Today's hearing of a House Committee panel: WASHINGTON—Technology that connects cars to the Internet has the potential to prevent crashes and save thousands of lives, but it also could allow hackers to grab control of vehicles, experts say. http://www.usatoday.com/story/news/2015/11/18/house-panel-examines-safety-risks-and-benefits-internet-cars/76001022/ http://usat.ly/1O3Ekgy
According to this article they didn't use encryption: https://theintercept.com/2015/11/18/signs-point-to-unencrypted-communications-between-terror-suspects/
Charlie Firestone (Executive Director, Aspen Institute), *Huffington Post*, 18 Nov 2015
Anonymous vs. ISIS: Netpolitik After the Paris Attacks

There have been many government and citizen reactions to the horrors of the Paris attacks of November 13, 2015. France is effectively declaring war on ISIS, legislatures debate their nation's role in response, and many people around the globe show solidarity with the French people by personal acts such as laying wreaths or superimposing French flags on their Facebook profile pictures. But there is one reaction that so exemplifies the current state of the networked world that it warrants closer analysis. That is the filmed declaration of Anonymous to take down ISIS. It is the epitome of the theory of Netpolitik, which Leshuo Dong and I wrote about earlier this year.

In that piece, entitled, "Netpolitik: What the Emergence of Networks Means for Diplomacy and Statecraft," we postulated that "realpolitik" and "international liberalism" no longer sufficed as diplomatic models to resolve world problems. The Westphalian concept of sovereign nations dealing with each other as states has limited application to a world where networks are the dominant form of organization. Borders are porous to different degrees when it comes to keeping out climate, disease, pollution, crime, currencies, economic effects, and information. Networks of people, organizations, and even governments transverse borders as well. If our businesses rely on the network organizational form, our military engages in net-centric warfare, and even our enemies persist as networks, we postulated, then governments should employ network principles to assert national interests in the world of diplomacy.

Now, however, we see a wrinkle: the cyber-vigilante group Anonymous has declared war on ISIS. That is, a non-governmental network of anonymous hackers will fight against an international network of violent terrorists on the cyber-war field.
They will no doubt employ those network principles we mentioned in "Netpolitik", and many more that we can learn from them, in pursuit of the new global bad guy. For example, just as biological organisms have to fight against viruses, communications networks become vulnerable at their weakest spot. The terrorist network that has been so savvy with new media now faces a network of accomplished hackers in a potentially formidable challenge to the group. This, then, is a prime example of netpolitik, the engagement of networks to counter networks - though in this case it goes beyond diplomacy. It is an early episode in guerilla cyber-warfare. At the least this development bears close watching. Hopefully, Anonymous will announce its victories as ISIS does theirs. The fight against ISIS will take all kinds of efforts, in the air, on the ground, and now, over the ether. But who do you have confidence in to make a significant dent in the job? The countries that have professed to defeat ISIS and its antecedents again and again? (Not that I think they are shirking from their responsibilities.) Or a cyber-savvy network who can find another net's vulnerability and dismantle its communications capabilities? Today, nations should not have to rely on the white masks of digital vigilantes. Rather, they need cyber-rangers with the capabilities - talent, resources, resolve - to defeat their enemies, who more likely than not, will be networks, not nations.
I'm having a hard time understanding how making our phones and computers vulnerable to Russian and North Korean criminals will make us all safer from the ISIS jihadis. Also, the ISIS "junior varsity" appears to be quite sophisticated about using computers; that "backdoor" Brennan, Comey, et al., crave is just the ticket for an ISIS "cyber Pearl Harbor" within a year or so. Revenge is a dish best served cold. First, do no harm. Good advice for those contemplating possible responses.

Ashley Carman, *The Verge*, 18 Nov 2015
Encryption is enemy number one; The U.S. government doesn't know what technology to blame for the Paris attacks
https://www.theverge.com/2015/11/18/9755582/paris-attacks-cause-investigation-cia-fcc-encryption-internet

First they blamed encryption. Then they wanted websites taken down. Now, they're proposing additional legislation. Just days after the shocking attacks in Paris, there's a new push in Washington to crack down on encryption and other security tools in an effort to prevent future attacks. Members of Congress have proposed mandatory backdoor provisions, website shutdowns, and expanded surveillance powers. But none of the suggestions have any clear connection to methods used in the attacks, which is resulting in a strange hodgepodge of ideas. Many in the government aren't sure which technologies to blame. The loudest voice so far comes from CIA director John Brennan, who blames encryption for intelligence failures leading up to the attacks. "There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it," he said during a speech at the Center for Strategic and International Studies.
"And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve." http://csis.org/files/attachments/151116_GSF_OpeningSession.pdf

Despite Brennan's assertions, investigators still don't know how these attacks were planned. There was initial speculation the terrorists communicated via the unencrypted PlayStation Network, which turned out to be false. In another twist, given the physical proximity of many of the already-named attackers, it's unclear if electronic devices were used at all during planning. Others have sought to blame disk encryption, particularly the security measures protecting iPhones, which law enforcement officials have been looking to circumvent for years. Many in law enforcement, including the Manhattan District Attorney today, have pushed for a universal power that would allow police to unlock any disk-encrypted device once the appropriate legal rulings were obtained. However, early reports from Paris indicate disk encryption wasn't protecting the attackers' phones, which makes it unlikely those powers would have helped prevent these attacks or catch perpetrators afterward. http://manhattanda.org/sites/default/files/11.18.15%20Report%20on%20Smartphone%20Encryption%20and%20Public%20Safety.pdf

At the same time, other legislators have focused on ISIS's web presence. Yesterday, during a hearing with the Federal Communications Commission (FCC), US Representative Joe Barton (R-TX) suggested shutting down ISIS websites and social media networks. "They're using the Internet in extremely offensive and inappropriate ways against us," he said after noting websites "pop up like weeds" and asking if the government could just "shut those Internet sites down."
FCC Chairman Tom Wheeler responded, "I'm not sure that our authority extends to picking and choosing among websites, but I do think there are specific things that we can do." Among those things the agency could do is have Congress update the definition of a "lawful intercept" under the Communications Assistance for Law Enforcement Act (CALEA), which could force companies to build backdoors into their technology and decrypt any encrypted communications. When asked if Wheeler and his agency would help lawmakers update that law, Wheeler replied, "A capital yes, sir." Reports out of Washington indicate Wheeler might just get that opportunity with interest in CALEA building, along with further anti-encryption legislation. http://csis.org/files/attachments/151116_GSF_OpeningSession.pdf While investigators sort through evidence and determine how these events transpired, even if the attackers used an encrypted chatting app, such as WhatsApp, plenty of non-terrorists use it, too, and want their communications kept private. Plus, a backdoor built for law enforcement can be used by anyone who discovers it, which makes many in the technology world reluctant to build one. Paris hasn't changed the fundamental question of whether strong privacy protections should be allowed on the web for most privacy advocates. "These [Paris] attacks are reprehensible," said Harley Geiger, senior counsel and advocacy director at the Center for Democracy & Technology, in an interview with The Verge. Noting the investigations are ongoing, he continued, "the debate about government-mandated cybersecurity vulnerabilities in this country has been going on for many years, and the dangers of a government-mandated backdoor into encryption have not changed simply because we've had these reprehensible attacks."
[Thanks to Marc Rotenberg, head of the Electronic Privacy Information Center.]

The NY Times calls out CIA Director Brennan regarding the hacking of Senate staff. It was an EPIC FOIA lawsuit that uncovered the facts of that case:

CIA Releases Redacted Report on Surveillance of Congress
Several months after EPIC filed a Freedom of Information Act lawsuit against the Central Intelligence Agency, the agency has released the Inspector General's report on the agency's surveillance of Congress. The Inspector General launched an investigation after the Senate accused the CIA of improperly accessing the computers of Senate staff who were investigating CIA torture practices. The Inspector General found that CIA personnel improperly accessed Senate computers multiple times. The Inspector General also found that the CIA's accusations that Senate staff had improperly removed CIA files were baseless. EPIC will pursue release of the full, unredacted report. (Jan. 15, 2015)
https://epic.org/2015/01/cia-releases-redacted-report-o.html

Mass Surveillance Isn't the Answer to Fighting Terrorism
*The New York Times*, Editorial Board, 17 Nov 2015
http://www.nytimes.com/2015/11/18/opinion/mass-surveillance-isnt-the-answer-to-fighting-terrorism.html

It's a wretched yet predictable ritual after each new terrorist attack: Certain politicians and government officials waste no time exploiting the tragedy for their own ends. The remarks on Monday by John Brennan, the director of the Central Intelligence Agency, took that to a new and disgraceful low. Speaking less than three days after coordinated terrorist attacks in Paris killed 129 and injured hundreds more, Mr.
Brennan complained about “a lot of hand-wringing over the government's role in the effort to try to uncover these terrorists.” What he calls hand-wringing was the sustained national outrage following the 2013 revelations by Edward Snowden, a former National Security Agency contractor, that the agency was using provisions of the Patriot Act to secretly collect information on millions of Americans' phone records. In June, President Obama signed the USA Freedom Act, which ends bulk collection of domestic phone data by the government (but not the collection of other data, like emails and the content of Americans' international phone calls) and requires the secretive Foreign Intelligence Surveillance Court to make its most significant rulings available to the public. These reforms are only a modest improvement on the Patriot Act, but the intelligence community saw them as a grave impediment to anti-terror efforts. In his comments Monday, Mr. Brennan called the attacks in Paris a wake-up call, and claimed that recent policy and legal actions “make our ability collectively, internationally, to find these terrorists much more challenging.”

It is hard to believe anything Mr. Brennan says. Last year, he bluntly denied that the C.I.A. had illegally hacked into the computers of Senate staff members conducting an investigation into the agency's detention and torture programs when, in fact, it did. In 2011, when he was President Obama's top counterterrorism adviser, he claimed that American drone strikes had not killed any civilians, despite clear evidence that they had. And his boss, James Clapper Jr., the director of national intelligence, has admitted lying to the Senate on the N.S.A.'s bulk collection of data. Even putting this lack of credibility aside, it's not clear what extra powers Mr. Brennan is seeking.

Most of the men who carried out the Paris attacks were already on the radar of intelligence officials in France and Belgium, where several of the attackers lived only hundreds of yards from the main police station, in a neighborhood known as a haven for extremists. As one French counterterrorism expert and former defense official said, this shows that “our intelligence is actually pretty good, but our ability to act on it is limited by the sheer numbers.” In other words, the problem in this case was not a lack of data, but a failure to act on information authorities already had. In fact, indiscriminate bulk data sweeps have not been useful. In the more than two years since the N.S.A.'s data collection programs became known to the public, the intelligence community has failed to show that the phone program has thwarted a terrorist attack. Yet for years intelligence officials and members of Congress repeatedly misled the public by claiming that it was effective.

The intelligence agencies' inability to tell the truth about surveillance practices is just one part of the problem. The bigger issue is their willingness to circumvent the laws, however they are written. The Snowden revelations laid bare how easy it is to abuse national-security powers, which are vaguely defined and generally exercised in secret. Listening to Mr. Brennan and other officials, like James Comey, the head of the Federal Bureau of Investigation, one might believe that the government has been rendered helpless to defend Americans against the threat of future terror attacks. Mr. Comey, for example, has said technology companies like Apple and Google should make it possible for law enforcement to decode encrypted messages the companies' customers send and receive. But requiring that companies build such back doors into their devices and software could make those systems much more vulnerable to hacking by criminals and spies.
Technology experts say that government could just as easily establish links between suspects, without the use of back doors, by examining who they call or message, how often and for how long. In truth, intelligence authorities are still able to do most of what they did before—only now with a little more oversight by the courts and the public. There is no dispute that they and law enforcement agencies should have the necessary powers to detect and stop attacks before they happen. But that does not mean unquestioning acceptance of ineffective and very likely unconstitutional tactics that reduce civil liberties without making the public safer.
FYI -- BTW, have you ever wondered about the expectation of privacy in:
 * an airline seat
 * a restaurant
 * a hotel lobby
 * a park bench
 * a city bus
 * a ball game
 * a hotel room

Dan Goodin, Ars Technica, 17 Nov 2015
http://arstechnica.com/tech-policy/2015/11/feds-bugged-steps-of-silicon-valley-courthouse/
Defense claims covert recordings violated Constitution, moves to have them thrown out.

Defense attorneys have asked a federal judge to throw out more than 200 hours of conversations FBI agents recorded using hidden microphones planted near the steps of a county courthouse in Silicon Valley. The lawyers are representing defendants accused of engaging in an illicit real estate bid-rigging and fraud conspiracy. The steps to the San Mateo County courthouse are frequently the scene of public auctions for foreclosed homes. Federal prosecutors have admitted that on at least 31 occasions in 2009 and 2010, FBI agents used concealed microphones to record auction participants as they spoke, often in hushed voices with partners, attorneys, and others. Because the federal agents didn't obtain a court order, the defense attorneys argue the bugging violated Constitutional protections against unreasonable searches and seizures. In a court brief filed Friday in the case, attorneys wrote:
http://ia601404.us.archive.org/35/items/gov.uscourts.cand.281645/gov.uscourts.cand.281645.58.0.pdf

  It bears repeating that this particular public place was immediately outside a courthouse. Defendants' expectation that discreet conversations outside a courthouse would remain private is surely one that society is prepared to recognize as reasonable. Private affairs are routinely discussed as citizens, their lawyers, and even judges walk to and from court, and lawyers often take clients aside outside the courthouse for privileged conversations.
  Common experience and everyday expectations teach that individuals frequently have private conversations near the courthouse despite the public's access to this location, and expect that such conversations are not subject to the type of dragnet electronic eavesdropping that took place in this case.

A metal sprinkler box, a planter box and nearby vehicles

According to the filing, agents planted eavesdropping devices in at least three locations: a metal sprinkler box attached to a wall near the courthouse entrance, a large planter box to the right of the courthouse entrance, and vehicles parked on the street in front of the courthouse entrance. All three areas are locations where people have a reasonable expectation to have private conversations and where lawyers and clients could reasonably be expected to have privileged conversations, the defense argued. According to the court filing:

  Generally, the recording devices were activated more than an hour before the auctions began, and they would run for a period of time after the auctions had concluded. Some of the devices intercepted every communication that occurred in their vicinity over a period of more than five hours. For example, the Government recorded individuals having private conversations on their cellphones in an area away from the auctions. In one instance, the Government was able to capture an alleged co-conspirator talking on his cell phone with the other party to the call partially audible through the cellphone's receiver. And the Government repeatedly hid an eavesdropping device immediately adjacent to the spot where one of the bidders usually set up a chair from which he conducted business and communicated with his joint venture partners. These recordings captured far more than just the bids and public pronouncements that were made during the auctions.

The surreptitious recording came in addition to a confidential informant and undercover agent who were regularly on the steps monitoring the auctions.
The FBI's decision to covertly record conversations those individuals couldn't hear is tacit admission the intercepted communications were private for purposes of the Fourth Amendment, the brief argued. It's unclear when US District Judge Charles R. Breyer will rule on the motion. The court challenge was reported earlier by *The Recorder*.
When terrorists strike, television networks respond, sometimes sensitively and other times perhaps unnecessarily. http://www.nytimes.com/2015/11/18/arts/television/after-bloodshed-tv-can-be-cathartic-or-insensitive.html
FYI—Translation: $1 million from the FBI—we only wish! "The university ... complies with lawfully issued subpoenas and *receives no funding for its compliance*."

CMU, 18 Nov 2015
https://www.cmu.edu/news/stories/archives/2015/november/media-statement.html

MEDIA STATEMENT

There have been a number of inaccurate media reports in recent days regarding Carnegie Mellon University's Software Engineering Institute work in cybersecurity. Carnegie Mellon University includes the Software Engineering Institute, which is a federally funded research and development center (FFRDC) established specifically to focus on software-related security and engineering issues. One of the missions of the SEI's CERT division is to research and identify vulnerabilities in software and computing networks so that they may be corrected. In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed. The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.

CMU NEWS, 5000 FORBES AVENUE, PITTSBURGH, PA 15213, (412) 268-2900
[Re: Tor Users Matter, RISKS-29.09]

Ashley Carman, *The Verge*, 18 Nov 2015 (via Dave Farber)
It might have done the FBI's work for free, though
http://www.theverge.com/2015/11/18/9757904/Carnegie-Mellon-Tor-Anonymous-Research

Following reports it was paid $1 million to crack anonymous browser Tor for the FBI, Carnegie Mellon University has denied any wrongdoing. Kind of. While the university says there has been a number of "inaccurate media reports" surrounding its cybersecurity research, it also clarified that it occasionally receives subpoenas for its researchers' work and is legally obligated to turn over information and findings for free. "The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance," the school said. Tor wrote in a post this past week that more than a year ago, it discovered a publicly known vulnerability in its browser, one that could de-anonymize users. Information collection went on for approximately half a year, from early February to July 4th of 2014. The university's wording suggests it's only dismissing The Tor Project's claims that it accepted $1 million from the FBI—not that it disclosed research that led to the unmasking of possible criminal users. In its original post from this past week, Tor said it doubted the FBI would have received a valid warrant because the research and vulnerability exploitation was not "narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once." It also said, if proven true, this attack and fruitful law enforcement / university relationship would set a "troubling precedent."
"We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor—but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of legitimate research," the blog post says.
Weary of staging their lives for social media, young people are presenting their true selves on locked Instagram accounts. http://www.nytimes.com/2015/11/19/fashion/instagram-finstagram-fake-account.html
This would be a good time to actually read some of the material the previous article linked to. The problem isn't mag stripes, it's poor implementations of EMV specs, "tamper resistant" terminals you can open up with a strategically placed paper clip, and threats they hadn't anticipated like terminals being modified in the warehouse on the way from the manufacturer to the merchant.