FYI—The next time you're lying on a gurney waiting to get an X-ray or MRI scan, contemplate the probability that your X-ray or MRI machine has *already been compromised*. Scott Erven & Mark Collao set up similarly configured honeypots & found them constantly under successful attack due to massive numbers of unpatched vulnerabilities and hardwired credentials. Scott & Mark think that many of these attackers didn't even realize the types of machines that they had successfully attacked; these attacks are apparently large-scale automated attacks on *every* Internet address looking for vulnerable computers. This means that *every* vulnerable machine attached to the Internet will eventually be pwned because every known exploit will eventually be tried on all of them. X-ray and MRI machines have service technician screens including "calibration" interfaces which could be used to override some of the built-in safety mechanisms. I shudder to even think about pwned Lasik machines...

https://www.youtube.com/watch?v=qX_dV6LUTdo
Break Me14 Medical Devices Pwnage and Honeypots, Scott Erven, Mark Collao, IronGeek, 27 Sep 2015
These are the videos from Derbycon 2015: http://www.irongeek.com/i.php?page=videos/derbycon5/mainlist

- - - -

Jeff Goldman, Thousands of Critical Medical Devices Exposed Online, 1 Oct 2015
http://www.esecurityplanet.com/network-security/thousands-of-critical-medical-devices-exposed-online.html

'These devices are getting owned repeatedly,' security researcher Mark Collao said.

At the DerbyCon security conference in Louisville, Kentucky, security researchers Scott Erven and Mark Collao recently stated that thousands of critical medical devices are connected to the Internet and vulnerable to attack, The Register reports.

At one unnamed U.S. healthcare organization with 12,000 staff and 3,000 physicians, Erven and Collao said, more than 68,000 devices are exposed online, including 21 anaesthesia systems, 488 cardiology systems, 67 nuclear medical systems, 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications devices. The researchers discovered the linked devices through the Shodan device search engine. "Once we [started] changing [search terms] to target speciality clinics like radiology or podiatry or pediatrics, we ended up with thousands with misconfiguration and direct attack vectors," Erven said.

MRI and defibrillator machine honeypots placed by Erven and Collao attracted 55,416 successful SSH and Web logins and 299 malware payloads. As a result, they said, it's reasonable to assume that there are infected medical devices connecting to command and control servers on a regular basis. "These devices are getting owned repeatedly, and now that more devices and hospitals are Wi-Fi enabled, it's pretty prevalent," Collao said, SC Magazine reports. "Next time you're in a hospital and you're getting hooked up to a machine and you see Ethernet going into a wall, it makes you think twice—is this connected to a command and control server somewhere?"

"The Internet of Things is already here, and some of its denizens are already in critical condition," Tripwire director of IT security and risk strategy Tim Erlin told eSecurity Planet by email. "Embedded devices are nothing new, and the expansion of Internet connectivity has turned networked embedded devices, from energy to healthcare, into internetworked embedded devices. As the forward end of the industry works to bring the 'things' to the Internet, the Internet has already been brought to the 'things' that were out there."

"With embedded devices, it's often not as simple as applying the latest updates," Erlin added. "When those devices interact directly with a human being in a therapeutic task, it's even more complicated to make changes. This isn't a challenge that's likely to go away. It's likely to get worse, and make headlines, when someone hacks a medical device to make a point."
The European Court of Justice has declared the "Safe Harbor" decision, under which personal data of EU citizens could be handed over to US companies provided these companies bound themselves to certain rules, illegal. The indiscriminate access of US authorities to this data is held to contradict fundamental human rights to privacy and to judicial protection. The court's arguments are very strongly worded, and are quite familiar to anybody who has read RISKS for any length of time since 2013. In the argument given prior to the decision, the Advocate General specifically cited PRISM as a reason why US privacy provisions were inadequate. The US government tried to counter this with a statement, but to no avail.

Apart from the human rights aspects, this is likely to have a severe impact on Internet commerce. Around 4500 companies transfer personal data of EU citizens to the US for processing under the "Safe Harbor". The legal basis for this has now been removed. Some companies have tried to use other legal grounds for transferring data, but it is at the moment quite unclear which of these are, in fact, legal. Companies operating in Europe might be obliged to state in their conditions of service that data may be handed over to US intelligence indiscriminately. Of course, this might put them into the quandary that US law prohibits such revelations. The only way out might be for US Internet companies to move their data centers to Europe, or to stop doing business with EU citizens entirely. As an aside, the negotiations about TTIP are also likely to be held up.

So, the NSA scandal is finally going to cost the US (and possibly other) economies a *lot* of money. The strategy of just ignoring the NSA scandal and hoping that it will all go away if all participants simply close their eyes hard enough has not worked. Today might also be remembered as a big step towards the break-up of the Internet into regional networks, which is now a very real possibility following the NSA scandal.
The press release itself can be found at http://curia.europa.eu/jcms/jcms/P_180250/

Some key sentences (stressed parts marked with asterisks are from the original):

  United States public authorities are not themselves subject to it [the agreement]. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound *to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.* The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.

  [...] legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as *compromising the essence of the fundamental right to respect for private life*.

  [...] legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, *compromises the essence of the fundamental right to effective judicial protection,* the existence of such a possibility being inherent in the existence of *the rule of law.*
Amar Toor, The Verge, 6 Oct 2015
Decision to invalidate data-transfer agreement could have far-reaching implications for U.S. tech companies in Europe
http://www.theverge.com/2015/10/6/9460465/european-court-facebook-safe-harbor-ruling-data-transfer

Europe's highest court today ruled that Facebook cannot send personal information on European users to data centers in the US, invalidating a 15-year trans-Atlantic data transfer agreement. In a decision that could have far-reaching implications for many US tech companies, the European Court of Justice said that the EU's Safe Harbor agreement with the US is "invalid" because the country does not guarantee adequate privacy protections. The agreement allows technology companies to transfer data from Europe to the US, provided that certain privacy requirements are met. According to *The Wall Street Journal*, today's ruling could impact around 4,500 companies that currently rely on the laws to transfer data to the US.
<http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf>
<http://www.wsj.com/articles/eu-court-strikes-down-trans-atlantic-safe-harbor-data-transfer-pact-1444121361>

The case was brought before Ireland's high court by Max Schrems, an Austrian activist who argued that Facebook had violated his privacy by processing his personal data in the US, citing recent revelations about the NSA's surveillance programs. The Irish court rejected Schrems' complaint, pointing to the European Commission's Safe Harbor decision, but the European court today ruled that the agreement is invalid, and that EU regulators should be able to restrict data flows as they see fit. In a statement, the court said that Irish authorities are now "required to examine Mr. Schrems' complaint with all due diligence," and can decide whether "transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data." A Facebook spokesperson did not immediately respond to a request for comment.
http://www.nytimes.com/2015/09/29/upshot/how-many-deaths-did-volkswagens-deception-cause-in-us.html Public health researchers have formulas to calculate the lives lost from excess pollution.
http://www.nytimes.com/2015/10/05/business/engine-shortfall-pushed-volkswagen-to-evade-emissions-testing.html The carmaker installed emissions-cheating software in 2008 after realizing that a new diesel motor could not meet pollution standards, people familiar with an internal inquiry said.
[Rob might become the Enemy-of-(the-)Peeple? PGN]

I am Rob not-of-Peeple. But resistance is futile. I will be assimilated, whether I like it or not, if anyone knows my phone number. As long as I don't sign up, I will remain in ignorance-is-blissful ignorance of any negative "reviews," or other cyberbullying, taking place on the system. (At the moment I'd have to sign up through Facebook, which is off-putting in any case.) If any troll or malcontent does post anything negative about me, I have 48 hours to ask them nicely to rescind it. If, for any reason, they decide not to, there is absolutely nothing I can do about it.

Peeple. When you care enough to post the very worst.
https://nakedsecurity.sophos.com/2015/10/02/prepare-to-be-rated-on-a-5-star-scale-by-peeple-like-it-or-not/

Inquiring minds want to know: Do they do any checking on the phone numbers? Can I create an "account" for someone just by putting in a random phone number? Can you use someone's work number? Do they do any sanity checking? Can I create someone with a 555 number? Do they accept international phone numbers? How do they deal with Americans who know nothing about international phone number formats? How hard would it be to mount a major cyberbullying campaign against the founders of the system? So far they are pushing babysitting and teaching, but how hard would it be to create other categories on the system? Could you create a "generally-really-nasty-person" category and then rate people highly on that? Do they have any checks that would prevent you from using "bad words" to create new categories? Can you post pictures? Video? Fake ones? Are they checking for copyright violations?

email@example.com firstname.lastname@example.org email@example.com victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/
The Athens Affair shows why we need encryption without backdoors.
Revelations about the hack that allowed Greek politicians to be spied on in 2004 come at a time when the White House is set to announce its encryption policy
Trevor Timm, *The Guardian*, 30 Sep 2015
http://www.theguardian.com/commentisfree/2015/sep/30/athens-affair-encryption-backdoors

Just as it seems the White House is close to finally announcing its policy on encryption—the FBI has been pushing for tech companies like Apple and Google to insert backdoors into their phones so the US government can always access users' data—new Snowden revelations and an investigation by a legendary journalist show exactly why the FBI's plans are so dangerous.

One of the biggest arguments against mandating backdoors in encryption is the fact that, even if you trust the United States government never to abuse that power (and who does?), other criminal hackers and foreign governments will be able to exploit the backdoor to use it themselves. A backdoor is an inherent vulnerability that other actors will attempt to find and use for their own nefarious purposes as soon as they know it exists, putting all of our cybersecurity at risk.

In a meticulous investigation, longtime NSA reporter James Bamford reported at the Intercept Tuesday that the NSA was behind the notorious Athens Affair. In surveillance circles, the Athens Affair is the stuff of legend: after the 2004 Olympics, the Greek government discovered that an unknown attacker had hacked into Vodafone's "lawful intercept" system, the phone company's mechanism of wiretapping phone calls. The attacker spied on phone calls of the president, other Greek politicians and journalists before it was discovered. According to Bamford's story, all this happened after the US spy agency cooperated with Greek law enforcement to keep an eye on potential terrorist attacks for the Olympics. Instead of packing up their surveillance gear, they covertly pointed it towards the Greek government and its people.

But that's not all: according to Snowden documents that Bamford cited, this is a common tactic of the NSA. They often attack the "lawful intercept" systems in other countries to spy on government and citizens without their knowledge:

  Exploiting the weaknesses associated with lawful intercept programs was a common trick for NSA. According to a previously unreleased top-secret PowerPoint presentation from 2012, titled "Exploiting Foreign Lawful Intercept Roundtable", the agency's "countries of interest" for this work included, at that time, Mexico, Indonesia, Egypt and others. The presentation also notes that NSA had about 60 "Fingerprints"—ways to identify data—from telecom companies and industry groups that develop lawful intercept systems, including Ericsson, as well as Motorola, Nokia and Siemens.

It's the exact nightmare scenario security experts have warned about when it comes to backdoors: they are not only available to those that operate them "legally", but also to those who can hack into them to spy without anyone's knowledge. If the NSA can do it, so can China, Russia and a host of other malicious actors. [...]
There was a good article about this in 2007 in IEEE Spectrum. At the time, they didn't know who did it. Vassilis Prevelakis and Diomidis Spinellis, The Athens Affair, IEEE Spectrum, July 2007, http://www.spectrum.ieee.org/jul07/5280
We did something similar at the end of World War II: having broken the Enigma code, the US and the UK rounded up all the Enigma machines we could find, and gave/sold them to many of our allies (but neglected to tell them the fact that Bletchley had broken the encryption).
Fahmida Y. Rashid, InfoWorld, 30 Sep 2015, via ACM TechNews, 5 Oct 2015

Worcester Polytechnic Institute (WPI) researchers have demonstrated how to use one instance of Amazon EC2 to recover the full 2,048-bit RSA key from a separate Amazon instance. "We exploit the [last-level cache (LLC)] to recover the secret key of a modern sliding-window exponentiation-based implementation of RSA, across cores and without relying on deduplication," the researchers say. They note malicious hackers could use this strategy to intercept the targeted entity's encrypted communications and extract potentially valuable information. For this attack to work, both the attacker's Amazon account and the target Amazon account containing the private RSA key must be on the same hardware chip or chip set. "Everything must work in concert together and it is highly difficult to pull off," notes Comodo's Robin Alden. The researchers say their technique highlights the need for deploying stronger isolation techniques in public clouds. Experts recommend providers patch the weaknesses that make these types of attacks possible, and smarter cache management policies for hardware and software could prevent side-channel leakages and future exploits. "A more random placement policy would make it tougher for attackers to land on the same [central processing unit] or hardware as that of the intended target," says Ciphercloud's Sundaram Lakshmanan.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e275x2d540x063483&
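The item above turns on one detail: a sliding-window exponentiation indexes a table of precomputed powers with the bits of the private exponent, so the pattern of cache lines the victim touches is a function of the key, and that pattern is what a co-resident VM watching the shared last-level cache can observe. The toy below is an added illustration, not the WPI researchers' code or any real RSA library: it runs a sliding-window modular exponentiation and records the table index used at each step (the access pattern a cache side channel sees), then runs a Montgomery ladder, which performs the same multiply-and-square pair for every bit so its trace is identical for any two exponents of the same length. Window size 4, the small modulus and the sample exponents are arbitrary constructed choices, and Python big integers are not constant-time, so the ladder models the structural property (no key-dependent table lookup), not a production constant-time implementation.

```python
"""Why sliding-window RSA leaks through the cache, and what a ladder changes.

Added illustration (not the WPI researchers' code, not a real RSA library).
A cache attacker sees *which* table entries the victim touches; here we record
exactly that sequence so the two strategies can be compared directly.
"""


def sliding_window_modexp(base, exp, mod, w=4):
    """Left-to-right sliding-window exponentiation (w = window width).

    Returns (base**exp mod mod, trace), where trace is the list of table indices
    multiplied in, one per window.  Those indices are pieces of the exponent
    itself, so the memory access pattern is key-dependent.
    """
    # Precompute odd powers base**k for k < 2**w, as a sliding-window implementation does.
    table = {1: base % mod}
    b2 = base * base % mod
    for k in range(3, 1 << w, 2):
        table[k] = table[k - 2] * b2 % mod

    bits = bin(exp)[2:] if exp else "0"
    result, trace, i, n = 1, [], 0, len(bits)
    while i < n:
        if bits[i] == "0":
            result = result * result % mod  # a zero bit is just a squaring
            i += 1
            continue
        # Take the longest window of up to w bits starting at i that ends in a 1.
        j = min(i + w, n)
        while bits[j - 1] == "0":
            j -= 1
        window = int(bits[i:j], 2)
        for _ in range(j - i):
            result = result * result % mod
        result = result * table[window] % mod  # key-dependent table access
        trace.append(window)
        i = j
    return result, trace


def montgomery_ladder_modexp(base, exp, mod, nbits=None):
    """Montgomery ladder: one multiply and one square per bit, in fixed order.

    Both candidate values are always computed and the result is selected
    arithmetically, so there is no key-dependent branch or table lookup.  The
    trace is therefore the same for every exponent of the same bit length.
    (Python integers are not constant-time; this models the structure only.)
    """
    if nbits is None:
        nbits = exp.bit_length()
    r0, r1 = 1, base % mod
    trace = []
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        prod = r0 * r1 % mod
        sq0 = r0 * r0 % mod
        sq1 = r1 * r1 % mod
        # bit 0: r0 = r0^2, r1 = r0*r1   |   bit 1: r0 = r0*r1, r1 = r1^2
        r0 = (1 - bit) * sq0 + bit * prod
        r1 = (1 - bit) * prod + bit * sq1
        trace.append(("mul", "sqr"))
    return r0, trace


def trace_depends_on_exponent(modexp, e1, e2, base=7, mod=1009):
    """True if the access trace differs between two exponents: a leak."""
    return modexp(base, e1, mod)[1] != modexp(base, e2, mod)[1]


if __name__ == "__main__":
    # Constructed 8-bit sample exponents; same length, different bit patterns.
    for e in (0xB5, 0xC3):
        r, t = sliding_window_modexp(7, e, 1009)
        assert r == pow(7, e, 1009)
        print(f"sliding window, exp={e:08b}: table indices {t}")
    print("sliding window leaks:", trace_depends_on_exponent(sliding_window_modexp, 0xB5, 0xC3))
    print("ladder leaks:        ", trace_depends_on_exponent(montgomery_ladder_modexp, 0xB5, 0xC3))
```

The sliding-window trace for the two sample exponents is `[11, 5]` versus `[3, 3]`: the window values are literally chunks of the exponent, which is why observing table-entry accesses in the shared cache is enough to reconstruct the key. The ladder's trace is eight identical multiply/square pairs either way. This is the software half of the mitigation the article's experts describe; the placement and cache-management changes on the provider side are the other half.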
Harvard University, 29 Sep 2015, via ACM TechNews, Monday, October 5, 2015

Harvard University researchers have used a pair of experiments to show Resident Registration Numbers (RRNs) used in South Korea can be decrypted to reveal a range of personal information. In the experiments, the researchers were able to decrypt more than 23,000 RRNs using both computation and logical reasoning. The findings suggest that although such identifiers are encrypted to protect privacy, they remain vulnerable to attack and must be designed to avoid such weaknesses. The researchers showed each number in the RRN could be replaced with a letter in a recognizable pattern, which could then be used to decrypt thousands of RRNs, which could reveal personal information about their users. They also found the final RRN digit is a weighted sum of prior digits, meaning it is possible to decrypt the numbers and then use arithmetic to confirm the accuracy of the information. "Our study shows that weak encoding systems, which refer to the very design of the number, render encryptions as poor methods of protecting privacy," the researchers note. The findings are timely, because South Korea is currently debating a redesign of RRNs and other nations, including the U.S., have discussed the use of a single identifier for medical records, according to Harvard professor Latanya Sweeney.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e275x2d544x063483&
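The "weighted sum" remark is the part worth seeing in code, because it is the general lesson for anyone designing an identifier: a check digit exists so that typos can be detected, which means it also confirms whether a guessed or partially decoded value is well-formed, and it contributes nothing to confidentiality. The snippet below is an added illustration, not the Harvard study's code. The weights and the modulo-11 rule are the publicly documented RRN checksum scheme (treat that as an assumption if you rely on it); the sample numbers are constructed here, belong to nobody, and use an impossible birth month (13) so they cannot coincide with a real number.

```python
"""RRN check digit: an integrity aid, not a secret.

Added illustration (not the Harvard researchers' code).  Weights are the publicly
documented Korean RRN scheme: the first twelve digits are multiplied by
2,3,4,5,6,7,8,9,2,3,4,5, summed, and the thirteenth digit is (11 - sum mod 11) mod 10.
"""

WEIGHTS = (2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5)


def rrn_check_digit(first12: str) -> int:
    """Compute the thirteenth digit from the first twelve."""
    if len(first12) != 12 or not first12.isdigit():
        raise ValueError("expected exactly 12 digits")
    total = sum(int(d) * w for d, w in zip(first12, WEIGHTS))
    return (11 - total % 11) % 10


def rrn_is_well_formed(rrn: str) -> bool:
    """Checksum-only validity test (ignores whether the date/region fields make sense)."""
    digits = rrn.replace("-", "")
    if len(digits) != 13 or not digits.isdigit():
        return False
    return int(digits[12]) == rrn_check_digit(digits[:12])


def consistent_completions(masked: str) -> list:
    """For a number with exactly one digit unknown ('?'), list the digits that
    satisfy the checksum.  Roughly one in ten survives: this is the arithmetic the
    study used to confirm decodings, and it shows why masking or encoding a single
    digit of a checksummed identifier buys almost no privacy."""
    digits = masked.replace("-", "")
    if len(digits) != 13 or digits.count("?") != 1:
        raise ValueError("expected 13 characters with exactly one '?'")
    pos = digits.index("?")
    return [d for d in "0123456789"
            if rrn_is_well_formed(digits[:pos] + d + digits[pos + 1:])]


if __name__ == "__main__":
    # Constructed sample: birth field 991399 is deliberately impossible (month 13).
    sample = "991399-1234561"
    print(sample, "well-formed:", rrn_is_well_formed(sample))
    print("check digit for 991399123456:", rrn_check_digit("991399123456"))
    print("digits consistent with 991399-12345?1:", consistent_completions("991399-12345?1"))
```

Designers of a national or medical identifier should draw the opposite conclusion from the one the checksum invites: if the value must be protected, protect it with a random surrogate stored in a lookup table, not with an encoding of the structured number, because the structure plus the checksum lets anyone verify their decoding offline.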
U.Wash via ACM TechNews, Monday, October 5, 2015
Study Rates UW CSE Software and Engineering Research Most Practically Relevant of the Past Five Years, University of Washington News and Information, 1 Oct 2015

A tool developed by University of Washington (UW) researchers to improve collaboration between software developers has been judged the most practically relevant software engineering research of the last five years. The recognition comes from an industrial relevance study conducted by Microsoft Research and Singapore Management University, which asked more than 500 software developers to rate the relevance to their daily work of 571 research papers. The greatest number of respondents rated the UW project, which generated the Crystal collaboration tool, as an "essential" addition to the practice of software development. The UW research team, led by professors Michael Ernst and the late David Notkin, developed Crystal as a way to help developers who are working on a team in parallel avoid making changes that might be in conflict with each other. Crystal does this by continuously merging every developer's changes into the software so conflicts become apparent and can be quickly addressed. Crystal prevents wasting time returning to the code to rectify conflicts and problems after the fact. The paper on proactive conflict detection was part of the speculative analysis project, led by Ernst at UW's Programming Languages & Software Engineering group.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e275x2d547x063483&
(Papers Please & Mass Private via Black Listed)
US Customs is collecting the personal information of every Amtrak passenger
29 Sep 2015, Source: Mass Private I
http://massprivatei.blogspot.com/2015/09/us-customs-is-collecting-personal.html

According to Papers Please <http://papersplease.org/wp/2015/09/23/does-cbp-have-access-to-domestic-amtrak-reservations/>:

Documents <http://papersplease.org/wp/wp-content/uploads/2015/09/amtrak-21sep2015.pdf> released by Amtrak suggest that since 2012, US Customs and Border Protection (CBP) has had direct access to Amtrak's reservation system, possibly including access to reservations for Amtrak passengers traveling entirely within the USA.

The Amtrak documents Papers Please received are the fourth in a continuing series of long-overdue interim responses to a FOIA request they made in October 2014 for records related to Amtrak's data-sharing and other collaboration with DHS and other US and foreign law enforcement agencies:
<http://papersplease.org/wp/wp-content/uploads/2015/09/amtrak-21sep2015.pdf>
<http://www.papersplease.org/wp/2015/03/20/amtrak-lies-about-police-use-of-passenger-data/>
<http://www.papersplease.org/wp/2015/04/23/amtrak-formats-for-passenger-id-data-dumps-to-governments/>
<http://papersplease.org/wp/2015/06/21/more-on-amtrak-passenger-data-requirements/>
<http://papersplease.org/wp/wp-content/uploads/2014/10/amtrak-foia-29oct2014.pdf>

http://www.blacklistednews.com/US_Customs_is_collecting_the_personal_information_of_every_Amtrak_passenger/46407/0/38/38/Y/M.html
When an organization gets hacked, ideally they'll realize it promptly and warn their users right away. Take crowdfunding site Patreon, which was hacked on Monday and has already informed the world about the problem. Scottrade, an investment brokerage company, is different, and not in a good way. The company announced Friday that it suffered a security breach over a period of several months from late 2013 to early 2014, affecting approximately 4.6 million customers. But in a statement, Scottrade said it had no idea that the breach had occurred until law enforcement officials told them about it. Remember: This is a company that is charged with storing real money and managing investments. Let that sink in for a second. http://www.pcworld.com/article/2988993/security/scottrade-had-no-idea-about-data-breach-until-the-feds-showed-up.html
http://www.nytimes.com/2015/10/04/books/review/jonathan-franzen-reviews-sherry-turkle-reclaiming-conversation.html Jonathan Franzen reviews a new book based on interviews with people who say they feel controlled by new technologies.
http://bits.blogs.nytimes.com/2015/10/04/business-technology-starts-to-get-personal/ Despite their very different companies, the chief executives of General Electric and Apple have something in common: They believe businesses will increasingly rely upon 'personalized' technology to run their operations.
Following https://bugs.launchpad.net/ubuntu/+source/cupsys/+bug/255161, the bug report is dated 2008, so the bug is weird, slipped past checks, but is slightly outdated. Mike R.
Don't blame the ad-blockers or their users. Attention is the resource from which marketers make their living. It's a limited resource. When the volume of advertising is low, a marketer, by putting one more ad on a web page, gets an increase in profits. As the volume of advertising increases, the profit the marketer gains from one more ad decreases, and the ad decreases the amount of attention paid to other marketers' ads, reducing their profits. At some point the profit a marketer gains by placing one more ad is less than the total loss that the ad causes to other marketers. This scenario may sound familiar... https://en.wikipedia.org/wiki/Tragedy_of_the_commons The marketers who will survive are the ones who are willing to use the most obnoxious tactics to take our attention. Anybody with any decency will fail or quit. Web advertising will be dominated by slimeballs whether or not the end users use ad-blockers.
http://www.nytimes.com/2015/10/01/technology/personaltech/ad-blockers-mobile-iphone-browsers.html Two tests were carried out with ad blockers: one to measure how much loading times were improved, and the second to study battery life.
Just to be clear, this is Adblock, not AdBlock Plus, that is the subject of the article that Lauren linked to. Having said that, it's worth noting the following from said article:

  What's interesting is six months ago Adblock changed its name suddenly to BetaFish Adblocker, claiming it was an `experiment'. BetaFish is the name of Gundlach's holding company that owned Adblock and around the same time had applied for a US trademark on the word `Adblock'. Support staff claimed five months ago that the company was not being purchased by someone or preparing for participation acceptable ad program, but the move may have pre-empted today's deal. The name was later changed back to simply Adblock, without further explanation.

Does that mean that AdBlock's new owners want to go after Eyeo, the company that makes AdBlock Plus? I guess we'll find out soon enough!

https://getadblock.com/
https://adblockplus.org
http://thenextweb.com/apps/2015/10/02/trust-us-we-block-ads
http://support.getadblock.com/discussions/suggestions/998-why-did-you-change-adblock-name-to-betafish-adblocker/page/1#comment_36657836
https://tsdr.uspto.gov/#caseNumber=86537340&caseType=SERIAL_NO&searchType=statusSearch
https://eyeo.com/

Alan Ralph - Wearer Of Many Hats! firstname.lastname@example.org