The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 61

Friday 15 July 2016

Contents

New Micro-Cameras... Pose Surveillance Concerns
SlashDot
Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks
SlashDot
UK surveillance bill includes powers to limit end-to-end encryption
Techcrunch
UK cops routinely raided police databases to satisfy personal interest or make money on the side
BoingBoing
America Expands Its Freedom of Information Act
SlashDot
China restricts online news sites from sourcing stories on social media
Ars Technica
American Cities Are Installing DHS-Funded Audio Surveillance
Christian Science Monitor
Europol's online censorship unit is haphazard and unaccountable says NGO
Ars Technica
Facebook/Twitter/YouTube blocked in Turkey during coup attempt
Techcrunch
"Facebook wins appeal over tracking non-members in Belgium"
Peter Sayer
Bulgaria Got a Law Requiring Open Source
Bozhidar Bozhanov via Henry Baker
"US courts didn't reject a single wiretap request in 2015"
Zack Whittaker
"Fearing surveillance, man allegedly shot at Google and set self-driving car ablaze"
Martyn Williams
"Eyefi leaves some card owners stranded, highlighting IoT hazards"
Stephen Lawson
Liability of Internet 'intermediaries' in developing countries
Science Daily
Spam filters and state departments and Clintons--oh, my!
Rob Slade
FBI director says Guccifer admitted he lied about hacking Hillary Clinton's email
Daily Dot
Re: "We mustn't open a chasm with Europe on data protection"
Chris Drewe
Re: "Over half of world's top domains weak against email spoofing"
John Levine
Re: Great, Now Someone Can Steal Your Car Using A Laptop Computer
Lars Poulsen
Info on RISKS (comp.risks)

New Micro-Cameras... Pose Surveillance Concerns (SlashDot)

Werner <werneru@gmail.com>
Wed, 29 Jun 2016 21:48:52 +0200
Micro-Camera Can Be Injected With A Syringe—May Pose Surveillance
Concerns
<https://science.slashdot.org/story/16/06/28/2041249/micro-camera-can-be-injected-with-a-syringe----may-pose-surveillance-concerns>
(Posted by BeauHD on Tuesday June 28, 2016)

Taco Cowboy quotes a report from ABC Online:

German engineers have created a camera no bigger than a grain of salt
<http://www.abc.net.au/news/2016-06-28/3d-printed-injectable-micro-camera/7548966>
...that could change the future of health imaging—and clandestine
surveillance.

Using 3D printing, researchers from the University of Stuttgart built a
three-lens camera, and fit it onto the end of an optical fiber the width of
two hairs. Such technology could be used as minimally-intrusive endoscopes
for exploring inside the human body, the engineers reported in the journal
Nature Photonics.
<http://www.nature.com/nphoton/journal/vaop/ncurrent/full/nphoton.2016.121.html>

The compound lens of the camera is just 100 micrometers (0.1 millimeters)
wide, and 120 micrometers with its casing. It could also be deployed in
virtually invisible security monitors, or mini-robots with "autonomous
vision." The compound lens can also be printed onto image sensors other than
optical fibers, such as those used in digital cameras.  The researchers said
it only took a few hours to design, manufacture and test the camera, which
yielded "high optical performances and tremendous compactness."
<http://phys.org/news/2016-06-micro-camera-syringe.html> They believe the 3D
printing method—used to create the camera—may represent "a paradigm
shift."


Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks (SlashDot)

Werner <werneru@gmail.com>
Wed, 29 Jun 2016 21:04:08 +0200
(Posted by BeauHD on Monday June 27, 2016)
<https://news.slashdot.org/story/16/06/27/2157204/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks>

"A botnet of over 25,000 bots is at the heart of recent DDoS attacks that
are ferociously attacking businesses across the world with massive Layer 7
DDoS attacks that are overwhelming Web servers, occupying their resources
and eventually crashing websites," reports Softpedia. This botnet's
particularity is the fact that attacks never fluctuated and the attackers
managed to keep a steady rhythm. This is not a classic botnet of infected
computers that go on and off, but of compromised CCTV systems that are
always on and available for attacks.
<http://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml>

The brands of CCTV DVRs involved in these attacks are the same highlighted
in a report by a security researcher this winter, who discovered a backdoor
in the firmware of 70 different CCTV DVR vendors.
<https://hardware.slashdot.org/story/16/03/24/002255/cctv-dvr-vulnerabilities-traced-to-chinese-oem-which-spurned-researchers-advice>
These companies had bought unbranded DVRs from Chinese firm TVT. When
informed of the firmware issues, TVT ignored the researcher and the issues
were never fixed, leading to crooks creating this huge botnet.
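The steady, many-source Layer 7 pattern the report describes is what a server-side check would look for. The following is an added example (not code from the article, from Softpedia, or from the DVR vendor): it parses combined-format access-log lines, buckets requests per second and per path, and flags paths that a large number of distinct client addresses request at a near-constant rate. The log lines are constructed here, and the thresholds (10 sources, 5 seconds of traffic, coefficient of variation 0.15) are assumptions chosen for illustration, not values from the report.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def find_steady_floods(lines, min_sources=10, min_seconds=5, max_cv=0.15):
    """Return {path: stats} for paths that many distinct clients request at a
    near-constant per-second rate. The thresholds are illustrative assumptions:
    at least min_sources addresses, traffic in at least min_seconds distinct
    seconds, and a coefficient of variation of the per-second count <= max_cv."""
    per_path = defaultdict(lambda: defaultdict(lambda: {"n": 0, "ips": set()}))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = per_path[rec["path"]][rec["ts"].replace(microsecond=0)]
        bucket["n"] += 1
        bucket["ips"].add(rec["ip"])

    findings = {}
    for path, buckets in per_path.items():
        if len(buckets) < min_seconds:
            continue
        counts = [b["n"] for b in buckets.values()]
        sources = set().union(*(b["ips"] for b in buckets.values()))
        mean = statistics.mean(counts)
        cv = statistics.pstdev(counts) / mean
        if len(sources) >= min_sources and cv <= max_cv:
            findings[path] = {"sources": len(sources), "rps": mean, "cv": round(cv, 3)}
    return findings


def build_sample_log():
    """Constructed traffic, not a capture: 20 'camera' addresses each request
    /search once per second for 10 seconds, plus a few ordinary visitors."""
    base = datetime(2016, 6, 27, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(10):
        ts = (base + timedelta(seconds=s)).strftime(TS_FMT)
        for i in range(20):
            lines.append(f'203.0.113.{i + 1} - - [{ts}] "GET /search?q=x{s} HTTP/1.1" '
                         f'200 5120 "-" "Mozilla/4.0 (compatible)"')
    for s, ip, path in [(0, "198.51.100.5", "/"), (3, "198.51.100.6", "/about"),
                        (7, "198.51.100.5", "/")]:
        ts = (base + timedelta(seconds=s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 800 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for path, stats in find_steady_floods(build_sample_log()).items():
        print(path, stats)
```

On the constructed log only /search is reported: 20 sources, 20 requests per second, a coefficient of variation of 0. A production version would stream the counters rather than hold the whole log in memory, and would also group by User-Agent and address range, since a fleet of devices running one firmware image can be expected to present identical headers.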


UK surveillance bill includes powers to limit end-to-end encryption (Techcrunch)

Lauren Weinstein <lauren@vortex.com>
Fri, 15 Jul 2016 10:28:20 -0700
https://techcrunch.com/2016/07/15/uk-surveillance-bill-includes-powers-to-limit-end-to-end-encryption/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  The UK government has explicitly confirmed that a surveillance bill now
  making its way through the second chamber could be used to require a
  company to remove encryption. And even, in some circumstances, to force a
  comms service provider not to use end-to-end encryption to secure a future
  service they are developing. The details were revealed during debate of
  the Investigatory Powers Bill at a committee session in the House of Lords
  this week.

That's "limit it for honest users, not for crooks or terrorists who will
of course continue to use strongly end-to-end encrypted apps."  Great work
UK!  Continue sliding down that razor blade you're straddling.


UK cops routinely raided police databases to satisfy personal interest or make money on the side (BoingBoing)

Lauren Weinstein <lauren@vortex.com>
Tue, 5 Jul 2016 12:21:19 -0700
http://boingboing.net/2016/07/05/uk-cops-routinely-raided-polic.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  Between 2011-2015, there were more than 800 individual UK police personnel
  who raided official databases to amuse themselves, out of idle curiosity,
  or for personal financial gain; and over 800 incidents in which
  information was inappropriately leaked outside of the police channels.
  The incidents are reported in a new Big Brother Watch publication, which
  also reports that in most cases, no disciplinary action was taken against
  the responsible personnel, and only 3% resulted in criminal prosecution or
  conviction.


America Expands Its Freedom of Information Act (SlashDot)

Werner <werneru@gmail.com>
Mon, 4 Jul 2016 22:57:38 +0200
[ the RISKS of Finding Out more (the truth?) about those 'Interesting
Years'...]

America Expands Its Freedom of Information Act
<https://yro.slashdot.org/story/16/07/04/0326207/america-expands-its-freedom-of-information-act>
(Posted by EditorDavid on Monday July 04, 2016)

An anonymous reader writes:

As America headed into its "Independence Day weekend," the U.S. Congress
passed—and President Obama signed—the "FOIA Improvements Act of 2016".
<https://www.congress.gov/bill/114th-congress/senate-bill/337/>
It now establishes a "presumption of disclosure"
<https://www.whitehouse.gov/the_press_office/FreedomofInformationAct>
...by law, and will even allow the disclosure of "deliberative process"
records after 25 years, meaning those records from the Reagan (and
prior) administrations should now become open, according to the
Washington Post.
<https://www.washingtonpost.com/opinions/foia-at-50/2016/07/03/6283af88-3fb0-11e6-a66f-aa6c1883b6b1_story.html>
In addition, the law also creates a comprehensive new "online request
portal" for requesting records from all agencies, and even requires
those agencies to make digital copies available for any records
requested three or more times.

"By updating FOIA for the digital age, our law puts more government
information than ever before online
<https://www.leahy.senate.gov/press/statement-of-senator-patrick-leahy-on-presidential-signing-of-s-337-the-foia-improvement-act-of-2015>
...in a format familiar and accessible to the American people," said
Senator Leahy, who sponsored the legislation. On the 50th anniversary of
America's original Freedom of Information Act, Leahy added that "a
government of, by, and for the people cannot be one that is hidden from
them... "

EditorDavid comments: It's the law's 50th anniversary, and Leahy
imagined a world 50 years in the future, when the next generation "will
look back at this moment and gauge our commitment to the founding
principles of our democracy. Let them see that we continued striving for
a 'more perfect union' by strengthening the pillar of transparency that
holds our government accountable to 'We the People.'"


China restricts online news sites from sourcing stories on social media (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
July 4, 2016 at 11:22:52 AM EDT
China restricts online news sites from sourcing stories on social media
http://arstechnica.com/tech-policy/2016/07/china-social-media-news-source-ban/

The latest crackdown on Internet media comes just days after Xu Lin,
formerly the deputy head of the Cyberspace Administration of China, replaced
his boss, Lu Wei, as the guardian of China's online world.  The SCMP notes:
"Xu is regarded as one of President Xi Jinping's key supporters," and this
move is seen as a further tightening of Xi's grip on cyberspace.  Back in
February, Ars reported on new regulations that made it much harder for
Western media to operate in China. Before that, wide-ranging powers were
introduced in 2015 to increase the authorities' control over the Internet in
the country.

  [Werner also noted this topic, cited by manishs on SlashDot posts:]
<https://thestack.com/world/2016/06/28/china-tells-app-developers-to-increase-user-monitoring/>
<http://betanews.com/2016/03/06/china-surveillance-anti-terrorism/>
<http://betanews.com/2016/07/04/china-social-media-news-ban/>
<http://betanews.com/2016/05/20/china-fake-social-media-posts/>


American Cities Are Installing DHS-Funded Audio Surveillance (Christian Science Monitor via SlashDot)

Werner <werneru@gmail.com>
Tue, 5 Jul 2016 00:00:00 +0200
(Posted by EditorDavid on Sunday July 03, 2016)
<https://yro.slashdot.org/story/16/07/03/0913203/american-cities-are-installing-dhs-funded-audio-surveillance>

"Audio surveillance is increasingly being used on parts of urban mass
transit systems," reports the Christian Science Monitor.

SlashDot reader itwbennett writes "It was first reported in April that New
Jersey had been using audio surveillance on some of its light rail lines,
raising questions of privacy. This week, New Jersey Transit ended the
program, following revelations that the agency 'didn't have policies
governing storage and who had access to data.'"
<http://www.csoonline.com/article/3090502/security/big-brother-is-listening-as-well-as-watching.html>
<http://nj1015.com/nj-transit-defends-use-of-audio-surveillance-on-some-trains/>
<http://www.nj.com/traffic/index.ssf/2016/06/a_quiet_end_to_nj_transits_controversial_audio_surveillance_of_riders.html>

From the article:
New Jersey isn't the only state where you now have even more reason to
want to ride in the quiet car. The Baltimore Sun reported in March that
the Maryland Transit Administration has used audio recording on some of
its mass transit vehicles since 2012.
<http://www.baltimoresun.com/news/maryland/bs-md-transit-recording-20160302-story.html>

It is now used on 65 percent of buses, and 82 percent of subway trains
have audio recording capability, but don't use it yet, according to the
Sun. And cities in New Hampshire, Connecticut, Michigan, Ohio, Nevada,
Oregon and California have either installed systems or moved to procure
them, in many cases with funding from the federal Department of Homeland
Security.


Europol's online censorship unit is haphazard and unaccountable says NGO (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Mon, 4 Jul 2016 08:25:33 -0700
via NNSquad
http://arstechnica.com/tech-policy/2016/07/europol-iru-extremist-content-censorship-policing/

  However, AccessNow, a global digital rights organisation, said Europe's
  approach to dealing with online extremism is "haphazard, alarming,
  tone-deaf, and entirely counter-productive."  According to AccessNow, "the
  IRU is outside the rule of law on several grounds. First, illegal content
  is just that--illegal. If law enforcement encounters illegal activity, be
  it online or off, it is expected to proceed in dealing with that in a
  legal, rights-respecting manner.  "Second, relegating dealing with this
  illegal content to a third private party, and leaving analysis and
  prosecution to their discretion, is both not just lazy--but extremely
  dangerous. Third, illegal content, if truly illegal, needs to be dealt
  with that way: with a court order and subsequent removal. The IRU's
  blatant circumvention of the rule of law is in direct violation of
  international human rights standards."


Facebook/Twitter/YouTube blocked in Turkey during coup attempt (Techcrunch)

Lauren Weinstein <lauren@vortex.com>
Fri, 15 Jul 2016 13:49:56 -0700
Facebook, Twitter, and YouTube blocked in Turkey during reported coup attempt
https://techcrunch.com/2016/07/15/facebook-twitter-and-youtube-blocked-in-turkey-during-reported-coup-attempt/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  The Turkish military have deployed in Istanbul and Ankara, and the
  government has apparently blocked social media in response to what is
  being reported as an attempted coup.  Turkey Blocks, a Twitter account
  that regularly checks if sites are being blocked in the country, reported
  at 1:04 PM Pacific (11:04 PM Istanbul time) that Facebook, Twitter, and
  YouTube were all unresponsive, though Instagram and Vimeo remained
  available.


"Facebook wins appeal over tracking non-members in Belgium" (Peter Sayer)

Gene Wirchenko <genew@telus.net>
Thu, 30 Jun 2016 11:18:53 -0700
Peter Sayer, ComputerWorld
The court also ruled that Belgian courts have no jurisdiction over
Facebook Ireland and its U.S. parent
http://www.computerworld.com/article/3090085/internet/facebook-wins-appeal-over-tracking-non-members-in-belgium.html

opening text:

Facebook can resume tracking Belgians online even if they don't have an
account with the social network, an appeals court has ruled.


Bulgaria Got a Law Requiring Open Source (Bozhidar Bozhanov)

Henry Baker <hbaker1@pipeline.com>
Mon, 04 Jul 2016 16:14:44 -0700
"... require all software written for the government to be open-source and
to be developed as such in a public repository."

"With opening the source we hope to reduce those [security] incidents, and
to detect bad information security practices in the development process,
rather than when it's too late."

https://medium.com/@bozhobg/bulgaria-got-a-law-requiring-open-source-98bf626cf70a#

Bozhidar Bozhanov
Bulgaria Got a Law Requiring Open Source

Less than two years after my presentation titled "Open source for the
government", and almost exactly one year after I became advisor to the
deputy prime minister of Bulgaria, with the efforts of my colleagues and the
deputy prime minister, the amendments to the Electronic Governance Act were
voted in parliament and are now in effect.  The amendments require all
software written for the government to be open-source and to be developed as
such in a public repository.

The text of the Electronic governance act can be found here.  The particular
article is 58a:

  Art. 58a. (New--SG. 50 of 2016, effective 01.07.2016) Upon preparation of
  technical and functional assignments for public procurement to develop,
  upgrade or implementation of information systems and e-services,
  administrative authorities must include the following requirements:

  1. when the subject of the contract includes the development of computer
     programs:

    a) computer programs must meet the criteria for open source software;

    b) all copyright and related rights on the relevant computer programs,
    their source code, the design of interfaces and databases which are
    subject to the order should arise for the principal in full, without
    limitations in the use, modification and distribution;

    c) development should be done in the repository maintained by the Agency
    in accordance with Art. 7c pt. 18;

That does not mean that the whole country is moving to Linux and
LibreOffice, neither does it mean the government demands Microsoft and
Oracle to give the source to their products.  Existing solutions are
purchased on licensing terms and they remain unaffected (although we
strongly encourage the use of open source solutions for that as well).

It means that whatever custom software the government procures will be
visible and accessible to everyone.  After all, it's paid by tax-payers
money and they should both be able to see it and benefit from it.

As for security--in the past "security through obscurity" was the main
approach, and it didn't quite work --numerous vulnerabilities were found in
government websites that went unpatched for years, simply because a contract
had expired.  With opening the source we hope to reduce those incidents, and
to detect bad information security practices in the development process,
rather than when it's too late.

A new government agency is tasked with enforcing the law and with setting up
the public repository (which will likely be mirrored to GitHub).

The fact that something is in the law doesn't mean it's a fact, though.  The
programming community should insist on it being enforced.  At the same time
some companies will surely try to circumvent it.

But in general, I think this is a good step for better government software
and less abandonware and I hope other countries follow our somewhat
"radical" approach of putting it in the law.

  [Also noted by Werner via manishs at SlashDot.  PGN]


"US courts didn't reject a single wiretap request in 2015" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Thu, 30 Jun 2016 11:06:32 -0700
Zack Whittaker for Zero Day, ZDNet, 30 Jun 2016
The number of wiretaps rocketed by 17 percent on the year prior.
http://www.zdnet.com/article/us-courts-did-not-reject-a-single-wiretap-last-year-says-new-report/

selected text:

The number of wiretaps authorized by the courts in 2015 rocketed compared to
the year before, says a new report.

But not a single wiretap request was rejected during 2015, the report showed.

The report doesn't take into account classified national security requests,
which typically involve terrorism, submitted to the Foreign Intelligence
Surveillance Court, which were already reported earlier this year.

The government received 1,457 requests from the National Security Agency and
the Federal Bureau of Investigation to intercept phone calls and emails last
year, but it too did not reject a single order.


"Fearing surveillance, man allegedly shot at Google and set self-driving car ablaze" (Martyn Williams)

Gene Wirchenko <genew@telus.net>
Wed, 06 Jul 2016 10:11:23 -0700
Martyn Williams, PC World, 5 Jul 2016
Fearing surveillance, man allegedly shot at Google and set
  self-driving car ablaze; Police arrest Oakland man near Google
  headquarters with pipe bomb, firearms in car.
http://www.pcworld.com/article/3091864/internet-of-things/fearing-surveillance-man-allegedly-shot-at-google-and-set-self-driving-car-ablaze.html

selected text:

A man who told police he feared surveillance by Google has been arrested and
charged with arson after one of the company's self-driving cars was
destroyed in an attack in June.

...  They became suspicious because his car matched that spotted at the
scene of several attacks on the company over the preceding six weeks.

The first, on May 19, saw several Molotov cocktails thrown at a Google
Street View vehicle that was parked in a company lot in Mountain View. The
resulting fire didn't damage the car because the bottles bounced off it, but
the ground nearby was burnt.

A second incident on June 4 occurred late at night when someone fired shots
at a Google building in Mountain View. Police found five holes in windows
and damage to window frames.

The third happened on June 10 in the middle of the night when a male in a
similar car used a squirt gun to set alight a Google self-driving car. The
car was destroyed in the fire. Further linking the three crimes, the driver
parked in the same spot as in the original incident and was in a similar
car.


"Eyefi leaves some card owners stranded, highlighting IoT hazards" (Stephen Lawson)

Gene Wirchenko <genew@telus.net>
Fri, 01 Jul 2016 14:58:55 -0700
Stephen Lawson, PC World, 30 Jun 2016
http://www.pcworld.com/article/3090513/eyefi-leaves-some-card-owners-stranded-highlighting-iot-hazards.html
Eyefi leaves some card owners stranded, highlighting IoT hazards
Ending support for some older Wi-Fi flash cards will make them nearly useless

selected text:

Older networked flash cards from Eyefi will become the next IoT devices to
effectively die in consumers' hands when the company cuts off support for
older models in September.

The move came just days after Eyefi's cloud technology was acquired by
camera and imaging company Ricoh. It sparked outrage among many users, some
of them vowing never to buy another Eyefi product.


Liability of Internet 'intermediaries' in developing countries (Science Daily)

Lauren Weinstein <lauren@vortex.com>
Sun, 3 Jul 2016 15:59:13 -0700
via NNSquad
https://www.sciencedaily.com/releases/2016/06/160630145018.htm

  If someone posts illegal content on your website, are you liable? A new
  project addresses that question by examining the potential liability faced
  by website owners and other online service providers in five countries -
  Brazil, Russia, India, China and Thailand. The project provides new
  insight on the murky area of Internet intermediary liability in developing
  countries.


Spam filters and state departments and Clintons--oh, my!

Rob Slade <rmslade@shaw.ca>
Wed, 29 Jun 2016 08:58:19 -0700
In the past couple of weeks, I have noticed a huge number of "news" articles
about spam filters being turned off while Hillary Clinton was Secretary of
State.  For example:

http://arstechnica.com/information-technology/2016/06/clintons-private-e-mail-was-blocked-by-spam-filters-so-state-it-turned-them-off/

To summarize: Hillary Clinton and her staff were having difficulty
communicating with State Department officials by e-mail because spam filters
were blocking their messages. To fix the problem, State Department IT turned
the filters off.

I assume that this spate of articles is prompted by political motivations.
I assume that, because this type of action is normal operating procedure for
anyone involved in infosec.  Spam filters stop legitimate email getting
through?  You stop those filters, until you can get better ones.  Your door
lock is broken?  You leave the door unlocked until you can get a locksmith
in.  A safeguard, control, or countermeasure is preventing normal
operations?  You shut down that control and look for something better:
something that will prevent attacks, but won't impede normal work.

I am not surprised to see this type of furor in the general media.  After
all, we know that most reporters simply don't understand anything about
security.  However, I am astounded to see this report resurfacing and being
recirculated by those who should know better.

rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/


FBI director says Guccifer admitted he lied about hacking Hillary Clinton's email (Daily Dot)

Lauren Weinstein <lauren@vortex.com>
Thu, 7 Jul 2016 18:41:14 -0700
NNSquad
http://www.dailydot.com/layer8/guccifer-clinton-server-hack-lie/

  The Romanian hacker known as Guccifer admitted to the FBI that he lied to
  the public when he said he repeatedly hacked into Hillary Clinton's email
  server in 2013.  Guccifer, real name Marcel Lehel Lazar, told Fox News and
  NBC News in May 2016 about his alleged hacking. Despite offering no proof,
  the claim caused a huge stir, including making headline news on some of
  America's biggest publications.  FBI Director James Comey testified under
  oath before Congress on Thursday that Guccifer never hacked into Clinton's
  servers and in fact admitted that he lied.


Re: "We mustn't open a chasm with Europe on data protection"

Chris Drewe <e767pmk@yahoo.co.uk>
Fri, 01 Jul 2016 21:29:55 +0100
Item in newspaper about new EU data-protection law may be of interest
("Brexit" is the UK's referendum vote to leave the EU):

> http://www.telegraph.co.uk/technology/2016/06/30/we-mustnt-let-brexit-open-a-chasm-with-europe-on-data-protection/
>
>   We mustn't let Brexit open a chasm with Europe on data protection
>   =================================================================

> In less than two years a massive new piece of EU data law, known as the
> General Data Protection Regulation, will
> come into force. The law, designed to replace the disparate collection
> of national data regimes, will enforce strict new rules and give new
> powers to data regulators. Businesses will have to obtain clear consent
> before processing citizens' information, disclose when data breaches
> occur, and could be fined up to 5pc of their global revenues for abuse
> of the regime.
>
> The law had been criticised for being too strict,
> but was set to be adopted wholeheartedly, and compliance would require a
> substantial investment at a time when budgets are squeezed.
   ...
> European officials—suspicious of the American Internet giants and
> their relationship with the US government—have pushed for strong laws
> and fines on data protection and cybersecurity.
   ...
> While technology has no borders, as one investor said last week,
> European law does have strict laws on transferring citizens' information
> outside of the bloc.
> Countries outside the EU that want data to freely flow across borders
> without complicated arrangements must convince Brussels that its privacy
> laws are up to scratch.
>
> Winning this approval is not easy, as the case of America's battle with
> the Austrian law student Max Schrems shows. Schrems successfully
> convinced the European Court of Justice last year to throw out Safe
> Harbour.

Not sure what this may mean for the big global Internet players like Google,
Amazon, social-networking sites, and so forth—if they have to make their
entire operation EU-compliant OR have separate EU and non-EU operations and
keep their EU data only in the EU part OR not have any business in the EU at
all..?  Looks like another culture clash between Europe and America.

As I recall from working in telecomms, it's somewhat reminiscent of the
Sarbanes-Oxley measures for accounting which had to be implemented about 12
years ago; they were required for US companies, but also any others with
interests in the US, i.e. most big firms.  The problem was that designing
compliance with Sarbanes-Oxley into new systems was no big deal, but
re-engineering existing systems to meet the requirements was quite a
challenge.


Re: "Over half of world's top domains weak against email spoofing" (Charlie Osborne, RISKS-29.53,56)

"John Levine" <johnl@iecc.com>
29 Jun 2016 11:34:46 -0000
> By using only a few lines of Python, the firm's researchers found that
> over 50 percent of top 500 Alexa websites were vulnerable to spoofing --
> either through having no authentication configured or by having settings
> misconfigured.

This is a rather silly article.  It just summarizes a third-party report,
and the author of the report doesn't understand the way that SPF works. He
is under the misimpression that using the SPF "softfail" option is a bug.
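To make the distinction John Levine is drawing concrete, here is an added example (not the report's or the article's code) that parses an SPF TXT record and evaluates a sending address against it, returning the terminal results RFC 7208 defines: pass, fail, softfail and neutral, plus none for a domain that publishes no SPF record at all. The records are constructed; mechanisms that need DNS (include:, a:, mx:, exists:, ptr:) are not resolved so that the example runs offline, and redirect= and exp= are only recorded as modifiers, not followed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf(txt):
    """Split an SPF record into ([(result, mechanism, argument), ...],
    {modifier: value}). Returns None if the TXT string is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term and ":" not in term:          # redirect=, exp=, ...
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = "+"                              # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), arg))
    return mechanisms, modifiers


def check_ip(txt, ip):
    """Evaluate a sending address against the record. The first matching
    mechanism decides, as in RFC 7208; a mechanism that needs a DNS lookup
    returns 'unresolved' because this example runs offline."""
    parsed = parse_spf(txt)
    if parsed is None:
        return "none"                      # no SPF policy published
    addr = ipaddress.ip_address(ip)
    for result, name, arg in parsed[0]:
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare address -> /32 or /128
            if addr.version == net.version and addr in net:
                return result
        elif name.split("/", 1)[0] in DNS_MECHANISMS:
            return "unresolved"
    return "neutral"    # RFC 7208 s. 4.7: nothing matched and no redirect followed


# Constructed records for illustration, not any real domain's policy.
RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example":   "v=spf1 ip4:192.0.2.0/24 ~all",
    "open.example":   "v=spf1 +all",
    "silent.example": "verification-token=abc123",
}


def summarize(ip):
    """Result each constructed domain gives for one sending address."""
    return {domain: check_ip(txt, ip) for domain, txt in RECORDS.items()}


if __name__ == "__main__":
    for sender in ("192.0.2.7", "198.51.100.1"):
        print(sender, summarize(sender))
```

For an address outside 192.0.2.0/24, strict.example yields fail, soft.example yields softfail, open.example yields pass and silent.example yields none. A "~all" record is a published policy that asks receivers to accept but mark mail from unlisted sources; whether that is adequate for a particular domain is a policy question that a record parser can surface but not answer, and it is a different question from whether the record is syntactically misconfigured.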


Re: Great, Now Someone Can Steal Your Car Using A Laptop Computer

Lars Poulsen <lars@beagle-ears.com>
July 6, 2016 at 8:14:06 PM EDT
  [Via Dave Farber]

http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html

*The NY Times* says that one of the mechanisms for stealing newer cars (such as
Prius) is to use an RF power amplifier to extend the reach of the key in
your house (maybe in your pocket in the house, maybe on the kitchen
counter). Normally the transceiver in the door handle has a range of a foot
or so, but with the portable amplifier, this might be extended to 100 feet
or more.

This allows the thief to get in the car (with the key in your pocket, the
door unlocks when you lift the door handle) then start the car (since the
car thinks you have the key in your pocket).

You can then drive away, but if the car is turned off, it will not start
again (since the key is now too far away).

Perfect for a teenage joyride.
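The amplifier attack Lars describes is a relay: the thief never learns the key's secret and only shortens the apparent distance between key and car. The following added example (not from the NYT article and not any manufacturer's protocol) simulates a challenge/response between car and key fob and a relay that forwards it unchanged, then adds a round-trip-time bound of the kind used in distance-bounding protocols. The HMAC-SHA256 response, the timing constants and the 1.5 microsecond limit are assumptions for illustration; the timings are simulated values, not measurements, and a real distance-bounding implementation needs radio hardware able to resolve the extra propagation and amplifier delay.

```python
import hashlib
import hmac
import os

SPEED_M_PER_US = 300.0     # radio propagation: roughly 300 m per microsecond
FOB_PROCESSING_US = 1.0    # assumed time the fob takes to compute a response


class KeyFob:
    """Holds the shared secret and answers challenges; it never checks distance."""

    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Car:
    """Issues a fresh random challenge and accepts only the correct response.
    With max_rtt_us set, it also rejects responses that arrive too late."""

    def __init__(self, secret, max_rtt_us=None):
        self.secret = secret
        self.max_rtt_us = max_rtt_us

    def try_unlock(self, channel):
        challenge = os.urandom(16)
        response, rtt_us = channel(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "rejected: bad response"
        if self.max_rtt_us is not None and rtt_us > self.max_rtt_us:
            return "rejected: response too slow"
        return "unlocked"


def direct_channel(fob, distance_m=0.3):
    """Fob within normal range of the door handle."""
    def channel(challenge):
        rtt = FOB_PROCESSING_US + 2 * distance_m / SPEED_M_PER_US
        return fob.respond(challenge), rtt
    return channel


def relay_channel(fob, distance_m=30.0, relay_latency_us=2.0):
    """Amplifier relay: forwards the challenge to a fob that is far away and
    the fob's answer back. It needs no knowledge of the secret, so the
    cryptography alone cannot stop it; only the added delay betrays it."""
    def channel(challenge):
        rtt = FOB_PROCESSING_US + relay_latency_us + 2 * distance_m / SPEED_M_PER_US
        return fob.respond(challenge), rtt
    return channel


def demo():
    secret = os.urandom(32)
    fob = KeyFob(secret)
    stranger = KeyFob(os.urandom(32))        # wrong key: the crypto does its job here
    naive = Car(secret)                       # checks the response only
    bounded = Car(secret, max_rtt_us=1.5)     # also enforces the round-trip bound
    return {
        "naive/direct": naive.try_unlock(direct_channel(fob)),
        "naive/relay": naive.try_unlock(relay_channel(fob)),
        "naive/wrong key": naive.try_unlock(direct_channel(stranger)),
        "bounded/direct": bounded.try_unlock(direct_channel(fob)),
        "bounded/relay": bounded.try_unlock(relay_channel(fob)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:16} {outcome}")
```

The naive car unlocks through the relay exactly as it does for the nearby fob, because the relayed response is the genuine one; only a wrong key is refused. The bounded car still accepts the nearby fob but refuses the relayed response on timing alone. The cheap mitigations that need no new hardware follow from the same model: a fob that stops answering while stationary, or a shielded pouch, removes the far-away responder the relay depends on.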
