Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Matt Green and colleagues at Johns Hopkins University found a nasty bug that allowed iMessage to be seriously compromised. They discovered the flaw several months ago, but it was not fixed until now. Today's article by Ellen Nakashima in *The Washington Post* summarizes the situation and its broader implications. https://www.washingtonpost.com/world/national-security/johns-hopkins-researchers-discovered-encryption-flaw-in-apples-imessage/2016/03/20/a323f9a0-eca7-11e5-a6f3-21ccdbc5f74e_story.html
http://www.bloomberg.com/news/articles/2016-03-16/printer-error-set-off-bangladesh-race-to-halt-illicit-transfers
http://www.bloomberg.com/news/articles/2016-03-18/hackers-stalked-bangladesh-bank-for-two-weeks-before-big-heist
The 'Aadhaar' bill has passed in the Indian parliament without any privacy measures recommended by the parliamentary opposition. As Jean Drèze pointed out, Jean Drèze, *The Hindu*, 15 Mar 2016 The Aadhaar coup http://www.thehindu.com/opinion/lead/jean-dreze-on-aadhaar-mass-surveillance-data-collection/article8352912.ece The Aadhaar Bill opens the door to mass surveillance. This danger needs to be seen in the light of recent attacks on the right to dissent. No other country, and certainly no democratic country, has ever held its own citizens hostage to such a powerful infrastructure of surveillance. Even before the bill passed, Indian companies were advertising products relying on their access to the identity database, which includes biometric information. Usha Ramanathan, *Scroll.in*, 15 Mar 2016, The future is here: A private company claims it can use Aadhaar to profile people http://scroll.in/article/805201/the-future-is-here-a-private-company-claims-to-have-access-to-your-aadhaar-data
http://www.nytimes.com/2016/03/20/world/europe/a-view-of-isiss-evolution-in-new-details-of-paris-attacks.html A 55-page French report details how the attackers used disciplined communications, identified soft targets and perfected bomb-making techniques after two years of failures.
911 is the phone number for emergency services in the US and Canada, but because of fears that someone might not be able to "find the 11 key", it is sometimes spelled 9-1-1. (Apparently there is no concern for people who might not be able to find the hyphen key.) Last night in Toronto the father of a 3-month-old baby stepped out of his car and left the engine running, and the car was stolen with the child inside. In due course the police issued an AMBER Alert, which included an automated announcement broadcast on radio stations, and the baby was found safe, asleep in the abandoned car. Now I never listen to radio if I can avoid it, but my wife told me about this this morning: the AMBER announcement on the radio was not recorded, but voice-synthesized. And in the part where it said to call the police if you had information, it gave the number to call as "September 1, 2001". (But if it had been entered as 911, would the synthesized speech have pronounced it "nine hundred eleven"?)
http://www.nytimes.com/2016/03/20/opinion/sunday/how-a-fitbit-may-make-you-a-bit-fit.html Millions now have fitness-tracking devices. But are they any use?
It lacks only one feature—automatically sending notifications to your medical and car insurance companies and your employer. https://www.technologyreview.com/s/601051/machine-learning-algorithm-identifies-tweets-sent-under-the-influence-of-alcohol/
Most new forms of crime start small, experiment with approaches, to become polished, then grow into many areas. This one has been around for a few years, and now is growing. Crooks easily learn how they can pretend to be the top boss of some outfit, as that is usually public info, then they fake out various departments to send them the company's crown jewels . lots of money, and lots of employee PIII, for more stealing. It is called the CEO scam, because it works when the top boss has not authorized sufficient security training for the work force to be able to resist this form of phishing. In addition to a lack of good training, and testing to verify the training "took," companies can be more vulnerable to this if the top boss is not approachable, to ask for verification of strange instructions, or if corporate culture means it does not seem unusual for something confidential going on, which they want you to handle. https://www.riskbasedsecurity.com/2016/03/hr-departments-gone-phishing/ Within a week, another dozen outfits had been identified, which had fallen victim to similar spoofing, exploiting workers whose employers have not provided adequate security training. Some of them have additional departments with data these crooks might want, such as Customer PII, Student PII, Patient PII. If the crooks were more skilled, they should have gone after all of this at one time, because some of these targets may learn from one breach how to prevent more. As of 10 weeks into 2016, this RISK BASED SECURITY outfit has found there have already been over 535 data breaches disclosed and more than 175 million records compromised. https://www.riskbasedsecurity.com/2016/03/hr-departments-part-2-still-out-phishing/ KREBS ON SECURITY reminds us that when companies fall victim to this corporate phishing, their cyber security insurance policy is no help, because this is not considered to be a breach of the computer systems, rather it is a breach of human behavior policies. http://krebsonsecurity.com/tag/ceo-fraud/ CEO Scam falls within a larger category of phishing known as business e-mail compromise (BEC). In France, it is called "fraude au president," or "fake President fraud" http://www2.deloitte.com/lu/en/pages/about-deloitte/articles/fake-presidents.html It can come in many forms. 1. Someone poses as a boss of a company instructing staff to make a wire transfer into the fraudster's account 2. Fraudsters pose as the IT services department of a bank saying they want to make a test transfer - but it's not a test 3. Fraudsters claim to be a supplier and ask for outstanding invoices to be paid into a new bank account 4. Employees click on links within phishing emails containing malware which authorizes many small payments to the fraudster's account Over a year ago, the FBI said that US businesses had lost about $ 750 million and counting, thanks to this form of fraud, with the total being about $2 billion worldwide. https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise http://krebsonsecurity.com/2015/08/fbi-1-2b-lost-to-business-email-scams/ http://www.bbc.com/news/business-35250678 Many corporate leaders do not believe in good security, because they believe their companies do not have much worth stealing. Well, if they have employees, customers, money in banks, assets of any kind, those are targets for future fraud. Crooks steal payroll data, and company bank accounts, by pretending to be the top boss of company with a special request. Now they steal from banks by pretending to be the Central Bank, of a nation. What next? From which government agencies, are we most likely to jump, rather than questioning their credentials, when they issue us commands? http://www.bankinfosecurity.com/russian-banks-targeted-by-fake-security-alerts-a-8975
Investigators, into the Ukraine Electric Grid attack, have issued reports answering some questions with technical details, where many earlier articles had only speculation and assumptions on how perhaps it could have happened. http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukrainian-power-outage-us-report-concludes/ The Ukraine government continues to blame Russia, not yet proven. Clues to the attackers are a choice of attacks seemingly to highlight apparent incompetence, and who has obvious motivation. But attribution is secondary to what happened, and what steps are needed to prevent that ever happening again. https://swannysec.net/ http://www.robertmlee.org/the-problems-with-seeking-and-avoiding-true-attribution-to-cyber-attacks/ * Attackers used stolen user credentials to remotely access and manipulate the industrial control systems (ICS) and shut down power for some 225,000 Ukrainian power customers on Dec. 23, 2015. There were similar attacks on other companies, with less devastation. * Like many targeted attacks, the Ukraine power grid attack began with spearphishing email containing a malware-rigged attachment. In this case, Word Documents and Excel spreadsheets that when opened by users in the companies' business network, dropped BlackEnergy3 malware that lurked around and stole legitimate user credentials. * Firewalls separated the Business Networks from the Power Control System. But the attackers used stolen Virtual Private Network (VPN) credentials to reach the industrial control systems (ICS) network, and remote access tools to control the HMIs and pull the breakers. VPN connections between the Ukraine power companies' ICS and enterprise networks did not appear to use two-factor authentication. At my day job we had VPN credentials not stored anywhere unencrypted on our systems, so they could not be easily stolen by normal intruders. * There were related attacks: installing their custom firmware on substations; disconnecting Uninterruptible Power Systems (UPS) to delay restart (using a remote interface); destroying evidence of what they had done; and denial-of-service attack on the power companies' telephone systems. The customized firmware meant that even if HQ personnel had regained remote access to the Supervisory Control and Data Acquisition (SCADA) systems, power could not be restored, except by visiting in person. * The firewall allowed the adversary to remote admin out of the environment utilizing a remote access capability native to the systems. * The Ukraine power grid attackers hid in plain sight for six months, gradually gathering enough intelligence and knowledge to figure out how to access and manipulate the HMI and turn out the lights. Had the power companies been running network security monitoring tools, they could have spotted that activity. Also, if National Security in Europe, has surveillance up to NSA standards, they probably could back trace whether the hacking came from Russian government, or private entities. If so, they probably won't make that public info. SANS <https://ics.sans.org/blog/2016/02/25/thoughts-on-the-ics-cert-ukraine-cyber-attack-report/> , in conjunction with the North American Reliability Corporation (NERC <http://www.nerc.com/AboutNERC/Pages/default.aspx> )'s E-ISAC <http://www.nerc.com/pa/CI/ESISAC/Pages/default.aspx> , published an in-depth postmortem analysis by SANS ICS experts of the attack <http://www.darkreading.com/threat-intelligence/more-signs-point-to-cyberattack-behind-ukraine-power-outage/d/d-id/1323927> , based on details revealed by ICS-CERT <https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01> late last month as well as other public information. I could not find link to the actual report on E-ISAC nor SANS. http://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743?_mc=RSS_DR_EDT http://www.tripwire.com/state-of-security/latest-security-news/u-s-ics-cert-confirms-cyber-intrusions-behind-ukraine-power-outages/ Several cyber security companies have issued info clarifying what is known so far about the attack on the Ukrainian Electric Grid, and challenges for getting all desired answers. http://www.archerenergysolutions.com/lights-out-researcher-says-he-knows-how-cyber-invaders-attacked-ukraine-power-companies/ http://www.antiy.net/p/comprehensive-analysis-report-on-ukraine-power-system-attacks/ Questions I would like to see answered: * How often are critical infrastructures supposed to have security audits? * If & when a place gets a poor result from an audit, are government regulators, customers, and investors kept informed? * Some of the attack was witnessed by an operator, who realized he no longer had control of the computer in front of him. What are we supposed to do when that happens? Disconnect our terminal? Power down the computer network? Notify what authority? * Is it true that some US electric grid facilities have weaker defenses than in the Ukraine? * What other nations have similar vulnerabilities? * Are electric companies, around the world, learning from what happened in the Ukraine, like our nuclear industry learned from Fukushima? http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/ http://www.nytimes.com/2016/03/01/us/politics/utilities-cautioned-about-potential-for-a-cyberattack-after-ukraines.html http://www.bbc.com/news/technology-35686493 https://www.lawfareblog.com/hot-commodities-what-comes-down—this link reviews many topics in the news—scroll about 1/3 down to Denial of Service. http://www.worldfinance.com/markets/our-critical-infrastructure-could-be-the-next-target-for-cyber-attackers
American Express notice of 3rd-party data breach, via a not yet named service provider, used by some retailers. American Express owned and controlled systems were not affected. It is still uncertain what all has happened. Data, associated with current or previously issued American Express cards, may have been hacked, including account numbers, names, and expiration dates. http://securityaffairs.co/wordpress/45387/cyber-crime/american-express-data-breach-notice.html http://www.infosecurity-magazine.com/news/amex-investigates-possible-data/ Previous AmEx breaches occurred on 18 Oct and 21 Dec 2014, and on 22 Mar 2015, according to notifications on the California AG. <http://oag.ca.gov/system/files/CA%20AG%20Online%20Submission%20-%20Customer%20Letter_C2015080150_0.pdf?> <http://oag.ca.gov/system/files/C2015020361%20CA%20AG%20-%20Customer%20Letter_0.pdf?> <http://oag.ca.gov/system/files/CA%20AG%20-%20Customer%20Letter%20-%20C2015060341_0.pdf?> <https://oag.ca.gov/ecrime/databreach/list> website. Account numbers, names and other card information such as the expiration dates were believed to have been exposed in all of the breaches while four-digit security codes printed on the front of the cards were compromised as well in the Dec 2014 and March 2015 incidents. http://www.scmagazine.com/a-trio-of-breaches-hit-amex-travel-related-services-company/article/464686/ Comments on this next article, about the 3rd-party breach, debate whether CHIP & PIN is a security improvement for the USA. In my opinion, a major weak link is at the retailer. Many, in my area, do not ask for a signature on check out, if the purchase is below some $ amount. When I asked why, at one store, the cashier showed that I had already signed the back of the card. That shows to them that they have my signature & that's the only proof needed, much simpler than applying our signature with every purchase, she said. I complained about this policy at my bank which issued the credit card . if a card is stolen, and has been signed on the back by the correct owner, then this policy does not stop account fraud. The bank informed me that it is totally up to the retailer what kinds of security policies they will have. So long as we have a credit card, stores with policies like this can accept usage by crooks, so we need to be vigilant about checking our statements, and keeping track of our plastic. I have no idea how many retailers behave like this. Does anyone sell a pocket sized faraday cage to hold our plastic, without wiping it, or shocking us? That way, no one can read the plastic until we actually take it out to make a purchase. https://threatpost.com/american-express-notifies-cardholders-of-third-party-breach/116817/
FBI director Comey - "Before these devices came around, there was no closet, basement or drawer in America that could not be entered with a judge's order." Mr. Comey does not know enough about PGP. I have many PGP encrypted files, and if I die tomorrow, the clear text content of those files will be permanently lost, and no order from a judge will change that.
It took the resultant furore to get the problem fixed—the skipper resorted to that tactic because previous complaints had just been ignored. From what I recall, it was either the depth-tracking gear didn't work, or more likely the impact fuzes were at fault.
> US defendants have a right to face their accusers, which includes how the > evidence was obtained, so when the government's evidence was obtained by > new technologies they want to keep secret, they have a choice: > ... [4 suggested options] There is at least one more option available to them: that of parallel construction ( https://en.m.wikipedia.org/wiki/Parallel_construction ). Parallel construction is a method used by law enforcement agencies wishing to hide their own unlawful activities when it comes to evidence gathering. Once illegally obtained evidence points to a crime, the agency works backward to create an alternate path that will be acceptable to courts, without risking exposure of the techniques or technologies involved in their unlawful primary investigation.
> https://www.youtube.com/watch?v=zsjZ2r9Ygzw There's a RISK in assuming the whole world sees things on the Internet the same way. Visitors from UK IP addresses visiting that link are told: "The uploader has not made this video available in your country. Sorry about that."
Please report problems with the web pages to the maintainer