Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of the Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
SWIFT is the international clearing house for bank transactions, and is a cooperative with 3,000 members. One of its members, the state bank of Bangladesh, Bangladesh Bank, recently lost $81m due to fraudulent transactions using SWIFT systems. SWIFT has said that some of its software was compromised on Bangladesh Bank computers in order to cover up the $81m loss, which has led to the resignation of the Bank's governor. It seems that authorised access was used to perform the illegitimate transactions, of which the logs (and thus the visible audit trail) were then hidden somehow by malware. https://www.theguardian.com/technology/2016/apr/26/international-bank-transfer-system-hacked-swift-group-admits BAE Systems has some information on the malware involved in covering up the fraudulent transactions, but the incident is not yet fully understood. BAE apparently doesn't know how the fraudulent transactions were created and processed. SWIFT says the fraudulent transactions were initiated through authorised access to its systems. Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany [Different source (Reuters 26 Apr 2016 and DATABREACHES) <http://www.databreaches.net/swift-warns-customers-of-multiple-cyber-fraud-cases-issues-software-security-update/> noted by Werner U. PGN]
Cynthia Chen, Symantec Employee, 25 Apr 2016 Presidential primary apps can gather a lot of information and may expose sensitive data. The number of apps related to the presidential primaries has grown considerably. These apps are more popular than ever, thanks mostly to Donald Trump, according to our data. However, we want to remind users that presidential primary apps can gather a lot of information and may expose sensitive data. Most primary apps are unofficial and not affiliated with a campaign, but even official apps have some data exposure, as we found by looking at two primary candidate apps using the Norton Mobile Security with Norton Mobile Insight app. http://www.symantec.com/connect/blogs/what-you-need-know-about-election-apps-and-your-personal-data
Wow. I guess that with the huge amount of oil revenues these days, they don't need a tourist trade, nor do they care if business people go there. http://news.kuwaittimes.net/website/kuwait-to-enforce-dna-testing-law-on-citizens-expats-visitors-tests-wont-be-used-to-determine-genealogy-affect-freedoms/
David Ellis, University of Adelaide, 22 Apr 2016 University of Adelaide researchers have developed an online tool to help build users' trust in the cloud. "Trust management is a top obstacle in cloud computing, and it's a challenging area of research," says University of Adelaide professor Michael Sheng. He attributes this lack of faith in the cloud to minimal transparency, and the difficulty in knowing whether cloud-based applications are malicious or genuine. Sheng has been developing Cloud Armor, which aims to show which cloud sites, applications, or providers are more trustworthy than others. "The basic concept behind this is like the website Rotten Tomatoes, which is widely used by people to review and rank films," Sheng says. Cloud Armor relies on a "credibility model," a crawler engine that scans all of the comments made on the Internet about any aspect of the cloud, and the model determines what feedback is credible and what is not. "We've tested this with and without our credibility model--without the model, some cloud applications receive a maximum score of 100; but with the model, that score might only get to 50 or 60," Sheng says. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-efc1x2e214x065498&
I had not been aware of that site before following the link to an article there in the last RISKS-digest (regarding the Mexican voters list)... Just scanning over the list of the latest articles there (besides the followup regarding the Mexican issue) might touch on topics of interest to you or other RISKS-readers...

Latest Posts

- Another Greenshades client discloses breach of employee info
  <http://www.databreaches.net/another-greenshades-client-discloses-breach-of-employee-info/>
- Amazon denies Movimiento Cuidadano’s claim that they were hacked
  <http://www.databreaches.net/amazon-denies-movimiento-cuidadanos-claim-that-they-were-hacked/>
- American Samoa Domain Registry Was Exposing Client Data Since the mid-1990s
  <http://www.databreaches.net/american-samoa-domain-registry-was-exposing-client-data-since-the-mid-1990s/>
- Breach Response Portal Added by Massachusetts Regulator
  <http://www.databreaches.net/breach-response-portal-added-by-massachusetts-regulator/>
- Movimiento Ciudadano admits it was their copy of the Mexican voter list on AWS, tries to deflect blame to researcher
  <http://www.databreaches.net/movimiento-ciudadano-admits-responsibility-for-mexican-voter-data-leak-on-amazon/>
- Banks Sue Wendy’s Over Five-Month-Long Data Hack
  <http://www.databreaches.net/banks-sue-wendys-over-five-month-long-data-hack/>
- Vail Valley Medical Center notifies 3,118 patients whose PHI was stolen by departing employee
  <http://www.databreaches.net/vail-valley-medical-center-notifies-3118-patients-whose-phi-was-stolen-by-departing-employee/>
- Rhode Island Attorney General Pushing For A State-Level CFAA That Will Turn Researchers, Whistleblowers Into Criminals
  <http://www.databreaches.net/rhode-island-attorney-general-pushing-for-a-state-level-cfaa-that-will-turn-researchers-whistleblowers-into-criminals/>
- PH: BIR probes employees for leaking sensitive data
  <http://www.databreaches.net/ph-bir-probes-employees-for-leaking-sensitive-data/>
- Norway Starts Requiring Data Breach Notification
  <http://www.databreaches.net/norway-starts-requiring-data-breach-notification/>
Lorenzo Franceschi-Bicchierai, *Motherboard*, 22 Apr 2016 The Pentagon's blue-sky research program is looking for someone to create the ultimate hacker-proof messaging app. The "secure messaging and transaction platform" would use the standard encryption and security features of current messaging apps such as Signal, but also would use a decentralized Blockchain-like backbone structure that would be more resilient to surveillance and cyberattacks. The goal of the U.S. Defense Advanced Research Projects Agency (DARPA) is "a secure messaging system that can provide repudiation or deniability, perfect forward and backward secrecy, time to live/self delete for messages, one-time eyes-only messages, a decentralized infrastructure to be resilient to cyberattacks, and ease of use for individuals in less than ideal situations," according to a recent notice for proposals. DARPA wants "a public wall anyone can monitor or post messages on, but only correct people can decrypt," says Frederic Jacobs, an independent security researcher. He notes one problem with this approach is the structure would have higher latency and be harder to deploy at scale. DARPA's effort also suggests the rise of encryption apps is inevitable. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-efc1x2e210x065498& [DARPA and DoD and most other government agencies *need* strong encryption. Law Enforcement does not. It's not just a Lexican Standoff. PGN]
The latest automaker scandal has focused attention on the company's struggles in the brutally competitive Japanese microcar market. http://www.nytimes.com/2016/04/22/business/mitsubishi-cheating-fuel-economy-investigation.html
The proposal, discovered as part of the investigations into Volkswagen, provides a direct link to the genesis of the diesel deception. http://www.nytimes.com/2016/04/27/business/international/vw-presentation-in-06-showed-how-to-foil-emissions-tests.html
Two sports journalists decided to publicly address the vile messages they receive on social media, comments like "please kill yourself I will provide the bleach." http://www.nytimes.com/2016/04/29/sports/more-than-mean-women-journalists-julie-dicaro-sarah-spain.html
The City of London Police have an email address for members of the public to report phishing attempts and other malware: https://reportlite.actionfraud.police.uk/Survey.mvc/Tab/1/11 The address is NFIBPhishing@city-of-london.pnn.police.uk. Unfortunately, if you try to report malware to the malware reporting mailbox, by forwarding the malware as requested, the mailbox will reject your malware report: because it contains malware!

> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> NFIBPhishing@city-of-london.pnn.police.uk
> delivery canceled ...
> X-ACL-Warn: X-Virus Scan: Sophos AV 9
> X-ACL-Warn: X-Virus Status: infected by malware (Mal/DrodZp-A)
> X-ACL-Warn: X-Virus Note: Certain attachments are not checked for viruses

Dr Martin Ward
STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk
http://www.cse.dmu.ac.uk/~mward/
Sarah Wheaton, Politico <swheaton@politico.com> [About the only things more insane than 'smart' guns are 4,000-pound 4-wheel autonomous drone missiles careening through our neighborhood streets at 60 mph... HB] The govt isn't interested in 'smart' guns, so much as 'back-doored' guns that can be silenced using a big red button controlled by a bureaucrat... A truly 'smart' gun would have to solve the 'Trolley Problem' in real time, using the full power of IBM's Watson/Jeopardy technology, but also having the legal wisdom of the U.S. Supreme Court in order to withstand the "Monday Morning Quarterbacks". https://en.wikipedia.org/wiki/Trolley_problem http://www.politico.com/story/2016/04/obama-smart-gun-technology-222574
"Yes, the alleged cost [of the San Bernardino iPhone hack] is staggering" For the FBI to advertise that it paid $1.3 million for a single hack is part of its cynical effort to secure increased funding for next year: https://www.fbi.gov/news/testimony/fbi-budget-request-for-fiscal-year-2017 "$38.3 million for operational technology investments related to the Going Dark initiative" "$85.1 million to enhance cyber investigative capabilities" "$27 million to leverage Intelligence Community Information Technology Enterprise components and services within the FBI" "$8.2 million to enhance surveillance capabilities" "Overall, the FY 2017 request represents an *increase* of $703.6 million over the FY 2016 enacted levels, including an additional $229.1 million for salaries and expenses and $474.5 million for construction." 'nuf said. [Note: The $1.3M figure was an estimate derived from a rather indirect statement from James Comey, and should be considered an imprecise estimate. PGN]
Chris Vickery, Blog MacKeeper Chris Vickery reports on the MacKeeper blog (dated April 27) of another unsecured MongoDB site he discovered and reported in 2015 to their owners (like the Verizon case) which, however, has since become available for purchase on DarkNet... (...with a potential for tragic personal consequences not unlike the Ashley Madison incident) Dating Website Leaks 1.2 million profiles <https://mackeeper.com/blog/post/218-dating-website-leaks-12-million-profiles> Now their data is being sold online in 2016 MacKeeper Security Researcher Chris Vickery discovered the unsecured database in late 2015 and contacted BeautifulPeople.com to secure the user data. The bad part of this story is that the data was downloaded by cyber criminals sometime between this gap of when the database was unsecured, when it was discovered by Vickery, and when beautifulpeople were notified to secure the database. Now those criminals are selling the data of 1.2 million users online. [...] *Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher: Chris Vickery.* [Indeed. We have done so. PGN]
There are (at least) two causes for the huge potential for miscommunication using emoji:

(1) There are a huge number of different emoji: Unicode lists over 300 faces and gestures, from U+1F600 (GRINNING FACE) to U+1F574 (MAN IN BUSINESS SUIT LEVITATING), and over 1600 emoji in total.

(2) Copyright laws mean that every company has to, or believes that they have to, produce their own designs for each emoji character which are significantly *different* from everyone else's: in order to avoid copyright claims. Also, each company wants to have their own "style" of emoji: even the country flags are.

Also some devices interpret the same code as a very different symbol: the "yellow heart" on iOS (which I assume is U+1F49B YELLOW HEART) is interpreted on Android as a red "hairy heart" (or perhaps "heart with black spikes": this does not appear on the Unicode list). The image received could be very different to the one sent: http://www.engadget.com/2014/04/30/you-may-be-accidentally-sending-friends-a-hairy-heart-emoji/

Dr Martin Ward
STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk
http://www.cse.dmu.ac.uk/~mward/
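The practical consequence of the point above is that the glyph a reader sees is not evidence of what was sent; only the code point is. The following is an added example, not part of Dr Ward's message or of any project: it reduces a message to its Unicode code points and names, using the Python runtime's own Unicode database, so that a log, audit trail or incident transcript records U+1F49B YELLOW HEART rather than whatever the local font happened to draw. The sample message is constructed for illustration and includes the three code points named in the message plus U+E0FFF, an unassigned code point standing in for an emoji newer than the receiving side's Unicode tables. The names lookup assumes a Python build whose Unicode database is at least version 7.0 (where U+1F574 was added).

```python
import unicodedata

# Constructed sample: the three emoji named in the post, plus an unassigned
# code point (U+E0FFF) to show what a "future" emoji looks like to code that
# has never heard of it. Not data from the original message.
SAMPLE_MESSAGE = "ok \U0001F49B \U0001F600 \U0001F574 \U000E0FFF"


def emoji_report(text):
    """Return [(code point label, Unicode name or None), ...] for every
    supplementary-plane character in text (where emoji live).

    The name comes from this runtime's Unicode database. A None therefore
    means *this* side cannot say what the sender meant, which is exactly the
    position an older phone or a different vendor's font is in.
    """
    report = []
    for ch in text:
        cp = ord(ch)
        if cp < 0x10000:           # BMP: ordinary text, skip
            continue
        try:
            name = unicodedata.name(ch)
        except ValueError:         # unassigned, or newer than our tables
            name = None
        report.append((f"U+{cp:04X}", name))
    return report


def escape_emoji(text):
    """Replace supplementary-plane characters with [U+XXXX] escapes.

    Use this before writing user content to logs or evidence files: the
    escape survives font, vendor and Unicode-version differences unchanged,
    while the rendered glyph does not.
    """
    return "".join(
        f"[U+{ord(ch):04X}]" if ord(ch) >= 0x10000 else ch
        for ch in text
    )


if __name__ == "__main__":
    for label, name in emoji_report(SAMPLE_MESSAGE):
        print(label, name if name is not None else "<unknown to this system>")
    print(escape_emoji(SAMPLE_MESSAGE))
```

Run against the sample this prints the yellow heart, grinning face and levitating man by name and marks U+E0FFF as unknown; the escaped form is what belongs in a log line, since a reader with a different font would otherwise see a different picture (or a placeholder box) and draw a different conclusion.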
Anthony Cuthbertson, *Newsweek*, 28 Apr 2016 The European Commission's (EC) just-announced Quantum Flagship project will invest $1.13 billion over the next 10 years to place Europe "at the forefront of the second quantum revolution" via quantum technology development, according to an EC spokesperson. The project seeks to encompass not only quantum computers, but also quantum secure communication, quantum sensing, and quantum simulation. Scheduled to launch in 2018, the Quantum Flagship is a response to the Quantum Manifesto urging substantial quantum technology investment, which was endorsed by several thousand individuals from industry, academia, and government institutions. According to the manifesto, quantum technologies will give birth to a "knowledge-based industrial ecosystem," which will generate long-term economic, scientific, and societal benefits. ETH Zurich professor Matthias Troyer thinks Quantum Flagship recognizes quantum technologies are ready to make the transition from research labs to commercial and industrial applications "that within the next decade will be able to perform tasks that classical devices are incapable of." Cambridge Quantum Computing CEO Ilyas Khan agrees with this assessment. "It has become increasingly clear that it is now only a matter of a relatively short time before quantum technologies become of practical importance at the strategic level for governments and large corporations," Khan says. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-efc1x2e20ax065498&
We invite you to submit a position statement to a workshop on Software Measures and Metrics to Reduce Security Vulnerabilities. https://samate.nist.gov/SwMM-RSV2016.html

when: Tuesday, 12 July 2016, 9 am to 4:30 pm
where: NIST, Gaithersburg, MD, USA

The U.S. Federal Cybersecurity Research and Development Strategic Plan seeks to fundamentally alter the dynamics of security, reversing adversaries' asymmetrical advantages. Achieving this reversal is the mid-term goal of the plan, which calls for "sustainably secure systems development and operation." Part of the mid-term (3-7 years) goal is "the design and implementation of software, firmware, and hardware that are highly resistant to malicious cyber activities ..." and reduce the number of vulnerabilities in software by orders of magnitude.

Measures of software play an important role. Industry requires evidence to tell how vulnerable a piece of software is, what techniques are most effective in developing software with far fewer vulnerabilities, determine the best places to deploy countermeasures, or take any of a number of other actions. This evidence comes from measuring, in the broadest sense, or assessing properties of software. With useful metrics, it is straight-forward to determine which software development technologies or methodologies lead to sustainably secure systems.

The goal of this workshop is to gather ideas on how the U.S. Federal Government can best use taxpayer money to identify, improve, package, deliver, or boost the use of software measures and metrics to significantly reduce vulnerabilities. We call for position statements from one to three paragraphs long. Position statements may be on any subject like the following:

* existing measures of software that can make a difference in three to seven years,
* means of validating software measures or confirming their efficacy (meta-measurements),
* properties in software that can be measured,
* standards (in both étalon and norme senses) needed for software measurement,
* cost vs. benefit of software measurements,
* surmountable barriers to adoption of measures and metrics,
* areas or conditions of applicability (or non-applicability) of measures,
* software measurement procedures (esp. automated ones), or
* sources of variability or uncertainty in software metrics or measures.

The output of this workshop and other efforts is a plan for how best the U.S. Federal Government can employ taxpayer money to significantly curtail software vulnerabilities in the mid-term.

The workshop will be at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland. This workshop is open to all. There is no cost to attend the workshop, but prior registration is required to enter NIST grounds. No walk-in (on-site) registration is available.

A "position" may include articulations of a problem, an issue to discuss, as well as a solution or opinion. The program committee will review the position statements, and invite some to make a presentation. Position statements will be published if agreed to by both the author and the program committee. Send statements to Elizabeth Fong efong@nist.gov by 22 May 2016.

Important Dates
May 22  deadline to submit statements
June 8  invitations to present sent
TBA     deadline to register
July 12 workshop

For more information, go to the web site or contact Elizabeth Fong <efong@nist.gov>, Paul E. Black <paul.black@nist.gov>, or Thomas D. Hurt <thomas.d.hurt.civ@mail.mil>
One of the most relevant RISKS-related books I have ever read has been written by Earl Boebert and James M. Blossom. It provides a DEEP analysis of everything that went wrong, and should be instructive for all RISKS readers. Amazon is now accepting pre-orders for this book, although it will not be released until 6 Sep 2016. I'll write more about the book as the time approaches. (Incidentally, I was not fooled by my search engine offering to correct "Boebert" to "Bieber"—Justin-time spelling correction?)
Lindsay Marshall (who for many years has managed the RISKS repository at Newcastle: catless.ncl.ac.uk) notes that the CATLESS RISKS repository will eventually be rebuilt after the serious water-main break that took down *all* of their servers. (CATLESS apparently has low priority in the crunch to rebuild everything else.) However, we have agreed that there is no longer any reason to ship only one copy of each issue across the pond to Lindsay's CATLESS redistribution service, and so we plan to move *everyone* there onto the regular SRI distribution. However, we cannot do that until CATLESS is reconstituted. PGN
Please report problems with the web pages to the maintainer