http://www.theguardian.com/world/2015/nov/23/ba-pilots-eye-damaged-by-military-laser-shone-into-cockpit-at-heathrow
http://www.myajc.com/news/news/state-regional-govt-politics/data-breach-in-georgia-could-affect-6-million-vote/npQj8/ Georgia Secretary of State Brian Kemp acknowledged Wednesday that his office last month illegally disclosed the Social Security numbers and other private information of more than 6 million registered voters. Kemp said the data went to 12 organizations who regularly subscribe to "voter lists" maintained by the state, and he was adamant that the "clerical error" did not compromise Georgia's voter registration system. But the problem didn't become public until two voters filed a class-action lawsuit alleging a massive data breach ... "This is a very serious breach involving a huge number of Georgia residents," Vladeck said in an email. "The types of information released—especially SSNs and driver license records (which generally have addresses, dates of birth, pictures and other uniquely identifying information)—are very, very valuable to identity thieves." ... While the AJC and others—including the Georgia GOP and the Democratic Party of Georgia—have since complied with the request, at least one organization—the Libertarian Party—had not as of Wednesday afternoon. "I am out at my daughter's shooting competition," the Libertarian Party's Doug Craig said in a text when asked whether he would return the disc. "Going to tomorrow ... maybe." You *really* think anyone returned the disks before copying off the contents? REALLY?
Dustin Volz, Reuters, 19 Nov 2015 The Information Technology Industry Council (representing Apple, Google, Microsoft, and dozens of other blue-chip tech companies): Weakening encryption to help the government monitor electronic communications in the name of national security "simply does not make sense." http://www.reuters.com/article/2015/11/19/us-tech-encryption-idUSKCN0T82SS20151119
Nord has made a webpost describing eDellRoot. He says that though the actions performed by eDellRoot are not known at present, it may be in the same category as Superfish. He says, "the eDellRoot certificate is a trusted root that expires in 2039 and is intended for "All" purposes. Notice that this is more powerful than the clearly legitimate DigiCert certificate just above it, which spikes more curiosity." The problem with this rogue root-level CA is that it is not known what spying activities it will perform, unlike Superfish on Lenovo, which was known to inject adware into Lenovo PCs and laptops without the users' consent. http://www.techworm.net/2015/11/dell-pcs-laptops-ship-with-edellroot.html [See also https://www.duosecurity.com/static/pdf/Dude,_You_Got_Dell_d.pdf PGN]
Dell apologizes for HTTPS certificate fiasco, provides removal tool http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certificate-fiasco-provides-removal-tool/ Dell officials have apologized for shipping PCs with a certificate that made it easy for attackers to cryptographically impersonate HTTPS-protected websites and issued a software tool that removes the transport layer security credential from affected machines.
Heads-up regarding certificate changes coming at the start of 2016. Go to this link: http://sha2test.com/ You should see this result: "Your browser supports SHA-2 SSL Certificates". The certificate changes do *not* apply just to browsers, but if that test works your OS is probably OK, too. (SSL certificate changes affect other applications as well.) Read the site above for more info, or search for "SHA-1 certificate change 2016": https://www.google.com/search?hl=en&q=SHA-1+certificate+change+2016
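The two certificate items above (the eDellRoot root that Dell shipped, and the SHA-1 to SHA-2 signature cutover) both come down to inspecting fields of an X.509 certificate. The following is an added example, not code from the digest, from Dell, or from sha2test.com: a stdlib-only Python auditor that walks just enough DER to pull out the subject common name, the outer signature algorithm and the expiry year, then flags a subject name on a known-rogue-root list (seeded with "eDellRoot" from the item above) and a sha1WithRSAEncryption signature. The OIDs are the standard ones; the sample certificates are constructed stand-ins carrying only the fields the auditor reads (no public key, dummy signature), built by a small DER encoder included so the block runs offline.

```python
import base64

OID_SHA1_RSA = "1.2.840.113549.1.1.5"     # sha1WithRSAEncryption, being phased out for 2016
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
OID_CN = "2.5.4.3"                        # commonName
# Subject CN of a root that should never be trusted; name taken from the digest item above.
KNOWN_ROGUE_ROOTS = {"eDellRoot"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos (short and long-form lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content bytes to dotted form (first byte packs the first two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _subject_cn(name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; return the CN value, if any."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        if _decode_oid(oid) == OID_CN:
            return value.decode("utf-8", "replace")
    return ""


def audit_der_certificate(der):
    """Return subject CN, outer signature OID, expiry year and a list of flags."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, pos = _read_tlv(cert, 0)          # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)      # signatureAlgorithm actually used by the issuer
    _, sig_oid, _ = _read_tlv(sig_alg, 0)
    # Walk TBSCertificate: [0] version (optional), serial, signature, issuer, validity, subject.
    tag, _, after_version = _read_tlv(tbs, 0)
    pos = after_version if tag == 0xA0 else 0
    for _ in range(3):                        # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, pos = _read_tlv(tbs, pos)
    _, subject, _ = _read_tlv(tbs, pos)
    _, _, after_nb = _read_tlv(validity, 0)   # notBefore
    time_tag, not_after, _ = _read_tlv(validity, after_nb)
    text = not_after.decode("ascii")
    if time_tag == 0x18:                      # GeneralizedTime YYYYMMDD...
        year = int(text[:4])
    else:                                     # UTCTime YYMMDD..., RFC 5280 pivot at 50
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
    cn, oid = _subject_cn(subject), _decode_oid(sig_oid)
    flags = []
    if oid == OID_SHA1_RSA:
        flags.append("sha1-signature")
    if cn in KNOWN_ROGUE_ROOTS:
        flags.append("known-rogue-root")
    return {"subject_cn": cn, "sig_oid": oid, "not_after_year": year, "flags": flags}


def pem_to_der(pem):
    """Strip PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def der_to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# --- Constructed test certificates (minimal DER encoder; no public key, dummy signature) ---
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_test_cert(cn, sig_oid, not_after_year):
    """Constructed stand-in certificate carrying only the fields the auditor reads."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid(OID_CN) + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x18, b"20151101000000Z")
                    + _tlv(0x18, f"{not_after_year}1101000000Z".encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + name + validity + name)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))


if __name__ == "__main__":
    for cn, oid, yr in [("eDellRoot", OID_SHA256_RSA, 2039), ("example.test", OID_SHA1_RSA, 2017)]:
        print(audit_der_certificate(make_test_cert(cn, oid, yr)))
```

Because the walker only reads up to the subject field and the outer signatureAlgorithm, it also works on real certificates exported from a trust store (feed `pem_to_der()` the PEM text). The outer signature OID, not the copy inside TBSCertificate, is the one to check for the SHA-2 cutover, since that is the algorithm the issuer actually signed with.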
FYI—Hopefully, this decision re: auto SW will set off a new round of innovation similar to what happened to digital networking after the Carterfone decision. HB http://arstechnica.com/tech-policy/2008/06/carterfone-40-years/ Barry Meier and Jad Mouawad, *The New York Times*, 22 Nov 2015 For Auto Enthusiasts, the Right to Tinker With Cars' Software http://www.nytimes.com/2015/11/23/business/for-auto-enthusiasts-the-right-to-tinker-with-cars-software.html Car owners in the United States can soon play Volkswagen engineer, courtesy of the federal government. Last month, officials gave auto enthusiasts who want to beef up their car's performance the right to tinker with vehicle software without incurring the legal wrath of car makers. The decision was one of many changes to a federal copyright law, including allowing people to jailbreak their mobile phones and reprogram older video games. Digital-rights activists have applauded the changes, which are scheduled to take effect next year. But environmental regulators and car makers have warned that the decision opens a new front in a cat-and-mouse game with car lovers who soup up their engines—perhaps violating emissions standards. [...] A version of this article appears in print on November 23, 2015, on page B1 of the New York edition with the headline: Car Buffs Get the Keys to Software.
With each new Win flavor, the bad ware community figures out how to corrupt that also. A new version of the Dyre/Dyreza banking Trojan is ready for Win 10 and Microsoft Edge, the browser to eventually replace IE. This new version is out just in time for bad actors to steal from holiday shoppers, as it can take on just about any OS or browser. Dyreza is "Crime as a service network", to get into the bank accounts of anyone who accesses one of the 80,000 web sites they have infected, and also add them to the malware spam delivery botnetwork. http://www.net-security.org/malware_news.php?id156
https://www.washingtonpost.com/news/to-your-health/wp/2015/11/17/federal-privacy-law-lags-far-behind-personal-health-technologies/
http://www.nytimes.com/2015/11/23/opinion/the-911-system-isnt-ready-for-the-iphone-era.html First responders are still relying on an emergency system based on dangerously outmoded technology.
The NYDFS press release explaining the misconduct in detail... http://www.dfs.ny.gov/about/press/pr1511181.htm "In certain instances, Barclays used this Last Look system to automatically reject client orders that would be unprofitable for the bank because of subsequent price swings during milliseconds-long latency (`hold') periods. Furthermore, when clients questioned Barclays about these rejected trades, Barclays failed to disclose the reason that the trades were being rejected, instead citing technical issues or providing vague responses." A description of the misconduct intended for the general public: https://theconversation.com/21st-century-bank-fraud-demands-a-new-generation-of-it-experts-50967
In the USA, the Internal Revenue Service (IRS) is under constant criticism thanks to a variety of government investigations uncovering a stream of new scandals. There is an Office of Inspector General (OIG) at the Dept of the Treasury, devoted exclusively to investigating the IRS. https://www.treasury.gov/tigta/ Many gov agencies are underfunded. When the choice is not doing their core mission, or keeping their security perfect, they choose the core mission, which explains many bad security reports, a steady annual growth in breaches, and other incidents. That's why the US Government Accountability Office (GAO) has found cyber security lacking in many gov agencies. http://www.gao.gov/products/GAO-16-194T The GAO found that the IRS is missing security patches going back to 2011, continues to use weak passwords, and has inadequate audit trails and monitoring. http://www.govinfosecurity.com/gao-taxpayer-data-at-increased-risk-a-8685 Some of the IRS's trouble arrived thanks to the US Supreme Court ruling in Citizens United, giving nonprofits more rights than had been in IRS regulations, written by the US Dept of Treasury. Republicans in Congress were so angry with IRS draconian treatment of conservative groups seeking nonprofit status, after Citizens United, that they cut the IRS budget as punishment. This means the IRS may as well forget about any security upgrades, to avoid sacrificing its core mission.
Craig Timberg, in *The Washington Post* (via DH via Dave Farber) This is a multi-part project on the Internet's inherent vulnerabilities and why they may never be fixed. Part 1: A Flaw in the Design http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/ Part 2: The long life of a quick 'fix' http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/ Part 3: A disaster foretold - and ignored http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/ Part 4: Hacks on the highway http://www.washingtonpost.com/sf/business/2015/07/22/hacks-on-the-highway/ Part 5: The kernel of the argument http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/ Read the eBook. "The Threatened Net: How the Internet Became a Perilous Place" https://ganxy.com/i/107994/the-washington-post/the-threatened-net-how-the-web-became-a-perilous-place
A picture making the rounds in the social media in Greece has a deputy government minister posing in front of a computer monitor featuring a Post-it note with his user name and password [1]. The yellow note contains the text "USER: YPOURGOS [minister]" and "123456", presumably his password, listed under it. The official in question is Nikos Toskas, the Deputy Minister for the Interior responsible for the police and the country's intelligence agency. Toskas has served in the Greek army as well as in NATO positions abroad as a high-ranking officer. The 9 Mpixel photograph adorned the official's CV on the ministry's web site. After the brouhaha it was apparently cropped to remove the monitor with the offending Post-it note [2]. [1] https://twitter.com/gveltsi/status/668415790228643845 [2] http://www.yptp.gr/index.php?option=ozo_content&perform=view&idB87&Itemid@7&lang=GR&lang=?option=ozo_search&lang=EN&lang=GR?option=ozo_search&lang=EN&lang=GR?option=ozo_search&lang=EN
The US maintains many lists of people suspected of being a threat to US National Security, to US persons, and other trouble. Even deadbeat Dads are on some of these lists. Four of the perpetrators of the Paris Attacks were listed in a U.S. intelligence community counterterrorism database before the attacks, and one was on a U.S. no-fly list. The $64 million question is whether the US had shared those databases with EU authorities, so that they could think twice before letting those people arrive, without any hassles. [PGN-ed from what AlMac sent] http://freebeacon.com/national-security/multiple-paris-attackers-were-on-u-s-watch-lists/ See also related items: http://freebeacon.com/national-security/audit-homeland-security-faces-major-performance-issues/ The US Office of Inspector General (OIG) conducted a computer audit of US Department of Homeland Security (DHS) and found serious issues. https://www.oig.dhs.gov/assets/Mgmt/2016/OIG-16-08-Nov15.pdf
At risk of stating the obvious: one thing that I found when I worked in telecomms was how collecting revenues for services in traditional ways is a mighty costly activity. Telecomms and other utility businesses have to sign up customers (and maybe do creditworthiness checks) for a contract initially, measure their usage, periodically compile a bill to notify them of what they owe, get the money off them, chase up late/non-payers, handle any disputes, deal with taxes if applicable, etc., which is a big administrative overhead. For internet-based services it's probably a lot easier to offer a service free of charge to all-comers, then count the click-throughs and analyse usage, and sell onwards the marketing intelligence thus gained—no need to have any direct contact with end-users. This is what people expect nowadays anyway; it's improbable that search engines and social-networking web sites would have thrived if users had to pay bills to use them. (Presumably this is why some newspapers and magazines are now issued free of charge; it's easier to fund them entirely out of advertising than by selling them and having to handle the cash.) The alternative to capitalism is having services provided by governments. It's interesting to speculate how today's Internet (and smartphones, etc.) may have developed if telecomms service was still provided by PTTs (post/telephone/telegraph administrations) as it was in most countries before the 1980s.