[AFP via Yahoo!] UK govt accused of covering up failed Trident nuclear missile test London (AFP) - The British government was accused on Sunday of covering up a failed test of its nuclear weapons deterrent last year, just weeks before lawmakers voted to renew the system. [...] *The Sunday Times* newspaper, citing a senior naval source, claimed that the Trident II D5 missile failed after being launched from a British submarine off the coast of Florida in June. The cause of the failure is top secret but the source suggested the missile may have veered off in the wrong direction towards the United States. https://www.yahoo.com/news/uk-govt-accused-covering-failed-trident-nuclear-missile-113729062.html [Nothing in the story about what stopped the missile from reaching the US or, for that matter, how far it flew.]
Excerpt from Eric Schlosser's "Command and Control," Penguin, 2013, P.475 All of these military computer networks are far more technologically advanced than the gold telephone that used to connect General LeMay to the White House. But sometimes they experience a glitch. In October 2010 a computer failure at F. E. Warren Air Force Base knocked fifty Minuteman III missiles offline. For almost an hour, launch crews could not communicate with their missiles. One third of the Minuteman IIIs at the base had been rendered inoperable. The Air Force denied that the system had been hacked and later found the cause of the problem: a circuit card was improperly installed in one of the computers during routine maintenance. But the hacking of America's nuclear command-and-control system remains a serious threat. In January 2013, a report by the Defense Science Board warned that the system's vulnerability to a large-scale cyber attack had never been fully assessed. Testifying before Congress, the head of the U.S. Strategic Command, General C. Robert Kehler, expressed confidence that no "significant vulnerability" existed. Nevertheless, he said that an "end-to-end comprehensive review" still needed to be done, that "we don't know what we don't know," and that the age of the command-and-control system might inadvertently offer some protection against the latest hacking techniques. Asked whether Russia and China had the ability to prevent a cyberattack from launching one of their nuclear missiles, Kehler replied, "Senator, I don't know."
Scott Shane, David E. Sanger and Andrew E. Kramer, *The New York Times*, 27 Jan 2017 http://www.nytimes.com/2017/01/27/world/europe/russia-hacking-us-election.html?smprod=nytcore-iphone&smid=nytcore-iphone-share Two Russian intelligence officers who worked on cyberoperations and a Russian computer security expert have been arrested and charged with treason for providing information to the United States, according to multiple Russian news reports. As in most espionage cases, the details made public so far are incomplete, and some rumors in Moscow suggest that those arrested may be scapegoats in an internal power struggle over the hacking. Russian media reports link the charges to the disclosure of the Russian role in attacking state election boards, including the scanning of voter rolls in Arizona and Illinois, and do not mention the parallel attacks on the D.N.C. and the email of John Podesta, Mrs. Clinton's campaign chairman. But one current and one former United States official, speaking about the classified recruitments on condition of anonymity, confirmed that human sources in Russia did play a crucial role in proving who was responsible for the hacking. [...]
http://www.cnn.com/2017/01/22/travel/united-grounds-domestic-flights-because-of-it-issue/index.html [An outage of 3-plus hours attributed to "IT problems".]
Samsung has concluded its investigation involving the 2016 Galaxy Note 7 fires, and has determined that two different flaws resulted in the conflagrations in the failing devices, with one creeping in after a too-quick investigation: http://appleinsider.com/articles/17/01/22/galaxy-note-7-investigation-concludes-pair-of-issues-will-cost-samsung-5-billion
https://www.nytimes.com/2017/01/22/business/samsung-galaxy-note-7-battery-fires-report.html See also http://arstechnica.com/gadgets/2017/01/galaxy-note-7-investigation-blames-small-battery-cases-poor-welding/
How much true value is there in an expensive product that becomes useless when the original battery needs replacement or is found to be unsafe to use? Normally having a battery is a good thing even if you run on utility power most of the time. I've used employer-supplied laptops with dialup VPN connections to carry on working during power outages. I also bought a personal-use XP laptop with a dead battery, but it still runs with Tails OS, connected to a wall plug, when I travel or have to use a wireless or untrustworthy wired connection during local conferences. The Phoebus Cartel might be considered a historical anomaly, but for the auto industry planned obsolescence was a high-priority corporate goal long before Apple began persuading people to purchase and discard electronic gimcracks every year or two. Now we see firmware becoming an integral part of expensive consumer purchases for big-ticket Internet-connected things such as cars, clothes washers and refrigerators. The VW emissions firmware scandal shows that we should not trust corporations. The right of consumers and consumer-protection organizations to analyze firmware and to block unwanted updates should be given legal protection, not restricted. If it isn't, we will never know whether our car or clothes washer stopped working because it was worn out, or because the maker told it to stop working.
Agam Shah, InfoWorld, 24 Jan 2017 The move expands a recall that was first announced last year http://www.infoworld.com/article/3161135/computers/hp-recalls-over-100000-more-laptop-batteries-for-fire-hazard.html opening text: HP is expanding its recall of laptop batteries with overheating issues that can cause computer damage and even fire. The company is recalling an additional 101,000 batteries in some laptops sold between March 2013 through October 2016. This is an expansion of the recall initiated in June 2016, which involved HP recalling 41,000 batteries. The batteries are in laptop brands including HP, Compaq, ProBook, Envy, Compaq Presario, and Pavilion laptops. Battery packs sold separately are also affected.
Tim Greene, Network World, 25 Jan 2017 http://www.infoworld.com/article/3161515/security/cisco-scrambling-to-fix-a-remote-code-execution-problem-in-webex.html There's no workaround and no final patch for a critical bug that can open up users' computers to remote code execution attacks opening text: Cisco's Webex Browser Extension contains a critical bug that can open up customers' entire computers to remote code execution attacks if the browsers visit websites containing specially crafted malicious code. The company says it is in the process of correcting the problem, and has apparently made a few initial steps toward a permanent fix. It says there is no workaround available.
I am running a simple website with a number of CGI-based forms for client input or feedback. Over the years, I have been blocking spammers using .htaccess, denying access to IP addresses that spam. For about a month, the amount of spam via this website has increased by an order of magnitude, if not more. A significant share of the spam messages comes from Ukraine, Kazakhstan, Russia, and other (former) Soviet or East European countries. However, I also see an increase from sites where you wouldn't expect such bad behavior, such as Microsoft and MIT. The response of the abuse departments is that they cannot block them, since these are TOR-based servers. The answer from MIT is copied below:

----start response---
Hello. Thank you for the report. The IP address in question is a Tor exit node. https://www.torproject.org/overview.html There is little we can do to trace this matter further. As can be seen from the overview page, the Tor network is designed to make tracing of users impossible. The Tor network is run by some 5000 volunteers who use the free software provided by the Tor Project to run Tor routers. Client connections are routed through multiple relays, and are multiplexed together on the connections between relays. The system does not record logs of client connections or previous hops. The Tor project does provide an automated DNSRBL for you to query to flag requests from Tor nodes as requiring special treatment: https://www.torproject.org/tordnsel/
Regards, Security Operations, Massachusetts Institute of Technology IS&T | Operations & Infrastructure | Security Operations, security@mit.edu http://ist.mit.edu/secure
---end response---

The risk is that TOR servers, with their good intent to help protect anonymity, will pollute regular Internet traffic.

Gerrit Muller, professor systems engineering, USN-NISE, Kongsberg, Norway
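The MIT response points at the Tor DNS exit list (TorDNSEL) as a way to flag, rather than blindly deny, requests from Tor exits. The following is an added example, not code from the contributor or from MIT, showing how a CGI form handler could use such a lookup to send Tor-originated submissions through an extra check (a CAPTCHA, say) instead of adding the exit's address to an .htaccess denylist, which would also shut out every legitimate Tor user behind it. The zone name `dnsel.torproject.org` and the `127.0.0.2` "listed" answer follow the Tor Project's published DNSEL convention as I know it and are assumptions to verify against the linked page; the `demo_resolve` resolver and the sample addresses are constructed so the logic runs offline.

```python
"""Flag web form submissions from Tor exit nodes via TorDNSEL, with an
injectable resolver so the decision logic can be tested offline."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Assumption (verify against https://www.torproject.org/tordnsel/): the
# public exit-list zone and the A record it returns for a listed exit.
TORDNSEL_ZONE = "dnsel.torproject.org"
TOR_EXIT_ANSWER = "127.0.0.2"

Resolver = Callable[[str], Iterable[str]]


def dnsel_query_name(client_ip: str) -> str:
    """Build the lookup name: client IPv4 octets reversed, then the zone.
    1.2.3.4 -> 4.3.2.1.dnsel.torproject.org"""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this lookup handles IPv4 client addresses only")
    return ".".join(reversed(client_ip.split("."))) + "." + TORDNSEL_ZONE


def live_resolve(name: str) -> Iterable[str]:
    """Real DNS lookup; NXDOMAIN surfaces as OSError (socket.gaierror)."""
    return [socket.gethostbyname(name)]


def is_tor_exit(client_ip: str, resolve: Optional[Resolver] = None) -> bool:
    """True if the exit list answers with TOR_EXIT_ANSWER for this address.
    A lookup failure (NXDOMAIN, timeout) is treated as 'not listed'."""
    resolve = resolve or live_resolve
    try:
        answers = list(resolve(dnsel_query_name(client_ip)))
    except OSError:
        return False
    return TOR_EXIT_ANSWER in answers


def form_policy(client_ip: str, denylist: set, resolve: Optional[Resolver] = None) -> str:
    """Decide how the form handler treats a submission:
    'deny'      - address already in the .htaccess-style denylist
    'challenge' - Tor exit: require a CAPTCHA or similar before accepting
    'accept'    - everything else"""
    if client_ip in denylist:
        return "deny"
    if is_tor_exit(client_ip, resolve):
        return "challenge"
    return "accept"


# Constructed offline stand-in for the DNSEL: only 1.2.3.4 is "an exit".
DEMO_EXITS = {"1.2.3.4"}


def demo_resolve(name: str) -> Iterable[str]:
    listed = {dnsel_query_name(ip) for ip in DEMO_EXITS}
    if name in listed:
        return [TOR_EXIT_ANSWER]
    raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    denylist = {"203.0.113.9"}  # constructed example entry
    for ip in ("1.2.3.4", "203.0.113.9", "198.51.100.7"):
        print(ip, "->", form_policy(ip, denylist, demo_resolve))
```

With the real resolver, an operational deployment would cache answers and apply a short timeout, since every form submission would otherwise wait on an external DNS round trip.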
Fahmida Y. Rashid, InfoWorld, 27 Jan 2017 OpenSSL issues new patches as Heartbleed still lurks The latest OpenSSL update may only address moderate-severity vulnerabilities, but admins shouldn't get lax about staying current with the patches http://www.infoworld.com/article/3162426/security/openssl-issues-new-patches-as-heartbleed-still-lurks.html selected text: The OpenSSL Project has addressed some moderate-severity security flaws, and administrators should be particularly diligent about applying the patches since there are still 200,000 systems vulnerable to the Heartbleed flaw. A disproportionate number of systems on this list were servers hosted on Amazon Web Services. That may have more to do with the fact that it's easy for anyone to spin up new AWS instances, than with an actual issue in AWS. With IT security out of the loop, there's no one enforcing security controls on what types of software to install when setting up the server, which means there's nothing stopping the server owner from adding the vulnerable version of OpenSSL to the stack. Some of the virtual servers may be abandoned and forgotten, and since they were created outside of the IT process, no one knows to look for them to check the OpenSSL version. "If there are servers that are vulnerable, then it's because people aren't aware they have them," said Mike Pittenger, vice president of strategy for Black Duck Software.
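The article's point is that forgotten servers stay vulnerable because nobody checks their OpenSSL version. As an added example (not from the article or from the OpenSSL Project), here is a small inventory triage that parses `openssl version` banners collected from a fleet and flags the Heartbleed-affected range: 1.0.1 up to and including 1.0.1f (fixed in 1.0.1g) and 1.0.2-beta1; the 0.9.8 and 1.0.0 branches never carried the heartbeat code. The hostnames and banners in `SAMPLE_INVENTORY` are constructed.

```python
"""Triage a fleet's 'openssl version' output for Heartbleed (CVE-2014-0160)."""
import re

# OpenSSL version strings look like "OpenSSL 1.0.1e 11 Feb 2013" or
# "OpenSSL 1.0.2-beta1 ..."; capture major.minor.patch, the letter
# suffix, and an optional pre-release tag.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, prerelease) or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return (int(major), int(minor), int(patch), letter or "", pre or "")


def is_heartbleed_vulnerable(banner):
    """True for affected versions, False for unaffected, None if unparseable."""
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter, pre = v
    if (major, minor, patch) == (1, 0, 1):
        # base 1.0.1 (empty letter) and 1.0.1a..1.0.1f are affected;
        # 1.0.1g and later carry the fix. "" < "g" holds, so the
        # comparison covers the unlettered release as well.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"
    return False


def triage(inventory):
    """inventory: iterable of (host, banner). Returns {host: status} where
    status is 'VULNERABLE', 'ok' or 'unknown' (manual follow-up)."""
    labels = {True: "VULNERABLE", False: "ok", None: "unknown"}
    return {host: labels[is_heartbleed_vulnerable(banner)]
            for host, banner in inventory}


# Constructed sample: what a fleet scan might have collected.
SAMPLE_INVENTORY = [
    ("web-old-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("api-03", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("legacy-04", "OpenSSL 0.9.8zh 3 Dec 2015"),
    ("cache-05", "OpenSSL 1.0.2k 26 Jan 2017"),
    ("mystery-06", "command not found"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

A version check like this only finds what the inventory already knows about; the article's real lesson is that the inventory itself has to include the instances spun up outside the IT process.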
via NNSquad It appears that the new administration has killed the traditional White House public phone number for citizen comments at (202) 456-1111—now it just tells you to hang up and use Facebook instead. But a new comment line has appeared at a New York City number, which seems somehow appropriate: (347) 781-4664.
[Note: The term "fake news" (originally used to refer what is now sometimes called "alternative news") has also been pre-empted, and used to misrepresent "real news" by those to whom it is unpleasant. PGN] NNSquad Facebook is changing its Trending section to fight the spread of fake news https://www.recode.net/2017/1/25/14376734/facebook-trending-topics-update-fake-news Facebook is updating Trending, the section of the service that highlights popular topics being discussed on Facebook, to better prevent fake news stories from appearing there. As part of the update, Facebook says it's going to stop pulling in trending topics that surface based off a single news report. Instead, it'll feature topics that have been covered by a number of media outlets, an attempt to avoid one-off fake news stories that get lots of people talking but haven't been vetted by other media organizations. "We think it'll help [minimize] cases where maybe one specific story goes viral even if there might not be something real going on in the world about that story," said Will Cathcart, a VP of product management at Facebook. Facebook continues to be in the lead fighting fake news, while Google lags behind.
Via NNSquad http://www.bbc.com/news/technology-38724082 The largest network ties together more than 350,000 accounts and further work suggests others may be even bigger. UK researchers accidentally uncovered the lurking networks while probing Twitter to see how people use it. Some of the accounts have been used to fake follower numbers, send spam and boost interest in trending topics.
Martyn Williams, PC World, 25 Jan 2017 http://www.pcworld.com/article/3161718/government/us-park-service-tweets-were-result-of-old-twitter-passwords.html Two instances of tweets from U.S. National Park Service accounts that became political hot potatoes in the last few days were the result of bad password management, according to officials. "An unauthorized user had an old password in the San Francisco office and went in and started retweeting things that were in violation of their policy," [Sean Spicer] said of Saturday's incident.
via NNSquad Fake news costing advertisers reputation, ad dollars http://www.enterpriseinnovation.net/article/fake-news-costing-advertisers-reputation-ad-dollars-2009959187 Fake news is news today. Since the US presidential election began last year, fake news took center stage. However, a new report from Forrester titled "Fake News: More Proof That Advertisers Must Choose Quality Over Quantity" noted that the real targets are advertisers and their purse strings, not the readers. It is also creating a massive headache as ads are running into danger of being placed alongside news that can hurt brand reputations and even derail well-thought-out ad campaigns.
NNSquad In honor of the new "alternative facts" White House, you can now report fake news at: https://alt-facts.net
NNSquad https://www.sciencedaily.com/releases/2017/01/170127131306.htm By scanning 66 million tweets linked to nearly 1,400 real-world events, researchers have built a language model that identifies words and phrases that lead to strong or weak perceived levels of credibility on Twitter. Their findings suggest that the words of millions of people on social media have considerable information about an event's credibility -- even when an event is still ongoing.
http://bgr.com/2017/01/26/donald-trumps-android-phone-security/
January 26 2017, 12:54 p.m. https://goo.gl/MYseKG Trump's account is an obviously juicy target for such an attack, representing what BuzzFeed's Joe Bernstein described as "a national security disaster waiting to happen." An unauthorized declaration of, say, imminent hostilities or economic sanctions coming from the president's official account could destabilize the entire world. [The rest is fairly scary. PGN]
Steve Doocy (Fox News Co-host of Fox & Friends) apparently voted twice in the Republican primaries. https://twitter.com/tbonier/status/824702199678787584
The first article in RISKS-30.09 was about a Tesla driver being stranded because he was out of cellphone coverage. It was immediately followed by Nissan's "solution" for situations that are too complex for self-driving cars, which relies on their being able to contact a call centre. We seem to be at risk of making our cars cellphone-dependent. Regular readers of RISKS will be aware of the limitations of cell phone technology, not just in terms of coverage, but also in their vulnerability to overloading and power loss, particularly in crisis scenarios.
I think this link should be included: "Central Intelligence Agency Intelligence Activities: Procedures Approved by the Attorney General Pursuant to Executive Order 12333" https://www.cia.gov/about-cia/privacy-and-civil-liberties/CIA-AG-Guidelines-Signed.pdf
While ease of development may be in the eye of the developer, I certainly wouldn't commend for readability a language in which a blank in the wrong place might completely change the meaning of a routine!
> It's so weird to me that people **** all over leap seconds, but are fine
> with leap years and arbitrary timezone changes.

They're not at all the same. Leap years are perfectly regular and predictable, and timezones only affect the presentation of time, not the calculations. The problem with leap seconds is that they do affect the calculations, and they're irregular and unpredictable.
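The distinction drawn above (timezones change presentation, leap seconds change the arithmetic) is easy to see in code. This is an added illustration, not part of the contributor's message: elapsed seconds across the 2016-12-31 leap second come out one short under ordinary datetime subtraction, which like POSIX time assumes 86400 seconds per day, while shifting the same instants into another timezone changes nothing. The leap-second table is deliberately partial (only the real 2015-06-30 and 2016-12-31 insertions), so it is correct only for spans inside 2015-2017; a real implementation would load the full IERS list.

```python
"""Elapsed SI seconds between two UTC instants, with and without leap seconds."""
from datetime import datetime, timedelta, timezone

# Partial leap-second table (constructed for this example): the last UTC
# second *before* each inserted 23:59:60. Real dates, but earlier entries
# are omitted, so only spans within 2015-2017 are handled correctly.
LEAP_SECOND_PRECEDING = [
    datetime(2015, 6, 30, 23, 59, 59, tzinfo=timezone.utc),
    datetime(2016, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
]


def naive_elapsed(a, b):
    """What datetime arithmetic (and POSIX time_t) gives: 86400 s per day,
    leap seconds silently ignored."""
    return int((b - a).total_seconds())


def leap_seconds_between(a, b):
    """Number of positive leap seconds inserted in the half-open span [a, b)."""
    return sum(1 for t in LEAP_SECOND_PRECEDING if a <= t < b)


def true_elapsed(a, b):
    """Actual SI seconds elapsed, counting inserted leap seconds."""
    return naive_elapsed(a, b) + leap_seconds_between(a, b)


def elapsed_in_zone(a, b, utc_offset_hours):
    """Same instants re-expressed in another timezone: presentation changes,
    the difference does not."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return naive_elapsed(a.astimezone(tz), b.astimezone(tz))


# Constructed sample span: the whole of 2016-12-31 UTC, which contains a leap second.
SAMPLE_START = datetime(2016, 12, 31, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_END = datetime(2017, 1, 1, 0, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("naive:", naive_elapsed(SAMPLE_START, SAMPLE_END))
    print("true: ", true_elapsed(SAMPLE_START, SAMPLE_END))
    print("in UTC-5:", elapsed_in_zone(SAMPLE_START, SAMPLE_END, -5))
```

The one-second discrepancy is exactly the kind of thing that breaks interval checks (certificate validity windows, token lifetimes, log correlation) when one side counts leap seconds and the other does not.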
> What could possibly go wrong? It is well known that the NSA—as well as
> other nation-state actors—place malicious USB chargers in public places
> that can infect computers and phones that are attached.

As someone who travels a lot for business, sometimes to relatively unknown places for me, this is exactly why I carry such a "condom". It's simply a couple of clearly marked USB cables that don't have any data lines in them. They are power-only. Now I don't have to care what USB port I plug in to, whether it's a public charging station or a friendly stranger's laptop. OK, the problem of a high-voltage USB killer isn't solved by this, but that's not my threat model (yet). http://www.theregister.co.uk/2015/10/14/sneaky_220v_usb_fries_laptops/