Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
http://money.cnn.com/2016/01/13/technology/nsa-michael-hayden-encryption/ The FBI director wants the keys to your private conversations on your smartphone to keep terrorists from plotting secret attacks. But on Tuesday, the former head of the U.S. National Security Agency—the supreme experts on communications—said that would be a terrible idea. General Michael Hayden, now retired, was speaking at a cybersecurity conference in Miami Beach. He expressed his unwavering support for encryption, a feature that protects voice calls or texts by turning data into nonsensical, indecipherable code. "I disagree with [FBI director] Jim Comey," Hayden said in a speech. "I actually think end-to-end encryption is good for America."
Recently Ted Koppel was in the news with "Lights Out" book on US electric power grid vulnerabilities to: hacking; snipers; EMP; other troubles. Many people, in discussion lists, argued against Ted's position, using arguments, which were disproven by his book, and its citations. Now here comes an incident in the Ukraine. This is not the first cyber attack on critical infrastructure blamed on Russians. Russia has previously been blamed for Black Energy Trojans malware, used in this attack, and for cyber attacks on critical infrastructure of other European nations in past years. http://www.databreachtoday.com/ukrainian-power-grid-hacked-a-8779 Contrary to Data Breach Today "first use" speculation, a Saudi oil refinery was attacked with the Shamoon virus, allegedly by Iran in retaliation for US Israel Stuxnet attack. [...] https://en.wikipedia.org/wiki/Saudi_Aramco#Cyber_attack https://en.wikipedia.org/wiki/Shamoon
The Fed is the US Central Banking system, where the governors are appointed by the US government, on those rare occasions when the President and Congress can come to an agreement, and come from the nation's largest banks. A US inspector general report on a Federal Reserve audit raises more questions than it answers regarding the security risks facing one of the Fed's systems. <https://oig.federalreserve.gov/reports/board-star-security-control-review-summary-dec2015.htm> The Office of the Inspector General for the Board of Governors of the Federal Reserve System and Consumer Financial Protection Bureau recently issued an executive summary of the audit, which focuses on the Fed's Statistics and Reserve System, or STAR. It recommends the Fed strengthen information controls related to planning; security assessment and authorization; contingency planning; auditing; access control; risk assessment; and system and information integrity. STAR is a mainframe system developed in 1998 that supports the statistics and reserves functions at the Federal Reserve's Board and banks. The system collects and edits more than 75 periodic statistical reports that are received from financial institutions, according to OIG. In addition, the system manages financial institutions' reserve requirements and term deposits. The system, which is being modernized to a Web-based application, is deemed a moderate-risk system, meaning a breach could place the agency at a significant disadvantage or result in major damage, requiring extensive repairs to assets or resources. The IG says it did not publish the full audit—even a redacted version -- "given the sensitivity of information security review work." So, we do not know, for sure, what problems were found, can only speculate. IGs need to find a way to describe in all their audits more details on how to address IT security weaknesses while protecting sensitive information. Massive economic info comes from the US Fed, which people want to be able to reply upon. Tons of things can go wrong, if this data can be manipulated by hackers. http://www.govinfosecurity.com/blogs/federal-reserve-infosec-concerns-raised-p-2024 https://oig.federalreserve.gov/reports/board-star-security-control-review-summary-dec2015.htm http://www.federalreserve.gov/econresdata/default.htm
The US State of Oregon appears to be engaged in a failed conversion effort, with the department which helps Oregon citizens find new jobs, and get unemployment compensation after losing old jobs. Here is the latest in a series of cyber security audits: http://sos.oregon.gov/audits/Documents/2015-31.pdf This audit focuses on two systems, The Oregon Benefit Information System (OBIS), which processes unemployment benefits, and the Oregon Automated Tax System (OATS), which deals with unemployment tax reports from employers. The Oregon Employment Department is converting from a 1990's mainframe system, where essential documentation was inadequately maintained, and there does not seem to be an effort to regenerate what's needed for better cyber security. They estimate it will take at least another decade to complete this conversion, at which point the old system will be at least 30 years old. There is work to be done, which the old system allegedly cannot handle, or the staff does not know how to make it handle, so a lot of work is being done manually. There may be many people who used to work on that kind of system, qualified for what's needed, some of them part time, and for which a state employment office is eminently qualified to locate & hire, but instead they say they have no current employees with the necessary know-how. They had an Oct 2014 breach <http://www.oregonlive.com/money/index.ssf/2014/10/security_breach_discovered_at_oregon_employment_department_investigation_into_scope_source_continues. html> involving over 800,000 citizens: names; addresses; SS#. The associated cyber security vulnerabilities have not yet been fixed. Allegedly either they cannot be fixed on their old system, or no-one knows how, or the state budget is too inadequate to resolve this. The articles do not identify what KIND of mainframe system. http://portlandtribune.com/pt/9-news/287226-164243-brown-replaces-employment-department-director-after-critcal-audit http://www.oregonlive.com/politics/index.ssf/2016/01/kate_brown_replaces_head_of_em.html http://www.wweek.com/2015/12/31/audit-says-oregon-employment-department-computer-systems-should-be-replaced/ I do not understand how come 50 US states, with very similar responsibilities, have to have 50 different computer systems, managed independently. A close Oregon neighbor is Silicon Valley. Surely they can get professional help, if they want it. I do not even know if the Oregon system really is a mainframe system. I worked for 55+ years on systems, which were NOT mainframes, but most everyone who works from a PC, labels anything larger than a PC as a main frame. After a while, I gave up on correcting people. I have written and modified tens of thousands of programs in my career. At every employer, any given program can be modified hundreds of times, in its life time, thus designing software so that it is easy to modify and test, has always been an important criteria for me. Apparently this is not a common standard. Blaming difficulty in modifying programs is the same as saying the place has had a lack of standards for normal software support. In my career I've done dozens of conversions across: OS versions; platforms; hardware; software; data base systems; how data stored, accessed. A successful conversion should take no more than 2 years from start to finish. I've done a few that took only a few months. I have also been involved in conversions which got abandoned, thanks to inadequate resources, change in management personnel & their desires, and poor planning which I was not allowed to have a say about. There are generally two main stages. . Preparation & training - we get the qualified people, tools, documentation, budget, schedule, all planned out, how the implementation and testing is to be conducted, decide strategies such as how long to run in parallel, or which systems will be totally cut-over. For a major conversion, this can take a year or more. A major goal is to figure out how to do the implementation in as short a time period as practical. Some tools may be purchased,, some may need to be developed in house. Auditors should be consulted, to be sure the final design can meet their standards. When there is PII data involved, tests will need a data base of bogus info, because a failed test can mean a breach of the data being tested. . Actual implementation, testing should take no more than 6 months to a year, during which time part of the budget pays for rank and file work force to get training in the new systems..
The State of Michigan had an IT audit, with poor results. But the Governor is taking them seriously. 80% of Michigan state gov is on Windows servers, which were not audited at this time. 20% of Michigan state gov is on 950 UNIX servers. (I believe UNIX was originally designed more for access than for security.) 63 of the 950 were selected by MI Auditor General for a detailed audit. (Other states & local governments should also audit their cyber security.) Critical state operations are on 30 unsupported (obsolete) versions of UNIX. ( 30 / 63 up-to-date is better than what I have witnessed in my IT career). 5 of the unsupported versions had been that way for over 10 years. 90 % of the servers are not kept current with patches. If they get hacked, they don't have the controls to detect that. (very unhealthy) There was no segregation of duties to protect against insider misbehavior, like embezzlement, id theft, do proper change management, etc. (this audit obviously long overdue) 84% of the servers had not had passwords changed in a timely fashion, with one had not been changed in nine years. (I have seen worse.) 47% of the tested servers had had no vulnerability scans in over a month. When that was done at the IG auditor request, an average of 77 vulnerabilities was found on these servers with 420 being the largest #. (But how serious were they, and was there any budget to avoid this?) Some servers had not been scanned in 2 years. $2.9 million had been spent on a security tool, not installed on all servers, for which this tool was paid for. http://www.freep.com/story/news/local/michigan/2015/12/17/report-rips-security-state-computer-systems/77409208/ http://audgen.michigan.gov/finalpdfs/15_16/r071056315.pdf State & Local governments, in the USA, have been hurting due in part to reduced tax revenues from the Great Recession, followed by a tepid recovery, with more financial bubbles at risk of bursting. But all along, funding leaders of private and public operations have typically treated IT as an expense to minimize, not insurance needing minimum protection standards, nor tool to maximize worker productivity. Consequently there are periodic cyber security incidents. . Florida inadvertently exposed PII on children in foster care and/or court cases, we learned Oct 2015. . Georgia accidentally released PII on 6 million voters, we learned Nov 2015. . Indiana had inadequate budget for cyber security, so DMV got breached (Driver & Motor Vehicle licenses), and someone stole corporate taxes paid for Unemployment Compensation. . Illinois state employee payroll system got hacked, with id theft against most all of them. . Maine had to pay ransom April 2015 to recover data smashed by malware. . Minnesota password protection for DMV was inadvertently removed via an Aug 2015 server update. . Ohio had tax data on 50,000 taxpayers "lost" this month, January 2016. . Oregon had a Dec 2015 breach of name, address, SS# & date of birth on almost 1,000 Veterans. . Texas Nov 2015 breach released thousands of SS#s. . Virginia GovWin system used 3rd party Deltek software, breached in 2014, getting user names, passwords on 80,000 users, and credit card info on 25,000 users. . Several states (I do not have a list) had Secretary of State registration of companies, with HQ in that state, hacked, to facilitate id theft against those companies. . Many states have multiple incidents. There are 50 US states, unless you accept the last Puerto Rico vote to become a US state, as valid. (US Senate does not.) About 17% of all cyber breaches are of government systems. http://datalossdb.org/statistics
[TNX to Dr. Deborah Peel" <dpeelmd@patientprivacyrights.org>] http://thehealthcareblog.com/blog/2016/01/11/what-do-we-know-about-medical-errors-associated-with-electronic-medical-records/ The dangers of US electronic health systems are hidden and have never been systematically studied. There is no meaningful federal oversight or regulation of EHRs to protect the public. Health IT vendors voluntarily report flaws in their products. Yet healthcare is the largest sector of the economy. Is it unsafe at any speed? Quotes from Ross Koppel: * "Considerably over 80% of the reported errors involve horrific patient harm: many deaths, strokes, missed and significantly delayed cancer diagnoses, massive hemorrhage, 10-fold overdoses, ignored or lost critical lab results, etc. * Central to this article's contribution is its data source and an understanding of the direction of causation of the findings: These errors came to light not because a healthcare provider noted an EHR-related problem, but because the patient was harmed, the provider was sued and there was an insurance payment." The HITECH portion of the 2009 stimulus bill mandated national use of EHRs without prior clinical trials. EHRs were not comprehensively and thoroughly tested for effectiveness, safety, usability, reliability, accuracy, security, or privacy. Besides causing bodily harms and deaths, US EHRs destroy the right to health privacy: the data holders control all uses, disclosures and sales of personal health data, not patients. See: https://patientprivacyrights.org/2014/01/ims-health-files-ipo-legal/ We can't opt-out of EHRs, nor is it easy to find physicians who don't use them. What if you don't have a physician-friend to stay with you 24/7 if you're hospitalized? www.patientprivacyrights.org<http://www.patientprivacyrights.org/>
Ars Technica reports that multiple organizations have uncovered a problem with Intel's Skylake series processors when running complex computational workloads. >From the article: "Intel has identified an issue that potentially affects the 6th Gen Intel Core family of products. This issue only occurs under certain complex workload conditions, like those that may be encountered when running applications like Prime95. In those cases, the processor may hang or cause unpredictable system behaviour. Intel has developed a fix, and is working with hardware partners to distribute it via a BIOS update. No reason has been given as to why the bug occurs, but it's confirmed to affect both Linux and Windows-based systems. Prime95, which has historically been used to benchmark and stress-test computers, uses Fast Fourier Transforms to multiply extremely large numbers. A particular exponent size, 14,942,209, has been found to cause the system crashes." The complete Ars Technica article is at: http://arstechnica.com/gadgets/2016/01/intel-skylake-bug-causes-pcs-to-freeze-during-complex-workloads/
Matt McFarland, *The Washington Post*, 12 Jan 2016 via ACM TechNews; 13 Jan 2016 Google's fleet of automated vehicles, currently undergoing testing on roads in California and Texas, have had 13 near-misses in which a driver had to intervene to prevent a collision, according to a new Google report on the tests in California. The study estimated on 272 occasions in the 14-month test period drivers commandeered the cars due to software failure, while in 69 other incidents the drivers opted to take control to ensure the vehicles operated safely. The report points to a general decline in technology malfunctions since the fall of 2014. "It seems to be a pretty good sign of progress," says Chris Urmson, director of Google's self-driving car project. However, Princeton University's Alain Kornhauser cautions the cars' performance under easy or favorable road conditions can be deceiving. "It's informative, but it shouldn't be treated as a true measure of the vehicle's safety," says Carnegie Mellon University professor Aaron Steinfeld. The Google report cited the rate of disengagement, when the cars sense a system failure and ask the test driver to take over, as the most significant area of progress. Although this rate fell in early 2015, it increased late in the year, with Google attributing it to more difficult conditions under which cars were being tested, such as in heavy traffic and inclement weather. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e854x2dae4x065853&
https://blog.malwarebytes.org/fraud-scam/2016/01/clickjacking-campaign-plays-on-european-cookie-law/ "We've spotted an advertising campaign that tricks users into clicking on what looks like a notification alert that actually hides a legitimate advert, therefore abusing both the advertiser and the ad network hosting the ad (Google Ads Services). The rogue actors behind this fraudulent activity are cleverly leveraging a European law on the use of cookies to seemingly prompt visitors to answer a question." I've been saying all along that the EU cookie notification law was useless, nonsense, or worse. Well, here's proof of the worse.
On RISKS, we ironically ask "what could possibly go wrong?" when shown some new hare-brained technology. In the case of "smart" guns, I can't even get past "what could possibly go right?" I haven't performed an exhaustive search, but I can't recall a single instance in which a "smart" gun would have stopped *any* mass shooting instance, nor *any* police shooting of an unarmed suspect. "Smart" guns are an appeal to some God-like "AI" entity that can solve the "Trolley Problem" [0] in microseconds; Google is supposedly working on such technology for self-driving cars—but don't hold your breath waiting for a God-like solution to this Trolley problem any time soon. When it takes an entire legal system, including juries and prosecutors weighing tons of evidence to come to a Monday-morning legal conclusion, how in the world is some "smart gun" going to decide this in microseconds? All that having been said, I'm even more frightened by what can go wrong; in 2016, we're about to harvest the most amazing collection of "Internet of Things" security vulnerabilities that the world has ever seen. However, it's one thing if your Bluetooth pillow is hacked; quite another if your "smart gun" is hacked. [0] https://en.wikipedia.org/wiki/Trolley_problem Terry Collins, CNET, 4 Jan 2016 Obama orders feds to study smart gun technology http://www.cnet.com/news/obama-orders-feds-to-study-smart-gun-technology/
Cathy Farmer, University of Bristol News, 8 Jan 2016 via ACM TechNews; 13 Jan 2016 University of Bristol researchers conducted a brain-imaging study showing technological game-playing can involve brain activity that positively supports learning. The research is linked to a larger classroom study, which will include 10,000 secondary school students across Britain, and it could provide a new perspective on concerns that some children spend too much time playing computer games. The researchers will show how the gamification of learning can reduce the activity of a particular brain network that governs mind wandering. The researchers found when students tried to study by reading notes and looking at example questions, this Default Mode Network portion of the brain was strongly activated. However, when studying became a competitive game, the additional brain activity disappeared and learning increased. "This is evidence that computer games can be good for learning, if we are careful about how we design and develop them," says University of Bristol professor Paul Howard-Jones. As part of the study, 24 student volunteers experienced three types of study sessions while having their brains scanned. The brain-imaging experiment showed how the students concentrated and learned better when studying was part of a game. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e854x2daebx065853&
http://www.amazon.com/Ballot-Battles-History-Disputed-Elections/dp/0190235276/ref=sr_1_1?ie=UTF8 Here is what I said on my Blog, essentially what I said on Amazon: http://ctvoterscount.org/book-review-ballot-battles-by-edward-b-foley/ Book Review: Ballot Battles by Edward B. Foley By Luther Weeks <http://ctvoterscount.org/author/lgwadmin/>, 9 Jan 2016 <http://ctvoterscount.org/book-review-ballot-battles-by-edward-b-foley/> I have long been a fan of the papers and other writings of Edward B. Foley of the Moritz College of Law <http://moritzlaw.osu.edu/faculty/professor/edward-b-foley/> . He writes extensively on the issues associated with close elections, how have been decided since the founding of the United States, and how the process might be improved. Last month his book on the subject, Ballot Battles:The History of Disputed Elections in the United States was released. <http://www.amazon.com/Ballot-Battles-History-Disputed-Elections/dp/0190235276> To me, it was a highly fascinating read that kept my interest through every page. It should be required reading for anyone interested in Election Integrity. As I would define it, Ballot Battles is focused on one component of election integrity, i.e. How close elections have been decided in the U.S., rather than if the vote counting itself was accurate. Foley's work is an important component of election integrity. Further along that vein we could say that Fair Elections go beyond Election Integrity to include fair voter eligibility, access to the polls, candidate access to the ballot, access to the press, and campaign financing etc. Ballot Battles follows close elections and the process for deciding the declared winner from 1781 through 2008. While Presidential races from 1800, 1876, and 2000 are important, many other races for the U.S. Senate, U.S. House, and Governors are just as important to history and the challenges remaining today. Reforms have been attempted after major controversies, yet as Foley shows they have been insufficient, including those after 2000. We remain vulnerable. As summarized at one point in Ballot Battles: "the 1960 presidential election must be viewed as a failure of American government to operate as a well-functioning democracy. That failure puts 1960 along-side 1876 - and, as we shall later consider, 2000 - in a disturbing series of instances in which the nation has lacked the institutional capacity to identify accurately the winner of the presidency." There is no easy solution. It would likely require a Constitutional Amendment. Ultimately, as Foley recommends, following successful models of instances of bodies of equal numbers of partisans, with a single respected non-partisan member. That is unlikely to always work, yet that has worked better than the system we are left with for adjudicating close Federal Elections. Ballot Battles thoroughly covers the adjudication process and the risks to which we are exposed. Those seeking information on fraud and error in elections will not find the details here. Likewise, those seeking agreement that the Supreme Court erred or acted responsibly in 2000 will find little agreement here, yet much to ponder, much to learn about the law, and the precedents applied to resolve election challenges.
The golden rule of privacy: Say what you do and do what you say. Violate that rule in the USA, and the gov may come after you, except where you are allowed to keep your business practices confidential. In the USA, medical privacy is governed by HIPAA regulations. <http://www.healthcareinfosecurity.com/hipaa-hitech-c-282> http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/ The US Federal Trade Commission (FTC) on Jan. 5 announced a $250,000 settlement with Henry Schein Practice Solutions, a New York-based provider of practice management software for dental practices, stemming from the company's false advertising about encryption capabilities. The company has been ordered to halt the misleading advertising, and to notify all prior customers of the truth. Schein had been marketing its Dentrix G5 software to dental practices around the USA for two years with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data as required by HIPAA. Instead, however, the company was offering a less robust "data masking technique using cryptographic technology," the FTC says. <http://dentrix.com/products/dentrix> <http://www.healthcareinfosecurity.com/hipaa-hitech-c-282> http://www.bankinfosecurity.com/ftc-fines-software-vendor-over-encryption-cl aims-a-8782 https://www.ftc.gov/system/files/documents/cases/160105scheincmpt.pdf
I haven't use TurboTax for years, but the last time I did I gave them a gmail address. The address had this form, using my actual first name, middle initial, and last name: firstname.i.lastname@gmail.com. In late March, 2014, I got email from TurboTax saying my tax return had been rejected by the IRS. Since I hadn't submitted one, I was concerned. To make a long story short, I eventually realized that the mail had been sent to firstnameilastname@gmail.com, not firstname.i.lastname@gmail.com. It appears that google considered these to be the same address but TurboTax did not. Someone with my name, including middle initial, had entered that address into TurboTax. All subsequent mail from TurboTax came to me. I decided it was not fraud on his part, just bad luck. He soon fixed his tax return, because I got another email saying that it had been accepted. But later that year, I got a marketing email from TurboTax inviting me to use their services again, and while trying to see if I could resolve the underlying issue, wound up with a link to his tax return! So I called TurboTax again but never felt certain that they really understood. But I do think the other guy has taken care of the problem on his end since I'm no longer getting progress reports on his tax returns. Two morals: be careful how you enter your email address, and uh, don't enter it in a gmail signup page. On the other hand, you could construct all sorts of variants of your gmail address and use those to track who's sharing your email address with whom. Steve B (name withheld to protect the unlucky)
http://recode.net/2016/01/05/twitter-considering-10000-character-limit-for-tweets/ Twitter is building a new feature that will allow users to tweet things longer than the traditional 140-character limit, and the company is targeting a launch date toward the end of Q1, according to multiple sources familiar with the company's plans. Twitter is currently considering a 10,000 character limit, according to these sources. Given their policy of allowing people and organizations you've never followed to contaminate your timeline with commercials and other irrelevant content, with no way for you to disable that pipeline, it's clear this is really all about permitting much vaster contamination of this sort to take place. In the Twitter environment, so deeply saturated with nasty trolls already, this will be a sea change of the worst possible sort. Not the beginning of the end for Twitter, but a major acceleration of the continuing process already leading rapidly toward their demise.