https://www.aei.org/publication/gen-michael-hayden-on-apple-the-fbi-and-data-encryption/

[Thanks to Marty Hellman for extracting a few pithy comments from former DIRNSA Michael Hayden's video interview about the FBI-Apple legal fight.]

(0:20) Interviewer: You, one of the great national security leaders of our country, have sort of backed Apple. What's happening here?

(0:40) Hayden: I just look at this in the security line, and frankly, given the variety of threats that America faces, one needs to be careful that, in dealing with this threat over here (points to right), we don't make it more difficult to deal with that threat over here (points to left).

(1:26) Jim Clapper, the Director of National Intelligence, has said in his worldwide threat briefing for the last two or three years that the number one threat facing America is the cyber threat.

(1:40) I think the government has the right to demand this. I just don't know that it's a wise thing for the government to demand it. My judgment is that we're probably better served by not punching any holes into a strong encryption system, even well guarded holes.

(2:07) [Interviewer says that if he has an alarm on his home and the government gets a warrant, he needs to turn the alarm off and let them in.] The tech companies are building technology that will blow up my home if you try and come in.

(2:32) Hayden replies: Actually, in this case, you're asking the tech companies to build a key that opens 320 million houses. That's really the deal.

(3:00) This key isn't just to my house. This key opens everybody's house.

(3:26) You play this out two or three moves down the board, we could have a really bad outcome. What if you compel US companies to do this and we drive the highest end encryption on the planet offshore? If you look, Apple has actually been cooperative in all of the other things with regard to the phone. All of what I call the digital exhaust that these folks have been putting out. That was available to Apple and they shared it with the government. It was available to them [the government] because they [the terrorists] used an Apple product. They were in the Apple system. Now, if we make Apple do this and offshore companies don't, we will drive the international market to the offshore companies. And we will now not only not get content, we won't get digital exhaust either.

(4:16) Mike McConnell, one of my predecessors at NSA, [tried to get the Clipper chip baked into the silicon as a back door]. The Clinton administration would have none of it. And Mike then tells the tale: Thus began the greatest fifteen years in the history of electronic surveillance, because everyone going to digital devices created this ocean of data, much of it meta as opposed to content. But with metadata you can do an awful lot. To specifically answer your question, under any circumstances we're going to get less content, [but] it doesn't mean we're going to get less intelligence.
Apple via NNSquad https://apple.slashdot.org/story/16/03/23/2312208/apple-worries-that-spy-technology-has-been-secretly-added-to-the-computer-servers-it-buys According to Business Insider, "[Apple] worries that some of the equipment and cloud services it buys has been compromised by vendors who have agreed to put "back door" technology for government spying, according to a report from The Information's Amir Efrati and Steve Nellis." With many of its cloud-based services like iTunes, the App Store, and iCloud requiring enormous data centers to operate, Apple hasn't been able to build all the data centers it needs, and has instead been using services from its rivals, namely Amazon Web Services and Microsoft. Google recently landed Apple as a customer for the Google Cloud Platform. "Meanwhile, [Apple] has embarked on yet another attempt to build more of its own data centers to handle all of that, called Project McQueen, reports Jordan Novet at VentureBeat, and the project is having a rough go of it, reports The Information." Apple suspects that backdoors have been added to many of the servers it has been ordering from others. "At one point, the company even had people taking photographs of the motherboards in the computer servers it was using, then marking down exactly what each chip was, to make sure everything was fully understood."
FT via NNSquad Google handed EUR100,000 fine by French data regulator http://www.ft.com/intl/cms/s/0%2Fa0cd2e94-f1e6-11e5-aff5-19b4e253664a.html#axzz43qrXvFNW On Thursday, the Commission nationale de l'informatique et des libertés (CNIL) said this solution did not go far enough, because it "does not give people effective, full protection of their right to be delisted". The watchdog said that for Google to comply with the European court's ruling, links must be fully removed from all versions of its search engine and for all users. Google's supporters claim that giving in to Europe would usher in a new form of censorship. Drawing on the precedent, they say, repressive countries would be able to insist that Google remove links from all its search engines to information they are trying to suppress, extending national censorship regimes around the world. France wants to censor search results GLOBALLY—not just for users in France but for everyone on the planet. And if France gets its way, EVERY COUNTRY ON THE PLANET will demand the right to remove search results they don't like. Imagine what Putin, Chinese leaders, and other tyrants will do with such power. I've been predicting this slippery slope all along. IT MUST BE STOPPED.
http://wtop.com/money/2016/03/hard-times-cafe-in-rockville-hit-with-ransomware/ A restaurant in Rockville MD (just outside Washington DC) has been shut down for several days because of ransomware in the point of sale devices (cash registers / ordering) and back office systems. Co-owner Howard: “The FBI tells us they can't keep up with ransomware cases. The advice is either pay the ransom or shut down your entire systems and rebuild from scratch. And that's what we're doing.” It's not clear to me why they can't just wipe the point of sale devices and restore them to some predefined configuration (assuming they have backups, of course!), but the back office systems are obviously a bigger issue.
Insurance companies do not pay out claims when the victim had no security, such as leaving a building or car unlocked. British Metropolitan Police Commissioner Sir Bernard Hogan-Howe has suggested that similar rules should apply to victims of on-line crime who do not take minimum cyber security precautions. http://www.ibtimes.co.uk/victims-online-fraud-should-not-be-refunded-by-uk-banks-says-met-police-chief-1551416 I wonder how well the commissioner has been briefed on the methods of attack. There are constantly new criminal schemes being dreamed up to exploit vulnerabilities, some of which were installed by NSA and GCHQ for their surveillance purposes, while refusing to believe that anyone but them could use such vulnerabilities. Thus a person can have a good firewall, anti-virus, anti-spam, other security, patched regularly, and still be victimized. In the USA, consumer victims of theft from bank accounts who report thefts promptly are limited in their losses, but business accounts have no such protection. There have been lawsuits proving that banks violated their contracts, but judges ruled in the bank's favor when the bank showed that it had industry standard cyber security, which is a very low threshold. There are social engineering frauds, delivered by e-mail and phone calls, leading company personnel to deliver large funds and significant assets to crooks, where cyber insurance won't pay off, as this is not a computer breach but a breach of human practices. There are millions of new victims of ID theft every year, whose financial lives are ruined. The state of the art of computer crimes policing is such that it is rare that any victim learns what breach or breaches led to them becoming a victim. They are not compensated by anyone for this, unless they were wise enough to have had ID theft insurance before they became victimized. There don't seem to be any standards for ID theft insurance.
Mainstream news media needs to deliver reviews of the quality of what's out there, and the importance of having it, since this is a fast growing crime.
http://qz.com/647064/americas-obsession-with-social-media-is-undermining-the-democratic-process/ In an increasingly saturated online media landscape, the influence of social media may have outlived its usefulness. Voters today are embracing presidential candidates who appeal to their specific passions and ideals without attempting to consider, or even listen to, opposing views. This is perhaps unsurprising, given data about the effect of political polarization and media habits from the Pew Research Center. The 2014 survey found that voters who consistently call themselves conservative or liberal only trust news sources that align with their ideological views. "Our data shows that one of the things that has developed alongside the proliferation of news sources and social media platforms is that the political environment is also becoming more divided rather than more cohesive," Amy Mitchell, Pew's director of journalism research, tells Quartz. Also see: "Search Personalization: Blessing and Trap?" - http://lauren.vortex.com/archive/000757.html (Sept. 2010).
More than half of teachers aware of sexting incidents with most cases involving pupils aged 13 to 16, according to NASUWT. http://www.theguardian.com/society/2016/mar/25/children-young-seven-caught-sexting-school-study-reveals
http://www.nytimes.com/2016/03/24/technology/the-uber-model-it-turns-out-doesnt-translate.html The ride-hailing service is a giant, but companies that aim to get stuff done on demand for customers, like food delivery, grocery shopping and parking, are faltering.
Serdar Yegulalp, InfoWorld, 23 Mar 2016 When a developer 'unpublished' his work from the NPM JavaScript package registry, it broke dependencies for many other projects—and highlighted the fragility of the open source ecosystem. http://www.infoworld.com/article/3047177/javascript/how-one-yanked-javascript-package-wreaked-havoc.html
A person, identified as a cyberinvestigator into the Bangladesh bank heist, gave the media a progress report, then was apparently kidnapped. Why would any investigator talk to the media? Don't organizations have official PR spokespersons? He was traveling home with a friend when both were stopped by plainclothes individuals, who placed them in custody and blindfolded them; later the friend was released. The friend has no idea as to the true identity of the individuals. Are Bangladesh police supposed to show ID when arresting people, or is this a nation with a secret police? Because the police did not appear to be cooperating with the family in investigating the apparent kidnapping, they suspected that he was in secret police custody. What kind of country is this, when government officials are unable to determine if a person is in the custody of the police or not? Another mystery is who he was working for, as one possibility said he was not working for them. It sounds like he now needs medical attention, due to abuse while in the custody of the abductors. Hopefully he gets the needed medical care, and then is able to cooperate with the other investigators.
http://www.ibtimes.co.uk/bangladesh-bank-heist-cybersecurity-researcher-found-alive-week-after-abduction-1551294
http://en.prothom-alo.com/bangladesh/news/98327/Tanvir-might-have-been-arrested-says-home
http://bdnews24.com/bangladesh/2016/03/14/ict-division-denies-any-link-with-tanvir-hassan-zoha
http://www.manilatimes.net/bangladesh-it-expert-missing-after-bank-heist-remarks/251279/
https://www.youtube.com/watch?v=8-PW8ptDypo (interview with the guy, not in English)
https://en.wikipedia.org/wiki/Tanvir_Hassan_Zoha
https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist
Engadget via NNSquad http://www.engadget.com/2016/03/24/verizon-enterprise-solutions-hack/ Verizon suffered a data breach, according to KrebsOnSecurity, but you can breathe easy if you're just one of the carrier's subscribers. What the hacker infiltrated was Verizon Enterprise Solutions, a division that provides services to clients from the business and government sectors. Coincidentally, it's also the task force of sorts Fortune 500 companies call in when their systems get infiltrated. Brian Krebs says a well-known member of a cybercrime forum recently posted a thread selling info on 1.5 million enterprise customers for $100,000. He also offered to share the vulnerabilities he found on Verizon's website for a price.
This article talks about some of the risks of losing critical technology for longer than expected. http://www.theatlantic.com/technology/archive/2016/03/ham-radio-disaster-preparedness/473598/
https://www.washingtonpost.com/news/the-fix/wp/2016/03/22/utah-republicans-are-holding-a-first-ever-online-primary-and-its-not-going-so-well/?hpid=hp_hp-top-table-low_primaries-1105pm%3Ahomepage%2Fstory
http://www.macworld.com/article/3047542/ios/forensics-expert-says-fbi-to-use-nand-mirroring-to-crack-terrorists-iphone.html
Each year, several outfits involved in breach investigations come out with reports on trends in trouble making, and the state of the art of places needing to defend themselves. Verizon's Data Breach Investigations Report (DBIR) for 2015 is out: http://www.verizonenterprise.com/DBIR/2015/20

Here you can get the full report (3.2 MB, 70 pages), executive summary, statistics, latest lessons. There's registration, but you can bypass that and download without it.

A statistic I don't see here (maybe it is there; I have only skimmed the download so far): We know there are 500+ vulnerabilities. The outfits whose hardware, software, and apps needed patches for those problems, do they know:
1. # of downloads of their service which needed later patching.
2. # of downloads of the patches.
3. From there, get an idea of what % of their customer base is probably unpatched.
It would not be wise to make this public on a per-vulnerability basis, since that would help the criminals, but it might be useful to know the big picture of the need to remind end users about the importance of staying current on security patches. Similarly there is the issue of legacy and no longer supported products with exploitable vulnerabilities.

Some high points of the 2015 DBIR report by Verizon:
* The report is not mere statistics and trends, but what Verizon calls *before and beyond* the breaches: techniques being used to fight this cyber crime wave, how effective they are, and what guidance can be derived from this analysis.
* Contributions from 70 organizations around the world.
* Knujon (no junk backwards) has shown that a small number of domain registrars enable over 90% of phishing and other anonymous cyber crimes. I do not see them in the Appendix C list of organizations whose security intelligence was used in this report. I hope that's fixed in future years, since both this report and Knujon's investigations have pieces of a puzzle which I think ought to be correlated. Verizon focuses on how people can better protect themselves from cyber crime, while Knujon is more focused on identifying patterns of how digital criminals are enabled, so that if the authorities were really interested in stamping out cyber crime, this research could contribute to a dramatic rise in the volume of cyber criminals put out of business. Possibly this dimension is off topic for the Verizon DBIR's evaluation of what techniques are effective in cyber crime fighting, and where there is room for improvement.
* $400 million is the estimated financial loss from 700 million compromised records. Larger organizations have more records, and a higher cost per record.
* 78,790 security incidents, 2,122 confirmed data breaches, in 61 nations.
* No industry is immune from security failures. There are many different threats, and Verizon evaluates them by industry.
* They show trends for 2015, and compare to prior years to see what, if anything, has changed or evolved, graphing some trends over several years.
* RAM scraping has grown.
* 99.99% of the vulnerabilities were exploited more than a year after they became known. Overwhelmingly, patches had been available before the breach occurred, and had not been implemented by the breached organization. This is not a new statistic, just a confirmation that organizations are not staying current with security patches. Just because a vulnerability is old does not mean it will not continue to be exploited. However, the newer discovered vulnerabilities are often exploited within a month of discovery. There are hundreds of vulnerabilities out there. My takeaway is that we need to continue having good backups, and stay current with security patches, the backups in case of the occasional flawed patch.
* In 60% of the cases, attackers are able to compromise an organization within minutes. There's a graph (figure 5) showing how long it takes before attacks are detected, indicating that there is a growing deficit between attackers and defenders: the share of attackers getting in undetected is rising, relative to attackers getting discovered. However, detection times are getting better with skimmers, shifting from months and weeks to hours and days.
* In 70% of the cases where they figure out the motive for the attack, there is a secondary victim.
* 75% of attacks spread from victim 0 to victim 1 within 1 day (24 hours). Over 40% hit the second organization in less than an hour.
* For 2 years, 2/3 of cyber-espionage cases have involved phishing.
* 23% of phishing recipients open that e-mail, and 11% of them click on the attachments. Nearly 50% of those who click on phishing do so within 1 hour of receiving it.
* Mobile is not yet a major vector for breaches. The nuisances are to individual users, not as a larger vehicle of trouble such as through BYOD. I'd like to see risk evaluation for consumers of devices, web cam hacking, car hacking, IoT, etc., but although I wondered if that is off-topic for the Verizon DBIR, they did try to measure the size of mobile problems, and growth in the IoT industry. Out of tens of millions of mobile devices, only 0.03% get infected by malware, so far. Android wins: 96% of mobile malware is aimed at it. More than 5 billion downloaded Android apps have vulnerabilities. 80% of EnPublic apps invoke risky private APIs that are also in violation of Apple's Developer guidelines.

Verizon invites feedback: dbir@verizon.com, find us on LinkedIn, or tweet @VZdbir with the hashtag #dbir.

Some of the stories in there apparently did not make the mainstream news until after people started digging into the report. Example: Hackers got into a water treatment plant and manipulated the programmable logic controllers that managed the amount of chemicals used to treat the water to make it safe to drink. (I did not see that when I was skimming the report.)
http://www.watertechonline.com/hackers-change-chemical-settings-at-water-treatment-plant/
My response unfortunately had the first paragraph left off, which led to the second paragraph not making much sense. To repeat ... I read the biography of a US sub captain who got fed up with his torpedoes not exploding, and the higher-ups not listening. So he found a sitting duck of a Japanese target, fired all six of his loaded torpedoes at it one by one, taking photographs as he did so, and then sent them to a newspaper. Six direct hits, and the target still afloat, undamaged, at the end. I think that was some time mid '42.
I think Steven is misunderstanding the nature of the attack. Keyless entry key fobs like this on the Prius don't require any button pushing. Drivers simply approach the vehicle with their key fob in their pocket and grab the door handle (which has a touch sensor on it). Antennas in the exterior of the car determine if the key fob is present, and the doors unlock. Observant drivers may note that the car interior lights turn on as they approach. Likewise, when the Start button is pushed, antennas in the car determine if the key fob (still in the pocket) is inside the car, and allow the car to start and be driven. Again, the driver does not interact with the fob buttons in any way during this process. It might be possible to have the fob sleep based on a lack of motion for a few minutes (presuming a walking motion as the driver approaches the car), but since the driver does not press any buttons on the fob in the current implementation, it can't stop responding on that basis. Additionally, the owner's manual indicates that the fob should not be stored overnight in close proximity to a cell phone, because it will prematurely discharge the batteries. Also, Priuses that have the hands-free fob capability have a larger-capacity 12-volt accessory battery installed. These facts suggest to me that the fob responds to a polling signal from the car, and not vice versa. So the initial amplification being used to break in is likely an amplification of the CAR'S signal to activate the fob, and then an amplification and re-transmission of the fob signal to make the car sensors believe it is next to and then inside the car.
Thanks for the clarification. I think it just shows that presence is not enough for all situations. We don't need to lock the car, but we do need to lock the fob. I wonder if one could build a system that would remotely use other people's RFID or NFC tokens for payment and/or tap-and-pay. Could a Bluetooth card speak to a radio amplifier that would enable a user to appear to tap their card, but the signal would travel over Bluetooth to an amplifier that would find and use another nearby token? This would make it possible to ride the tube in London or buy a coffee at Starbucks. It is a fun problem, and the first fix is to put a switch on the fob that turns it off under user control; there is no need for a freezer.
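As an added illustration of the point made in the two posts above (this is not code from the thread, nor from any vehicle maker), here is a toy model of the car-polls / fob-answers exchange with an attacker's relay in the middle. The shared key, the HMAC-based answer, the processing and propagation timings, and the 10 m range are all constructed assumptions. It shows that a presence check alone accepts the relayed answer because the fob cannot tell a relayed poll from a genuine one, that the user-controlled off switch proposed in the reply defeats the attack, and that a round-trip-time bound (the distance-bounding countermeasure from the research literature, which neither post mentions) rejects it as well.

```python
"""Toy passive-keyless-entry exchange with a relay attack (constructed model)."""
import hashlib
import hmac
import secrets

# Constructed parameters (assumptions, not measured values from any vehicle):
C_M_PER_NS = 0.3               # speed of light, metres per nanosecond
FOB_PROCESSING_NS = 1000       # time the fob takes to compute its reply
DIRECT_RANGE_M = 10            # farthest a genuine fob should ever be from the car
SHARED_KEY = bytes(range(16))  # constructed secret shared by car and fob


class Fob:
    """Passive fob: it never needs a button press, it simply answers polls."""

    def __init__(self, key, powered=True):
        self.key = key
        self.powered = powered  # the user-controlled off switch proposed in the reply

    def respond(self, challenge):
        if not self.powered:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class Car:
    """Car-side verifier. With distance_bound_m=None it checks only that the reply
    is cryptographically right (presence). With a bound it also requires the reply
    to come back fast enough to have travelled at most that far and back."""

    def __init__(self, key, distance_bound_m=None):
        self.key = key
        self.challenge = None
        self.max_rtt_ns = None
        if distance_bound_m is not None:
            self.max_rtt_ns = FOB_PROCESSING_NS + 2 * distance_bound_m / C_M_PER_NS

    def poll(self):
        self.challenge = secrets.token_bytes(8)  # fresh challenge per poll
        return self.challenge

    def verify(self, response, rtt_ns):
        if response is None:
            return False
        expected = hmac.new(self.key, self.challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response):
            return False
        return self.max_rtt_ns is None or rtt_ns <= self.max_rtt_ns


def attempt_unlock(car, fob, fob_distance_m, relay_latency_ns=0):
    """One poll/answer round. relay_latency_ns > 0 models an attacker's amplifier
    pair forwarding the car's poll out to the distant fob and the fob's answer
    back; the fob sees a valid poll either way and answers it."""
    challenge = car.poll()
    response = fob.respond(challenge)
    rtt_ns = (FOB_PROCESSING_NS
              + 2 * fob_distance_m / C_M_PER_NS   # propagation out and back
              + relay_latency_ns)                 # extra hops through the relay
    return car.verify(response, rtt_ns)


def demo():
    """Four cases; returns a dict of case name -> whether the car unlocked."""
    presence_only = Car(SHARED_KEY)
    bounded = Car(SHARED_KEY, distance_bound_m=DIRECT_RANGE_M)
    fob = Fob(SHARED_KEY)
    fob_off = Fob(SHARED_KEY, powered=False)
    # Relayed cases: fob is 50 m away (in the house), relay adds 500 ns (assumed).
    return {
        "owner at door": attempt_unlock(presence_only, fob, 1),
        "relayed, presence only": attempt_unlock(presence_only, fob, 50, relay_latency_ns=500),
        "relayed, rtt bound": attempt_unlock(bounded, fob, 50, relay_latency_ns=500),
        "relayed, fob switched off": attempt_unlock(presence_only, fob_off, 50, relay_latency_ns=500),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:28s} -> {'UNLOCKED' if unlocked else 'refused'}")
```

The caveat a practitioner would add: the cryptographic answer is never the weak point here, the timing is, and measuring nanosecond round trips precisely enough over the low-frequency link these fobs use is hard, which is why a physical switch or a motion-sleeping fob is the cheap fix the reply proposes.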
Several years ago I was given a London Underground map etched onto a credit-card-sized sheet of stainless steel—a shiny fun Christmas stocking filler. I tucked it into my wallet and forgot about it; several days later, after the holidays, I needed to use my work MIFARE ID card to open an electronic door lock. It didn't work and I was greatly confused, until I remembered the steel map! Now the steel sheet lives next to my contactless payment card, and the ID card lives in a separate fold of the wallet. I have never actually used it as a map to find my way around London.