John Markoff, *The New York Times*, 3 Nov 2016 Researchers report in a paper <http://iotworm.eyalro.net/> that they have uncovered a flaw in a wireless technology that is often included in smart home devices like lights, switches, locks, thermostats and many of the components of the much-ballyhooed "smart home" of the future. The researchers, from the Weizmann Institute of Science near Tel Aviv and Dalhousie University in Halifax, Canada, focused on the Philips Hue smart light bulb and found that the wireless flaw could allow hackers to take control of the light bulbs. <http://www.nytimes.com/topic/company/koninklijke-philips-electronics-nv?inline=nyt-org> [I wonder how many other brand names are at similar risk.] Imagine thousands or even hundreds of thousands of Internet-connected devices in close proximity. Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them. [There is video, in the research paper, showing tests. For example, a drone hovers next to a high-rise building, and you see it taking over control of all the lights of the building. Before the test, they had switched one light bulb on the ground floor for one they already could hack.] The new risk comes from a little-known radio protocol called ZigBee. <http://www.zigbee.org/what-is-zigbee/> The researchers said they had notified Philips of the potential vulnerability and the company had asked the researchers not to go public with the research paper until it had been corrected. Philips fixed the vulnerability in a patch issued on 4 Oct and recommended that customers install it through a smartphone application. Still, it played down the significance of the problem. [I wonder how many customers learned about this, and implemented the patch.]
http://www.nytimes.com/2016/11/03/technology/why-light-bulbs-may-be-the-next-hacker-target.html http://iotworm.eyalro.net/ The full technical paper can be downloaded from this link: IoT Goes Nuclear: Creating a ZigBee Chain Reaction [PDF, 6.7MB] <http://iotworm.eyalro.net/iotworm.pdf>

Risks identified by the research:
* Brick the lights so they cannot be fixed, vs. whatever nuisance the malware has inflicted.
* City-wide wireless jamming.
* Attack the electric grid via manipulating power-consumption demands.
* Induce epileptic seizures in photosensitive people on a large scale.

[Risks thought about by Al Mac:
* Kill street lights, and stairwell lights, after dark, then set off fire alarms and sirens, so people have a hard time exiting safely.
* Airport runway lights go out when most needed for a safe landing.
* You know those highway signs, using letters spelling out key words for warnings to drivers, where each letter is a combination of lights on and off? The phrases could be altered.
* Do emergency responders use the same radio frequencies that can be jammed by this hack?]
In some countries such as Finland, if the underground water pipes freeze, parts of the country can remain without water until summer. http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter
Lily Hay Newman, wired.com in Ars Technica, 3 Nov 2016 How to block the ultrasonic signals you didn't know were tracking you: Your phone can talk to advertisers behind your back, beyond your audible spectrum <http://arstechnica.com/security/2016/11/how-to-block-the-ultrasonic-signals-you-didnt-know-were-tracking-you/> Dystopian corporate surveillance threats today come at us from all directions. Companies offer *always-on* devices <https://www.wired.com/2015/03/always-listening-tech-isnt-always-creepy/> that listen for our voice commands, and marketers follow us around the web <https://www.wired.com/2016/09/ny-cracks-mattel-hasbro-tracking-kids-online/> to create personalized user profiles so they can (maybe) show us ads we'll actually click. Now marketers have been experimenting with combining those web-based and audio approaches to track consumers in another disturbingly science-fictional way: with audio signals your phone can hear, but you can't. And though you probably have no idea that dog-whistle marketing is going on, researchers are already offering ways to protect yourself. The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound beacons emit their audio sequences with speakers, and almost any device microphone, like those accessed by an app on a smartphone or tablet, can detect the signal and start to put together a picture of what ads you've seen, what sites you've perused, and even where you've been. Now that you're sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at the University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices.
Beyond the abstract creep factor of ultrasonic tracking, the larger worry about the technology is that it requires giving an app the ability to listen to everything around you, says Vasilios Mavroudis, a privacy and security researcher at University College London who worked on the research being presented at Black Hat. "The bad thing is that if you're a company that wants to provide ultrasound tracking there is no other way to do it currently, you have to use the microphone. So you will be what we call *over-privileged*, because you don't need access to audible sounds but you have to get them." This type of tracking, offered by companies like Tapad and 4Info, has hardly exploded in adoption. But it's persisted as more third-party companies develop ultrasonic tools for a range of uses, like data transmission without Wi-Fi or other connectivity. The more the technology evolves, the easier it is to use in marketing. As a result, the researchers say that their goal is to help protect users from inadvertently leaking their personal information. "There are certain serious security shortcomings that need to be addressed before the technology becomes more widely used. And there is a lack of transparency. Users are basically clueless about what's going on." Currently, both Android and iOS require apps to request permission to use a phone's microphone. But most users likely aren't aware that by granting that permission, apps that use ultrasonic tracking could access their microphone, and everything it's picking up, not just ultrasonic frequencies, all the time, even while they're running in the background. The researchers' patch adjusts Android's permission system so that apps have to make it clear that they're asking for permission to receive inaudible inputs. It also allows users to choose to block anything the microphone picks up on the ultrasound spectrum.
The patch isn't an official Google release, but represents the researchers' recommendations for a step mobile operating systems can take to offer more transparency. To block the other end of those high-pitched audio communications, the group's Chrome extension preemptively screens websites' audio components as they load to keep the ones that emit ultrasounds from executing, thus blocking pages from emitting them. There are a few old services that the extension can't screen, like Flash, but overall the extension works much like an ad-blocker for ultrasonic tracking. The researchers plan to make their patch and their extension available for download after their Black Hat presentation. Ultrasonic tracking has been evolving for the last couple of years, and it is relatively easy to deploy since it relies on basic speakers and microphones instead of specialized equipment. But from the start, the technology has encountered pushback about its privacy and security limitations. Currently there are no industry standards for legitimizing beacons or allowing them to interoperate the way there are with a protocol like Bluetooth. And ultrasonic tracking transmissions are difficult to secure because they need to happen quickly for the technology to work. Ideally the beacons would authenticate with the receiving apps each time they interact to reduce the possibility that a hacker could create phony beacons by manipulating the tones before sending them. But the beacons need to complete their transmissions in the time it takes someone to briefly check a website or pass a store, and it's difficult to fit an authentication process into those few seconds. The researchers say they've already observed one type of real-world attack in which hackers replay a beacon over and over to skew analytics data or alter the reported behavior of a user. The team also developed other types of theoretical attacks that take advantage of the lack of encryption and authentication on beacons.
The Federal Trade Commission evaluated ultrasonic tracking technology at the end of 2015, and the privacy-focused non-profit Center for Democracy and Technology wrote to the agency at the time <https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf> that "the best solution is increased transparency and a robust and meaningful opt-out system. If cross-device tracking companies cannot give users these types of notice and control, they should not engage in cross-device tracking." By March the FTC had drafted a warning letter to developers <https://www.ftc.gov/system/files/attachments/press-releases/ftc-issues-warning-letters-app-developers-using-silverpush-code/160317samplesilverpushltr.pdf> about a certain brand of audio beacon that could potentially track all of a user's television viewing without their knowledge. That company, called Silverpush, has since ceased working on ultrasonic tracking in the United States, though the firm said at the time that its decision to drop the tech wasn't related to the FTC probe. More recently, two lawsuits filed this fall, each about the Android app of an NBA team, allege that the apps activated user microphones improperly to listen for beacons, capturing lots of other audio in the process without user knowledge. Two defendants in those lawsuits, YinzCam and Signal360, both told WIRED that they aren't beacon developers themselves and don't collect or store any audio in the spectrum that's audible to humans. But the researchers presenting at Black Hat argue that controversy over just how much audio ultrasonic tracking tools collect is all the more reason to create industry standards, so that consumers don't need to rely on companies to make privacy-minded choices independently. Mavroudis says, "I don't believe that companies are malicious, but currently the way this whole thing is implemented seems very shady to users."
Once there are standards in place, the researchers propose that mobile operating systems like Android and iOS could provide application programming interfaces that restrict microphone access so ultrasonic tracking apps can only receive relevant data, instead of everything the microphone is picking up. "Then we get rid of this overprivileged problem where apps need to have access to the microphone, because they will just need to have access to this API." For anyone who's not waiting for companies to rein in what kinds of audio they collect to track us, however, the UCSB and UCL researchers' software offers a temporary fix. And that may be more appealing than the notion of your phone talking to advertisers behind your back, or beyond your audible spectrum.
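The two mitigations the article describes, an app-facing interface that exposes only the ultrasonic band (the "restricted API" proposed above) and a user-facing option that strips ultrasound from the microphone feed before any app sees it (the patch's blocking mode), come down to plain signal processing. The following is an added example, not the UCSB/UCL researchers' patch or any real operating-system API: it synthesises a constructed microphone capture (a voice-band tone plus an 19 kHz beacon tone) at an assumed 44.1 kHz sample rate, reports energy only in an assumed 18-20 kHz beacon band using the Goertzel algorithm, and shows that a low-pass filter in front of the app removes the beacon while leaving the audible tone intact. The band, sample rate, cutoff and threshold are all assumptions chosen for the demonstration.

```python
import math

SAMPLE_RATE = 44_100                     # Hz; assumed mono PCM represented as floats
ULTRASONIC_BAND = (18_000.0, 20_000.0)   # Hz; assumed beacon band for this example
BIN_STEP = 100.0                         # Hz spacing of the band report


def synth(freqs, seconds=0.1, amp=0.3):
    """Constructed test signal: a sum of equal-amplitude sine tones."""
    n = int(SAMPLE_RATE * seconds)
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def goertzel_power(samples, freq):
    """Goertzel algorithm: |X[k]|^2 / N^2 at the DFT bin nearest `freq`.
    An on-bin sine of amplitude A yields A^2 / 4."""
    n = len(samples)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / (n * n)


def beacon_band_report(samples):
    """What a band-restricted microphone API would hand an app: energy per
    bin inside ULTRASONIC_BAND only.  Speech is not recoverable from this
    report, which is the point of the proposed API."""
    lo, hi = ULTRASONIC_BAND
    report = {}
    f = lo
    while f <= hi:
        report[f] = goertzel_power(samples, f)
        f += BIN_STEP
    return report


def detect_beacon(samples, threshold=1e-3):
    """Frequencies in the ultrasonic band whose energy exceeds `threshold`."""
    return [f for f, p in beacon_band_report(samples).items() if p > threshold]


def lowpass_fir(cutoff, taps):
    """Hamming-windowed sinc low-pass coefficients; `taps` must be odd."""
    m = taps - 1
    fc = cutoff / SAMPLE_RATE
    h = []
    for i in range(taps):
        x = i - m / 2
        ideal = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * i / m)))
    gain = sum(h)
    return [c / gain for c in h]


def strip_ultrasound(samples, cutoff=17_000.0, taps=101):
    """The user-side 'block ultrasound' option: low-pass the microphone feed
    before any app sees it, so beacons are removed but audible audio passes."""
    h = lowpass_fir(cutoff, taps)
    out = []
    for i in range(len(samples)):
        acc = 0.0
        for j, c in enumerate(h):
            if i - j < 0:
                break
            acc += c * samples[i - j]
        out.append(acc)
    return out


if __name__ == "__main__":
    mic = synth([440.0, 19_000.0])      # constructed: a voice-band tone plus a beacon tone
    print("beacon bins:", detect_beacon(mic))
    print("after filter:", detect_beacon(strip_ultrasound(mic)))
```

The design point is that an app consuming `beacon_band_report` never holds the waveform, so it cannot be over-privileged in the sense Mavroudis describes; the filter is the coarser fallback for users who would rather no app heard the band at all.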
James Covert, *New York Post*, October 30, 2016 | 10:37pm https://nypost.com/2016/10/30/experts-see-giant-increase-in-digital-scammers/ For tech-focused scammers, knocking off sneakers and handbags is so last decade. Thieves in the digital age are slamming consumers right in the app. A slew of knockoff shopping apps have quietly infiltrated Apple's App Store in recent months, looking to lure unsuspecting iPhone owners with bogus deals on everything from jewelry to designer duds. The fake apps mimic the look of legit apps—and have proliferated since this summer, experts said. It didn't help that earlier this month, Apple introduced search ads in its App Store. The fake apps are buying search terms, it would appear, to increase their exposure to consumers.
http://www.telegraph.co.uk/technology/2016/11/05/gchq-wants-internet-providers-to-rewrite-systems-to-block-hacker/ *The Telegraph*, Nov 5 2016 GCHQ is urging Internet providers to change long-standing protocols to stop computers from being used to set off large-scale cyber attacks. The plan would involve changes to the Border Gateway Protocol (BGP) and Signalling System 7 (SS7) standards that have been in place for decades, and are widely used for routing traffic. GCHQ wants providers to stop the trivial re-routing of UK traffic and help prevent text message scams. The announcement followed the launch of the Government's five-year cybersecurity strategy this week, which includes 1.9bn pounds for bolstering computer security, including provisions to create a national firewall.
(Nov 7+8, Ars Technica) Kelly Fiveash, Ars Technica, 7 Nov 2016 http://arstechnica.com/security/2016/11/tesco-bank-online-fraudsters-attack-40000-current-accounts/ Tesco Bank promises to issue refunds, track down culprits. Tesco Bank has been forced to suspend its online transactions after fraudulent criminal activity was spotted on thousands of its customer accounts over the weekend. A total of 40,000 current accounts were hit by suspicious transactions. Money was pinched from 20,000 of the affected current accounts, Tesco Bank said on Monday morning. [...] Updated, November 8: Tesco Bank customers remain locked out from making current account transactions, two days after it was revealed that money had been stolen from 20,000 accounts over the weekend. On Tuesday morning, the chief exec of the Financial Conduct Authority told parliamentarians sitting on the treasury committee that "I thought this looked unprecedented in the UK." http://parliamentlive.tv/event/index/59eeb5d2-1add-40ec-83c4-ce0dfd5d3cff Andrew Bailey added that it was "too early to give a comprehensive account of what the root causes are." It's now a race against time for Tesco Bank: it has until the end of Tuesday to reimburse its customers, some of whom say that hundreds of pounds was removed from their accounts. The National Crime Agency is leading a criminal investigation into the attack on Tesco Bank's systems along with GCHQ's National Cyber Security Centre, which opened its doors last month. http://arstechnica.co.uk/security/2016/11/cyber-attacks-uk-vows-1-9-billion-cyber-security-strategy/ Further reading: Cybercrime: 4 million Brits are victims of hacking, viruses, online fraud http://arstechnica.co.uk/tech-policy/2016/07/cybercrime-hacking-computer-viruses-online-fraud-ons/
RISKS occasionally features less-serious computing problems, so here's one: I just went to a talk on the history of platform train describers on the London Underground railway (subway) system—those displays showing "next train to [wherever] in [x] mins". Historically, these had simple signs on each platform listing the regular destinations for trains from that platform, with an indicator light against each one to show where the next train was going (and "special" or "see front of train" for non-standard workings). Nowadays they have conventional LED dot-matrix panels controlled by software, with the big advantage that station staff can type in custom messages when needed. The guy giving the talk commented on the Offensive Words Filter in the software (don't know if this was found to be necessary or just enabled as a precaution); he said that there was some discussion within the management team as to which actual words should be blocked, but he then found that his e-mail system also had an offensive words filter, so compiling the list was somewhat difficult... [Recursively unsolvable by exchanging e-mail!!? PGN]
David Linthicum, InfoWorld, 8 Nov 2016 The common EBITDA metric that financial analysts follow—and which affects executive pay—is biased against operational expenses such as cloud services. http://www.infoworld.com/article/3139047/cloud-computing/executive-dilemma-approve-the-cloud-get-a-pay-cut.html opening text: EBITDA is defined as a company's earnings before interest, taxes, depreciation, and amortization. Although you likely have heard the term before, few people outside the executive suite (other than accountants) really know what it means. It's widely used as a measurement of a company's current operating profitability. But as a company moves to the cloud, your EBITDA numbers could look worse. That's because EBITDA isn't adjusted for operating expenses like cloud services—but is adjusted for the depreciation of capital expenses, which decreases under the use of the cloud. The cloud's effect on EBITDA will matter greatly to publicly traded companies, where senior executives' bonuses and stock grants are determined by EBITDA performance. In some cases, 50 to 75 percent of their total compensation is affected. By moving many workloads to the cloud, your company avoids hardware and software purchases, saving money, but the EBITDA doesn't credit you for those savings. Instead, it penalizes you because it comes from an era where capital-expense depreciation was a common method to boost perceived profitability.
[via NNSquad] http://www.theregister.co.uk/2016/11/07/browsers_ban_web_of_trust_addon_after_biz_is_caught_selling_its_users_browsing_histories/ A browser extension which was found to be harvesting users' browsing histories and selling them to third parties has had its availability pulled from a number of web browsers' add-on repositories. Last week, an investigative report by journalists at the Hamburg-based German television broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust Services (WoT) had been harvesting netizens' web browsing histories through its browser add-on and then selling them to third parties. While WoT claimed it anonymised the data that it sold, the journalists were able to identify more than 50 users from the sample data it acquired from an intermediary. The journalists added that the browsing histories they obtained also identified information about ongoing police investigations, businesses' sensitive financial details and information which suggested the sexual orientation of a judge. NDR quoted the data protection commissioner of Hamburg, Johannes Caspar, criticising WoT for not adequately establishing whether users consented to the tracking and selling of their browsing data. Those consent issues have resulted in the browser add-on being pulled from the add-on repositories of both Mozilla Firefox and Google Chrome, although those who have already installed the extension in their browsers will need to manually uninstall it to stop their browsing being tracked.
Andy Greenberg, *WiReD*, 3 Nov 2016 Google's Chrome Hackers Are About to Upend Your Idea of Web Security https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/
GW> I have had the issue of not being able to report a problem in other areas. GW> Google Maps was one. It was confusing NE (Northeast) and SE (Southeast) GW> streets in Salmon Arm, British Columbia, Canada. I could not find a way to GW> report the problem. Then, there are full voice mailboxes and the like. Ah yes, reminds me of "why hasn't Taiwan's cities' imagery been updated in nine years?" Had to get on national TV to get Google to finally come out of their hole and say something... http://www.youtube.com/watch?v=ZlNZ-wrNKaQ&list=PL5F672CDA8BBC6825 http://www.youtube.com/watch?v=nhM8AKDkvAQ&list=PL5F672CDA8BBC6825 And wouldn't you know it, now it is ten years...
http://www.nytimes.com/2016/11/03/technology/how-the-internet-is-loosening-our-grip-on-the-truth.html A wider variety of news sources was supposed to be the bulwark of a rational age. Instead, we are roiled by biases, gorging on what confirms our ideas and shunning what does not.
Will they collide? https://www.google.com/search?q=Intelligent+ambulance
NNSquad http://www.bleepingcomputer.com/news/security/smartphone-wifi-signals-can-leak-your-keystrokes-passwords-and-pins/ The way users move fingers across a phone's touchscreen alters the WiFi signals transmitted by a mobile phone, causing interruptions that an attacker can intercept, analyze, and reverse engineer to accurately guess what the user has typed on his phone or in password input fields. This type of attack, nicknamed WindTalker, is only possible when the attacker controls a rogue WiFi access point to collect WiFi signal disturbances.
NNSquad https://threatpost.com/oauth-2-0-hack-exposes-1-billion-mobile-apps-to-account-hijacking/121889/ Third-party applications that allow single sign-on via Facebook and Google and support the OAuth 2.0 protocol are exposed to account hijacking. Three Chinese University of Hong Kong researchers presented at Black Hat EU last week a paper called "Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0." The paper describes an attack that takes advantage of poor OAuth 2.0 implementations and puts more than one billion apps in jeopardy.
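The item above says only "poor OAuth 2.0 implementations"; the specific findings of the paper are not reproduced here. What follows is an added illustration, not the researchers' code, of the classic way a mobile sign-in backend gets this wrong: it accepts the user identity the mobile app relays after the provider login, instead of asking the identity provider which user a token belongs to and confirming the token was issued to this app. The identity provider (`FakeIdP`), its `token_info` endpoint, the two client IDs and the opaque token format are constructed stand-ins and match no real provider's API. Two attacks are run against a weak and a hardened backend: an attacker rewriting the user id in their own otherwise-legitimate login, and a token obtained by a malicious app for the victim being replayed against the target app's backend.

```python
import secrets

APP_CLIENT_ID = "com.example.shop"   # assumed client_id of the legitimate app at the IdP
EVIL_CLIENT_ID = "com.evil.game"     # assumed client_id of an attacker-controlled app


class FakeIdP:
    """Stand-in identity provider (constructed).  Tokens are opaque random
    strings bound to the user who signed in (sub) and the app they were
    issued to (aud)."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, user_id, client_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"sub": user_id, "aud": client_id}
        return token

    def token_info(self, token):
        """Stand-in for a provider's token-introspection endpoint (assumed
        shape): the token's claims, or None if the token is unknown."""
        return self._tokens.get(token)


def session_for(user_id):
    """Stand-in for creating a server-side session for `user_id`."""
    return f"session:{user_id}"


class WeakBackend:
    """Vulnerable pattern: the mobile app posts {user_id, token}.  The backend
    checks only that the token is valid at the IdP and then trusts the
    client-supplied user_id.  Whoever holds any valid token logs in as
    whichever user they name."""

    def __init__(self, idp):
        self.idp = idp

    def login(self, user_id, token):
        if self.idp.token_info(token) is None:
            return None
        return session_for(user_id)           # identity taken from the client


class HardenedBackend:
    """Fixed pattern: identity comes from the IdP, never from the client, and
    the token must have been issued to this app (audience check)."""

    def __init__(self, idp):
        self.idp = idp

    def login(self, user_id, token):
        info = self.idp.token_info(token)
        if info is None or info["aud"] != APP_CLIENT_ID:
            return None                       # unknown token, or issued to another app
        if info["sub"] != user_id:
            return None                       # client's claim disagrees with the IdP
        return session_for(info["sub"])       # identity taken from the IdP


def demo():
    """Run both attacks against both backends; return the resulting sessions."""
    idp = FakeIdP()
    weak, hardened = WeakBackend(idp), HardenedBackend(idp)
    # Attack 1: the attacker signs in to the real app with their own account,
    # then rewrites user_id in the request to the backend (it is their device).
    attacker_token = idp.issue_token("attacker", APP_CLIENT_ID)
    # Attack 2: a malicious app the victim once signed in to holds a token for
    # the victim, issued to that malicious app, and replays it against the shop.
    victim_token_for_evil_app = idp.issue_token("victim", EVIL_CLIENT_ID)
    return {
        "weak_id_substitution": weak.login("victim", attacker_token),
        "weak_token_replay": weak.login("victim", victim_token_for_evil_app),
        "hardened_id_substitution": hardened.login("victim", attacker_token),
        "hardened_token_replay": hardened.login("victim", victim_token_for_evil_app),
        "hardened_legitimate": hardened.login("attacker", attacker_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} -> {result}")
```

The audience check is the one most often skipped: a token being valid at Google or Facebook says nothing about which app it was minted for, so a backend that stops at "the provider recognises this token" will accept tokens harvested by any other app the same user has authorised.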
[via Dave Farber. PGN] http://motherboard.vice.com/read/russian-hackers-launch-targeted-cyberattacks-hours-after-trumps-win
> Please do not send the user these ($0.02). > They are due to internal rounding errors. > They happen about once a year. > Please fix the errors. Hello, I am sorry for the problems! I've gone ahead and zeroed out the 2 cent charge. The reason for the charge is because in November, when California ends Daylight Savings Time, the system registers that there is technically one extra hour in the billing cycle—one hour of your VPS costs 2 cents. So it's technically not an error, just an anomaly due to Daylight Savings Time. Hopefully California will get rid of Daylight Savings Time so this extra hour will not occur in the future. If it does happen again next year, you can disregard the requests for payment—or, rather, the notices that payment has been deferred.
It seems to me that regulating the IoT is never going to be the complete solution. Yes, there should be regulation, but the regulations will be slow and the compliance (if any) will be slower. This means there will be plenty of time for flaws to be exploited. It is better for "the network" to defend itself against the easy/common attacks like DDoS. I refer you to US patent 7331060 (I have no relationship except that I filed a similar idea before it was published.) It has a priority date of Sep 10, 2001, so it should expire in 2021, around 5 years from now. It appears to be patented only in the US. https://www.google.com/patents/US7331060 Stanley Chow, Formerly of Nortel, Alcatel, Bell Labs