Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
http://money.cnn.com/2016/01/13/technology/nsa-michael-hayden-encryption/ The FBI director wants the keys to your private conversations on your smartphone to keep terrorists from plotting secret attacks. But on Tuesday, the former head of the U.S. National Security Agency—the supreme experts on communications—said that would be a terrible idea. General Michael Hayden, now retired, was speaking at a cybersecurity conference in Miami Beach. He expressed his unwavering support for encryption, a feature that protects voice calls or texts by turning data into nonsensical, indecipherable code. "I disagree with [FBI director] Jim Comey," Hayden said in a speech. "I actually think end-to-end encryption is good for America."
Recently Ted Koppel was in the news with his "Lights Out" book on US electric power grid vulnerabilities to hacking, snipers, EMP and other troubles. Many people, in discussion lists, argued against Ted's position using arguments which were disproven by his book and its citations. Now here comes an incident in the Ukraine. This is not the first cyber attack on critical infrastructure blamed on Russians. Russia has previously been blamed for the BlackEnergy Trojan malware used in this attack, and for cyber attacks on critical infrastructure of other European nations in past years. http://www.databreachtoday.com/ukrainian-power-grid-hacked-a-8779 Contrary to Data Breach Today's "first use" speculation, a Saudi oil refinery was attacked with the Shamoon virus, allegedly by Iran in retaliation for the US-Israel Stuxnet attack. [...] https://en.wikipedia.org/wiki/Saudi_Aramco#Cyber_attack https://en.wikipedia.org/wiki/Shamoon
The Fed is the US Central Banking system, where the governors are appointed by the US government, on those rare occasions when the President and Congress can come to an agreement, and come from the nation's largest banks. A US inspector general report on a Federal Reserve audit raises more questions than it answers regarding the security risks facing one of the Fed's systems. <https://oig.federalreserve.gov/reports/board-star-security-control-review-summary-dec2015.htm> The Office of the Inspector General for the Board of Governors of the Federal Reserve System and Consumer Financial Protection Bureau recently issued an executive summary of the audit, which focuses on the Fed's Statistics and Reserve System, or STAR. It recommends the Fed strengthen information controls related to planning; security assessment and authorization; contingency planning; auditing; access control; risk assessment; and system and information integrity. STAR is a mainframe system developed in 1998 that supports the statistics and reserves functions at the Federal Reserve's Board and banks. The system collects and edits more than 75 periodic statistical reports that are received from financial institutions, according to OIG. In addition, the system manages financial institutions' reserve requirements and term deposits. The system, which is being modernized to a Web-based application, is deemed a moderate-risk system, meaning a breach could place the agency at a significant disadvantage or result in major damage, requiring extensive repairs to assets or resources. The IG says it did not publish the full audit, not even a redacted version, "given the sensitivity of information security review work." So we do not know for sure what problems were found; we can only speculate. IGs need to find a way to describe in all their audits more details on how to address IT security weaknesses while protecting sensitive information.
Massive economic info comes from the US Fed, which people want to be able to rely upon. Tons of things can go wrong if this data can be manipulated by hackers. http://www.govinfosecurity.com/blogs/federal-reserve-infosec-concerns-raised-p-2024 https://oig.federalreserve.gov/reports/board-star-security-control-review-summary-dec2015.htm http://www.federalreserve.gov/econresdata/default.htm
The US State of Oregon appears to be engaged in a failed conversion effort, with the department which helps Oregon citizens find new jobs and get unemployment compensation after losing old jobs. Here is the latest in a series of cyber security audits: http://sos.oregon.gov/audits/Documents/2015-31.pdf This audit focuses on two systems: the Oregon Benefit Information System (OBIS), which processes unemployment benefits, and the Oregon Automated Tax System (OATS), which deals with unemployment tax reports from employers. The Oregon Employment Department is converting from a 1990s mainframe system, where essential documentation was inadequately maintained, and there does not seem to be an effort to regenerate what's needed for better cyber security. They estimate it will take at least another decade to complete this conversion, at which point the old system will be at least 30 years old. There is work to be done which the old system allegedly cannot handle, or the staff does not know how to make it handle, so a lot of work is being done manually. There may be many people who used to work on that kind of system, qualified for what's needed, some of them part time, whom a state employment office is eminently qualified to locate & hire, but instead they say they have no current employees with the necessary know-how. They had an Oct 2014 breach <http://www.oregonlive.com/money/index.ssf/2014/10/security_breach_discovered_at_oregon_employment_department_investigation_into_scope_source_continues.html> involving over 800,000 citizens: names; addresses; SS#. The associated cyber security vulnerabilities have not yet been fixed. Allegedly either they cannot be fixed on their old system, or no-one knows how, or the state budget is too inadequate to resolve this. The articles do not identify what KIND of mainframe system.
http://portlandtribune.com/pt/9-news/287226-164243-brown-replaces-employment-department-director-after-critcal-audit http://www.oregonlive.com/politics/index.ssf/2016/01/kate_brown_replaces_head_of_em.html http://www.wweek.com/2015/12/31/audit-says-oregon-employment-department-computer-systems-should-be-replaced/ I do not understand how come 50 US states, with very similar responsibilities, have to have 50 different computer systems, managed independently. A close Oregon neighbor is Silicon Valley. Surely they can get professional help, if they want it. I do not even know if the Oregon system really is a mainframe system. I worked for 55+ years on systems which were NOT mainframes, but most everyone who works from a PC labels anything larger than a PC as a mainframe. After a while, I gave up on correcting people. I have written and modified tens of thousands of programs in my career. At every employer, any given program can be modified hundreds of times in its lifetime, thus designing software so that it is easy to modify and test has always been an important criterion for me. Apparently this is not a common standard. Blaming difficulty in modifying programs is the same as saying the place has had a lack of standards for normal software support. In my career I've done dozens of conversions across: OS versions; platforms; hardware; software; data base systems; how data is stored and accessed. A successful conversion should take no more than 2 years from start to finish. I've done a few that took only a few months. I have also been involved in conversions which got abandoned, thanks to inadequate resources, change in management personnel & their desires, and poor planning which I was not allowed to have a say about. There are generally two main stages:
* Preparation & training - we get the qualified people, tools, documentation, budget, schedule, all planned out, how the implementation and testing is to be conducted, and decide strategies such as how long to run in parallel, or which systems will be totally cut over. For a major conversion, this can take a year or more. A major goal is to figure out how to do the implementation in as short a time period as practical. Some tools may be purchased, some may need to be developed in house. Auditors should be consulted, to be sure the final design can meet their standards. When PII data is involved, tests will need a data base of bogus info, because a failed test can mean a breach of the data being tested.
* Actual implementation and testing should take no more than 6 months to a year, during which time part of the budget pays for the rank and file work force to get training in the new systems.
The State of Michigan had an IT audit, with poor results. But the Governor is taking them seriously. 80% of Michigan state gov is on Windows servers, which were not audited at this time. 20% of Michigan state gov is on 950 UNIX servers. (I believe UNIX was originally designed more for access than for security.) 63 of the 950 were selected by the MI Auditor General for a detailed audit. (Other states & local governments should also audit their cyber security.) Critical state operations are on 30 unsupported (obsolete) versions of UNIX. (30 / 63 up-to-date is better than what I have witnessed in my IT career.) 5 of the unsupported versions had been that way for over 10 years. 90% of the servers are not kept current with patches. If they get hacked, they don't have the controls to detect that. (Very unhealthy.) There was no segregation of duties to protect against insider misbehavior, like embezzlement, id theft, improper change management, etc. (This audit was obviously long overdue.) 84% of the servers had not had passwords changed in a timely fashion, with one not having been changed in nine years. (I have seen worse.) 47% of the tested servers had had no vulnerability scans in over a month. When that was done at the IG auditor's request, an average of 77 vulnerabilities was found on these servers, with 420 being the largest number. (But how serious were they, and was there any budget to avoid this?) Some servers had not been scanned in 2 years. $2.9 million had been spent on a security tool, not installed on all the servers for which this tool was paid for. http://www.freep.com/story/news/local/michigan/2015/12/17/report-rips-security-state-computer-systems/77409208/ http://audgen.michigan.gov/finalpdfs/15_16/r071056315.pdf State & local governments in the USA have been hurting due in part to reduced tax revenues from the Great Recession, followed by a tepid recovery, with more financial bubbles at risk of bursting.
But all along, funding leaders of private and public operations have typically treated IT as an expense to minimize, not insurance needing minimum protection standards, nor a tool to maximize worker productivity. Consequently there are periodic cyber security incidents.
* Florida inadvertently exposed PII on children in foster care and/or court cases, we learned Oct 2015.
* Georgia accidentally released PII on 6 million voters, we learned Nov 2015.
* Indiana had an inadequate budget for cyber security, so the DMV (Driver & Motor Vehicle licenses) got breached, and someone stole corporate taxes paid for Unemployment Compensation.
* Illinois' state employee payroll system got hacked, with id theft against almost all of them.
* Maine had to pay ransom April 2015 to recover data smashed by malware.
* Minnesota's password protection for the DMV was inadvertently removed via an Aug 2015 server update.
* Ohio had tax data on 50,000 taxpayers "lost" this month, January 2016.
* Oregon had a Dec 2015 breach of name, address, SS# & date of birth on almost 1,000 Veterans.
* Texas had a Nov 2015 breach that released thousands of SS#s.
* Virginia's GovWin system used 3rd party Deltek software, breached in 2014, yielding user names and passwords on 80,000 users, and credit card info on 25,000 users.
* Several states (I do not have a list) had Secretary of State registration of companies with HQ in that state hacked, to facilitate id theft against those companies.
* Many states have multiple incidents.
There are 50 US states, unless you accept the last Puerto Rico vote to become a US state as valid. (The US Senate does not.) About 17% of all cyber breaches are of government systems. http://datalossdb.org/statistics
[TNX to Dr. Deborah Peel <dpeelmd@patientprivacyrights.org>] http://thehealthcareblog.com/blog/2016/01/11/what-do-we-know-about-medical-errors-associated-with-electronic-medical-records/ The dangers of US electronic health systems are hidden and have never been systematically studied. There is no meaningful federal oversight or regulation of EHRs to protect the public. Health IT vendors voluntarily report flaws in their products. Yet healthcare is the largest sector of the economy. Is it unsafe at any speed? Quotes from Ross Koppel:
* "Considerably over 80% of the reported errors involve horrific patient harm: many deaths, strokes, missed and significantly delayed cancer diagnoses, massive hemorrhage, 10-fold overdoses, ignored or lost critical lab results, etc."
* "Central to this article's contribution is its data source and an understanding of the direction of causation of the findings: These errors came to light not because a healthcare provider noted an EHR-related problem, but because the patient was harmed, the provider was sued and there was an insurance payment."
The HITECH portion of the 2009 stimulus bill mandated national use of EHRs without prior clinical trials. EHRs were not comprehensively and thoroughly tested for effectiveness, safety, usability, reliability, accuracy, security, or privacy. Besides causing bodily harms and deaths, US EHRs destroy the right to health privacy: the data holders control all uses, disclosures and sales of personal health data, not patients. See: https://patientprivacyrights.org/2014/01/ims-health-files-ipo-legal/ We can't opt out of EHRs, nor is it easy to find physicians who don't use them. What if you don't have a physician-friend to stay with you 24/7 if you're hospitalized? http://www.patientprivacyrights.org/
Ars Technica reports that multiple organizations have uncovered a problem with Intel's Skylake series processors when running complex computational workloads. From the article: "Intel has identified an issue that potentially affects the 6th Gen Intel Core family of products. This issue only occurs under certain complex workload conditions, like those that may be encountered when running applications like Prime95. In those cases, the processor may hang or cause unpredictable system behaviour. Intel has developed a fix, and is working with hardware partners to distribute it via a BIOS update. No reason has been given as to why the bug occurs, but it's confirmed to affect both Linux and Windows-based systems. Prime95, which has historically been used to benchmark and stress-test computers, uses Fast Fourier Transforms to multiply extremely large numbers. A particular exponent size, 14,942,209, has been found to cause the system crashes." The complete Ars Technica article is at: http://arstechnica.com/gadgets/2016/01/intel-skylake-bug-causes-pcs-to-freeze-during-complex-workloads/
Matt McFarland, *The Washington Post*, 12 Jan 2016 via ACM TechNews; 13 Jan 2016 Google's fleet of automated vehicles, currently undergoing testing on roads in California and Texas, has had 13 near-misses in which a driver had to intervene to prevent a collision, according to a new Google report on the tests in California. The study estimated that on 272 occasions in the 14-month test period drivers commandeered the cars due to software failure, while in 69 other incidents the drivers opted to take control to ensure the vehicles operated safely. The report points to a general decline in technology malfunctions since the fall of 2014. "It seems to be a pretty good sign of progress," says Chris Urmson, director of Google's self-driving car project. However, Princeton University's Alain Kornhauser cautions that the cars' performance under easy or favorable road conditions can be deceiving. "It's informative, but it shouldn't be treated as a true measure of the vehicle's safety," says Carnegie Mellon University professor Aaron Steinfeld. The Google report cited the rate of disengagement, when the cars sense a system failure and ask the test driver to take over, as the most significant area of progress. Although this rate fell in early 2015, it increased late in the year, with Google attributing it to the more difficult conditions under which cars were being tested, such as heavy traffic and inclement weather. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e854x2dae4x065853&
https://blog.malwarebytes.org/fraud-scam/2016/01/clickjacking-campaign-plays-on-european-cookie-law/ "We've spotted an advertising campaign that tricks users into clicking on what looks like a notification alert that actually hides a legitimate advert, therefore abusing both the advertiser and the ad network hosting the ad (Google Ads Services). The rogue actors behind this fraudulent activity are cleverly leveraging a European law on the use of cookies to seemingly prompt visitors to answer a question." I've been saying all along that the EU cookie notification law was useless, nonsense, or worse. Well, here's proof of the worse.
On RISKS, we ironically ask "what could possibly go wrong?" when shown some new hare-brained technology. In the case of "smart" guns, I can't even get past "what could possibly go right?" I haven't performed an exhaustive search, but I can't recall a single instance in which a "smart" gun would have stopped *any* mass shooting instance, nor *any* police shooting of an unarmed suspect. "Smart" guns are an appeal to some God-like "AI" entity that can solve the "Trolley Problem" [0] in microseconds; Google is supposedly working on such technology for self-driving cars—but don't hold your breath waiting for a God-like solution to this Trolley problem any time soon. When it takes an entire legal system, including juries and prosecutors weighing tons of evidence to come to a Monday-morning legal conclusion, how in the world is some "smart gun" going to decide this in microseconds? All that having been said, I'm even more frightened by what can go wrong; in 2016, we're about to harvest the most amazing collection of "Internet of Things" security vulnerabilities that the world has ever seen. However, it's one thing if your Bluetooth pillow is hacked; quite another if your "smart gun" is hacked. [0] https://en.wikipedia.org/wiki/Trolley_problem Terry Collins, CNET, 4 Jan 2016 Obama orders feds to study smart gun technology http://www.cnet.com/news/obama-orders-feds-to-study-smart-gun-technology/
Cathy Farmer, University of Bristol News, 8 Jan 2016 via ACM TechNews; 13 Jan 2016 University of Bristol researchers conducted a brain-imaging study showing technological game-playing can involve brain activity that positively supports learning. The research is linked to a larger classroom study, which will include 10,000 secondary school students across Britain, and it could provide a new perspective on concerns that some children spend too much time playing computer games. The researchers will show how the gamification of learning can reduce the activity of a particular brain network that governs mind wandering. The researchers found when students tried to study by reading notes and looking at example questions, this Default Mode Network portion of the brain was strongly activated. However, when studying became a competitive game, the additional brain activity disappeared and learning increased. "This is evidence that computer games can be good for learning, if we are careful about how we design and develop them," says University of Bristol professor Paul Howard-Jones. As part of the study, 24 student volunteers experienced three types of study sessions while having their brains scanned. The brain-imaging experiment showed how the students concentrated and learned better when studying was part of a game. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e854x2daebx065853&
http://www.amazon.com/Ballot-Battles-History-Disputed-Elections/dp/0190235276/ref=sr_1_1?ie=UTF8 Here is what I said on my Blog, essentially what I said on Amazon: http://ctvoterscount.org/book-review-ballot-battles-by-edward-b-foley/ Book Review: Ballot Battles by Edward B. Foley By Luther Weeks <http://ctvoterscount.org/author/lgwadmin/>, 9 Jan 2016 <http://ctvoterscount.org/book-review-ballot-battles-by-edward-b-foley/> I have long been a fan of the papers and other writings of Edward B. Foley of the Moritz College of Law <http://moritzlaw.osu.edu/faculty/professor/edward-b-foley/>. He writes extensively on the issues associated with close elections, how they have been decided since the founding of the United States, and how the process might be improved. Last month his book on the subject, Ballot Battles: The History of Disputed Elections in the United States, was released. <http://www.amazon.com/Ballot-Battles-History-Disputed-Elections/dp/0190235276> To me, it was a highly fascinating read that kept my interest through every page. It should be required reading for anyone interested in Election Integrity. As I would define it, Ballot Battles is focused on one component of election integrity, i.e., how close elections have been decided in the U.S., rather than whether the vote counting itself was accurate. Foley's work is an important component of election integrity. Further along that vein we could say that Fair Elections go beyond Election Integrity to include fair voter eligibility, access to the polls, candidate access to the ballot, access to the press, campaign financing, etc. Ballot Battles follows close elections and the process for deciding the declared winner from 1781 through 2008. While the Presidential races of 1800, 1876, and 2000 are important, many other races for the U.S. Senate, U.S. House, and Governors are just as important to history and the challenges remaining today.
Reforms have been attempted after major controversies, yet as Foley shows they have been insufficient, including those after 2000. We remain vulnerable. As summarized at one point in Ballot Battles: "the 1960 presidential election must be viewed as a failure of American government to operate as a well-functioning democracy. That failure puts 1960 alongside 1876 - and, as we shall later consider, 2000 - in a disturbing series of instances in which the nation has lacked the institutional capacity to identify accurately the winner of the presidency." There is no easy solution. It would likely require a Constitutional Amendment. Ultimately, as Foley recommends, we should follow the successful models of bodies with equal numbers of partisans and a single respected non-partisan member. That is unlikely to always work, yet it has worked better than the system we are left with for adjudicating close Federal Elections. Ballot Battles thoroughly covers the adjudication process and the risks to which we are exposed. Those seeking information on fraud and error in elections will not find the details here. Likewise, those seeking agreement that the Supreme Court erred or acted responsibly in 2000 will find little agreement here, yet much to ponder, much to learn about the law, and the precedents applied to resolve election challenges.
The golden rule of privacy: Say what you do and do what you say. Violate that rule in the USA, and the gov may come after you, except where you are allowed to keep your business practices confidential. In the USA, medical privacy is governed by HIPAA regulations. <http://www.healthcareinfosecurity.com/hipaa-hitech-c-282> http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/ The US Federal Trade Commission (FTC) on Jan. 5 announced a $250,000 settlement with Henry Schein Practice Solutions, a New York-based provider of practice management software for dental practices, stemming from the company's false advertising about encryption capabilities. The company has been ordered to halt the misleading advertising, and to notify all prior customers of the truth. Schein had been marketing its Dentrix G5 software to dental practices around the USA for two years with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, ensured that practices using its software would protect patient data as required by HIPAA. Instead, however, the company was offering a less robust "data masking technique using cryptographic technology," the FTC says. <http://dentrix.com/products/dentrix> http://www.bankinfosecurity.com/ftc-fines-software-vendor-over-encryption-claims-a-8782 https://www.ftc.gov/system/files/documents/cases/160105scheincmpt.pdf
I haven't used TurboTax for years, but the last time I did I gave them a gmail address. The address had this form, using my actual first name, middle initial, and last name: firstname.i.lastname@gmail.com. In late March, 2014, I got email from TurboTax saying my tax return had been rejected by the IRS. Since I hadn't submitted one, I was concerned. To make a long story short, I eventually realized that the mail had been sent to firstnameilastname@gmail.com, not firstname.i.lastname@gmail.com. It appears that Google considered these to be the same address but TurboTax did not. Someone with my name, including middle initial, had entered that address into TurboTax. All subsequent mail from TurboTax came to me. I decided it was not fraud on his part, just bad luck. He soon fixed his tax return, because I got another email saying that it had been accepted. But later that year, I got a marketing email from TurboTax inviting me to use their services again, and while trying to see if I could resolve the underlying issue, wound up with a link to his tax return! So I called TurboTax again but never felt certain that they really understood. But I do think the other guy has taken care of the problem on his end since I'm no longer getting progress reports on his tax returns. Two morals: be careful how you enter your email address, and, uh, don't enter it in a gmail signup page. On the other hand, you could construct all sorts of variants of your gmail address and use those to track who's sharing your email address with whom. Steve B (name withheld to protect the unlucky)
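The mismatch in this story, as an added example that is not part of the original post: a Python canonicaliser that resolves addresses the way Gmail does (dots ignored, case ignored, a "+tag" suffix dropped, googlemail.com folded into gmail.com, which goes beyond the post's dot-only case), plus the collision check an account system could run over its stored addresses before two customers end up wired to one inbox. The sample account list is constructed; the names are placeholders.

```python
"""Canonicalise e-mail addresses the way Gmail resolves them, so an account
system can detect that two stored addresses reach the same mailbox.
Added example; the account list below is constructed, not real data."""
from collections import defaultdict

# Domains whose local part Gmail treats as dot-insensitive and case-insensitive.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a key for collision checks (never use it as a sending address).

    For every domain: trim whitespace and lowercase the domain.
    For Gmail only: lowercase the local part, drop a '+tag' suffix, remove
    dots, and fold googlemail.com into gmail.com.  Other domains keep the
    local part as typed, because their servers may treat it case-sensitively.
    """
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if not local or not domain:
        raise ValueError(f"empty local part or domain in {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses resolve to one inbox under the rules above."""
    return canonical_email(a) == canonical_email(b)


def find_collisions(addresses):
    """Group distinct stored addresses that map to the same canonical key.

    Returns {canonical_key: [original addresses...]} only for keys with two
    or more entries: the situation in the post, where two customers' records
    point at a single Gmail inbox.
    """
    groups = defaultdict(list)
    for addr in addresses:
        key = canonical_email(addr)
        if addr not in groups[key]:
            groups[key].append(addr)
    return {key: addrs for key, addrs in groups.items() if len(addrs) > 1}


# Constructed sample account list (placeholder names, not real users).
SAMPLE_ACCOUNTS = [
    "firstname.i.lastname@gmail.com",           # the poster's spelling
    "firstnameilastname@gmail.com",             # the other customer's spelling
    "Firstname.I.Lastname+tax@googlemail.com",  # same inbox again
    "first.name@example.com",                   # non-Gmail: dots are significant
    "firstname@example.com",
]

if __name__ == "__main__":
    for key, addrs in find_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {len(addrs)} stored variants -> {addrs}")
```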
http://recode.net/2016/01/05/twitter-considering-10000-character-limit-for-tweets/ Twitter is building a new feature that will allow users to tweet things longer than the traditional 140-character limit, and the company is targeting a launch date toward the end of Q1, according to multiple sources familiar with the company's plans. Twitter is currently considering a 10,000-character limit, according to these sources. Given their policy of allowing people and organizations you've never followed to contaminate your timeline with commercials and other irrelevant content, with no way for you to disable that pipeline, it's clear this is really all about permitting much vaster contamination of this sort to take place. In the Twitter environment, so deeply saturated with nasty trolls already, this will be a sea change of the worst possible sort. Not the beginning of the end for Twitter, but a major acceleration of the continuing process already leading rapidly toward their demise.
Many times URL query string parameters have been mistreated, making *me* look *bad*. It would be much better if the whole URL failed. * YouTube starting time parameters ignored by players, making grandma think I wanted her to watch the whole movie. * Multiple Google Static Maps API path parameters being thrown away when sharing via Facebook, making people think my map had only one path on it. And I just *bet* the zoom parameter in http://www.heywhatsthat.com/?view=QUPO7R8D&maptype=TERRAIN&zoom&hideprofiles=1 will one day fail, making it look like the noise complaint exhibit I used it for was about a much larger area!
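An added example (not from the original post) that round-trips a URL through a query-string parser and reports which parameters a lossy handling would drop: the post's own heywhatsthat URL with its bare zoom parameter (no "=" and no value), and a constructed two-path map URL standing in for the Static Maps case. The map URL and host are constructed placeholders, not a real API call.

```python
"""Round-trip a URL through a query-string parser and report which
parameters did not survive, reproducing the two failure modes in the post:
a value-less parameter (zoom) silently dropped, and repeated parameters
(path=...&path=...) collapsed to one.  Added example; MAP_URL is constructed."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# URL quoted in the post: note the bare 'zoom' with no '=' or value.
HWT_URL = ("http://www.heywhatsthat.com/?view=QUPO7R8D&maptype=TERRAIN"
           "&zoom&hideprofiles=1")

# Constructed stand-in for a two-path static-map URL (placeholder host).
MAP_URL = ("https://maps.example.com/staticmap?size=400x400"
           "&path=color:red|40.70,-74.00|40.80,-74.10"
           "&path=color:blue|40.70,-74.00|40.60,-73.90")


def query_pairs(url):
    """All (name, value) pairs in the query, keeping value-less names."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def rebuild_url(url, keep_blank=True, collapse_repeats=False):
    """Parse and re-emit the query the way a sharing service might.

    keep_blank=False mimics parsers that discard 'zoom' because it carries
    no value; collapse_repeats=True mimics code that stores parameters in a
    plain dict, so only the last 'path' survives.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=keep_blank)
    if collapse_repeats:
        pairs = list(dict(pairs).items())   # last value for each name wins
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def lost_parameters(original, rebuilt):
    """Pairs present in the original query but missing after the rebuild."""
    before = query_pairs(original)
    after = set(query_pairs(rebuilt))
    return [pair for pair in before if pair not in after]


def roundtrip_report(url):
    """Map each handling style to the parameters it would lose for this URL."""
    return {
        "strict": lost_parameters(url, rebuild_url(url)),
        "drops_blank": lost_parameters(url, rebuild_url(url, keep_blank=False)),
        "dict_collapse": lost_parameters(url, rebuild_url(url, collapse_repeats=True)),
    }


if __name__ == "__main__":
    for name, url in (("heywhatsthat", HWT_URL), ("static map", MAP_URL)):
        for style, lost in roundtrip_report(url).items():
            print(f"{name:12} {style:14} lost={lost}")
```

The "strict" style loses nothing for either URL, which is the behaviour the post is asking for; the other two reproduce the silent drops it complains about.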
FYI—A bad FICO score could kill your chances of getting a mortgage. A bad 'Beware' score could kill you, period. 'Another program, called Media Sonar, crawled social media looking for illicit activity.' 'But perhaps the most controversial and revealing technology is the threat-scoring software Beware. ... The searches return the names of residents and scans them against a range of publicly available data to generate a color-coded threat level for each person or address: green, yellow or red. Exactly how Beware calculates threat scores is something that its maker, Intrado, considers a trade secret, so it is unclear how much weight is given to a misdemeanor, felony or threatening comment on Facebook. However, the program flags issues and provides a report to the user.' 'Councilman Clinton J. Olivier, a libertarian-leaning Republican, said Beware was like something out of a dystopian science fiction novel and asked Dyer a simple question: "Could you run my threat level now?" Dyer agreed. The scan returned Olivier as a green, but *his home came back as a yellow,* possibly because of someone who previously lived at his address, a police official said.' '"[Beware] has failed right here with a council member as the example."' Justin Jouvenal, *The Washington Post*, 10 Jan 2016 The new way police are surveilling you: Calculating your threat 'score' https://www.washingtonpost.com/local/public-safety/the-new-way-police-are-surveilling-you-calculating-your-threat-score/2016/01/10/e42bccac-8e15-11e5-baf4-bdf37355da0c_story.html
FCC WiFi Router Kerfuffle Coincidence? : https://www.fcc.gov/news-events/blog/2015/11/12/clearing-air-wi-fi-software-updates-0 'Routers, for example, capture 'chatter' from smartphones, tablets and wearables' 'Wi-Fi devices capture a media access control (MAC) address from mobile devices, which are unique identifiers for each phone, laptop or tablet, which try to connect to the network.' 'London's City Airport also recently won £800,000 of funding to develop the tracking technology as part of its Internet of Things. The airport is using the technology to monitor servicing equipment as well as triangulate the location of passengers in the terminal.' Ryan O'Hare for MailOnline, 11 Jan 2016 Forget fingerprints, ROUTERS could soon help police solve crimes: Data collected by Wi-Fi devices can find and identify criminals www.dailymail.co.uk/sciencetech/article-3393878/Forget-fingerprints-ROUTERS-soon-help-police-solve-crimes-Data-collected-Wi-Fi-devices-identify-criminals.html * Wi-Fi devices such as routers could be used by police to access data * Information could place people at the scene at the time a crime took place * Devices such as routers log successful as well as failed attempts to log on * In addition, they can capture unique identifiers from mobile devices [...]
It's not Y2K, it's more amusing than serious, but there are lots of electronically-updatable variable-message signs around the U.S. that display the current jackpot level of the multi-state Powerball lottery, but now that it's hit $1.4 billion, most of the signs are stuck at $999 million. https://www.washingtonpost.com/news/post-nation/wp/2016/01/11/the-powerball-jackpot-is-so-big-it-doesnt-even-fit-on-lottery-billboards/
FYI—This is really insane! How long before this information gets hacked & posted online—a la "Ashley Madison" ? "This course is *mandatory*, and you must complete it by February 9, 2016. If you do not complete the training by this date you will receive a *registration hold* until the training is complete," Anthony Gockowski. Campus Reform http://www.campusreform.org/?IDq55 A mandatory online course at USC asks students to disclose the number of sexual encounters they have had. Many universities require students to complete a course on Title IX, but some students at USC are worried the online course they are required to take is too intrusive. [...]
Security of IoT [Internet of Things] "always listening" devices in the office + "Internet of Thing"

Do You Have a Security Policy for "IoT" Gadgetry in the Office?
http://www.securityweek.com/when-iot-comes-office

But on a serious note—how many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn't be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who's addressing all the other gadgetry?

= =

"Internet of Thing": [G+ IMAGE] - https://plus.google.com/+LaurenWeinstein/posts/desWQWgwFYG
According to Fortinet via Ars Technica:

"This issue was resolved and a patch was made available in July 2014 as part of Fortinet's commitment to ensuring the quality and integrity of our codebase. This was not a "backdoor" vulnerability issue but rather a management authentication issue. The issue was identified by our Product Security team as part of their regular review and testing efforts. After careful analysis and investigation, we were able to verify this issue was not due to any malicious activity by any party, internal or external. All versions of FortiOS from 5.0.8 and later as well as FortiOS 4.3.17 and later are not impacted by this issue."

However, the Ars Technica article also states:

"According to the exploit code, the undisclosed authentication works on versions 4.3 up to 5.0.7. If correct, the surreptitious access method was active in FortiOS versions current in the 2013 and 2014 time frame and possibly earlier, based on this rough release history. The weakness was eventually patched, but so far, researchers have been unable to locate a security advisory that disclosed the alternative authentication method or the hard-coded password. While one researcher told Ars the exploit no longer works in version 5.2.3, that release is still suspicious because it contained the same hard-coded string."

Why was such a hardcoded access mechanism included in the first place?

The complete Ars Technica article is at:
http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-password-raises-new-backdoor-eavesdropping-fears/

- Bob Gezelter, http://www.rlgsc.com
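For anyone with a fleet of these devices, the practical question raised by the two quotes above is which units fall inside the stated ranges. The following script is an added example for this digest item, not Fortinet's or Ars Technica's code; it encodes only the version boundaries the quoted text gives (4.3 up to 5.0.7 affected; 4.3.17 and later and 5.0.8 and later not impacted; 5.2.3 reported not exploitable but still carrying the hard-coded string, so flagged for review; anything before 4.3 treated as unknown). The hostnames and version strings in the sample inventory are constructed.

```python
"""Triage FortiOS version strings against the ranges quoted above.

Added example for this digest item, not Fortinet's or Ars Technica's code.
It encodes only what the quoted text states: the exploit works on 4.3 up to
5.0.7; 4.3.17 and later and 5.0.8 and later are not impacted; 5.2.3 is
reported not exploitable but still carries the hard-coded string, so it is
flagged for review rather than cleared; anything before 4.3 is "possibly
earlier", i.e. unknown. Device names in the sample inventory are constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn strings such as 'v5.0.7', '4.3' or '5.0.7,build3608' into a
    comparable (major, minor, patch) tuple; missing components become 0."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    nums: List[int] = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable version component {part!r} in {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    if len(nums) > 3:
        raise ValueError(f"too many components in {text!r}")
    return (nums[0], nums[1], nums[2])


def classify_fortios(text: str) -> str:
    """Return 'affected', 'fixed', 'review' or 'unknown' for one version string,
    using only the ranges stated in the vendor and Ars Technica quotes."""
    v = parse_version(text)
    if v < (4, 3, 0):
        return "unknown"          # article: "possibly earlier"; no vendor statement
    if v < (4, 3, 17):
        return "affected"         # 4.3.0 .. 4.3.16
    if v < (5, 0, 0):
        return "fixed"            # vendor: "4.3.17 and later" not impacted
    if v < (5, 0, 8):
        return "affected"         # 5.0.0 .. 5.0.7
    if v == (5, 2, 3):
        return "review"           # exploit reported not to work, string still present
    return "fixed"                # vendor: "5.0.8 and later" not impacted


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group device names by classification so the affected ones surface first."""
    groups: Dict[str, List[str]] = {"affected": [], "review": [], "unknown": [], "fixed": []}
    for device, version in inventory.items():
        groups[classify_fortios(version)].append(device)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "v5.0.7,build4457",
    "fw-edge-02": "5.0.8",
    "fw-branch-a": "4.3.16",
    "fw-branch-b": "4.3.17",
    "fw-lab": "5.2.3",
    "fw-legacy": "4.2.9",
}

if __name__ == "__main__":
    for group, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{group:9s} {', '.join(devices) or '-'}")
```

The "review" bucket exists because the article distinguishes "exploit no longer works" from "string no longer present"; a defender tracking the issue would want 5.2.3 listed separately rather than silently cleared.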
Wait, this is a "Privacy Convention" where you can't even get in without showing government-issued photo ID to government employed goons? Held at the "Constitution Center" where everyone is searched without cause before they are permitted to participate? Clearly some apparatchiks with doublethink minds are very busy at the Federal Trade Commission. I guess you won't see anybody there who actually has any personal principles about privacy, because the job of the guards is to keep such people OUT.

John

PS: Come super early, because (1) the useless suspicionless searches will be slow because the government doesn't care how much of your time they waste; and (2) even though they asked you to send in your information early to "pre-register", they just keep that info and use it for the government's interest—never for your interest. And you perhaps thought the FTC was more on the side of the individual citizen than other government agencies like, say, the TSA, DoJ, or the IRS? Ho, ho, ho.
I'd like to suggest some improvements to the translation of the conclusion of the original letter from the Dutch Government. Google Translate does a reasonable job but still gets some meanings completely wrong: "The government's role is to ensure the safety of the Netherlands and the offenses to detect." should be "The government's role is to ensure the safety of the Netherlands and to investigate criminal activities." and "In the international context, the Netherlands will pronounce these conclusion and the considerations." should be "The Netherlands will advocate this resolution and the underlying considerations in the international context." H.G.J. Kamp is Minister of Economic Affairs.
> FYI—Terrific analysis of the VW Dieselgate software:
> The computer software has two different modes, one of which is far more
> efficient in its use of the additive Adblue (urea); the less efficient
> model is selected only when running the standardized test.

The primary/initial culprit in the US is a different VW Diesel - one that does not use Adblue.
In RISKS 29.20, Gene Wirchenko described having relinquished an email address, and then getting it back 20 months later from the ISP. He and I corresponded, and I wrote: "But the real risk is that if someone other than you had recovered your email address, they could have used that access to get access to any accounts (e.g., e-commerce, bank) where you had forgotten to change your address on file. Since very few sites require anything other than access to the email account listed on initial account setup, reallocation of email addresses is a serious risk. I'm really surprised that any ISP would allow it, without clear evidence that you were in fact the same person." Gene clarified that he had proved to the ISP that he was in fact the same person (which is a relief to me!). And he agreed that the risk of account recovery given access to a legitimate email address is a real one, perhaps more serious than the risks he had identified in his message (mailbombing and leaking identifiable information). Of course this isn't a comprehensive list of risks from someone recovering a former email address - we've all experienced scammers using captured accounts for "help, I'm stuck overseas" scams, spear phishing attacks, etc.
> There are also risks here. What if it had been someone else who had gotten
> that E-mail address? 1) The person gets mailbombed. 2) There might be
> enough identifiable information to cause trouble in some cases.

No kidding. A year or so ago Yahoo freed up a bunch of long abandoned account names and it occurred to a lot of people that this could be a problem. It turned out that those particular Yahoo accounts hadn't been used for mail in a very long time, if ever, but it's still a problem.

So to slap a band-aid on it, the IETF published RFC 7293, which lets a sender add a mail header like this:

  Require-Recipient-Valid-Since: bob@examp1e.com; Sat, 1 Jun 2013 09:23:01 -0700

That tells the recipient system that if the recipient isn't the same person it was on that date, please don't deliver the mail. (There's also an SMTP extension, see the RFC for details.) This depends on the recipient system implementing it, but it's better than nothing.
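The two posts above describe the risk (a recycled address inherits password resets and other account mail) and the RFC 7293 header meant to blunt it. What the header requires of the receiving side is a small check against the mailbox's ownership history, shown here as an added example that is not from either post or from any real mail server. The ownership registry, the addresses and the message are constructed; a real MTA would look up when the current owner took over each mailbox in its account database.

```python
"""Receiver-side check for the Require-Recipient-Valid-Since header (RFC 7293)
mentioned in the two posts above.

Added example, not from the RISKS posts or from any real MTA. The ownership
registry and the message below are constructed; a real system would look up
the date the current owner took over each mailbox in its account database.
"""
from datetime import datetime, timezone
from email import message_from_string
from email.message import Message
from email.utils import parsedate_to_datetime
from typing import Dict, Tuple

RRVS = "Require-Recipient-Valid-Since"

# Constructed registry: mailbox -> when its *current* owner acquired it (UTC).
OWNER_SINCE: Dict[str, datetime] = {
    "bob@examp1e.com": datetime(2013, 1, 15, tzinfo=timezone.utc),   # same owner since early 2013
    "carol@examp1e.com": datetime(2015, 9, 1, tzinfo=timezone.utc),  # address re-issued in 2015
}


def parse_rrvs(value: str) -> Tuple[str, datetime]:
    """Split 'address; date-time' into (lower-cased address, aware datetime).
    Lower-casing the whole address is a simplification; strictly only the
    domain part is case-insensitive."""
    addr, sep, stamp = value.partition(";")
    if not sep or not stamp.strip():
        raise ValueError(f"malformed {RRVS} value: {value!r}")
    when = parsedate_to_datetime(stamp.strip())
    if when.tzinfo is None:            # a '-0000' zone parses as naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def rrvs_decision(msg: Message, recipient: str,
                  registry: Dict[str, datetime] = OWNER_SINCE) -> Tuple[str, str]:
    """Decide 'deliver' or 'reject' for one envelope recipient.

    The message is delivered when the mailbox has had the same owner since the
    sender's reference date; RFC 7293 has the receiver reject it otherwise
    (SMTP 550 with enhanced status 5.7.17, "Mailbox owner has changed")."""
    recipient = recipient.lower()
    for raw in msg.get_all(RRVS, []):
        addr, since = parse_rrvs(raw)
        if addr != recipient:
            continue                    # header concerns a different recipient
        owner_since = registry.get(recipient)
        if owner_since is None:
            return "deliver", "no ownership history recorded; RFC 7293 permits delivery"
        if owner_since <= since:
            return "deliver", f"same owner since {owner_since:%Y-%m-%d}"
        return "reject", (f"550 5.7.17 mailbox changed hands on {owner_since:%Y-%m-%d}, "
                          f"after the sender's reference date {since:%Y-%m-%d}")
    return "deliver", "no RRVS header for this recipient"


# Constructed message with one RRVS header per recipient the sender cares about.
SAMPLE_MESSAGE = """\
From: alice@examp1e.com
To: bob@examp1e.com, carol@examp1e.com, dave@examp1e.com
Require-Recipient-Valid-Since: bob@examp1e.com; Sat, 1 Jun 2013 09:23:01 -0700
Require-Recipient-Valid-Since: carol@examp1e.com; Sat, 1 Jun 2013 09:23:01 -0700
Subject: your account

Reminder about your account.
"""


def decide_sample() -> Dict[str, str]:
    """Run the check for every sample recipient; returns recipient -> action."""
    msg = message_from_string(SAMPLE_MESSAGE)
    return {rcpt: rrvs_decision(msg, rcpt)[0]
            for rcpt in ("bob@examp1e.com", "carol@examp1e.com", "dave@examp1e.com")}


if __name__ == "__main__":
    parsed = message_from_string(SAMPLE_MESSAGE)
    for rcpt in ("bob@examp1e.com", "carol@examp1e.com", "dave@examp1e.com"):
        action, reason = rrvs_decision(parsed, rcpt)
        print(f"{rcpt:20s} {action:8s} {reason}")
```

Bob's mailbox has had one owner since January 2013, before the sender's June 2013 reference date, so his copy is delivered; Carol's address was re-issued in 2015, so her copy is rejected; Dave has no header and is delivered as usual. As the post says, none of this helps unless the receiving system actually keeps the ownership history and implements the check.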
> Facial Recognition is unregulated.
> Companies may do anything they please with your picture.

Prof. Peter Bernard Ladkin points out that this is not true in Europe. Sorry. I am in the USA, summarizing what was in a USA publication. Pages 40-45 of the Feb 2016 issue of Consumer Reports magazine. It includes US privacy advocates attempting to reform this system, corporate interests not complying, a lack of meaningful US regulations, implied consent, with zero explicit warnings. It gives examples of how Facial Recognition has allegedly been used in several international venues, including: cruise ships; Germany; Latin America; Singapore; South Korea; Spain; UK; USA. Be warned Europeans, if you visit the USA. You won't have privacy rights you are accustomed to.