http://aviationweek.com/commercial-aviation/ntsb-controllers-software-complicit-wrong-runway-landings In the Atlas incident, the Boeing 747-400LCF set up for a GPS approach to Runway 19L at McConnell Air Force Base near Wichita, Kansas, but ultimately landed on the 6,100-ft.-long Runway 18 at the Col. James Jabara general aviation airport, 8 nautical miles short of McConnell's 12,000-ft.-long runway. While the MSAW [minimum safe altitude warning] system was active, the software was programmed so as to not distinguish between nearby airports and the correct airport, and did not issue an alert even though the 747 was well below the approach path to McConnell. In the Southwest incident, the pilot was on approach to the Branson Airport in Missouri, but was mistakenly redirected to the Downtown Airport, 6 nautical miles short of the intended destination—using up all but the last 629 feet of a much shorter runway than anticipated. [PGN-ed; the article mentions proposed remediation would have controllers withhold landing clearance until nearby airports have been passed.]
http://aviationweek.com/blog/database-error-complicit-turkish-airlines-landing-accident ... the pilots let the autopilot continue the approach until 14 ft. above the ground, where presumably they finally saw the runway and attempted to flare the aircraft a bit too late – it hit the runway with a vertical acceleration of 2.7G. A hard landing on centerline is one thing, but this A330’s nose wheel was offset 85 ft. to the left of the centerline ... ... what put the A330 far off centerline—and pretty much in the exact location of the faulty runway end coordinates, thanks to the advanced navigation and automation systems on modern aircraft like the A330—were some very important missing digits in the degrees, minutes and seconds marking the latitude and longitude of the runway end. Missing were the three digits to the right of the decimal point of the seconds field.
http://aviationweek.com/defense/software-cut-fuel-supply-stricken-a400m The crash of an Airbus A400M airlifter that killed four people on May 9 may have been caused by new software that cut off the engine-fuel supply, industry sources have said. Sources have told *Aviation Week* that aircraft MSN23, destined for Turkey, featured new software that would trim the fuel tanks, allowing the aircraft to fly certain military maneuvers.
http://motherboard.vice.com/read/belgian-physicists-calculate-that-everyone-is-lying-about-the-downed-russian-jet
FYI—[Note to self: mark home in large letters with *infrared visible* paint, so that "Santa Claus" can find it in the dark.] "Since it was night, and the aircrew was working from infrared video, they were *unable to see the markings* on the building identifying it as a hospital." Sean Gallagher, 30 Nov 2015 How tech fails led to Air Force strike on MSF's Kunduz hospital Sensor and network failures put crosshairs on the wrong target. http://arstechnica.com/information-technology/2015/11/how-tech-fails-led-to-air-force-strike-on-msfs-kunduz-hospital/ On November 25, General John F. Campbell, the commander of US Forces in Afghanistan, announced the findings of an initial investigation into the air strike by an Air Force AC-130 gunship that hit a Médecins Sans Frontières (MSF, or Doctors Without Borders) trauma center in Kunduz, Afghanistan on October 3. The strike—in which the AC-130 attacked using its onboard cannon, killing 30 patients and members of the MSF hospital staff and injuring another 34—lasted nearly a half-hour. Campbell called the strike "a tragic, but avoidable accident caused primarily by human error." But among the secondary factors cited in the report, he noted, there were several contributing technical failures, including a networking failure that could have provided information that would have prevented the mistaken targeting of the hospital. Furthermore, information systems available to the command responsible for the aircraft failed to alert those on duty in the operations center that the target selected by the aircraft was on a no-strike list. http://www.defense.gov/News/News-Transcripts/Transcript-View/Article/631359/department-of-defense-press-briefing-by-general-campbell-via-teleconference-fro
The Voting News Weekly, 29 Nov 2015 The Supreme Court's docket is crowded with voter redistricting disputes this term, including a Texas case that could redefine the principle of "one person, one vote". State redistricting battles continue in Florida and North Carolina. Georgia Secretary of State Brian Kemp plans to hire top auditing agency Ernst & Young to review his technology department in the wake of a data breach that exposed private information of more than 6 million voters. Supreme Court Justice Anthony M. Kennedy ordered officials in Hawaii not to count ballots or name the winners of an election there in which only people of native Hawaiian ancestry could vote. Weeks before he leaves office, Kentucky Governor Steven Beshear issued an executive order that immediately granted the right to vote to about 140,000 nonviolent felons who have completed their sentences. Violent protest erupted in Haiti after results were announced for a run-off election that international observers say was marred by systemic fraud, voter confusion and intimidation, and in some areas disenfranchisement, while Pakistan has abandoned plans to offer Internet voting to overseas voters. More: http://thevotingnews.com/tvn-weekly-11292015/ [See Data breach in Georgia could affect 6 million voters, RISKS-29.12. PGN]
Want to learn how to break into the computerized heart of a medical device or an electronic voting machine? Maybe a smartphone or even a car? Thanks to the legacy of military rule and a culture of breaking rules of all sorts, Argentina has become one of the best places on earth to find people who could show you how. http://www.nytimes.com/2015/12/01/technology/in-a-global-market-for-hacking-talent-argentines-stand-out.html?_r=0
Australia's largest supercomputer was hacked, linked to other government agencies as well. Multiple sources. A good place to start might be http://www.ibtimes.com/china-accused-massive-hack-australias-bureau-meteorology-attack-could-impact-other-2207298
WiFi Hello Barbie is a toy doll with conversations with children. It connects with Mattel and ToyTalk to get upgrades of various kinds, such as improving speech recognition state-of-art. It has great educational potential to aid child development, provided it is not taken over by crooks. It is hackable. What hackers can do:
* Spy on children, their home, and everywhere the child goes, with audio surveillance.
* Override privacy features, communicate directly with the child.
* Take over the home's wifi network, of other Internet of Things.
* Access the doll's system information, account information, stored audio files, and direct access to the microphone.
http://www.msn.com/en-us/news/technology/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children/ar-AAfGyq6
http://www.nbcchicago.com/investigations/WEB-10p-pkg-Surveillance-Toy_Leitner_Chicago-353434911.html
http://time.com/3740348/privacy-group-eavesdropping-wifi-barbie-is-seriously-creepy/
http://www.nytimes.com/2015/03/29/technology/a-wi-fi-barbie-doll-with-the-soul-of-siri.html?_r=0
Lorenzo Franceschi-Bicchierai, *Motherboard*, 27 Nov 2015 One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids The personal information of almost 5 million parents and more than 200,000 kids was exposed earlier this month after a hacker broke into the servers of a Chinese company that sells kids toys and gadgets, Motherboard has learned. The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids. http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids [Includes a huge list of what was released. PGN]
Holy smokes, Google Maps has been hacked to show "Kalusunan" instead of Luzon! We're talking about the fourth most populous island in the world, right behind Great Britain. It's the main island of the Philippines.
https://www.google.com/maps/@16,121,4z
http://maps.googleapis.com/maps/api/staticmap?size=340x340&markers=Luzon+Island&zoom=4
Hmmm, their Feedback tool is of course broken. I know, I'll just ummm, email all the newspapers in the Philippines... No this time I don't think I blew it again:
https://www.google.com/search?q=Kalusunan About 2,180 results
https://www.google.com/search?q=Luzon About 19,600,000 results
At least 4 million embedded devices, exposed on the Internet, from some 50 manufacturers, share the same hard-coded X.509 certificate. This impacts
* 3.2 million Secure HTTPS hosts, or 9% of the web, and
* 0.9 million Secure SSH hosts, or 6% of them.
* An unknown volume of vulnerable devices are not directly connected to the Internet, but are on local area networks, where if someone is able to penetrate the network, they can also penetrate the vulnerable devices.
* Possibly more at risk, not yet uncovered.
The firmware is of smart phones, routers, IP cameras, VoIP phones, modems, wifi gateways, networking gear, PCs, Internet of Things, etc. Many devices are exposed to the web by vendor choice, without user awareness. http://www.kb.cert.org/vuls/id/566724
Vendors include: ADB, AMX, Actiontec, Adtran, Alcatel-Lucent, Alpha Networks, Aruba Networks, Aztech, Bewan, Busch-Jaeger, CTC Union, Cisco, Clear, Comtrend, D-Link, Deutsche Telekom, DrayTek, Edimax, General Electric (GE), Green Packet, Huawei, Infomark, Innatech, Linksys, Motorola, Moxa, NETGEAR, NetComm Wireless, ONT, Observa Telecom, Opengear, Pace, Philips, Pirelli, Robustel, Sagemcom, Seagate, Seowon Intech, Sierra Wireless, Smart RG, TP-LINK, TRENDnet, Technicolor, Tenda, Totolink, Unify, UPVEL, Ubee Interactive, Ubiquiti Networks, Vodafone, Western Digital, ZTE, Zhone and ZyXEL. There may be more.
Stefan Viehböck @ Sec-Consult was able to access firmware images of more than 4,000 embedded devices of over 70 vendors, and found this much trouble. Perhaps if more firmware was available for study, research might find more with similar problems. Typically a certificate is issued to 1 person, or one company, for 1 purpose. It is written into software sold to other companies, as a template of what works. Those other companies bake the software into their firmware without getting certificates unique to their company, devices, models, nor provide other security standards to block unwanted access.
Even more companies incorporate the hardware in other devices, without any thought to the security needs of end customers. This reality can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks. Find how to access one device, legally purchased, and now in theory able to access many thousands more, deliver fake updates with malware. Some vendors plan to fix this. While waiting, users can manually replace X.509 certificates, or SSH host keys, with unique ones (if they know how, and if the device permits this). It might be wise to seek clarification from manufacturers of all your embedded devices, whether you are still on maintenance support with them, or not. Other solution ideas, and how come millions of devices, on the web, using identical certificates:
http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html
http://www.net-security.org/secworld.php?id=19159
http://www.itworld.com/article/3009142/millions-of-embedded-devices-use-the-same-hard-coded-ssh-and-tls-private-keys.html
http://www.theregister.co.uk/2015/11/26/lazy_iot_skeleton_keys/
http://www.forbes.com/sites/thomasbrewster/2015/11/25/encrypted-routers-cameras-vulnerabilties-cisco-huawei-motorola/
https://www.sec-consult.com/download/certificates.html
https://www.sec-consult.com/download/ssh_host_keys.html
https://scans.io/
https://scans.io/series/ssh-rsa-full-ipv4
https://scans.io/study/sonar.ssl
https://censys.io/
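[Added example, not from the post above nor from SEC Consult: the key-reuse pattern it describes can be checked on your own network by fingerprinting each device's SSH host key and flagging any fingerprint that more than one host presents. The inventory below is a constructed stand-in for ssh-keyscan output; the same grouping works for TLS certificate fingerprints. PGN-style editorial note.]

```python
"""Flag SSH host keys presented by more than one device in an ssh-keyscan-style inventory."""
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (the form ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Parse 'host keytype base64blob' lines as ssh-keyscan emits them; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def shared_keys(entries):
    """Return {fingerprint: sorted hosts} for every key that more than one host presents."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in entries:
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


def constructed_blob(label):
    """Constructed stand-in for a real key blob; only its bytes matter to the fingerprint."""
    return base64.b64encode(label.encode()).decode()


# Constructed inventory: three devices ship the same vendor key, two have unique keys.
SAMPLE_SCAN = "\n".join([
    "# constructed ssh-keyscan-style inventory, not real devices",
    f"10.0.0.1 ssh-rsa {constructed_blob('vendor-firmware-key-A')}",
    f"10.0.0.2 ssh-rsa {constructed_blob('unique-key-B')}",
    f"10.0.0.3 ssh-rsa {constructed_blob('vendor-firmware-key-A')}",
    f"10.0.0.4 ecdsa-sha2-nistp256 {constructed_blob('unique-key-C')}",
    f"10.0.0.5 ssh-rsa {constructed_blob('vendor-firmware-key-A')}",
])

if __name__ == "__main__":
    for fp, hosts in shared_keys(parse_keyscan(SAMPLE_SCAN)).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feed it real `ssh-keyscan` output from your own address ranges; any fingerprint listed against several hosts is a candidate for the manual key replacement the post recommends.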
MagSpoof device can wirelessly spoof credit cards/magstripes, disable chip-and-PIN protection, predict credit card number and expiration date of Amex cards after they have reported stolen or lost. http://www.net-security.org/secworld.php?id=19155
There are multiple potential problems.
* Many people buy what is cheapest, not what is safest, ignoring industry standards like UL or CE. Should such risky devices even be available for consumer sales?
* UL = Underwriter Laboratories http://www.ul.com electrical safety standard.
* CE = European standard for health, safety and environmental requirements ensuring consumer and workplace safety.
* http://www.batteryspace.com/ul-ce-emc-fcc-and-csa.aspx
* One Plus website is selling USB Type-C cables and adaptors which are not up to the real USB Type-C standard.
* So if someone has a 3A power source, without relevant UL CE CCC logo, in combination with the OnePlus 3A, they could get a damaged power source.
OnePlus is offering refunds through its web site for some North American customers. There are strings attached, so check out the details.
http://androidcommunity.com/oneplus-type-c-usb-cables-not-compatible-with-some-3rd-party-chargers-20151126/
http://www.techtimes.com/articles/111171/20151127/oneplus-offers-refunds-for-incompatible-usb-type-c-cable-but-won-t-replace-it.htm
https://plus.google.com/+LaurenWeinstein/posts/aHwCRdZg8mt It appears that most or all of the local authorities' tactical discussions during the Colorado Springs domestic terrorism attack yesterday were completely in the clear where scanners and online scanner monitors could hear them. Those channels are fascinating to be sure, but hey, guys, the crooks and murdering domestic terrorists can listen to them too! Get your damned systems into the encrypted late 20th century, already. Law enforcement bitches about civilian use of crypto, then conducts their critical operations totally unencrypted. These were *exactly* the kinds of discussions that would have been most useful to a shooter or other domestic terrorist in such situations.
http://www.newser.com/article/942c0314e6aa400b8125097943b79828/after-paris-attacks-us-politics-shift-on-government-phone-data-collection-rubio-sees-opening.html At the same time, a *Washington Post* poll conducted after the Paris attacks showed a jump in the percentage of voters favoring investigating terrorist threats over protecting personal privacy: 72 percent said the government should investigate threats even at the cost of personal privacy, and 25 percent said the government shouldn't intrude on personal privacy, even if that limits its investigatory abilities. I will quote from my 2013 blog entry: "Why Edward Snowden May Be the Wackos' Dream Come True" ( http://lauren.vortex.com/archive/001047.html ) - "And given one major (or perhaps even minor) new successful terrorist attack, you can bet that we will move backwards in terms of civil liberties at an enormous rate, even though this will not stop terrorism, and will help the terrorists succeed in destroying our country's greatest ideals from within."
[This "john"-shaming has] “the potentially chilling effect that [license plate reader] technology has on freedom of association and freedom of transportation.” [automatically] send to [each vehicle] owner a letter explaining that the vehicle was seen in area known for prostitution. I wonder whether a politician who happens to be "campaigning" [ahem] in such an area would also receive these letters? Nick Selby, *Medium* Los Angeles Just Proposed the Worst Use of License Plate Reader Data in History. https://medium.com/@nselby/los-angeles-just-proposed-the-worst-use-of-license-plate-reader-data-in-history-702c35733b50#.c9obzyurl
http://www.nytimes.com/2015/11/29/magazine/the-serial-swatter.html Internet trolls have learned to exploit our over-militarized police. It's a crime that's hard to stop — and hard to prosecute.
http://arstechnica.com/tech-policy/2015/11/uk-isp-boss-points-out-massive-technical-flaws-in-investigatory-powers-bill/ The head of the UK ISP Andrews & Arnold, Adrian Kennard, has pointed out a number of major technical issues with the proposed Investigatory Powers Bill (aka the Snooper's Charter). Kennard and other representatives of the UK Internet Service Provider's Association (ISPA) met with the Home Office on Tuesday, where they presented a number of ethical, technical, and privacy related issues with the incoming new law. These issues, plus some of the Home Office's responses, can be found in written evidence (PDF) penned by Kennard. Kennard's key point is that the Internet Connection Records, which lie at the heart of the UK government's proposals, are largely meaningless for most modern online services. He recounts that, in the Home Office briefing this week, the example of a girl going missing was used once more to illustrate why the authorities want to be able to see which services she accessed just before disappearing, in the same way that they can track her phone calls. But Kennard and the other ISPA members pointed out this example betrayed a lack of understanding of how the Internet works today.
You know those messages you get with Reply-To: reply@not.possible @invalid..., etc. Well one day when they open up all TLDs, all the bad guys need to do is register the domains and set up mail systems, and voila, plenty of misdirected mail with personal details... They can even send a calming bounce message, while keeping a carbon copy...
> Car owners in the United States can soon play Volkswagen engineer,
> courtesy of the federal government. [. . .]

Just to play Devil's Advocate for the moment, what happens when cars become self-driving? The notion of J Random Hacker "tinkering" with the programming ought to (auto?) give one pause. Of course, the notion of J Random Hacker behind the wheel of a non-self-driving car should probably also give one pause.