non-residents is unlikely.

One senior voter said that every year someone has come to his door to fill out his ballot, and that his ballot was taken in the last three years by the same person. He also stated that this was practiced throughout the whole building, which is managed by CCDC. In another incident, an elderly woman said two women came to her door, asked her to sign a ballot return envelope, and then took her ballot away. She said two women were returning to her building each day to collect ballots from others. The property, known as Chinatown's Orangeland building, has a long history with CCDC. Three buildings managed by or with ties to CCDC have had reports of voter fraud. APDC has evidence that a CCDC-owned building called Broadway Sansome Apartments allowed the Aaron Peskin for Supervisor campaign into the building in late September in apparent violation of their tax-exempt, non-profit rules against candidate electioneering. [...] Other interviews about ballot tampering are even more detailed and describe a group of people who are systemically committing voter fraud [...]
Ars Technica reports that the Xen project has fixed a serious flaw in Xen guest containment, which could lead to arbitrary damage to the host and other guest instances. The flaw, indexed as CVE-2015-7835, is entitled "x86: Uncontrolled creation of large page mappings by PV guests". The Xen description of the flaw is:

  "The code to validate level 2 page table entries is bypassed when certain conditions are satisfied. This means that a PV guest can create writeable mappings using super page mappings. Such writeable mappings can violate Xen intended invariants for pages which Xen is supposed to keep read-only. This is possible even if the "allowsuperpage" command line option is not used.

  IMPACT: Malicious PV guest administrators can escalate privilege so as to control the whole system.

  VULNERABLE SYSTEMS: Xen 3.4 and onward are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only PV guests can exploit the vulnerability. Both 32-bit and 64-bit PV guests can do so. ..."

The complete Ars Technica article is at: http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/

Bob Gezelter, http://www.rlgsc.com
research shows that the technology can be a powerful distraction, and a lingering one. http://www.nytimes.com/2015/10/22/science/cars-voice-activated-systems-distract-drivers-study-finds.html
I appreciate responses from several readers who reacted strongly to my including Lauren's comments on the Daily Dot item in RISKS-29.05. Although he did not submit that item to RISKS, it is entirely my fault that I did not excise his comments about Fox News. What he wrote exhibited a bias that I almost always try to eliminate—even if some readers might agree with it. I apologize for my error of non-omission. However, I would note that I do devote considerable effort in "moderating" RISKS that results in what some of you might call "censorship". I think that has to be the privilege of a "moderator".
Zakir Durumeric et al. [with Alex Halderman as the 10th author], Neither Snow Nor Rain Nor MITM ...: An Empirical Analysis of Email Delivery Security, SIGCOMM 2015
http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf

"We find that the top mail providers (e.g., Gmail, Yahoo, and Outlook) all proactively encrypt and authenticate messages. However, these best practices have yet to reach widespread adoption in a long tail of over 700,000 SMTP servers, of which only 35% successfully configure encryption, and 1.1% specify a DMARC authentication policy. This security patchwork—paired with SMTP policies that favor failing open to allow gradual deployment—exposes users to attackers who downgrade TLS connections in favor of cleartext and who falsify MX records to reroute messages. We present evidence of such attacks in the wild, highlighting seven countries where more than 20% of inbound Gmail messages arrive in cleartext due to network attackers."

"In this [downgrade] attack, a network actor takes advantage of the fail-open design of STARTTLS—where SMTP servers fall back to cleartext if any errors occur during the STARTTLS handshake—to launch a downgrade attack. A network actor can manipulate packets containing the STARTTLS command to prevent mail servers from establishing a secure channel, or alter a mail server's EHLO response to remove STARTTLS from the list of server capabilities."

"The STARTTLS RFC does not define how clients should validate presented certificates. ... However, it also enables network-level attackers to falsely report MX records that point to an attacker-controlled domain. Without additional security add-ons (e.g., DANE), this attack remains a real threat."

Joseph Cox, Email Encryption Is Broken, Motherboard, 28 Oct 2015
http://motherboard.vice.com/read/email-encryption-is-broken

Email was never designed to be private.
When the Simple Mail Transfer Protocol (SMTP) was first invented, it didn't come with protections or ways to check that a message really came from where it claimed to. Those came later, with the addition of extensions like STARTTLS for encrypting communications and others for authenticating messages. Now a study has found that despite those inventions, large chunks of email traffic are being deliberately stripped of their encryption, or just sent without any in the first place, leaving them totally open to passive eavesdroppers. Some of the findings are truly staggering, with over 95 percent of email sent from Tunisia to Gmail having its protections removed, or more than 20 percent of inbound Gmail messages in seven countries arriving in clear text because of network attacks. The findings come from what researchers at the University of Michigan, Google, University of Illinois, and Urbana Champaign say is the first report on global adoption rates of email security extensions. The researchers had access to some impressive data sets: logs of SMTP traffic sent to and from Gmail from January 2014 to April of this year, as well as a snapshot of the configurations of email servers belonging to the Alexa Top Million domains. Alexa is a site that ranks the world's websites by traffic. They found some pleasant news: "from Gmail's perspective, incoming messages protected by TLS have increased 82% over the last year," the researchers write, who add that a lot of this is due to several big providers, such as Yahoo and Outlook, encrypting their traffic. TLS stands for Transport Layer Security, and is the cryptographic protocol used to encrypt all sorts of data, be that web browsing or email. But that's about it for the good stuff. For the 700,000 SMTP servers associated with the top million domains, only 82 percent support TLS, and 35 percent allow proper server authentication.
The researchers also uncovered mass scale attacks of STARTTLS sessions being stripped of their encryption. That attack itself isn't new: internet service providers sometimes do it to monitor users; organizations may use it to keep an eye on employees; or it may come from a malicious actor. But this paper is the first indication of how widespread it is. And it appears that pretty much everyone, from governments to academic institutions, is getting in on the act. "Overall, no single demographic stands out; the distribution is spread over networks owned by governments, Internet service providers, corporations, and financial, academic, and health care institutions. We note that several airports and airlines appear on the list, including an AS belonging to a subsidiary of Boingo (AS 10245), a common provider of in-flight and airport WiFi, ... These attacks are both readily found in the wild and pose a real threat to users, with more than 20% of mail being sent in cleartext within seven countries" ... And although some of this stripping may be done to facilitate legitimate filtering, perhaps for corporate networks to check for malicious content, "this technique results in messages being sent in cleartext over the public Internet, enabling passive eavesdropping and other attacks." This should act as a reminder that because of the nature of STARTTLS, even if Google or anyone else implements encryption onto their email traffic, someone else can simply reverse all of that work—possibly leaving your emails open to snooping by whatever server they happen to slip through. There are solutions, though they are unlikely to spring up over night. ... But for the time being, large sections of email traffic are totally vulnerable to being spied on, something that leads the researchers to describe the current state of email as a security patchwork.
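The fail-open behaviour the paper describes, as an added example that is not code from the paper, from Google, or from the Motherboard article: a parser for the multi-line SMTP EHLO reply and a sending-side policy function that refuses to continue in cleartext when STARTTLS is absent from the capability list or the reply is malformed (fail-closed), beside the default fail-open choice that the stripping attack relies on. The EHLO replies and host names are constructed.

```python
"""Fail-closed STARTTLS policy check for an SMTP EHLO reply (added example)."""
import re

# Constructed sample EHLO replies, not captured traffic (hostnames are made up).
EHLO_OK = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# The same reply as seen through a middlebox that removed the STARTTLS line;
# a fail-open client would silently continue in cleartext here.
EHLO_STRIPPED = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME\r\n"
)
# A reply that never terminates: RFC 5321 reply lines are "250-text" (more to
# come) or "250 text" (last line), so a truncated reply is a protocol error.
EHLO_BROKEN = "250-mx.example.test Hello\r\n250-STARTTLS\r\n"

_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(raw: str) -> dict:
    """Parse a multi-line EHLO reply into {'code': int, 'caps': {NAME: params}}.

    Raises ValueError when a line is malformed, the reply codes disagree,
    or the reply has no terminating "250 " line.
    """
    lines = raw.split("\r\n")
    if lines and lines[-1] == "":
        lines.pop()
    caps, code, terminated = {}, None, False
    for i, line in enumerate(lines):
        m = _REPLY.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        c, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if code is None:
            code = c
        elif c != code:
            raise ValueError("inconsistent reply codes in EHLO reply")
        if i > 0:  # the first line is the server greeting, not a capability
            parts = text.split()
            if parts:
                caps[parts[0].upper()] = parts[1:]
        if sep == " ":
            terminated = True
            if i != len(lines) - 1:
                raise ValueError("data after final reply line")
    if not terminated:
        raise ValueError("EHLO reply not terminated")
    return {"code": code, "caps": caps}


def starttls_decision(raw: str, fail_closed: bool = True) -> str:
    """Return 'starttls', 'cleartext' or 'abort' for a given EHLO reply.

    fail_closed=True is the mitigation; fail_closed=False is the fail-open
    default that lets a stripped reply downgrade the session to cleartext.
    """
    try:
        reply = parse_ehlo(raw)
    except ValueError:
        return "abort"
    if reply["code"] != 250:
        return "abort"
    if "STARTTLS" in reply["caps"]:
        return "starttls"
    return "abort" if fail_closed else "cleartext"
```

The same fail-closed rule has to be applied again after the TLS handshake (certificate and hostname checks), since the paper notes the STARTTLS RFC leaves certificate validation undefined.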
"Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks" was published at IEEE Security & Privacy 2011. There's also a video of Fabian Monrose's NSF talk about the paper at http://www.nsf.gov/cise/cns/watch/talks/monrose.jsp
Thanks, Jeremy! Some people (like me) are a little slow. Let's see: 2011 was pre-Snowden, and pre Microsoft's (5/10/2011) acquisition of Skype, after which Microsoft gave the U.S. govt full unencrypted access to all that supposedly private & secure Skype traffic. But we didn't know that then. Fast forward to 2015. We can now assume that most/all VoIP is now completely broken, either because govt's have access to unencrypted traffic, or because they can read all the encrypted traffic. SS7 security is a non sequitur, so SS7+broken VoIP means that most voice traffic around the world is broken. Still "going dark", are we, Mr. Comey?
Both Ancestry.com and 23andMe should seriously consider *selling* the entire database of records, to a corporation in another country, such as Ireland, and keep *none* of the data in the US. Since the genetic data is tied to 'personal information' it is highly unlikely that an Irish court could or would order release of the data for what is obviously 'fishing expedition' level matters. And even in the case of serious crimes, a warrant would *probably* not be available there, in respect of a crime alleged to have occurred here. BTW, I thought that probable cause for a warrant required that the place to be searched might produce evidence about the crime, not evidence connecting an unknown person to the crime. Any Fourth Amendment specialists care to comment?

R. Geoffrey Newbury (who is an Ontario lawyer, and who does not do criminal law)
Henry Kressel and Norman Winarsky have just had their book published, with the subject-line title, and a subtitle—A Guide to Creating, Building, and Sustaining Breakthrough Ventures, Harvard Business Review Press. xii+215, 2015. These two men really know whereof they write, speak, and practice. For example, Norman was the person at SRI who led the creation of more than sixty ventures, worth over $20 billion—including Nuance, Intuitive Surgical, Siri, and Fair Isaac. If you are involved in a start-up or contemplating one with really hot innovative ideas, this book should be mandatory reading—despite the fact that a Google search might turn up tens of thousands of other books on the subject. Perhaps most valuable are the chapter on Five Fatal Mistakes of Start-Ups, subtitled The most common venture killers are avoidable, and the chapter on Ensuring the Future, with seven basic principles. Overall, the experience distilled by the two authors is remarkably pithy. There are also many of you in the research community who believe in changing the computer world more altruistically—perhaps with open-source developments. The prevalence in all development efforts of the five fatal mistakes described in the book—whether open-source or proprietary—suggests that there is something in this book for everyone involved in innovation, helping avoid many of the inherent problems. It might also encourage you to do what you are already doing even better.