In the spring season, when many people travel for sightseeing in Japan, two computer system malfunctions grounded many passengers in the last few weeks. On March 22, ANA check-in systems failed to function properly. ANA system glitch grounds 10,000 domestic passengers, is resolved three hours later: http://www.japantimes.co.jp/news/2016/03/22/national/system-glitch-temporarily-grounds-anas-domestic-flights/ A Google cache of a short notice of the day from ANA (in Japanese): http://webcache.googleusercontent.com/search?q=cache:sbLnVBhAYGEJ:http://www.ana.co.jp/asw/topinfo/info/smartphoneInfo.jsp?id%20160322124041%26language%e%26category%wws_e%2Bana+flight+problem+march+2016&hl=ja&ct=clnk

On April 1, JAL's system for deciding where the passengers and cargo should be placed inside the plane hull stopped working. JAL system glitch causes Haneda flight cancelations http://the-japan-news.com/news/article/0002846877 JAL's short announcement on that day (in Japanese): https://www.jal.co.jp/info/other/160401.html

The irate passengers were complaining in TV interviews on each of those days, but as a computer professional I was curious what caused the issues. This time something very new happened. Interestingly, the cause and remedy were announced very quickly (well, relatively speaking) by ANA and JAL. Not in the exact details that I want (especially in JAL's case), but I think the public in general now understands computer systems better than they did, say, 20-30 years ago, and the companies affected seem to be a little more forthcoming about the issues they faced. I am not sure if English translations of the following articles are available, but the Japanese articles I read explained thusly:

ANA's case: http://itpro.nikkeibp.co.jp/atcl/ncd/14/457163/033101362/ or http://www.aviationwire.jp/archives/85999 - in ANA's case, the problem was traced to a misbehaving Ethernet switch, a Cisco 4948E. The switch was used to exchange packets among redundant DB servers to cross-check the operation of each server, and when the communication degraded, the system stopped. Once this Ethernet switch unit was replaced, the system began operating again after a clean-up. The issue that triggered the failure of the system is that the system as a whole could not detect the degrading (not complete shutdown) of the switch, and ANA mentioned some measure in its statement. Of course, how the status of the switch was monitored is not explained very well in the press articles. Possible brown-bag type of bug?

JAL's case: http://itpro.nikkeibp.co.jp/atcl/news/16/040601011/ In JAL's case, the problem was traced to a system that decides where to put the load (i.e., passengers and cargo) to keep a good balance of the weight on the airplane. This system, called NetLine/Load, was originally created by Lufthansa Systems (LHS). According to the article above, a critical-region handling routine was installed in the week before, and this caused a deadlock of the application cache (not sure exactly what/where the cache is) and the handling of disk access. There is a stand-by system that tried to take over once the deadlock degraded the primary system. But the stand-by system did not have the peak performance of the primary one, and the system failed to handle the busy requests of the morning rush-hour flights, although some flight data were processed satisfactorily, and thus many flights were canceled during that time. JAL announced its plan to upgrade the secondary system's capacity to match the primary one. (Why the critical-region handler was installed in the previous week was not explained, and it seems to have been ripped off from the program under testing.) Interesting that a rather well-explained review of the incidents appeared in the general trade press, although the exact details are still lacking.
[CI] PS: That both airlines did not seem to have foreign-language announcements (maybe I did not search hard enough?) may point to a problem when overseas tourists gather in 2020, when the Tokyo Olympic and Paralympic Games will be held.
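The ANA account above hinges on a monitoring gap: the cluster reacted to a switch that was dead but not to one that was merely degraded. The following is an added example, written for this digest and not code from ANA, the cited articles or the contributor; it contrasts a hard-failure probe with a degradation-aware one over a constructed sequence of probe results. The thresholds, the probe format (RTT in milliseconds, or None for a lost probe) and the "gray" traffic pattern are all assumptions.

```python
from collections import deque
from math import ceil

# Added illustration, not from the article or ANA: a link monitor that
# distinguishes "degraded" from "down". Each probe result is an RTT in
# milliseconds, or None when the probe was lost. Thresholds are assumed.


def _p95(values):
    """Nearest-rank 95th percentile; inf when there is nothing to rank."""
    if not values:
        return float("inf")
    ranked = sorted(values)
    return ranked[min(len(ranked) - 1, ceil(0.95 * len(ranked)) - 1)]


class LinkMonitor:
    def __init__(self, window=50, max_loss=0.05, max_p95_rtt_ms=5.0, down_after=5):
        self.window = window
        self.max_loss = max_loss              # tolerated loss fraction per window
        self.max_p95_rtt_ms = max_p95_rtt_ms  # tolerated tail latency per window
        self.down_after = down_after          # consecutive losses that mean "down"
        self.samples = deque(maxlen=window)
        self.consecutive_losses = 0

    def observe(self, rtt_ms):
        """Record one probe result (None = lost)."""
        self.samples.append(rtt_ms)
        self.consecutive_losses = self.consecutive_losses + 1 if rtt_ms is None else 0

    def up_down_state(self):
        """Hard-failure-only check: sees a dead switch, not a sick one."""
        return "DOWN" if self.consecutive_losses >= self.down_after else "UP"

    def state(self):
        """Degradation-aware check over the sliding window."""
        if self.consecutive_losses >= self.down_after:
            return "DOWN"
        if len(self.samples) < self.window:
            return "WARMING"  # not enough history to judge yet
        loss_rate = sum(s is None for s in self.samples) / len(self.samples)
        p95 = _p95([s for s in self.samples if s is not None])
        if loss_rate > self.max_loss or p95 > self.max_p95_rtt_ms:
            return "DEGRADED"
        return "UP"


def simulate():
    """Feed a healthy phase, then a constructed 'gray' phase: 20% loss,
    never two losses in a row, plus periodic RTT spikes.
    Returns ((naive, aware) after phase 1, (naive, aware) after phase 2)."""
    mon = LinkMonitor()
    for _ in range(50):  # healthy: sub-millisecond, no loss
        mon.observe(0.3)
    healthy = (mon.up_down_state(), mon.state())
    gray_pattern = [0.3, 0.4, None, 0.3, 12.0]  # constructed degraded traffic
    for _ in range(10):
        for rtt in gray_pattern:
            mon.observe(rtt)
    degraded = (mon.up_down_state(), mon.state())
    return healthy, degraded


if __name__ == "__main__":
    print(simulate())
```

The naive check reports UP throughout the second phase because losses never run consecutively, which is exactly the blind spot described above; the windowed check flags DEGRADED from the loss rate and the tail latency. In a real deployment the thresholds would come from the link's measured baseline rather than from constants.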
Columbia, Md.—*MedStar Health*, the Columbia-based healthcare network that operates 10 hospitals in the Baltimore-Washington area, is disputing media reports that last week's crippling malware attack was the result of poor system maintenance. "News reports circulating about the malware attack on MedStar Health's IT system are incorrect," the company said in a statement. "Our partner *Symantec* has been on the ground from the start of the situation and has been conducting a thorough forensic analysis. In reference to the attack at MedStar, Symantec said, 'The 2007 and 2010 fixes referenced in the article were not contributing factors in this event.'" The Associated Press, citing an anonymous source, reported Tuesday that the hackers exploited a design flaw in MedStar's system that had persisted since 2007, despite "urgent public warnings in 2007 and in 2010 that it needed to be fixed with a simple update." The attack early last week crippled the company's three main clinical information systems supporting patient care, though MedStar said that no patient or associate data was compromised. http://www.medstarhealth.org/mhs/2016/04/06/medstar-response-incorrect-media-reports/#q http://m1e.net/c?47971208-lT/cm.IZDH29M%40387025170-E4ZjHXELTfVZ6
The issue isn't that the tests are poorly designed, or that they waste teacher time "teaching to the test", or that they don't help students learn. The problem was that the technology wasn't ready for prime time. Among the problems were a "construction worker [who] accidentally cut a fiber optic cable thousands of miles away at the University of Kansas" (presumably blocking access to servers there). They didn't have redundancy for a system that's used by every schoolchild in the state of Alaska? Also bugs that caused the system to repeatedly restart, which caused problems because students weren't permitted to start back at the beginning. At the risk of getting on my hobby horse, given the budget for the system ($5M), what are the odds that any state would get Internet voting right? There are certain similarities (e.g., everyone uses it more-or-less on the same day, makeups are problematic, and issues like security and availability are paramount), but with significant differences (e.g., no secret ballot in test taking!) - and I'm willing to bet that Alaska didn't invest $5M in their Internet voting system. https://www.washingtonpost.com/news/education/wp/2016/04/05/alaska-cancels-all-k-12-standardized-tests-for-the-year-citing-technical-problems/
http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/ Snippet: The Kansas house is not the only house to have problems as a result of being a default location in the MaxMind database. I also spoke with a man in Virginia who has experienced similar problems for years. Tony Pav lives in a house at the end of a cul-de-sac in Ashburn, Virginia. Among other things, Ashburn is home to a number of large data centers, the giant buildings that companies like Google and Facebook use to store their huge clusters of servers. As a result of all of these data centers, there are a gigantic number of IP addresses associated with Ashburn -- more than 17 million in all. And due to the way MaxMind selected its default locations, all 17 million of these IP addresses appeared to be located in Pav's home. Pav told me he first started experiencing problems four years ago. In 2012, he came home late one night to find the police about to break down his door. They said they were looking for a stolen government laptop with personal information on it. He let them in to search; it wasn't there, even though its IP address was pointing right at his house. ...
NNSquad http://www.theatlantic.com/technology/archive/2016/04/cashless-society/477411/ But wherever information gathers and flows, two predators follow closely behind it: censorship and surveillance. The case of digital money is no exception. Where money becomes a series of signals, it can be censored; where money becomes information, it will inform on you. This is but one example of such technology "bottlenecks" that could put a big smile on Big Brother's face. Concentration of communications resources is another. Yet another will almost certainly be autonomous vehicles, which I'm convinced governments will use both to collect vast quantities of data, and that governments will ultimately demand the ability to remotely control in an array of contexts. [Of course, don't forget that government-mandated backdoors for monitoring would also be useful for nefarious purposes. PGN]
According to CNBC, Tanium commissioned a survey with the Nasdaq. The survey was conducted by Goldsmiths and included responses from 1,530 nonexecutive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries. * 98 percent of the most vulnerable executives have little confidence their firms constantly monitor devices and users on their systems. * More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack. * 40 percent of executives said they don't feel responsible for the repercussions of hackings. * Individuals at the top of an organization - executives like CEOs and CIOs, and even board members - didn't feel personally responsible for cybersecurity or protecting the customer data. http://www.cnbc.com/2016/04/01/many-executives-say-theyre-not-responsible-for-cybersecurity-survey.html Nasdaq report on what the cyber attackers are seeking: http://www.nasdaq.com/press-release/survey-highlights-the-economics-behind-cyberattacks-20160201-00359 [...]
http://arstechnica.com/tech-policy/2016/04/iphone-terror-crypto-uk-police/
http://arstechnica.com/tech-policy/2016/04/judge-calls-uber-algorithm-genius-green-lights-surge-pricing-lawsuit/
FYI—Lemme see. We're recording train passengers, but not airline passengers? More likely, we've *found out* about recording train passengers, but haven't *yet* found out about recording airline passengers. Does anyone seriously believe anymore that airline passengers aren't being recorded *all the time*, including in the restrooms, terminals and frequent flyer lounges? http://www.nj.com/traffic/index.ssf/2016/04/nj_transit_is_recording_the_conversations_of_thousands_of_its_riders.html NJ Transit is recording the conversations of thousands of its riders Who's listening to you on the train? All the conversations between riders are recorded by surveillance equipment aboard NJ Transit light rail trains, which has commuter advocates and the ACLU concerned about privacy. [...] Larry Higgs, NJ Advance Media for NJ.com, 10 Apr 2016
Republicans Hijack an Election Agency, NYTimes Editorial, 10 Apr 2016 http://www.nytimes.com/interactive/opinion/editorialboard.html For 10 years, the Election Assistance Commission, the bipartisan federal agency created after the 2000 election debacle to help make voting easier and more standardized, has made it clear that prospective voters do not need to prove that they are American citizens before they may register. Anyone registering to vote with the federal voter-registration form, which can be used for both federal and state elections, must already sign a statement swearing that he or she is a citizen. Congress rejected a proposal to require documented proof as well, finding that the threat of criminal prosecution for a false statement was enough to deter fraud. This did not satisfy some states, like Kansas and Arizona, where Republican officials have fought for years to block voting by anyone who cannot come up with a birth certificate or a passport. See also: http://www.eac.gov/default.aspx http://www.nytimes.com/2014/03/21/opinion/suppressing-the-vote.html http://www.nytimes.com/2014/10/13/opinion/the-big-lie-behind-voter-id-laws.html http://www.nytimes.com/2016/04/09/us/election-assistance-commission-motor-voter-lawsuit.html
Date: April 7, 2016 at 11:01:12 PM PDT From: Randy Livingston <noreply@stanford.edu> Subject: Notification of Breach To: <employees@stanford.edu> To all Stanford University employees, On Monday, April 4, Stanford's Department of Public Safety and the Information Security Office issued an alert to the university community after receiving a small number of reports from employees of fraudulently filed tax returns. Tax fraud has become a rampant problem across the country, arising from widespread online financial scams and highly publicized cyber breaches that have occurred in recent years. As such, at the time of the university alert, it did not appear that the university was being specifically targeted. University officials began investigating immediately, and that investigation is ongoing. It now appears that the university, among other employers, was a target as a source of W-2 forms. As the investigation proceeded we determined that some Stanford employee W-2 forms were fraudulently downloaded from our third-party vendor. In total, the W-2s of approximately 3,500 current and former Stanford employees were downloaded through the vendor's system. The majority of these downloads are likely legitimate, but I regret to report that we believe that at least 600 were downloaded fraudulently. An affected current or former employee may not yet be aware that his/her records have been compromised. The university will notify all employees whose W-2 forms were downloaded from the vendor's site whether legitimately or not. We intend to issue those notifications early next week. Those notifications will include further instructions for accessing credit monitoring services and other protections at no cost. The university employs a third-party service named W-2Express, which is operated by the credit bureau Equifax, to make W-2 forms accessible online via tax preparation software or for direct download.
These downloads required prior knowledge of an individual's Social Security Number and date of birth. The perpetrators were already in possession of this personal information, which was subsequently used to log in and download the W-2 forms. [The rest omitted for RISKS. PGN] Randy Livingston is Stanford Vice President for Business Affairs and CFO
http://www.reuters.com/article/us-cyber-insurance-idUSKCN0WW1X4 The risk? Mistaking a momentary risk reduction (weather) for long-term trend (climate). And underpricing risk insurance.
http://www.nytimes.com/2016/04/06/nyregion/new-jersey-university-was-fake-but-visa-fraud-arrests-are-real.html Federal officials set up the University of Northern New Jersey, which had no real classes, to ensnare brokers who recruited foreigners trying to obtain student visas.
Bob Snodd sends NurdCo Corporation a message and gets back an auto-response: "We at NurdCo are concerned and will get back to you promptly. Yours sincerely, NurdCo Webpage Manager Bob Snodd" So how did it happen? The template's [Given name] and [Surname] give the intended answer when sent a test mail from the Webpage Manager's own account. OK, I'll tell Facebook Pages to clarify whose names they are talking about.
Chuck Collins, *The Nation* 5 Apr 2016 The Panama Papers Expose the Hidden Wealth of the World's Super-Rich The Panama Papers reveal the widespread use of shell corporations in the British Virgin Islands, the Seychelles in the Indian Ocean, and Panama. Historically, North American investors prefer tax havens in the Caribbean or Panama, with an estimated 54 percent of offshore investments going to those areas. The release of the Panama Papers should give a strong boost to US and global campaigns to crack down on these global secrecy jurisdictions and practices. As global wealth concentrates in fewer hands, the world's wealthy are shifting trillions to offshore havens to escape taxation, accountability, and publicity. The just-released Panama Papers—filled with titillating details involving the shady dealings of world leaders and violent traffickers of drugs and slaves—should give a strong boost to US and global campaigns to crack down on these global secrecy jurisdictions and practices. Starting with an anonymous leak to the German newspaper Süddeutsche Zeitung and shared with a consortium of journalists, the Panama Papers initially identify 140 politicians and public officials using off-shore schemes. Leaders named with offshore wealth include current and former members of China's politburo, three members of the UK House of Lords, the president of Ukraine, and the prime ministers of Iceland and Pakistan. Others include movie star Jackie Chan, Argentinian soccer star Lionel Messi, and 29 billionaires from the Forbes global wealth list. Initial media coverage in US major dailies is scant, perhaps due to the conspicuous absence of US citizens named in what The Guardian calls the *first tranche* of disclosures. [Much more... Excellent article.]
http://www.salon.com/2016/04/06/lessons_of_the_panama_papers_yes_the_rich_are_different_from_us_they_stole_our_money/
http://www.nytimes.com/2016/04/05/world/panama-papers-explainer.html The documents name international politicians, business leaders and celebrities in a web of unseemly financial transactions.
The Panama law firm has issued a PR statement to its clients about the condition of its cybersecurity. Other organizations have also issued some info. * 3-year-old version of Drupal, known to have many vulnerabilities. They were on version 7.23. In 2014, Drupal warned that anyone running on anything below 7.32 can consider themselves to be hacked. * 3-month-old version of WordPress. I believe I have seen several stories about vulnerabilities there. I imagine someone could have done a search for all places using a vulnerable application, for the purpose of breaching all of them. * Encryption not used in e-mails. https://www.linkedin.com/pulse/why-should-we-all-care-panamapapers-tara-taubman-bassirian?
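Whether a site runs a version below the one it needs is a check that is easy to get wrong with string comparison ("7.9" sorts after "7.32"). The following is an added example, not from the LinkedIn post or the firm's own systems: it pulls the version out of two files such CMS installs commonly expose, a Drupal CHANGELOG.txt header and a WordPress readme.html, and compares numerically against a minimum. The file contents are constructed here to resemble the real headers; the Drupal minimum 7.32 is the one quoted in the post, while the WordPress minimum 4.5 is a placeholder assumption, not a claim about which WordPress release closed any particular hole.

```python
import re

# Added example, not from the post or the firm's site. Sample file contents
# are constructed to resemble the real headers of the two files.
DRUPAL_CHANGELOG = """Drupal 7.23, 2013-08-07
-----------------------
- Bug fixes.
"""

WORDPRESS_README = """<h1 id="logo">
    <a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
    <br /> Version 4.4.2
</h1>
"""

# Drupal prints "Drupal X.Y, date" as the first line of CHANGELOG.txt;
# WordPress prints "<br /> Version X.Y.Z" inside the logo heading of readme.html.
VERSION_PATTERNS = {
    "drupal": re.compile(r"^Drupal (\d+(?:\.\d+)*)", re.M),
    "wordpress": re.compile(r"<br\s*/?>\s*Version (\d+(?:\.\d+)*)"),
}

# Minimum acceptable versions. 7.32 is the figure quoted in the post above;
# the WordPress figure is an assumed placeholder for illustration only.
MINIMUMS = {"drupal": "7.32", "wordpress": "4.5"}


def parse_version(text):
    """'7.23' -> (7, 23): tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))


def format_version(parts):
    return ".".join(str(p) for p in parts)


def extract_version(product, content):
    """Return the version tuple found in the product's banner file."""
    match = VERSION_PATTERNS[product].search(content)
    if not match:
        raise ValueError(f"no {product} version banner found")
    return parse_version(match.group(1))


def is_below(observed, minimum):
    """True when observed < minimum, compared component by component."""
    return parse_version(observed) < parse_version(minimum)


def audit(product, content, minimum=None):
    """Version gate for one exposed banner file; returns a small report."""
    minimum = minimum or MINIMUMS[product]
    observed = extract_version(product, content)
    return {
        "product": product,
        "observed": format_version(observed),
        "minimum": minimum,
        "outdated": observed < parse_version(minimum),
    }


if __name__ == "__main__":
    print(audit("drupal", DRUPAL_CHANGELOG))
    print(audit("wordpress", WORDPRESS_README))
    print("string compare says 7.9 >= 7.32:", not ("7.9" < "7.32"))
    print("numeric compare says 7.9 < 7.32:", is_below("7.9", "7.32"))
```

Run against a live site the same two files are fetched over HTTP; the regexes are deliberately narrow so a custom error page does not produce a false version. The last two print lines are the reason for the tuple comparison: a naive string check would call 7.9 newer than 7.32.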
As some of you may know, I launched a group on LinkedIn last week to collect links to major stories on this scandal. https://www.linkedin.com/groups/8508998 There are many aspects of this leak that may be foreign to many members of the general public, so I am on the lookout for places that do a good job of explanation, such as this post I made there today: Offshore banking explained using a great piggy-bank analogy. Many elements of the PP story need explanations which are understandable to people inexperienced in the subjects involved. http://www.theguardian.com/world/2016/apr/05/how-to-explain-offshore-banking-and-when-it-is-naughty-to-a-5-year-old
http://www.nytimes.com/2016/04/06/business/media/how-a-cryptic-message-interested-in-data-led-to-the-panama-papers.html "We're very interested," replied an investigative reporter at a German newspaper in response to an email more than a year ago from an anonymous whistle-blower.
Rupert Neate in NY, David Smith in Washington, *The Guardian*, 5 Apr 2016 Unscripted remarks come as Justice Department confirms it is examining US links to leaked documents from Panama-based tax firm Mossack Fonseca http://www.theguardian.com/news/2016/apr/05/justice-department-panama-papers-mossack-fonseca-us-investigation Barack Obama has called for international tax reform in the wake of the revelations contained in the Panama Papers. In an unscheduled appearance in the White House briefing room, Obama described the revelations from the leaks as "important stuff" and said the issue of global tax avoidance was a *huge problem*. Obama's intervention came as the leak of 11.5m files from the Panama-based Mossack Fonseca continued to create uproar and upheaval around the world. [...]
Cute! His name is R.F.Null, which tells me he knows something about radio and/or radio direction finders—those things that the BBC uses to find unpaid radio receivers. [He may have an antagonist named R.F.Interference. PGN]
Not the first time this has happened. See also: http://web.archive.org/web/20090620040005/http://www.wsbtv.com/news/19715994/detail.html http://www.foxnews.com/us/2013/07/16/ft-worth-crews-accidentally-demolish-wrong-house.html Each time, it's either in Texas, or done by a Texan company. [The AIdes of Texas are upun us, I wreckon. Remember the Alamo? PGN]
I received this today from Blendr (like Grindr or Tinder): Make the most of your credits! We've noticed that you haven't used your credits for a while. Did you know that by using your credits you could increase your popularity level with our easy to use, one-click tools? [Tell me more] Use your 0 credits to increase your popularity and meet more people!
https://www.imtlucca.it/news-events/events/research-seminars Interesting seminar at the IMT School for Advanced Studies by Prof. Giuseppe Longo (CNRS et Ecole Normale Superieure, Paris). The title of the talk was: The Deluge of Spurious Correlations in Big Data: Randomness in Nature and Data. The official paper has been published in Springer's Foundations of Science. http://link.springer.com/article/10.1007/s10699-016-9489-4 The paper is *foundational* in the sense that, roughly speaking, it belongs to the category of scientific contributions to algorithms/computability theory in the form of negative results. The main message is simple and clear: whatever correlation you want to consider, if you search for it in a sufficiently large data set, you will find it. This depends only on the size of the dataset and not on the nature of the data; in particular you find the correlation also in data sets made up of random data. From the abstract of the paper: Using classical results from ergodic theory, Ramsey theory and algorithmic information theory [...], [f]or example, we prove that very large databases have to contain arbitrary correlations. These correlations appear only due to the size, not the nature, of data. They can be found in *randomly generated*, large enough databases, which as we will prove implies that most correlations are spurious. Too much information tends to behave like very little information. The scientific method can be enriched by computer mining in immense databases, but not replaced by it. Although the paper addresses mainly the general issue of scientific research, its results apply of course also to political/social science and their implications also for what concerns civil liberties (as they may be affected by decisions based on Big-data techniques). Dott. Diego Latella, CNR-ISTI, Via Moruzzi 1, 56124, Pisa, Italy http://www.isti.cnr.it/People/D.Latella +390506212982
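The claim above, that a large enough table of pure noise contains strong correlations, can be watched happening. The following is an added illustration written for this digest, not code from the paper or the talk: it fills a table with seeded pseudo-random numbers and tracks the strongest pairwise Pearson correlation as the number of columns grows. Table sizes and the seed are arbitrary choices.

```python
import random
from itertools import combinations
from math import sqrt

# Added illustration, not from Longo's paper: with enough columns of noise,
# some pair will correlate strongly. Data come from a seeded PRNG, so nothing
# about them is "real"; only their size is varied.


def pearson(x, y):
    """Sample Pearson correlation; 0.0 when either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def random_table(n_rows, n_cols, seed=2016):
    """n_cols columns of n_rows uniform(0,1) draws. With a fixed seed the
    first k columns are identical for every n_cols >= k, so widening the
    table only ever adds candidate pairs."""
    rng = random.Random(seed)
    return [[rng.random() for _ in range(n_rows)] for _ in range(n_cols)]


def strongest_correlation(table):
    """(|r|, i, j) for the most correlated pair of columns."""
    best = (0.0, None, None)
    for i, j in combinations(range(len(table)), 2):
        r = abs(pearson(table[i], table[j]))
        if r > best[0]:
            best = (r, i, j)
    return best


def count_above(table, threshold):
    """How many column pairs exceed |r| > threshold."""
    return sum(
        1
        for i, j in combinations(range(len(table)), 2)
        if abs(pearson(table[i], table[j])) > threshold
    )


def sweep(n_rows=30, widths=(5, 20, 100, 200), seed=2016):
    """Strongest |r| found, by number of noise columns, for a fixed row count."""
    return {
        w: round(strongest_correlation(random_table(n_rows, w, seed))[0], 3)
        for w in widths
    }


if __name__ == "__main__":
    for width, r in sweep().items():
        print(f"{width:4d} columns of noise: strongest |r| = {r}")
    print("pairs with |r| > 0.5 at 200 columns:",
          count_above(random_table(30, 200), 0.5))
```

With 30 rows and 200 columns there are 19,900 candidate pairs, so some of them will correlate far above anything a single pre-registered test would accept; the sweep shows the strongest coefficient rising with width alone, which is the "size, not nature" point of the abstract.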
You might find the UK National Audit Office Report on E-borders and successor programmes (December 2015) on PNR-based border security programs in the UK an interesting one: https://www.nao.org.uk/wp-content/uploads/2015/12/E-borders-and-successor-programmes.pdf The lesson I've learned (over and over again) is that (far too) often lessons are not learned. Dott. Diego Latella - Senior Researcher CNR-ISTI, Via Moruzzi 1, 56124 Pisa, Italy (http://www.isti.cnr.it) FM&&T Lab. (http://fmt.isti.cnr.it) http://www.isti.cnr.it/People/D.Latella - ph: +390506212982