Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of the Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know whether you find this useful. As a RISKS reader, you will probably not be surprised by what is revealed...
Company Demolishes Wrong Housing Duplex Following Google Maps Error
Wrecking crew forgets to double-check location
http://news.softpedia.com/news/company-demolishes-wrong-housing-duplex-after-google-maps-error-502188.shtml

A wrecking company has demolished the wrong housing duplex after one of its employees was misled by a Google Maps error. In December 2015, the city of Rowlett, near Dallas, Texas, was hit by a tornado that destroyed or damaged multiple houses. Some of the unlucky homeowners who had their houses damaged beyond repair contacted demolition companies to have their house lots cleared in order to start rebuilding their new homes. One of the contacted companies was Billy L. Nabors Demolition, who was contracted to demolish the house at 7601 Cousteau Drive...

Never, ever, hire a demolition company from another town...
*WiReD* http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/
Ransomware that locks up patient data in hospitals is disrupting medical care, and the problem is set to get worse. https://www.technologyreview.com/s/601143/with-hospital-ransomware-infections-the-patients-are-at-risk/
Some 29 federal agencies reported they were targeted with ransomware 321 times between June and early December 2015, according to a Department of Homeland Security response to an inquiry by Sen. Tom Carper. The Delaware Democrat, who serves as the ranking member of the US Senate Homeland Security and Governmental Affairs Committee, had requested information about the government's ransomware defenses as part of the panel's oversight of government IT security.
<https://www.hsgac.senate.gov/download/dhs-responds-to-carper-inquiries-on-response-to-threat-of-ransomware>
<http://www.carper.senate.gov/public/index.cfm/pressreleases?ID=01C0457D-DF6D-47E1-9096-07413536C080>

Assistant Attorney General Peter Kadzik, in the DOJ's response to Carper's inquiry, said the FBI's Internet Crime Complaint Center (IC3) received 7,694 ransomware complaints in 2015, with losses from these attacks costing victims an estimated $57.6 million.

In addition to federal agencies, state and local governments are also being targeted. The Multi-State Information Sharing and Analysis Center (MS-ISAC) told DHS that its associated Computer Emergency Response Team identified and addressed 40 incidents related to ransomware-associated activity on state, local, tribal and territorial governments' systems. We do not know if recent occasional news stories about ransomware attacks on local institutions are included in those statistics.
http://www.govinfosecurity.com/ransomware-attacks-against-government-agencies-widespread-a-9005

To boost profits, operators of ransomware are hiring and funding their own development teams to fashion new variants of malware, according to Cisco's latest Midyear Security Report.
<http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html>
https://fcw.com/articles/2015/12/04/lyngaas-congressmen-ransomware.aspx

Senator Carper's inquiry was sent in December 2015.
According to the DHS report (7 pages, 50 KB PDF): The Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) has received reports of 337 ransomware-related incidents since June 2015. The NCCIC received these reports from federal government agencies, the private sector, international partners, and the general public. The DoJ report is 8 pages (5.8 MB), part of which is redacted in the public edition. There is more information in these two reports than the ransomware statistics I am citing.
The US State Department has a system for tracking people who wish to travel to and from the USA which has been found to have vulnerabilities that expose a billion people to hackers and could allow the alteration of applications from potential visitors to the USA, potentially opening the border to terrorists. In 2015 alone, the State Department denied more than 2,200 applications from people with a *suspected connection to terrorism*, a senior homeland security official told lawmakers last month.

The system is the Consular Consolidated Database (CCD). It holds current and archived visa records and data, including names, photos, addresses, biometric data and identification numbers from the Bureau of Consular Affairs (BCA), and is key to processing passport applications for visa applicants and travelers. Search the web for information on this and you find this is not the first instance of cybersecurity problems with the CCD.
http://abcnews.go.com/US/exclusive-security-gaps-found-massive-visa-database/story?id=38041051
http://thehill.com/policy/cybersecurity/274819-security-holes-found-in-state-department-visa-database-report
http://fortune.com/2016/04/02/data-sheet-saturday-april-2-2016/
https://fcw.com/articles/2016/04/01/visa-state-vulnerable.aspx
http://cio.economictimes.indiatimes.com/news/digital-security/security-vulnerabilities-found-in-us-visa-database-report/51657905
https://travel.state.gov/content/visas/en/law-and-policy/bulletin.html
As President Obama prepares to leave the White House, one of his legacies will be the office information technology upgrade that his staff has finally begun. http://www.nytimes.com/2016/04/04/us/politics/technology-upgrades-get-white-house-out-of-the-20th-century.html Risks? Distributed/conflicting technology teams/ agendas/ authorities/ abilities, plus a nice dose of politics and national security. Stir vigorously until catastrophe ensues.
[Also in Cryptography]
https://www.lawfareblog.com/lawfare-podcast-general-michael-hayden-discusses-american-intelligence-age-terror

Highly recommended, *especially* if you disagree with Hayden. Basically, Hayden is ok with just about anything—including torture—so long as it is approved by someone higher up. Methinks he might not fare so well in a Nuremberg-type trial, but perhaps those ethics are sooo last century. However, Hayden does think that the FBI is p*ss*ng into the wind on encryption, because any restrictions on encryption will drive technology overseas & weaken the U.S. tech economy.

Hayden is basically agreeing with the statement "we kill people based on metadata", so you'd better believe that social graphs, GPS coordinate positions, etc., are being hoovered up, big time. Perhaps the FBI will be forced to de-parallel-construct their DRT-bag data for the U.S. courts, but I suspect that NSA has no such scruples.

There was an unclassified program by a small midwest company a couple of years ago that did 2 things: collected huge amounts of continuous hi-res video surveillance imagery and built a time-line database. Subsequently, an inquiry about the position of a car at 2:17pm at such-and-such a location could be run *backwards* in time to see where the car came from. Although this data was used to catch a few very surprised criminals who found the police patiently waiting for them at their homes, it was either deemed too creepy (hard to believe!) or too expensive to continue. However, I think the real reason why this surveillance technique was dropped (from public discussion, anyway) is that exactly the same database technology is *already* in use to track cellphones backwards in time. This can be done with cheap, ubiquitous NSA junior-varsity-type technology -- collect cellphone signals, wifi signals, Bluetooth signals.
Thus, if person X is noticed at location Y at time T, then the database can track person X backwards over the past hours, days, months to see if person X ever came close to person Y. If this happens in some locations on the globe, and if person Y is considered a "bad guy/gal", then person X is now considered to be a "bad guy/gal". Hayden may not even know person X's name or gender, but the U.S. might still target person X for killing simply on the basis of this metadata. Hayden seems completely ok with this sort of thinking, but then he has lime on his cleats (his too cute football analogy re coming too close to getting out of bounds). So while the encryption fight is going on, a far more insidious type of surveillance is taking place, but without being discussed or approved by anyone in Congress or the courts. I believe that this type of system is what Hayden is referring to when he says that—far from "going dark"—this is currently the "golden age" of surveillance.
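The backward-in-time co-location query the post describes, as an added example that is not part of the original contribution: a small spatiotemporal lookup over a constructed timeline of sightings (pseudonymous device identifiers, timestamps, coordinates and the collector that saw them). The sample data, the 50 m radius and the five-minute window are assumptions chosen for illustration; the same join runs unchanged over cell, Wi-Fi and Bluetooth captures.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Sighting:
    device: str    # pseudonymous radio identifier (IMSI, MAC ...), not a name
    t: int         # seconds since epoch
    lat: float
    lon: float
    source: str    # "cell", "wifi" or "bt": which passive collector saw it


# Constructed sample timeline (assumption, not real data). X is the person
# noticed at the anchor sighting; Y is the "bad guy/gal" of interest.
SIGHTINGS = [
    Sighting("X", 1000, 40.0000, -75.0000, "cell"),
    Sighting("Y", 1050, 40.0005, -75.0000, "cell"),    # ~56 m away: outside radius
    Sighting("X", 4000, 40.0100, -75.0100, "wifi"),
    Sighting("Y", 3900, 40.01002, -75.01003, "wifi"),  # ~3 m, 100 s apart: a hit
    Sighting("Y", 6800, 40.0300, -75.0300, "bt"),      # ~1.4 km from X's anchor
    Sighting("X", 7000, 40.0200, -75.0200, "bt"),      # the anchor: X seen here at time T
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def track_backwards(sightings, device, t_anchor, horizon_s):
    """Sightings of `device` in the horizon_s before (and including) t_anchor, newest first."""
    return sorted(
        (s for s in sightings
         if s.device == device and t_anchor - horizon_s <= s.t <= t_anchor),
        key=lambda s: s.t,
        reverse=True,
    )


def colocations(sightings, x, y, t_anchor, horizon_s, radius_m=50.0, window_s=300):
    """Walk x's track backwards from t_anchor and return (x_sighting, y_sighting)
    pairs where y was within radius_m of x no more than window_s seconds apart."""
    ys = [s for s in sightings if s.device == y]
    hits = []
    for sx in track_backwards(sightings, x, t_anchor, horizon_s):
        for sy in ys:
            close_in_time = abs(sx.t - sy.t) <= window_s
            if close_in_time and haversine_m(sx.lat, sx.lon, sy.lat, sy.lon) <= radius_m:
                hits.append((sx, sy))
    return hits


if __name__ == "__main__":
    # "Person X was noticed at the anchor at t=7000; did X ever come close to Y?"
    for sx, sy in colocations(SIGHTINGS, "X", "Y", t_anchor=7000, horizon_s=86_400):
        print(f"X ({sx.source}) and Y ({sy.source}) within 50 m at t={sx.t}/{sy.t}")
```

Note that nothing in the query needs a name: the identifiers are whatever the radios leak, and widening `radius_m` or `window_s` is all it takes to turn a near miss into a "contact".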
11.5 million documents leaked, estimated to contain about 2.6 terabytes of data. They came from a law firm in Panama. Contents cover off-shore accounts and financial activities which may be illegal for some of the participants, depending on their home nations, where the money went, and whether proper tax reporting was done. Many allegations in the papers need confirmation. The named individuals are denying this info. The law firm says it is a victim in this leak.
https://www.reddit.com/live/wp1fvdxxwb45/
https://panamapapers.icij.org/graphs/
http://www.usatoday.com/story/tech/news/2016/04/04/stealing-115-million-documents-panama-papers-snowden-sony-hack-leak/82613940/
http://www.reuters.com/article/us-panama-tax-idUSKCN0X10C2
50-plus law firms got hacked, including the most prestigious of several nations. The good news is that many law firms are waking up to their fiduciary cyber security responsibilities, much more rapidly than we have seen for other industries. Firms are also signing up to join the information-sharing group about cyberthreats formed by the Financial Services Information Sharing and Analysis Center (FS-ISAC).
https://www.fsisac.com/
http://abovethelaw.com/2016/03/beware-of-big-hacking-in-biglaw/

See page 2 of the above link for where I got this list of 47 of the law firms involved. The list was compiled by Flashpoint (via Crain's Chicago Business).
<http://www.chicagobusiness.com/article/20160329/NEWS04/160329840/russian-cyber-criminal-targets-elite-chicago-law-firms?X-IgnoreUserAgent=1>

Akin Gump Strauss Hauer & Feld
Allen & Overy
Baker & Hostetler
Baker Botts
Cadwalader Wickersham & Taft
Cleary Gottlieb Steen & Hamilton
Covington & Burling
Cravath Swaine & Moore
Davis Polk & Wardwell
Debevoise & Plimpton
Dechert
DLA Piper
Ellenoff Grossman & Schole
Freshfields Bruckhaus Deringer
Fried Frank Harris Shriver & Jacobson
Gibson Dunn & Crutcher
Goodwin Procter
Hogan Lovells
Hughes Hubbard & Reed
Jenner & Block
Jones Day
Kaye Scholer
Kirkland & Ellis
Kramer Levin Naftalis & Frankel
Latham & Watkins
McDermott Will & Emery
Milbank Tweed Hadley & McCloy
Morgan Lewis & Bockius
Morrison & Foerster
Nixon Peabody
Paul Hastings
Paul Weiss Rifkind Wharton & Garrison
Pillsbury Winthrop Shaw Pittman
Proskauer Rose
Ropes & Gray
Schulte Roth & Zabel
Seward & Kissel
Shearman & Sterling
Sidley Austin
Simpson Thacher & Bartlett
Skadden Arps Slate Meagher & Flom
Sullivan & Cromwell
Vinson & Elkins
Wachtell Lipton Rosen & Katz
Weil Gotshal & Manges
White & Case
Willkie Farr & Gallagher

Apparently some crooks were seeking info on mergers & acquisitions for the purpose of insider trading. Law firms have also been victimized by ransomware.
Law firms have also been recipients of the CEO scam [browse on "Fake President Scam"], where a junior executive is ordered by a higher one to transmit some money some place and keep this confidential, when the order is really coming from someone faking out the senior executive. If all their security rules, and normal e-mail traffic, are on the computer network, and the computer network is hacked, then this kind of scam is easy to perpetrate.

A problem common to many companies, including law firms, is that senior leaders of the companies are free to disregard security rules which apply to lower-level employees, as if they were above the company's laws & regulations. If they had proper security audits, this would be revealed, and if the law required that they show the results of audits to their clients, then such behavior would cease, and the whole industry would become more secure.
http://www.lawgazette.co.uk/practice/ma-hack-attack-on-48-elite-law-firms/5054524.article
http://www.americanlawyer.com/id=1202753706763/Cravath-Admits-Breach-as-Law-Firm-Hacks-Go-Public-?slreturn=20160305150736
http://www.bbc.com/news/technology-35933246

A common claim by hacked outfits is that no data was taken, and we always wonder how they know this. Breach laws only require that non-government organizations truthfully report when the data taken is PII of humans. There are many forms of breaches for which the breached institution has no legal obligation to report the event to anyone, and many reasons to cover it up so as not to have their reputation impaired. Government organizations are generally required to report breaches to whatever government agency tracks security problems and tries to manage their mitigation. Most of this never gets to the general public beyond some statistics. Due diligence when we contract with some place for business includes finding out if they have good security.
But just as good security requires layered protection, cover-ups also involve layers, so potential customers of outfits which are good at cover-ups will probably never learn about security breaches there.

Who financed the implementation of IT security at the hacked law firms? In the business world there are many professions. We trust lawyers to know the law. We trust accountants to balance the books. We trust IT security professionals to know what is needed and to do the job right, provided they get the resources they need to implement good security. We do not trust people to perform jobs for which they have not had the proper training. We do not trust people who do not have training to know what they are missing out on by not having the training. Unfortunately, many business leaders lack the understanding I have stated above.
For people wondering how secure their newly purchased car is, why not take a look at the manual on the "media centre", a manual which is now bigger than the one on "driving your vehicle safely to your chosen destination". I was certainly surprised to see a section on how to disable Flash in the manual of a 2012 car we had just purchased second-hand.
https://www.flickr.com/photos/steve_l/25625279674/in/album-72157623050830883/

I've been trying very hard to have a vaguely secure house, with "removing Flash from all devices" being one of the tasks undertaken. The fact that it's being built into vehicle entertainment systems means I appear to be fighting a losing battle. An emergency check of the vehicle showed me that, fortunately, the previous owner had not opted for the "web browser" feature when buying their vehicle. As well as keeping Flash out of the vehicle, it meant their web browsing history and cookies were not available to me. The fact that car manufacturers are putting software with such an awful track record of security into the firmware of their systems is not a good sign for future vehicle security.
http://www.nytimes.com/2016/03/27/your-money/why-i-dont-make-financial-decisions-on-my-smartphone.html
Just spotted this on a newspaper web site—don't know if it's for real (but it's not April 1st yet!):

Caroline Mcguire for MailOnline
<http://www.dailymail.co.uk/travel/travel_news/article-3513652/The-cleverest-time-Man-gets-free-holidays-car-rentals-changing-surname-Null.html>

People will go to extreme lengths to bag themselves a freebie these days, but one American has come up with the ultimate bag to get free holidays - a name change. The man claims to have been given seven free nights at seven different hotels and free-of-charge car rental after changing his surname to 'Null'. Raven Felix Null, 24, from the United States, says he changed his surname after becoming an adult and claims the word 'Null' is incompatible with a lot of computer programming, leading to many systems not recognising him as a person.
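The failure mode behind the story, as an added example (not code from the article or from any of the hotels): a guest-record loader that follows the tempting rule of treating any field spelled like a null keyword as "no value", beside one that only treats an empty field as missing. The CSV rows, field names and helper functions are constructed for illustration; a typed null (SQL NULL, JSON null, Python None) and the four-letter string "Null" are different values, and the bug is in collapsing the second into the first.

```python
import csv
import io
import json

# Constructed hotel-registration export (assumption, not real data).
CONSTRUCTED_CSV = """guest_id,first_name,surname,room
101,Raven,Null,12
102,Ada,Lovelace,14
103,Sam,,15
"""

# The tempting rule: any token that "looks like" a null keyword means "no value".
NULL_LOOKALIKES = {"null", "none", "nil", "n/a"}


def load_naive(text):
    """Buggy: the real surname 'Null' is collapsed into a missing value."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            k: None if v.strip() == "" or v.strip().lower() in NULL_LOOKALIKES else v
            for k, v in rec.items()
        })
    return rows


def load_strict(text):
    """Correct: only an empty field is missing; 'Null' is a string like 'Lovelace'."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({k: (None if v == "" else v) for k, v in rec.items()})
    return rows


def find_by_surname(rows, surname):
    """Guest IDs whose surname matches exactly (typed comparison against a str)."""
    return [r["guest_id"] for r in rows if r["surname"] == surname]


def billable(rows):
    """Guests whose record is complete enough to invoice: a surname is present."""
    return [r["guest_id"] for r in rows if r["surname"] is not None]


def serialize(rows):
    """What a downstream system receives: a JSON null versus the JSON string "Null"."""
    return json.dumps(rows)


if __name__ == "__main__":
    for label, loader in (("naive", load_naive), ("strict", load_strict)):
        rows = loader(CONSTRUCTED_CSV)
        print(label, "found Null:", find_by_surname(rows, "Null"),
              "billable:", billable(rows))
        print(" ", serialize(rows))
```

With the naive loader Mr Null cannot be looked up and is never invoiced, which is the free stay the article describes; with the strict loader only guest 103, whose surname field is genuinely empty, is treated as incomplete.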
http://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/
Washington, DC—In a first-of-its-kind program for the federal government, the *Department of Defense* has selected San Francisco-based *HackerOne* to operate its "Hack the Pentagon" bug bounty pilot, aimed at bolstering the department's cybersecurity. Under the program, the company will invite qualified hackers to participate in a 20-day bug bounty pilot beginning April 18. The goal will be to find and report security vulnerabilities within DoD websites so they can be safely resolved. Individual bounty payments will depend on a number of factors, but will come from the $150,000 in funding for the program. "This initiative will put the department's cybersecurity to the test in an innovative but responsible way," said Defense Secretary *Ashton Carter.* "I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot." A registration site is now live and can be accessed at the top link below. https://hackerone.com/hackthepentagon
http://www.nytimes.com/2016/04/03/upshot/satellite-images-can-pinpoint-poverty-where-surveys-cant.html Information that can be gathered from novel sources, using algorithms, can help determine the best places to spend limited resources.
Fahmida Y. Rashid, InfoWorld, 28 Mar 2016
Node.js developers, run NPM install at your own risk: a self-replicating worm can easily spread through the ecosystem.
http://www.infoworld.com/article/3048526/security/nodejs-alert-google-engineer-finds-flaw-in-npm-scripts.html
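An added check for the mechanism the article is about (this is not the article's or npm's own code): npm runs a dependency's preinstall, install and postinstall scripts during `npm install`, so any package in node_modules that declares one gets code execution on the developer's machine, which is what lets a malicious package rewrite and republish the developer's own packages. The script below lays out a constructed node_modules tree and lists which packages declare install-time hooks; the package names and script bodies are made up. `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) is the switch-off, and this audit tells you which packages will then stop building.

```python
import json
import os
import tempfile

# Hooks npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed manifests keyed by path below node_modules (assumption: the
# packages and commands are made up for this example).
CONSTRUCTED_PACKAGES = {
    "left-pad": {"name": "left-pad", "version": "1.0.0",
                 "scripts": {"test": "node test.js"}},
    "colorz": {"name": "colorz", "version": "0.1.0",
               "scripts": {"postinstall": "node setup.js"}},
    "@scope/thing": {"name": "@scope/thing", "version": "2.0.0",
                     "scripts": {"preinstall": "node spread.js", "test": "mocha"}},
    "colorz/node_modules/deep-dep": {"name": "deep-dep", "version": "0.0.1",
                                     "scripts": {"install": "node-gyp rebuild"}},
}


def write_fixture(root):
    """Lay the constructed manifests out as a node_modules tree under root."""
    for rel, manifest in CONSTRUCTED_PACKAGES.items():
        pkg_dir = os.path.join(root, "node_modules", *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w") as fh:
            json.dump(manifest, fh)


def audit_install_hooks(root):
    """Map package name -> {hook: command} for every package.json under
    root/node_modules (nested node_modules included) that declares an
    install-time hook."""
    findings = {}
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json")) as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue  # skip manifests we cannot read or parse
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[manifest.get("name", os.path.relpath(dirpath, root))] = hooks
    return findings


def run_demo():
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        write_fixture(root)
        return audit_install_hooks(root)


if __name__ == "__main__":
    for name, hooks in sorted(run_demo().items()):
        for hook, cmd in hooks.items():
            print(f"{name}: {hook} -> {cmd}")
```

Run `audit_install_hooks(".")` in a real project instead of the fixture; packages such as the constructed `deep-dep` (a native build step) are the legitimate reason hooks exist, which is why the list needs a human rather than a blanket block.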
The Net appears awash with reports about a Google Mail prank that backfired: http://techcrunch.com/2016/04/01/google-reverses-gmail-april-1-prank-after-users-mistakently-put-gifs-into-important-emails/ It appears Google took it upon itself to replace various buttons in their user interface with some that added information to email. I am aware that it's April 1st so even the news stories could be pranks themselves.
With apologies to Arthur C Clarke: "any description of sufficiently advanced technology is indistinguishable from an April Fool." [Note: The Silver Swan, 1611 madrigal by Orlando Gibbons, words allegedly by Sir Christopher Hatton, the last line of which is More Geese than Swans now live, more Fools than Wise ... PGN]
Please report problems with the web pages to the maintainer