The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 29 Issue 66

Friday 5 August 2016

Contents

"Commercial drones: Four looming legal concerns"
Mary Schacklett
"Robot control: There's an app for that"
Bob Violino
"NTSB: Tesla in fatal crash was speeding with Autopilot on"
Lucas Mearian
"Hackers hijack Jeeps once more, your brakes belong to them"
Charlie Osborne
Driverless buses in Denmark
CPHPost via Donald B. Wagner
The Russians and the DNC
PGN
NSA Fans: Be careful what you wish for
Henry Baker
FBI took months to warn Democrats of suspected Russian role in hack
Reuters
Australian 2016 census to retain identifying information
William Brodie-Tyrrell
Interpol arrests Nigerian email scammer who swindled $60M
Michael Kan
Hack Brief: Hackers Breach the Ultra-Secure Messaging App Telegram in Iran
WiReD
User Interfaces *designed* to trick you
Ars Technica
"Bitfinex bitcoin exchange offline after potentially costly security breach"
Asha McLean
Social Security Administration cutting off users who can't receive text messages
Lauren Weinstein
Comments on SSA requiring text messaging to access online accounts
LW
SSA launches text message authentication system that doesn't work with Verizon Wireless
LW
Your device's battery status can be used to track you online
TheNextWeb
Frequent password changes are the enemy of security, FTC technologist says
Ars Technica
MS faces two new lawsuits over aggressive Windows 10 upgrade tactics
Ian Paul
"Windows 10 upgrade: Don't use Express settings if you value your privacy"
Jared Newman
"More forced advertising creeps into Windows 10 Pro"
Woody Leonhard
"Microsoft won't fix Windows flaw that lets hackers steal your username and password"
Zach Whittaker
Re: Self-driving cars, accepting the moral dilemma
Martyn Thomas
Re: Detecting When a Smartphone Has Been Compromised
Steven Schear
Re: Pets miss meals after auto-feeding app PetNet glitches
Richard Bos
Re; Mozilla off-by-one error on the Web anniversary!
Larry Werring
Re: Billion dollar shave club risk
Craig Burton
Re: Study: 78% of Resold Drives Still Contain Readable Personal or Business Data
Dan Jacobson
How many geeks does it take to change a lightbulb?
Rob Slade
Info on RISKS (comp.risks)

"Commercial drones: Four looming legal concerns" (Mary Schacklett)

Gene Wirchenko <genew@telus.net>
Fri, 29 Jul 2016 11:10:00 -0700
Mary Shacklett, Tech Pro Research, 29 Jul 2016
Licensing of commercial drones has been limited so far, but it won't be long
before usage starts expanding. In them meantime, CXOs need to assess and
plan for possible legal ramifications.
http://www.techproresearch.com/article/commercial-drones-four-looming-legal-concerns/


"Robot control: There's an app for that" (Bob Violino)

Gene Wirchenko <genew@telus.net>
Fri, 29 Jul 2016 11:29:14 -0700
Bob Violino, ZDNet, 29 Jul 2016
Efforts are underway to build robotics smartphone applications.
http://www.zdnet.com/article/robot-control-theres-an-app-for-that/

selected text:

"Many robots have analog controls on them, which are hard to use and not
very customizable, and you must touch the robot to change anything,"
Moorhead said. "Smartphone control enables control [of robots] away from the
home, and the ability for the manufacturer to more easily provide variables
[to] enhance the experience for the buyer."

The downsides are security issues and the need for the phone. "You don't
want someone hacking in for fun and have your Roomba turn on at 3 am every
morning to wake you up," Moorhead said. "Also, as more vendors move controls
off the robots and onto the smartphone, if you lose it you lost the ability
to control the robot."

  [And if you do not have a smart phone at all, you will not be able to use
  the item.  I have run into this risk in another area.  Despite being a
  loyal 7-11 customer, I can get free Slurpee every so often, because I do
  not have a smart phone.  How companies are cutting off business with this
  forced linkage?]


"NTSB: Tesla in fatal crash was speeding with Autopilot on" (Lucas Mearian)

Gene Wirchenko <genew@telus.net>
Thu, 28 Jul 2016 11:01:53 -0700
Lucas Mearian, Computerworld, 26 Jul 2016
The Tesla's Autosteer lane-keeping assistance and traffic-aware
cruise control system was engaged
http://www.computerworld.com/article/3100650/car-tech/ntsb-tesla-in-fatal-crash-was-speeding-with-autopilot-on.html

selected text:

The National Transportation Safety Board (NTSB) today released a preliminary
report that details the circumstances of the fatal accident involving a
Tesla Model S driving with its Autopilot engaged.

The 18-wheeler semi truck ... sustained minor damage.  [Look at the
picture.  The damage looks very minor.]


"Hackers hijack Jeeps once more, your brakes belong to them" (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Tue, 02 Aug 2016 16:50:55 -0700
Researchers have once again proved they can take over your vehicle --
but this time, they can kill your brakes. [Updated]
Charlie Osborne for Zero Day, ZDNet, 2 Aug 2016
http://www.zdnet.com/article/hackers-hijack-jeeps-once-more-your-brakes-belong-to-them/

selected text:

... Miller's tampering resulted in the brakes being yanked out of the
driver's control—and the attack at 25mph was almost enough to fully tip
over the Jeep.


Driverless buses in Denmark

"Donald B. Wagner" <zapkatakonk1943.6.22@gmail.com>
Fri, 29 Jul 2016 11:16:23 +0200
http://cphpost.dk/news/municipality-in-northern-jutland-to-start-using-self-driving-buses.html

The Danish municipality of Vesthimmerland in northern Jutland is planning to
introduce autonomous, electric shuttle buses for public transport.

Local politicians hope the initiative will help save both time and money.

"We are a large municipality with long transportation times and our
calculations show that we have 30 to 40 full-time employees who are driving
nonstop," Knud Kristensen, the mayor of Vesthimmerland, told the newspaper
Information.

http://cphpost.dk/news/driverless-electric-bus-to-be-tested-in-aalborg.html

An electric, self-driving shuttle bus is being considered for a public
transport route in the north Jutland city of Aalborg.  If everything goes to
plan in testing, the completely autonomous bus could transport passengers on
a 1.6 km-long route by 2018.

The Arma bus was designed by French company Navya, which introduced the
innovative unmanned vehicle in October 2015.

Don Wagner  http://donwagner.dk


The Russians and the DNC

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 31 Jul 2016 16:35:22 PDT
The FBI is investigating another apparent hack on Democratic Party support
organizations, this time the DCCC (Democratic Congressional Campaign
Committee), which is distinct from the DNC (Democratic National Committee)
whose email hack is also under separate investigation.  Once again there is
suspicion that this was a Russian attack.

At the event in Aspen on Saturday afternoon, Mr. Obama's homeland security
adviser Lisa O. Monaco sidestepped specific discussion of the DNC hacking,
but acknowledged that the administration might soon have to consider whether
the United States' electoral system constitutes critical infrastructure,
like the power grid or the cellphone network.

http://www.reuters.com/article/us-usa-cyber-democrats-idUSKCN1091Q4

See also:
http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0729/Opinion-How-to-make-democracy-harder-to-hack


FBI took months to warn Democrats of suspected Russian role in hack

Lauren Weinstein <lauren@vortex.com>
Tue, 2 Aug 2016 21:43:46 -0700
http://www.reuters.com/article/us-usa-cyber-democrats-reconstruct-idUSKCN10E09H?feedType=RSS&feedName=technologyNews

  One of the anonymous sources who spoke to Reuters claims that "the lack of
  full disclosure by the FBI prevented DNC staffers from taking steps that
  could have reduced the number of confidential emails and documents
  stolen."  Last fall, the FBI warned DNC employees to keep an eye out for
  "unusual activity on the group's computer network," without letting on the
  potential seriousness of the hack.  The DNC didn't find any suspicious
  activity, but when staffers asked the FBI for more information about the
  attack on its system, the agency declined.


NSA Fans: Be careful what you wish for

Henry Baker <hbaker1@pipeline.com>
Thu, 28 Jul 2016 12:04:38 -0700
What's good for the goose is also good for the gander.  Either way, our
privacy is cooked.

http://www.theatlantic.com/politics/archive/2016/07/hacks-and-cyberattacks-in-an-age-of-mass-surveillance/493364/

Trump Shows the Flaws of NSA Surveillance

His call for Russian hackers to break into Hillary Clinton's email validate
the worst suspicions of security-state critics.

Conor Friedersdorf 8:10 AM ET Politics

PHILADELPHIA--On Wednesday, Leon Panetta, the former director of the CIA,
declared on stage at the DNC that the Republican Party's nominee is unfit
for office.  He was responding in part to news that Donald Trump "hoped
Russian intelligence services had successfully hacked Hillary Clinton's
email, and encouraged them to publish whatever they may have stolen,
essentially urging a foreign adversary to conduct cyber-espionage against a
former secretary of state."

For Panetta, that was unforgivable.

"Donald Trump today once again took Russia's side," he said.  "He asked the
Russians to interfere in American politics.  It is inconceivable to me that
any presidential candidate would be that irresponsible.  I say this out of a
firm concern for the future of my children and my grandchildren: Donald
Trump cannot become our commander in chief.  In an unstable world we cannot
afford unstable leadership."

His outrage is understandable—once again, Donald Trump showed that he
lacks the judgment and self-discipline necessary to be a good president of
the United States.

But Panetta is rather late in foreseeing the possibility of such a leader.

A few short years ago, when Edward Snowden revealed the extent of NSA
surveillance on American citizens, corporations, and other institutions, NSA
defenders insisted that the national security establishment can be trusted,
and that civil libertarians were overly paranoid to worry that unprincipled
elites would, sooner or later, exploit the era of mass surveillance to
manipulate the political process.

With the Republican nominee for the presidency openly yearning for a foreign
intelligence agency to hack a political rival, Trevor Timm, one of those
civil libertarians, took the opportunity to issue a reminder: If elected to
the presidency, "Trump would head a vast NSA apparatus he could turn on his
political enemies."  This was, Timm wrote, "always the overarching concern
about NSA: Even IF it's not being abused now, the system would allow future
leaders to wreak havoc."

And the safeguards that NSA defenders always invoke?

"Hopefully if President Trump ever ordered the NSA to hack into the computer
systems of domestic opponents or critics, NSA leaders would refuse," Tim Lee
noted at Vox.  "But the president has the power not only to choose the NSA
director but also to prosecute whistleblowers for leaking classified
information.  So we shouldn't be too confident that internal resistance at
the NSA would stop him."

Jennifer Granick set forth a specific accounting of weaknesses in NSA
oversight.

"The president isn't required to inform Congress or the PCLOB if she changes
Executive Order 12333," she explained.  "She is not required by law to give
Congress notice of or the opportunity to review new Presidential Policy
Directives affecting surveillance.  The FISA Court still has no role in
supervising overseas spying, nor must the president inform Congress when she
initiates new overseas spying programs.  When Office of Legal Counsel
opinions justifying surveillance proposals are written, Congress need not be
told nor given a copy.  If the DOJ changes minimization procedures or FBI
guidelines, it is not required to inform Congress.  Classification continues
to get in the way of oversight.  There is no punishment for people who
violate the law at a president's behest.  And whistleblowers have less, not
more, reason to believe they will be protected and not prosecuted."

I warned, long before the rise of Donald Trump, that Presidents Bush and
Obama were providing all the infrastructure that a tyrant would need to
perpetrate grave abuses of power.  With his rise, I urged elected officials
to tyrant-proof the White House before it's too late.  If the prudence of
doing so wasn't evident before, is it now, with knowledge that Trump soon
won't need the Russians to secure information about the private
communications of every legislator and judge in America, but will presumably
still want to hack into the communications of his rivals?

This danger would be lessened with reforms to the NSA, including a mandate
to purge old data from its vast stores.  At the same time, Trump's outreach
to the Russians underscores the fact that we're now in a reality where any
candidate for president, or the president herself, can seek data from
foreign-intelligence agencies, data that can almost certainly give them
power relative to political adversaries.

One wonders what the British Government Communication Headquarters knows
about Donald Trump.  Might Hillary Clinton ask one day?

So reforming the NSA isn't enough.  The prudent course, for the
U.S. government, is reorienting the agency so that it spends fewer resources
spying on Americans and more on helping to protect the private details of
our lives from actors foreign and domestic.

And there is more to protect beyond our privacy.  Says Jack Goldsmith of
Harvard Law School, "Does the United States government have a well-worked
out plan to ensure that our highly computerized and highly decentralized
system for electing the president is protected from foreign disruption via
cyber-exploitation or cyber-attack?  I have no idea--but I seriously doubt
it."

Better to address these vulnerabilities before they are exploited than to
invite a crisis of democracy even more alarming than a reality-TV star
seeking the presidency.


Australian 2016 census to retain identifying information

William Brodie-Tyrrell <william.brodie.tyrrell@gmail.com>
Mon, 1 Aug 2016 23:18:16 +0930
A Twitter-rant full of citations regarding the security risks willfully
ignored by the Aus Bureau of Statistics in deciding to retain census PII:

https://twitter.com/LiamPomfret/status/760008536713678848

I'm of two minds here.  Longitudinal data is incredibly valuable and the
ABS has previously handled PII competently, i.e., offline in the national
archives.  It's not clear that that will continue to be the case though.


Interpol arrests Nigerian email scammer who swindled $60M (Michael Kan)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Mon, 1 Aug 2016 18:32:10 -0600
Michael Kan, PC World, 1 Aug 2016
http://www.pcworld.com/article/3102824/interpol-arrests-nigerian-email-scammer-who-swindled-60-million.html

  Interpol has arrested a top Nigerian email scammer who stole more than
  US$60 million by tricking businesses into handing over funds by posing as
  trusted suppliers.  The 40-year-old Nigerian known as Mike is allegedly
  the leader of a criminal ring that targeted hundreds of victims across the
  world, Interpol said on Monday.  He and at least 40 other individuals
  pulled off their scheme by allegedly pretending to be CEOs or suppliers
  using hacked email accounts of legitimate companies.

  The criminals then sent fake emails, asking the victims to wire funds or
  send payment to bank accounts under the scammers' control.

  The Nigerian at one point conned a victim into paying $15.4 million,
  Interpol said. To hack the email accounts, the scammers targeted small and
  medium businesses in the U.S., India, and Romania, among other countries.


Hack Brief: Hackers Breach the Ultra-Secure Messaging App Telegram in Iran (WiReD)

Lauren Weinstein <lauren@vortex.com>
Tue, 2 Aug 2016 16:20:33 -0700
NNSquad
https://www.wired.com/2016/08/hack-brief-hackers-breach-ultra-secure-messaging-app-telegram-iran/

  Amnesty International technologist and researcher Claudio Guarnieri and
  independent security researcher Collin Anderson traced recent Telegram
  account breaches in Iran to the SMS messages Telegram sends to people when
  they activate a new device. The texts contain a verification code that
  Telegram asks people to enter to complete a new device setup.  A hacker
  with access to someone's text messages can obtain these codes and enter
  them to add their own devices to the person's account, thus gaining access
  to their data including chat histories.  The researchers think the Iranian
  hacking group Rocket Kitten is behind the Telegram breaches, based on
  similarities to the infrastructure of past phishing attacks attributed to
  the group. There is widespread speculation that Rocket Kitten has ties to
  the Iranian government.

Yet more examples of SMS text messaging vulnerabilities.


User Interfaces *designed* to trick you

Lauren Weinstein <lauren@vortex.com>
Sun, 31 Jul 2016 08:34:37 -0700
Dark Patterns are designed to trick you (and they're all over the Web).
No, it's not only you--some user interfaces today intentionally want
to confuse and enroll.

http://arstechnica.com/security/2016/07/dark-patterns-are-designed-to-trick-you-and-theyre-all-over-the-web/

  It happens to the best of us. After looking closely at a bank statement or
  cable bill, suddenly a small, unrecognizable charge appears. Fine print
  sleuthing soon provides the answer--somehow, you accidentally signed up
  for a service.  Whether it was an unnoticed pre-marked checkbox or an
  offhanded verbal agreement at the end of a long phone call, now a charge
  arrives each month because naturally the promotion has ended. If the
  possibility of a refund exists, it'll be found at the end of 45 minutes of
  holding music or a week's worth of angry e-mails.


"Bitfinex bitcoin exchange offline after potentially costly security breach" (Asha McLean)

Gene Wirchenko <genew@telus.net>
Wed, 03 Aug 2016 09:19:53 -0700
Asha McLean, ZDNet, 3 Aug 2016
Bitcoin exchange Bitfinex has taken its trading platform offline,
telling users that it suffered a security breach which resulted in
the loss of potentially millions of dollars.
http://www.zdnet.com/article/bitfinex-bitcoin-exchange-offline-after-potentially-costly-security-breach/


Social Security Administration cutting off users who can't receive text messages

Lauren Weinstein <lauren@vortex.com>
Fri, 29 Jul 2016 09:53:50 -0700
via NNSquad
https://plus.google.com/+LaurenWeinstein/posts/DuRiEN9X43j

REPORT - NOT FULLY CONFIRMED: If you don't have a cell phone, or some other
means to receive SMS text messages (and have them enabled, and know how to
deal with them), you won't be able to access your Social Security
Administration "My Social Security" account starting next month. There is a
rumor rapidly spreading on the Net, brought to my attention this morning,
claiming that SSA users have been receiving warnings that they MUST receive
an SMS text message with a two-factor authentication code to access their
accounts starting next month.  While I cannot find an official SSA statement
regarding this, there is testimony at the House Oversight Committee from
late May that appears to confirm the essence of this report:

"Additionally, to protect citizens' personally identifiable information
further, we continue to improve authentication for our online services. In
compliance with Executive Order 13681 ("Improving the Security of Consumer
Financial Transactions"), we are changing our current multifactor
authentication process for my Social Security from optional to mandatory for
all users. Upon implementation this summer, all customers must enter a
username, password, and a one-time passcode texted to a registered cell
phone in order to access their my Social Security account. In the future, we
expect to offer additional multi-factor options, pursuant to Federal
guidelines. The National Institute of Standards of Technology is working on
a revised guideline, and we are providing input into that process."

While the "expectation" of other two-factor options in the future is
interesting, the move to block users who do not have cell phones, or text
message capable cell phones, or do not have text messaging enabled, or do
not know how to access and read text messages—IS UNACCEPTABLE, especially
on such short notice.

Two-factor authentication systems are important, but keep in mind that SSA
by definition is dealing mostly with older users who may have only recently
become comfortable with online services at all, and may not make any use of
text messaging. Many do not have cell phones or somebody to receive text
messages for them.

Additionally—and ironically—text messaging is considered to be a
substandard means of receiving two-factor authentications. And—get this
boys and girls—NIST just a few days ago officially declared that text
messaging based two-factor should no longer be used at all—it's simply
not safe and secure.

It appears that SSA has really mucked this one up. This isn't secure
two-factor, it's a three-ring circus. And if deployed as reported, it's
going to leave many SSA users out in the cold.

Later from Lauren:
  Official Social Security Administration announcement
  regarding the required use of text messaging for account access
  https://www.ssa.gov/myaccount/MoreInformationAboutMFA.html


Comments on SSA requiring text messaging to access online accounts

Lauren Weinstein <lauren@vortex.com>
Sun, 31 Jul 2016 18:15:29 -0700
NNSquad

If you're interested in following more on the controversy regarding the
Social Security Administration requiring that anyone who wants continued
access to their SSA online account *must* be able to receive text messages,
my Friday post on this topic has now attracted almost 30 comments, many from
SSA users who discovered that the requirement is already in place and have
not been able to make it work.

https://lauren.vortex.com/2016/07/ssa-cutting-off-users-who-cant-receive-text-messages

Comments on my blog are an experiment with which I'm (so far) fairly
satisfied. All comments are moderated before publication, and all from real
people have been suitable for publication. There is also an increasing
volume of spam comment submissions—if these get out of hand I may need to
reevaluate, but right now they are tolerable.


SSA launches text message authentication system that doesn't work with Verizon Wireless

Lauren Weinstein <lauren@vortex.com>
Sun, 31 Jul 2016 19:05:12 -0700
Social Security Administration launches lamebrain 2-factor authentication
system depending on text messages, with only a couple of days warning, and
without verifying that it even worked with Verizon Wireless!

Reference:
https://lauren.vortex.com/2016/07/ssa-cutting-off-users-who-cant-receive-text-messages


Your device's battery status can be used to track you online

Lauren Weinstein <lauren@vortex.com>
Tue, 2 Aug 2016 19:07:57 -0700
 NNSquad

http://thenextweb.com/mobile/2016/08/02/your-devices-battery-status-can-be-used-to-track-you-online/

  There are a myriad of ways you can be tracked online - from supercookies,
  to canvas fingerprinting and malware. Now you can add your device's
  battery status to the list, according to research by Steve Engelhard and
  Arvind Narayanan - two academics from Stanford University.  The attack
  takes advantage of the HTML5 Battery Status API, which allows servers to
  determine when they need to send an energy-efficient version of a
  website. It lets them see how much charge a laptop, tablet, or smartphone
  has in terms of time remaining until discharge, and as an overall
  percentage.


Frequent password changes are the enemy of security, FTC technologist says (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Tue, 2 Aug 2016 16:23:54 -0700
http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/

  "I saw this tweet and I said, 'Why is it that the FTC is going around
  telling everyone to change their passwords?'"  she said during a keynote
  speech at the BSides security conference in Las Vegas. "I went to the
  social media people and asked them that and they said, 'Well, it must be
  good advice because at the FTC we change our passwords every 60 days."
  Cranor eventually approached the chief information officer and the chief
  information security officer for the FTC and told them what a growing
  number of security experts have come to believe. Frequent password changes
  do little to improve security and very possibly make security worse by
  encouraging the use of passwords that are more susceptible to cracking.
  The CIO asked for research that supported this contrarian view, and Cranor
  was happy to provide it.


MS faces two new lawsuits over aggressive Windows 10 upgrade tactics (Ian Paul)

Gene Wirchenko <genew@telus.net>
Thu, 28 Jul 2016 11:14:30 -0700
Ian Paul, PCWorld, 28 Jul 2016
http://www.pcworld.com/article/3101396/windows/microsoft-faces-two-new-lawsuits-over-aggressive-windows-10-upgrade-tactics.html

opening text:

Microsoft is facing two more lawsuits over the company's questionable
Windows 10 upgrade tactics. Both suits are seeking class-action status.

The first suit was filed in U.S. District Court in Florida. It alleges that
Microsoft's Windows 10 upgrade prompts "violated laws governing unsolicited
electronic advertisements," as reported by The Seattle Times. The suit also
says Microsoft's tactics are against the Federal Trade Commission's rules on
deceptive and unfair practices.

The second suit was filed in June in Haifa, Israel alleging that Microsoft
installed Windows 10 on users' computers without consent.  Microsoft already
paid out a $10,000 award in a previous U.S. suit over similar circumstances.


"Windows 10 upgrade: Don't use Express settings if you value your privacy" (Jared Newman)

Gene Wirchenko <genew@telus.net>
Fri, 29 Jul 2016 11:45:26 -0700
Jared Newman, PCWorld, 29 Jul 2016
Take the time to customize typing, browsing, and other settings from the
get-go.  At the end of the Windows 10 installation, you could hit Express
Settings to finish up fast, but taking the time to customize could save you
some privacy.
http://www.pcworld.com/article/3095284/windows/windows-10-upgrade-dont-use-express-settings-if-you-value-your-privacy.html

selected text:
... offer to install the operating system with "Express settings."

Although Windows 10 Express settings will get you up and running quickly,
that convenience comes at a cost: By skipping over custom settings, you're
agreeing to all kinds of data collection and behavior tracking, much of
which didn't apply in earlier versions of Windows.

Here's our advice: Instead of blindly enabling Express settings in Windows
10, take some time to understand what you're agreeing to.  Click the
Customize settings link (in tiny text at the bottom of the setup screen),
and disable the options you don't want.


"More forced advertising creeps into Windows 10 Pro" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 01 Aug 2016 20:24:33 -0700
  [I missed the opportunity to get the free Windows 10 upgrade.  I am so
  disappointed.  Mind you, the disappointment is at Microsoft's behaviour,
  not at "missing out" on Windows 10.]

Woody Leonhard, InfoWorld, 29 Jul 2016
Starting 2 Aug, admins will not be able to keep Microsoft from pushing the
likes of Candy Crush Soda Saga onto Win10 Pro PCs on their networks because
certain Group Policies will be deactivated.
http://www.infoworld.com/article/3101947/microsoft-windows/more-forced-advertising-creeps-into-windows-10-pro.html

opening text:

If you were wondering whether Microsoft could inflict even more damage to
Windows' reputation, the answer is yes.


"Microsoft won't fix Windows flaw that lets hackers steal your username and password" (Zach Whittaker)

Gene Wirchenko <genew@telus.net>
Tue, 02 Aug 2016 17:03:06 -0700
Zack Whittaker for Zero Day, ZDNet, 2 Aug 2016
The flaw, which allows a malicious website to extract user passwords,
is made worse if a user is logged in with a Microsoft account.
http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/

selected text:

But now a new proof-of-exploit shows just how easy it is to steal someone's
credentials.

The flaw is widely-known, and it's said to be almost 20 years old. It was
allegedly found in 1997 by Aaron Spangler and was most recently resurfaced
by researchers in 2015 at Black Hat, an annual security and hacking
conference in Las Vegas.

The flaw wasn't considered a major issue until Windows 8 began allowing
users to sign into their Microsoft accounts—which links their Xbox,
Hotmail and Outlook, Office, and Skype accounts, among others.

Overnight, the attack got larger in scope, and now it allows an attacker to
conduct a full takeover of a Microsoft account.


Re: Self-driving cars, accepting the moral dilemma (RISKS-29.64)

Martyn Thomas <martyn@thomas-associates.co.uk>
Fri, 29 Jul 2016 14:24:03 +0100
>> If the car is really autonomous, then any "fault" belongs to the
>> manufacturer and the mfgr will have to pay the damages.

And who holds the data and expertise to determine whether an accident was
caused by a "fault"?


Re: Detecting When a Smartphone Has Been Compromised

Steven Schear <steven.schear@googlemail.com>
July 29, 2016 at 1:29:48 AM EDT
  [via Dewayne Hendricks]

While this device may prevent the phone from disclosing its location in
real-time it will not prevent the device from recording the sound in its
vicinity nor prevent it from using its motion sensors as an inertial
navigation system. Later, once its wireless capability is reactivated, it
can report both. It seems to me that of you are concerned enough to see your
threats at this level you need to acquire good security trade-craft and take
other precautions, such as only using a mobile with a removable battery and
pull it out before you set out for a meeting or leave it on (so it looks
like your are at your home or office) and use a "burner"phone that is never
operated near your normal mobile's locations and is discarded after each
meeting.

> Detecting When a Smartphone Has Been Compromised
> By Bruce Schneier
> Jul 27 2016
> <https://www.schneier.com/blog/archives/2016/07/detecting_when_.html>


Re: Pets miss meals after auto-feeding app PetNet glitches (R 29 65)

Richard Bos
Sun, 31 Jul 2016 14:56:06 GMT
Ok, I'm going to be judgmental and potentially controversial here, but:

If you rely on a computerised system to feed your dependents and don't
bother to check in on them yourself, in person, or to have a human pet
sitter do so for you - and that _at least_ once a day - frankly, you are a
horrible person and you shouldn't be allowed to have pets in the first
place.

They're real, live creatures. They're not toys. If you can't take
proper, emotionally invested case of them, get an effing Tamagotchi.

Richard, furious and disdainful


Re; Mozilla off-by-one error on the Web anniversary! (RISKS-29.65)

"Larry Werring" <larry.werring@cyberunitss.com>
Thu, 28 Jul 2016 17:32:11 -0400
2016-07-28 as the 10,001st day of the Web? 1989-03-12 as the start of the
Web? These date seems questionable to me.  According to the History of the
Web at http://webfoundation.org/about/vision/history-of-the-web/, Sir Tim
Berners-Lee, a software engineer at CERN, came up with the concept of the
Web in March 1990 (a year later than mentioned in this post) and it wasn't
until 1991 that people outside of CERN were invited to join the new Web
community.  So where does the March 1989 date come from?


Re: Billion dollar shave club risk (RISKS-29.65)

Craig Burton <craig.alexander.burton@gmail.com>
Fri, 29 Jul 2016 10:06:00 +1000
http://www.nytimes.com/2016/07/27/business/dealbook/1-billion-for-dollar-shave-club-why-every-company-should-worry.html

This NYT article could have been written by Andrew Keen of the breathy "The
Internet Is Not The Answer".  The book cites the death of mighty Kodak as a
tragedy of digitization and nerd billionaires.  Kodak was a creaking
monopoly who's time had come, and so is Gillette.  Gillette just paid a
billion dollar fine for not performing the very same logistic optimisation
Dollar Shave beat them to.  The risk, really, is that Gillette shareholders
might well sack the board for their inertia and short sightedness.


Re: Study: 78% of Resold Drives Still Contain Readable Personal or Business Data (Risks 29.64)

Dan Jacobson <jidanni@jidanni.org>
Mon, 01 Aug 2016 20:27:15 +0800
CB> "dd if=/dev/zero of=/dev/sda bs=1M"

CB> Of course you need to replace sda with the actual device name that connects
CB> to the disk you want to clear.

And if you don't you'll zap your home disk. So I would use 'sdz' in such
examples.


How many geeks does it take to change a lightbulb?

Rob Slade <rmslade@shaw.ca>
Thu, 28 Jul 2016 14:42:13 -0700
http://www.pcworld.com/article/3101008/connected-home/osrams-lightify-smart-bulbs-suffer-from-several-serious-security-flaws.html

A salescritter to convince you that something as simple as a lightbulb needs
to be computerized.

A security geek to think that something may possibly be wrong with that
idea.

A whitehat firm to analyse the attack surface.

Someone to look at the network traffic for disclosures.

Someone to look at the user/management interface.

Someone to look at authentication of commands.

Someone to look at social engineering risks involved in lightbulb jokes.

Someone to note that it is better to light a single candle than to curse the IoT.

Someone else to note that the IoT will soon have many more than a million
points of light.

Someone to pontificate that many IoT devices are not built with security in mind.

Someone else to note that, so far, there are very few actual exploits
available, despite the number of vulnerabilities.

A device systems manager to opine that having a device security manager is not
really necessary.

A device security manager to at least change the passwords that the device
systems manager left on default setting.

A bored teenager to sit and play with the lightbulb for hours trying to
force the "cool light" setting to actually make it turn blue.

An exasperated parent to, very strongly, make the point that a lightbulb
that costs over a hundred dollars every time it burns out is *NOT A TOY*!

Someone to create a Burned Out High Tech Lightbulb account on Twitter.

Someone to propose a "Lightbulb security settings" course to SANS.

Someone at (ISC)^2 to call for CBK entries for a CLBSP (Certified Light Bulb
Security Professional) designation.

Someone to drive a Tesla, on autopilot, through the existing crowd.

Someone to note that a Solo would do far less damage.
https://electrameccanica.com ...

Please report problems with the web pages to the maintainer

Top