Micro-Camera Can Be Injected With A Syringe—May Pose Surveillance Concerns <https://science.slashdot.org/story/16/06/28/2041249/micro-camera-can-be-injected-with-a-syringe----may-pose-surveillance-concerns> (Posted by BeauHD on Tuesday June 28, 201) Taco Cowboy quotes a report from ABC Online: German engineers have created a camera no bigger than a grain of salt <http://www.abc.net.au/news/2016-06-28/3d-printed-injectable-micro-camera/7548966> ...that could change the future of health imaging—and clandestine surveillance. Using 3D printing, researchers from the University of Stuttgart built a three-lens camera, and fit it onto the end of an optical fiber the width of two hairs. Such technology could be used as minimally-intrusive endoscopes for exploring inside the human body, the engineers reported in the journal Nature Photonics. <http://www.nature.com/nphoton/journal/vaop/ncurrent/full/nphoton.2016.121.html> The compound lens of the camera is just 100 micrometers (0.1 millimeters) wide, and 120 micrometers with its casing. It could also be deployed in virtually invisible security monitors, or mini-robots with "autonomous vision." The compound lens can also be printed onto image sensors other than optical fibers, such as those used in digital cameras. The researchers said it only took a few hours to design, manufacture and test the camera, which yielded "high optical performances and tremendous compactness." <http://phys.org/news/2016-06-micro-camera-syringe.html> They believe the 3D printing method—used to create the camera—may represent "a paradigm shift."
(Posted by BeauHD on Monday June 27, 2016) <https://news.slashdot.org/story/16/06/27/2157204/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks> "A botnet of over 25,000 bots is at the heart of recent DDoS attacks that are ferociously attacking businesses across the world with massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites," reports Softpedia. This botnet's particularity is the fact that attacks never fluctuated and the attackers managed to keep a steady rhythm. This is not a classic botnet of infected computers that go on and off, but of compromised CCTV systems that are always on and available for attacks. <http://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml> The brands of CCTV DVRs involved in these attacks are the same highlighted in a report by a security researcher this winter, who discovered a backdoor in the firmware of 70 different CCTV DVR vendors. <https://hardware.slashdot.org/story/16/03/24/002255/cctv-dvr-vulnerabilities-traced-to-chinese-oem-which-spurned-researchers-advice> These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher and the issues were never fixed, leading to crooks creating this huge botnet.
https://techcrunch.com/2016/07/15/uk-surveillance-bill-includes-powers-to-limit-end-to-end-encryption/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29 The UK government has explicitly confirmed that a surveillance bill now making its way through the second chamber could be used to require a company to remove encryption. And even, in some circumstances, to force a comms service provider not to use end-to-end encryption to secure a future service they are developing. The details were revealed during debate of the Investigatory Powers Bill at a committee session in the House of Lords this week. That's "limit it for honest users, not for crooks or terrorists who will of course continue to use strongly end-to-end encrypted apps." Great work UK! Continue sliding down that razor blade you're straddling.
http://boingboing.net/2016/07/05/uk-cops-routinely-raided-polic.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29 Between 2011-2015, there were more than 800 individual UK police personnel who raided official databases to amuse themselves, out of idle curiosity, or for personal financial gain; and over 800 incidents in which information was inappropriately leaked outside of the police channels. The incidents are reported in a new Big Brother Watch publication, which also reports that in most cases, no disciplinary action was taken against the responsible personnel, and only 3% resulted in criminal prosecution or conviction.
[ the RISKS of Finding Out more (the truth?) about those 'Interesting Years'...] America Expands Its Freedom of Information Act <https://yro.slashdot.org/story/16/07/04/0326207/america-expands-its-freedom-of-information-act> (Posted by EditorDavid on Monday July 04, 2016) An anonymous reader writes: As America headed into its "Independence Day weekend," the U.S. Congress passed—and President Obama signed—the "FOIA Improvements Act of 2016". <https://www.congress.gov/bill/114th-congress/senate-bill/337/> It now establishes a "presumption of disclosure" <https://www.whitehouse.gov/the_press_office/FreedomofInformationAct> ...by law, and will even allow the disclosure of "deliberative process" records after 25 years, meaning those records from the Reagan (and prior) administrations should now become open, according to the Washington Post. <https://www.washingtonpost.com/opinions/foia-at-50/2016/07/03/6283af88-3fb0-11e6-a66f-aa6c1883b6b1_story.html> In addition, the law also creates a comprehensive new "online request portal" for requesting records from all agencies, and even requires those agencies to make digital copies available for any records requested three or more times. "By updating FOIA for the digital age, our law puts more government information than ever before online <https://www.leahy.senate.gov/press/statement-of-senator-patrick-leahy-on-presidential-signing-of-s-337-the-foia-improvement-act-of-2015> ...in a format familiar and accessible to the American people," said Senator Leahy, who sponsored the legislation. On the 50th anniversary of America's original Freedom of Information Act, Leahy added that "a government of, by, and for the people cannot be one that is hidden from them... " EditorDavid comments: It's the law's 50th anniversary, and Leahy imagined a world 50 years in the future, when the next generation "will look back at this moment and gauge our commitment to the founding principles of our democracy. Let them see that we continued striving for a 'more perfect union' by strengthening the pillar of transparency that holds our government accountable to 'We the People.'"
China restricts online news sites from sourcing stories on social media http://arstechnica.com/tech-policy/2016/07/china-social-media-news-source-ban/ The latest crackdown on Internet media comes just days after Xu Lin, formerly the deputy head of the Cyberspace Administration of China, replaced his boss, Lu Wei, as the guardian of China's online world. The SCMP notes: "Xu is regarded as one of President Xi Jinping's key supporters," and this move is seen as a further tightening of Xi's grip on cyberspace. Back in February, Ars reported on new regulations that made it much harder for Western media to operate in China. Before that, wide-ranging powers were introduced in 2015 to increase the authorities' control over the Internet in the country. [Werner also noted this topic, cited by manishs on SlashDot posts:] <https://thestack.com/world/2016/06/28/china-tells-app-developers-to-increase-user-monitoring/> <http://betanews.com/2016/03/06/china-surveillance-anti-terrorism/> <http://betanews.com/2016/07/04/china-social-media-news-ban/> <http://betanews.com/2016/05/20/china-fake-social-media-posts/>
(Posted by EditorDavid on Sunday July 03, 2016) <https://yro.slashdot.org/story/16/07/03/0913203/american-cities-are-installing-dhs-funded-audio-surveillance> "Audio surveillance is increasingly being used on parts of urban mass transit systems," reports the Christian Science Monitor. SlashDot reader itwbennett writes "It was first reported in April that New Jersey had been using audio surveillance on some of its light rail lines, raising questions of privacy. This week, New Jersey Transit ended the program, following revelations that the agency 'didn't have policies governing storage and who had access to data.'" <http://www.csoonline.com/article/3090502/security/big-brother-is-listening-as-well-as-watching.html> <http://nj1015.com/nj-transit-defends-use-of-audio-surveillance-on-some-trains/> <http://www.nj.com/traffic/index.ssf/2016/06/a_quiet_end_to_nj_transits_controversial_audio_surveillance_of_riders.html> From the article: New Jersey isn't the only state where you now have even more reason to want to ride in the quiet car. The Baltimore Sun reported in March that the Maryland Transit Administration has used audio recording on some of its mass transit vehicles since 2012. <http://www.baltimoresun.com/news/maryland/bs-md-transit-recording-20160302-story.html> It is now used on 65 percent of buses, and 82 percent of subway trains have audio recording capability, but don't use it yet, according to the Sun. And cities in New Hampshire, Connecticut, Michigan, Ohio, Nevada, Oregon and California have either installed systems or moved to procure them, in many cases with funding from the federal Department of Homeland Security.
via NNSquad http://arstechnica.com/tech-policy/2016/07/europol-iru-extremist-content-censorship-policing/ However AccessNow a global digital rights organisation said Europe's approach to dealing with online extremism is "haphazard, alarming, tone-deaf, and entirely counter-productive." According to AccessNow, "the IRU is outside the rule of law on several grounds. First, illegal content is just that--illegal. If law enforcement encounters illegal activity, be it online or off, it is expected to proceed in dealing with that in a legal, rights-respecting manner. "Second, relegating dealing with this illegal content to a third private party, and leaving analysis and prosecution to their discretion, is both not just lazy--but extremely dangerous. Third, illegal content, if truly illegal, needs to be dealt with that way: with a court order and subsequent removal. The IRU's blatant circumvention of the rule of law is in direct violation of international human rights standards."
Facebook, Twitter, and YouTube blocked in Turkey during reported coup attempt https://techcrunch.com/2016/07/15/facebook-twitter-and-youtube-blocked-in-turkey-during-reported-coup-attempt/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29 The Turkish military have deployed in Istanbul and Ankara, and the government has apparently blocked social media in response to what is being reported as an attempted coup. Turkey Blocks, a Twitter account that regularly checks if sites are being blocked in the country, reported at 1:04 PM Pacific (11:04 PM Istanbul time) that Facebook, Twitter, and YouTube were all unresponsive, though Instagram and Vimeo remained available.
Peter Sayer, ComputerWorld The court also ruled that Belgian courts have no jurisdiction over Facebook Ireland and its U.S. parent http://www.computerworld.com/article/3090085/internet/facebook-wins-appeal-over-tracking-non-members-in-belgium.html opening text: Facebook can resume tracking Belgians online even if they don't have an account with the social network, an appeals court has ruled.
"... require all software written for the government to be open-source and to be developed as such in a public repository." "With opening the source we hope to reduce those [security] incidents, and to detect bad information security practices in the development process, rather than when it's too late." https://medium.com/@bozhobg/bulgaria-got-a-law-requiring-open-source-98bf626cf70a# Bozhidar Bozhanov Bulgaria Got a Law Requiring Open Source Less than two years after my presentation titled "Open source for the government", and almost exactly one year after I became advisor to the deputy prime minister of Bulgaria, with the efforts of my colleagues and the deputy prime minister, the amendments to the Electronic Governance Act were voted in parliament and are now in effect. The amendments require all software written for the government to be open-source and to be developed as such in a public repository. The text of the Electronic governance act can be found here. The particular article is 58a: Art. 58a. (New--SG. 50 of 2016, effective 01.07.2016) Upon preparation of technical and functional assignments for public procurement to develop, upgrade or implementation of information systems and e-services, administrative authorities must include the following requirements: 1. when the subject of the contract includes the development of computer programs: a) computer programs must meet the criteria for open source software; b) all copyright and related rights on the relevant computer programs, their source code, the design of interfaces and databases which are subject to the order should arise for the principal in full, without limitations in the use, modification and distribution; c) development should be done in the repository maintained by the Agency in accordance with Art. 7c pt. 18; That does not mean that the whole country is moving to Linux and LibreOffice, neither does it mean the government demands Microsoft and Oracle to give the source to their products. 
Existing solutions are purchased on licensing terms and they remain unaffected (although we strongly encourage the use of open source solutions for that as well). It means that whatever custom software the government procures will be visible and accessible to everyone. After all, it's paid by tax-payers money and they should both be able to see it and benefit from it. As for security--in the past "security through obscurity" was the main approach, and it didn't quite work --numerous vulnerabilities were found in government websites that went unpatched for years, simply because a contract had expired. With opening the source we hope to reduce those incidents, and to detect bad information security practices in the development process, rather than when it's too late. A new government agency is tasked with enforcing the law and with setting up the public repository (which will likely be mirrored to GitHub). The fact that something is in the law doesn't mean it's a fact, though. The programming community should insist on it being enforced. At the same time some companies will surely try to circumvent it. But in general, I think this is a good step for better government software and less abandonware and I hope other countries follow our somewhat "radical" approach of putting it in the law. [Also noted by Werner via manishs at SlashDot. PGN]
Zack Whittaker for Zero Day, ZDNet, 30 Jun 2016 The number of wiretaps rocketed by 17 percent on the year prior. http://www.zdnet.com/article/us-courts-did-not-reject-a-single-wiretap-last-year-says-new-report/ selected text: The number of wiretaps authorized by the courts in 2015 rocketed compared to the year before, says a new report. But not a single wiretap request was rejected during 2015, the report showed. The report doesn't take into account classified national security requests, which typically involve terrorism, submitted to the Foreign Intelligence Surveillance Court, which were already reported earlier this year. The government received 1,457 requests from the National Security Agency and the Federal Bureau of Investigation to intercept phone calls and emails last year, but it, too, did not reject a single order.
Martyn Williams, PC World, 5 Jul 2016 Fearing surveillance, man allegedly shot at Google and set self-driving car ablaze; Police arrest Oakland man near Google headquarters with pipe bomb, firearms in car. http://www.pcworld.com/article/3091864/internet-of-things/fearing-surveillance-man-allegedly-shot-at-google-and-set-self-driving-car-ablaze.html selected text: A man who told police he feared surveillance by Google has been arrested and charged with arson after one of the company's self-driving cars was destroyed in an attack in June. ... They became suspicious because his car matched that spotted at the scene of several attacks on the company over the preceding six weeks. The first, on May 19, saw several Molotov cocktails thrown at a Google Street View vehicle that was parked in a company lot in Mountain View. The resulting fire didn't damage the car because the bottles bounced off it, but the ground nearby was burnt. A second incident on June 4 occurred late at night when someone fired shots at a Google building in Mountain View. Police found five holes in windows and damage to window frames. The third happened on June 10 in the middle of the night when a male in a similar car used a squirt gun to set alight a Google self-driving car. The car was destroyed in the fire. Further linking the three crimes, the driver parked in the same spot as in the original incident and was in a similar car.
Stephen Lawson, PC World, 30 Jun 2016 http://www.pcworld.com/article/3090513/eyefi-leaves-some-card-owners-stranded-highlighting-iot-hazards.html Eyefi leaves some card owners stranded, highlighting IoT hazards Ending support for some older Wi-Fi flash cards will make them nearly useless selected text: Older networked flash cards from Eyefi will become the next IoT devices to effectively die in consumers' hands when the company cuts off support for older models in September. The move came just days after Eyefi's cloud technology was acquired by camera and imaging company Ricoh. It sparked outrage among many users, some of them vowing never to buy another Eyefi product.
via NNSquad https://www.sciencedaily.com/releases/2016/06/160630145018.htm If someone posts illegal content on your website, are you liable? A new project addresses that question by examining the potential liability faced by website owners and other online service providers in five countries - Brazil, Russia, India, China and Thailand. The project provides new insight on the murky area of Internet intermediary liability in developing countries.
In the past couple of weeks, I have noticed a huge number of "news" articles about spam filters being turned off while Hillary Clinton was Secretary of State. For example: http://arstechnica.com/information-technology/2016/06/clintons-private-e-mail-was-blocked-by-spam-filters-so-state-it-turned-them-off/ To summarize: Hillary Clinton and her staff were having difficulty communicating with State Department officials by e-mail because spam filters were blocking their messages. To fix the problem, State Department IT turned the filters off. I assume that this spate of articles is prompted by political motivations. I assume that, because this type of action is normal operating procedure for anyone involved in infosec. Spam filters stop legitimate email getting through? You stop those filters, until you can get better ones. Your door lock is broken? You leave the door unlocked until you can get a locksmith in. A safeguard, control, or countermeasure is preventing normal operations? You shut down that control and look for something better: something that will prevent attacks, but won't impede normal work. I am not surprised to see this type of furor in the general media. After all, we know that most reporters simply don't understand anything about security. However, I am astounded to see this report resurfacing and being recirculated by those who should know better. rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/
NNSquad http://www.dailydot.com/layer8/guccifer-clinton-server-hack-lie/ The Romanian hacker known as Guccifer admitted to the FBI that he lied to the public when he said he had repeatedly hacked into Hillary Clinton's email server in 2013. Guccifer, real name Marcel Lehel Lazar, told Fox News and NBC News in May 2016 about his alleged hacking. Despite offering no proof, the claim caused a huge stir, including making headline news on some of America's biggest publications. FBI Director James Comey testified under oath before Congress on Thursday that Guccifer never hacked into Clinton's servers and in fact admitted that he lied.
Item in newspaper about new EU data-protection law may be of interest ("Brexit" is the UK's referendum vote to leave the EU):
> http://www.telegraph.co.uk/technology/2016/06/30/we-mustnt-let-brexit-open-a-chasm-with-europe-on-data-protection/
>
> We mustn't let Brexit open a chasm with Europe on data protection
> =================================================================
>
> In less than two years a massive new piece of EU data law, known as the General Data Protection Regulation, will come into force. The law, designed to replace the disparate collection of national data regimes, will enforce strict new rules and give new powers to data regulators. Businesses will have to obtain clear consent before processing citizens' information, disclose when data breaches occur, and could be fined up to 5pc of their global revenues for abuse of the regime.
>
> The law had been criticised for being too strict, but was set to be adopted wholeheartedly, and compliance would require a substantial investment at a time when budgets are squeezed. ...
>
> European officials—suspicious of the American Internet giants and their relationship with the US government—have pushed for strong laws and fines on data protection and cybersecurity. ...
>
> While technology has no borders, as one investor said last week, European law does have strict laws on transferring citizens' information outside of the bloc. Countries outside the EU that want data to freely flow across borders without complicated arrangements must convince Brussels that its privacy laws are up to scratch.
>
> Winning this approval is not easy, as the case of America's battle with the Austrian law student Max Schrems shows. Schrems successfully convinced the European Court of Justice last year to throw out Safe Harbour.
Not sure what this may mean for the big global Internet players like Google, Amazon, social-networking sites, and so forth—if they have to make their entire operation EU-compliant OR have separate EU and non-EU operations and keep their EU data only in the EU part OR not have any business in the EU at all..? Looks like another culture clash between Europe and America. As I recall from working in telecomms, it's somewhat reminiscent of the Sarbanes-Oxley measures for accounting which had to be implemented about 12 years ago; they were required for US companies, but also any others with interests in the US, i.e. most big firms. The problem was that designing compliance with Sarbanes-Oxley into new systems was no big deal, but re-engineering existing systems to meet the requirements was quite a challenge.
> By using only a few lines of Python, the firm's researchers found that > over 50 percent of top 500 Alexa websites were vulnerable to spoofing -- > either through having no authentication configured or by having settings > misconfigured. This is a rather silly article. It just summarizes a third-party report, and the author of the report doesn't understand the way that SPF works. He is under the misimpression that using the SPF "softfail" option is a bug.
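An added example, not from the original post or the report it criticises, showing the distinction the contributor draws: a minimal offline SPF evaluator that reads the record's "all" qualifier, so that a domain ending in `~all` (softfail, a deliberate policy choice) is not reported as "no authentication configured". It assumes a constructed in-memory table of TXT records in place of live DNS lookups; the `a`, `mx`, `ptr` and `exists` mechanisms, which need real DNS, are skipped.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed DNS table.

Added example; the record contents below are constructed, not real domains.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
FAKE_DNS = {
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example ~all",
    "hardfail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "neutral.example": "v=spf1 ?all",
    "open.example": "v=spf1 +all",
}

# SPF qualifier characters and the result each produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_term(term):
    """Separate an optional qualifier from a mechanism ('~all' -> ('~', 'all'))."""
    if term[0] in QUALIFIERS:
        return term[0], term[1:]
    return "+", term


def all_qualifier(domain, dns=FAKE_DNS):
    """Return the qualifier on the record's 'all' term, or None if absent.

    '-' is a hard fail, '~' a softfail, '?' neutral (effectively no policy),
    and '+' means anyone may send as the domain, which is the genuinely
    misconfigured case.
    """
    record = dns.get(domain, "")
    for term in record.split()[1:]:
        qualifier, name = _split_term(term)
        if name.lower() == "all":
            return qualifier
    return None


def evaluate_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Evaluate sender_ip against domain's record; returns an SPF result string."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10; guards include loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = _split_term(term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network (and vice versa).
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only when the referenced record yields "pass".
            matched = evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            continue  # a, mx, ptr, exists need live DNS; skipped in this offline demo
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no trailing "all"
```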
[Via Dave Farber] http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html *The NY Times* says that one of the mechanisms for stealing newer cars (such as Prius) is to use an RF power amplifier to extend the reach of the key in your house (maybe in your pocket in the house, maybe on the kitchen counter). Normally the transceiver in the door handle has a range of a foot or so, but with the portable amplifier, this might be extended to 100 feet or more. This allows the thief to get in the car (with the key in your pocket, the door unlocks when you lift the door handle) then start the car (since the car thinks you have the key in your pocket). You can then drive away, but if the car is turned off, it will not start again (since the key is now too far away). Perfect for a teenage joyride.