On Monday, *The WashPost* reported that MedStar had "shut down its email and vast records database" after a virus got into their systems. Reports were that medical staff were going back to paper & pencil medical charts. https://www.washingtonpost.com/local/virus-infects-medstar-health-systems-computers-hospital-officials-say/2016/03/28/480f7d66-f515-11e5-a3ce-f06b5ba21f33_story.html On Tuesday, they reported that MedStar is still without their computer systems, and is turning away patients. https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html The risks are obvious - reliance on vulnerable systems without adequate backup/recovery processes. Whether this was a deliberate or accidental case is unclear to me. But the fact that it's Washington DC area hospitals being affected seems to emphasize the risk - although I'm biased, being a Washingtonian (well, actually a suburbanite).
US regulation strategy is to wait until they catch someone violating a regulation, then punish violators severely, expecting news coverage to have a chilling impact that discourages others. That approach does not work in many cases, especially when there are new regulations coming out all the time, not well covered by the news media. At what age do children start watching the news? There is no minimum age to operate a drone, they are getting cheaper, and dangerous incidents are growing. We are now up to 100 reports / month to the FAA about drones flying illegally close to manned flight. Before long we can expect to read about 100+ people killed in an airline crash caused by illegal and irresponsible drone usage. The FAA just released a report of dangerous drone incidents from Aug 22, 2015 through Jan 31, 2016, in the USA. http://www.faa.gov/news/updates/?newsId=85229 http://www.faa.gov/uas/law_enforcement/uas_sighting_reports/ http://www.faa.gov/uas/media/UAS_Sightings_report_21Aug-31Jan.xlsx Reported UAS Sightings (August 2015-January 2016) (MS Excel) http://www.faa.gov/uas/media/UASEventsNov2014-Aug2015.xls Reported UAS Sightings (November 2014-August 2015) (MS Excel) I believe the authorities should attempt to get outfits which are selling drones to include a heads up to purchasers that:
* There are federal registration requirements for various drone sizes, uses, and locations.
* Flying drones in violation of federal regulations can result in fines of $10,000 per day of violation, and prison time for some offenses.
* There are also laws governing drone use in almost every state in the USA.
* Here's where to go to learn what the rules are, so you can stay out of trouble.
Under current US laws, regulations, and court precedents, drones are considered to be aircraft, and it is illegal to interfere with an aircraft in flight, by any means, with the penalty being many years in prison.
I hope that Congress can change that law, to lower penalties for interfering with a drone whose activity is violating people's privacy, or engaged in other illegal or dangerous activity.
http://losangeles.cbslocal.com/2016/03/28/fbi-unlocks-san-bernardino-attackers-iphone-without-apples-help-ending-court-case/ The U.S. government said Monday afternoon it has unlocked the iPhone owned by one of the terrorists involved in the San Bernardino massacre, ending the legal battle pitting Apple against the government over whether the tech giant should be required to help the FBI unlock the device. - - - Nobody is saying it outright, but reading between the lines it sounds like nothing of major significance was found on there. [See also Danny Yadron, US ends case against Apple after pulling data from San Bernardino iPhone, *The Guardian*, 28 Mar 2016 http://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone Joel Rubin and James Queally, *L.A. Times*, 28 Mar 2016 http://www.latimes.com/local/lanow/la-me-ln-fbi-drops-fight-to-force-apple-to-unlock-san-bernardino-terrorist-iphone-20160328-story.html Also, see Bruce Schneier's *WashPost* Op-ed today. Bruce makes a nice distinction between Apple's handling of the iMessage flaw (which was detected by Matt Green's team and reported privately to Apple for remediation—see RISKS-29.37) and the San Bernardino phone situation (where the FBI is apparently trying to keep the successful technique secret so that it can be reused as needed). https://www.washingtonpost.com/posteverything/wp/2016/03/29/your-iphone-just-got-a-lot-less-secure-and-the-fbi-is-to-blame/ PGN]
http://wtop.com/science/2016/03/law-enforcement-investigators-seek-out-private-dna-databases/ Investigators are broadening their DNA searches beyond government databases and demanding genetic information from companies that do ancestry research for their customers. Two major companies that research family lineage for fees around $200 say that over the last two years, they have received law enforcement demands for individuals' genetic information stored in their DNA databases. - - - Also see: https://www.youtube.com/watch?v=k5VZjT0JE70 (3 seconds).
Amid stories of many institutions faced with ransomware demands, and having to pay to stay in business, here is a story of a place which could stay in business without paying, because they had competent backup. Before restoring to backup, they had to wipe their hard drives. I don't know how they know no data was taken in the attack. http://www.campussafetymagazine.com/article/canadian_hospital_effectively_responds_to_ransomware_attack#t http://ottawacitizen.com/news/local-news/ottawa-hospital-hit-with-ransomware-information-on-four-computers-locked-down
Ground drones have fewer security implications than flying ones, which have been touted as a potential delivery breakthrough. There are some concerns an airborne delivery could potentially "go over the White House fence," she said. But "this would stop at the fence. It seems so much more benign and easy to control." As for run-of-the-mill thieves and vandals, Martinson said he's not worried. A hitchhiking robot was destroyed in Philadelphia last year, bumming out the Canadian researchers who built it. But Starship's machines have 9 cameras, stream live video back to their base, and can easily call for police, or other, backup, Martinson said. "We can send other robots in the area. They would come to help the robot in distress," Martinson said. https://www.washingtonpost.com/news/dr-gridlock/wp/2016/03/23/driverless-delivery-robots-could-be-hitting-d-c-sidewalks-soon/ What could go wrong? There's nothing about them being weaponized, so who's afraid of a posse of 4 MPH robots? How many will go missing, and how soon? They're autonomous but can be remotely guided—how will they authenticate the intended recipient? Are they hackable? Can they open doors, climb stoops, summon elevators, ring doorbells, tip doormen? Plenty of fun to be had. Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
NYTimes via NNSquad http://www.nytimes.com/2016/03/28/technology/american-tech-giants-face-fight-in-europe-over-encrypted-data.html This week, French lawmakers are expected to debate proposals to toughen laws, giving intelligence services greater power to get access to personal data. The battle has pitted Europe's fears about the potential for further attacks against concerns from Apple and other American technology giants like Google and Facebook that weakening encryption technologies may create so-called back doors to people's digital information that could be misused by European law enforcement officials, or even intelligence agencies of unfriendly countries. The recent attacks have pushed many Europeans to favor greater powers for law enforcement over privacy. But opponents say such measures should not undermine the region's tough data protection rules that enshrine privacy on par with other rights like freedom of expression. This balance between national security and privacy has put major countries in the region on opposite sides of the debate, with Germany and the Netherlands dismissing new encryption laws being considered by Britain and France.
Various outfits come out with annual reports on various aspects of cyber security. We can download the 2016 Cyber Threat Defense Report (CTDR) from Cyber Edge Research. (1.5 Meg PDF, 36 pages) http://f6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.com/2016-cyberthreat-defense-report-pdf-5-w-2279.pdf This includes (some highlights I found):
* Results of a survey of what threats are being faced by 1,000 people working in IT cyber security, at companies with 500 or more employees in 19 industries across 10 nations.
* These people think mobile devices and social media applications are IT security's weakest links (2015), which is rather different from what was found via the latest Verizon DBIR. http://catless.ncl.ac.uk/Risks/29.40.html#subj15
* [Garbled] of them suffered one or more successful cyber attacks in the past 12 months.
* Pessimism about their company's ability to resist the next attacks is rising.
* Only 1/3 have the tools they need to protect their companies.
* Cyber security defense expenditures are on the increase.
* An assessment of the respondents' perception of the effectiveness of their investments and strategies relative to the prevailing threat landscape.
* The types and sources of cyber threats that concern today's organizations the most.
* Tactics to help organizations reduce their attack surface.
* The network, endpoint, mobile, and application security technologies planned for acquisition in 2016.
* The percentage of companies applying various protection measures is graphed. For example, 80% of companies in health care regularly back up the laptops of mobile users—that's the highest score. One of the lowest is France, where only 10% do regular backups of mobile users' laptops, and then only 80% of them.
Data Breach Today supplies links to many such downloadable cyber security reports. That's where I found the link to download the above. http://www.databreachtoday.com/whitepapers.php
There's a reason why companies that handle sensitive billing information may ask customers to verify their email addresses before sending any communications. It's to prevent customers from seeing things they shouldn't. So why doesn't AT&T have such a safeguard in place for its customers? https://consumerist.com/2016/03/24/why-doesnt-att-require-email-verification-before-sending-sensitive-account-information/ The risks? Described in nice detail. Gabriel Goldberg, Computers and Publishing, Inc. email@example.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
The White House says US gov agencies reported 77,183 cyber incidents in fiscal 2015, up 10% from 2014. Section 3553 of the Federal Information Security Modernization Act (FISMA) of 2014 (P.L. 113-283) requires the Office of Management and Budget (OMB) to submit an annual report to Congress on the effectiveness of information security policies and practices during the preceding fiscal year and a summary of the evaluations conducted by agency Inspectors General. Here is that report: https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/final_fy_2015_fisma_report_to_congress_03_18_2016.pdf (95 page PDF, 3.5 Meg) The US gov fiscal year runs from Oct to Sept. There's a lot of data here to digest, complicated by the phenomenon of high acronym density common to many gov reports. Several appendixes spell out agency names in full, then give the abbreviation or acronym used for them, sequenced by the text name. Appendix 7 has other stuff alphabetized by acronym. Figure 2 shows 363 known active critical vulnerabilities on Federal systems, reduced to 3 by Dec 2015. As impressive as that progress is, later charts in the report show the progress various agencies have made in providing cyber security defense against various threats. As the GAO would say, "Progress has been made, but there is room for improvement"—massive improvement for some agencies. Table 2 provides definitions for 11 different categories of cyber incident, then Table 3 has a bar chart with how many of each of them occurred, color coded for the fiscal years: 2013 grey, 2014 green, 2015 red. The highest bar for 2015 is 25,765 "Other", or 34% of FY 2015 incidents, a 77% increase over 2014. This category covers scans, probes and attempted access, incidents under investigation, and incidents categorized as miscellaneous. Approximately 59% of 'Other' incidents fall within the attempted access subcategory due to the high volume of scans and probes.
The second highest bar is Non-Cyber, which includes incidents involving the mishandling of sensitive information without a cyber security component, such as the loss of hard copy PII records. This category represented 12,217, or 16% of reported incidents. The third most reported category was Policy Violations, which represent 10,408 reported incidents, or 14% of total incidents reported. The report also breaks this down by gov agency, with very different graph appearances.
* Dept of Agriculture is dominated by malware and equipment challenges.
* Dept of Defense's biggest problem is policy violations.
* Many have problems all over the place.
Some of the incidents were classified secret. Here is where we may find info on the unclassified ones. https://www.archives.gov/cui Every new technology brings with it new cyber security challenges. The US gov recognizes that this is the case with smart phones, so during FY 2015, NIST published Special Publication (SP) 800-163, "Vetting the Security of Mobile Applications," along with open source test code and guidance for constructing a mobile application-testing program. These guidelines describe vulnerabilities and poor programming practices for both Android and iOS devices, which entities can mitigate through other described security technologies. NIST also addressed the issue of Strong Authentication with mobile devices through the release of SP 800-157, "Guidelines for Derived Personal Identity Verification Credentials." http://www.nextgov.com/cybersecurity/2016/03/white-house-says-agencies-experienced-77200-cyber-incidents-2015/126810/
In a TedTalk about interaction of different medicines, I found this: We said, well, what do you do? You're taking a medication, one new medication or two, and you get a funny feeling. What do you do? You go to Google and type in the two drugs you're taking, or the one drug you're taking, and you type in "side effects." What are you experiencing? So we said OK, let's ask Google if they will share their search logs with us, so that we can look at the search logs and see if patients are doing these kinds of searches. Google, I am sorry to say, denied our request. So I was bummed. I was at a dinner with a colleague who works at Microsoft Research and I said, "We wanted to do this study, Google said no, it's kind of a bummer." He said, "Well, we have the Bing searches." (Laughter) Yeah. That's great. Now I felt like I was talking to Nick [Nick is the patient discussed in the talk] again. He works for one of the largest companies in the world, and I'm already trying to make him feel better. But he said, "No, Russ—you might not understand. We not only have Bing searches, but if you use Internet Explorer to do searches at Google, Yahoo, Bing, any ... Then, for 18 months, we keep that data for research purposes only." I said, "Now you're talking!" This was Eric Horvitz, my friend at Microsoft. [The remainder of the talk addresses what they did with this data, so it is clear that they actually got the Google data from Microsoft] http://www.ted.com/talks/russ_altman_what_really_happens_when_you_mix_medications
How health-tracking apps reveal new truths about our bodies. http://www.nytimes.com/2016/03/27/magazine/were-more-honest-with-our-phones-than-with-our-doctors.html
Amazon Echo's next frontier is banking http://www.businessinsider.com/amazon-echo-capital-one-integration-2016-3
http://www.nytimes.com/2016/03/29/nyregion/hacker-weev-says-he-printed-anti-semitic-and-racist-fliers-at-colleges-across-us.html A computer hacker who goes by the name of Weev said he sent the fliers last week to all publicly accessible printers in North America, but it is not clear whether he could face charges.
IT Security Vendor Industry Statistics, possibly off-topic. Stiennon's Security Scorecard <http://www.csoonline.com/blog/stiennons-security-scorecard>
* 1,325 of them worldwide and growing
* 854 (60%) in USA
* 144 in Israel
* 82 UK
* 48 Canada
* 33 Germany
Of those in the USA:
* 325 California
* 91 DC area
* 69 Massachusetts
* 52 Texas
* 42 NY
There is no consolidation. There is an outpouring of start-ups. If this was a mature industry, there would be 4 big vendors, period. The industry is growing by about 24% per year, estimated to be 6 times as large in 7 years. Market size reports <http://www.ith-research.com/> are available for $500 - 1,500. But a lot of the totals are at the other links here. How long until market saturation = when every outfit and individual who ought to be protected is protected, or there has been a successful effort to chop down the very successful cyber criminal industry? https://www.linkedin.com/pulse/entire-security-space-richard-stiennon
Newer SoC processors have protection that will not allow copying through the JTAG port, or through code executing in RAM. The description in the article is unlikely to work—you can't simply copy the internals that easily. Perhaps the main storage is an external chip, with a simple SPI port; in that case, if Apple has encrypted it, even using standard SSL, it can be cracked in a few centuries ... From ST Micro: http://www.st.com/web/en/resource/technical/document/application_note/DM00075930.pdf
Flash code protection
The STM32 microcontroller family is provided with the following code protection features:
1. Global Read-out Protection (RDP)
2. Write protection
3. Proprietary Code Read Out Protection (PCROP)
These features are meant to protect the intellectual property of the embedded firmware code, which represents an increasing interest for complex embedded systems.
> Google handed EUR100,000 fine by French data regulator
> France wants to censor search results GLOBALLY—not just to users in
> France but for everyone on the planet. And if France gets their way EVERY
> COUNTRY ON THE PLANET will demand the right to remove search results they
> don't like. Imagine what Putin, Chinese leaders, and other tyrants will do
> with such power. I've been predicting this slippery slope all along. IT MUST
> BE STOPPED.
Good luck. In the UK there's been a scandal over the last winter in which the police have been investigating allegations of historic child sexual abuse (the 'Nick' case) by various senior politicians and other establishment figures; the authorities have been accused of being too casual about acting on similar allegations in the past, so this time enquiries have been done in an aggressive, high-profile way (e.g. house searches with plenty of publicity), along with the usual feeding frenzy on social networking web sites of course. The investigation has reportedly been closed without finding anything worthwhile, but it's left a lot of collateral damage in terms of wrecked reputations, lingering suspicions, loss of trust, and so forth. One of the politicians questioned but not arrested or charged quite reasonably wants better protection for those in the same position as him, but wrote in a newspaper last week: "... Google and other Internet providers should... be regarded as publishers and brought within the same laws of defamation. Free speech is not free if it allows people to defame others with impunity. These companies should be 'publishing' within a fair legal framework." Loads of problems here which have been discussed in RISKS before, e.g. what about information on other countries' sites (it's called the World Wide Web for a reason), and why do so many people assume that Google somehow runs the Internet?
However, if enough irritated politicians get together, it's easy to see how they could pass laws attempting to regulate what goes on line, or at least have somebody legally liable who could be sued, and probably include right-to-be-forgotten measures as well.
> ... it broke dependencies for many other projects ...
I'm sorry, but I have to disagree a little bit—this has NOTHING to do with any presumed 'fragility' of open source, but rather has to do with the paucity of thought on the part of the developers in question. They depended on a package, and instead of ensuring that they had their dependencies under control, they simply referenced its URL. The problem here is developers who have no idea how to do development properly being allowed (by their peers) to handle packages that become important. (For the record, I write software for medical monitoring systems. We run on top of Linux, and pull copies of the relevant distribution repos so that we can go back to the source packages if things go wrong.)
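One way to put the dependency control the poster describes into practice, as an added example that is neither the poster's code nor any project's: a build-time check that every third-party package is taken from a local mirror and matches a SHA-256 pinned in a manifest, so a package that disappears or changes upstream fails the build rather than being silently replaced. The manifest format and mirror layout are assumptions, and the sample packages are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class CheckResult:
    ok: bool
    missing: list = field(default_factory=list)     # pinned but absent from the mirror
    mismatched: list = field(default_factory=list)  # present but hash differs from the pin


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_mirror(manifest, mirror_dir):
    """manifest maps archive filename -> expected sha256 hex (assumed format).

    Only the local mirror is consulted; there is deliberately no fallback to
    fetching a URL, which is exactly the habit the thread criticises.
    """
    result = CheckResult(ok=True)
    for fname, expected in manifest.items():
        path = os.path.join(mirror_dir, fname)
        if not os.path.isfile(path):
            result.missing.append(fname)
        elif sha256_of(path).lower() != expected.lower():
            result.mismatched.append(fname)
    result.ok = not (result.missing or result.mismatched)
    return result


def build_demo():
    """Constructed sample mirror: one intact, one altered, one vanished package."""
    mirror = tempfile.mkdtemp(prefix="mirror-")
    intact = b"pkg-a 1.0 archive bytes (constructed)"
    original_b = b"pkg-b 2.3 archive bytes as originally pinned (constructed)"
    altered_b = b"pkg-b 2.3 archive bytes after upstream changed it (constructed)"
    with open(os.path.join(mirror, "pkg-a-1.0.tgz"), "wb") as f:
        f.write(intact)
    with open(os.path.join(mirror, "pkg-b-2.3.tgz"), "wb") as f:
        f.write(altered_b)
    manifest = {
        "pkg-a-1.0.tgz": hashlib.sha256(intact).hexdigest(),
        "pkg-b-2.3.tgz": hashlib.sha256(original_b).hexdigest(),
        "pkg-c-0.1.tgz": hashlib.sha256(b"pkg-c never mirrored").hexdigest(),
    }
    return manifest, mirror


if __name__ == "__main__":
    manifest, mirror = build_demo()
    print(verify_mirror(manifest, mirror))
```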
Beginning in the early 2000s, I witnessed first hand what happens when Silicon Valley tech companies, focused almost exclusively on the near-term bottom line, bring in massive numbers of guest workers as a prelude to offshoring later development and manufacture. Cypress Semi was a leader in convincing Congress that there weren't enough domestic engineers to meet their needs. In fact, there were, but many had families and weren't willing to work, day in and day out, the often very long hours some SV companies desired, and even for those that were amenable, companies weren't willing to offer adequate compensation. Companies also weren't willing to adequately encourage education and grooming of domestic engineers. Instead, they got the H1B visa program greatly expanded at the same time senior domestic engineers were furloughed, many never to work again in tech. These foreign engineers, mostly new graduates working (in overtime-exempt positions) through job shops, were (as required by law) paid the same as the domestic engineers they had replaced, but they were forced to work more hours (often nearly double). For years I would watch these workers on their way back to their flats in the East Bay late into the evening on BART. In this way tech companies were able to stay within the letter of the law (equal pay to domestic workers) while exacting many more labor hours than they otherwise could. Many of these foreign engineers would later return (not all by choice) to their countries, where SV companies had set up subsidiaries or made arrangements with local industry to continue follow-on design, development or manufacture.
> Andy Grove's Warning to Silicon Valley
> Teresa Tritch, Editorial Observer, *The New York Times*, 25 Mar 2016
> <http://www.nytimes.com/2016/03/26/opinion/andy-groves-warning-to-silicon-valley.html>