Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
London City first in UK to get remote air traffic control
BBC, 19 May 2017
http://www.bbc.com/news/uk-39960993
London City is to become the first UK airport to replace its air traffic
control tower with a remotely operated digital system.
Instead of sitting in a tower overlooking the runway, controllers will be
120 miles away, watching live footage from high-definition cameras.
The new system, due to be completed in 2018, will be tested for a year
before becoming fully operational in 2019. It has already been tested in
Australia, Sweden, Norway and Ireland.
The technology has been developed by Saab, the Swedish defence and security
company, and will be introduced as part of a UKP350m development programme
to upgrade London City Airport.
[Perhaps next we will have blind controllers playing it by ear?]
Mary Grady https://cdn.avweb.com/media/newspics/170/p1bge40nmn1gvbkop1dove4j1kma6.png Aurora Flight Sciences has successfully tested a robotic copilot in a Boeing 737 simulator, demonstrating that it can safely land the airplane on its own, the company said this week. The system is designed to function as a second pilot in a two-crew aircraft, enabling reduced crew operations while ensuring that aircraft performance and mission success are maintained or improved. Aurora is working with the Defense Advanced Research Projects Agency to develop the technology. DARPA has said their goal is to test “a tailorable, drop-in, removable kit that would promote the addition of high levels of automation into existing aircraft.” Aurora has previously tested the system in a Diamond DA42, Cessna 208 Caravan, UH-1 Iroquois and DHC-2 Beaver. “Having successfully demonstrated on a variety of aircraft, ALIAS (Aircrew Labor In-Cockpit Automation System) has proven its versatile automated flight capabilities,” said John Wissler, Aurora's vice president of research and development. “As we move towards fully automated flight from takeoff to landing, we can reliably say that we have developed an automation system that enables significant reduction of crew workload.” Aurora's technology includes the use of in-cockpit machine vision, robotic components to actuate the flight controls, an advanced tablet-based user interface, speech recognition and synthesis, and a knowledge-acquisition process that facilitates transition of the automation system to another aircraft within a 30-day period. Aurora is also working on a version of the system without robotic actuation that instead aims to support the pilot by tracking aircraft physical, procedural and mission states, increasing safety by actively updating pilot situational awareness. Video: https://www.youtube.com/watch?v=om18cOWFL3Q The risk? Second Officer Robo Pilot not having been programmed for an unusual and very bad situation. Say, a bird strike on both engines leaving NYC's LaGuardia Airport or an incapacitated human pilot. Nice corporate goal, "reduced crew operations while ensuring that aircraft performance and mission success are maintained or improved"—and it does mention safety -- but I wonder about handling those occasional oddities where human experience shines.experience. Aren't some aircraft designated two-crew for good reasons?
https://www.theguardian.com/world/2017/may/27/british-airways-system-problem-delays-heathrow BA has canceled all flights from Britain's two largest airports, Heathrow and Gatwick, until 6pm Saturday on one of the busiest flying days of the year - as in the US, Monday is a holiday. Arriving planes, particularly at LHR T5, were left sitting on the tarmac. It appears that BA off-shores its IT systems, and not long ago cut a number of IT jobs to Tata: https://www.theregister.co.uk/2016/02/25/ba_tata_consultancy_service/ https://www.theregister.co.uk/2017/04/11/british_airways_website_down/ https://www.theregister.co.uk/2016/06/13/british_airways_slaps_at_risk_sticker_on_nearly_half_of_app_delivery_depo/ https://www.theregister.co.uk/2016/06/24/ba_job_offshoring_gmb_union_hand_delivered_letters/ LATER: All fights now canceled for the rest of today. The scenes at LHR shown on Twitter look awful. More discussion of the IT system at PPrune (the pilots' rumors network): http://www.pprune.org/rumours-news/595169-ba-delays-lhr-computer-issue.html As Edward Hasbrouck (www.hasbrouck.org) always advises: have a printed copy of your ticket and boarding pass.
Returning from the toilet, second officer Ross Hales straps into the right-hand-side seat beside Captain Kevin Sullivan in the Qantas jet's cockpit. "No change," Sullivan tells him in his American accent. He is referring to the Airbus A330-300's autopilot and altitude as it cruises at 37,000 feet above the Indian Ocean on a blue-sky day. Within a minute, the plane's autopilot disconnects. It forces Sullivan to take manual control of Qantas Flight 72, carrying 303 passengers and 12 crew from Singapore to Perth. Five seconds later, stall and over-speed warnings begin blaring. St-aaa-ll, st-aaa-ll, they screech. The over-speed warnings are louder, sounding like a fire bell. Ding, ding, ding, ding. Caution messages light up the instrument panel. "That's not right," Sullivan exclaims to Hales, who he met for the first time earlier in the day on a bus taking crew from a Singapore hotel to Changi Airport. His reasoning is simple: how can the plane stall and over-speed at the same time? The aircraft is telling him it is flying at both maximum and minimum speeds. Barely 30 seconds earlier, nothing was untoward. He can see the horizon through the cockpit windows and cross-check instruments to determine that the plane is flying as it should. "You'd better get Peter back," Sullivan says, urgency in his voice. Minutes earlier, first officer Peter Lipsett, a former Navy Seahawk pilot, left for his scheduled break. Hales picks up the plane's interphone to call the customer service manager to track down the first officer. http://www.smh.com.au/good-weekend/the-untold-story-of-qf72-what-happens-when-psycho-automation-leaves-pilots-powerless-20170510-gw26ae.html
https://www.theguardian.com/technology/2017/jun/03/self-driving-cars-high-speed-lane-berkeley-california "Barrs and Chen said vehicles would travel at speeds up to 120mph, and that the centralized computer control—which would be in constant communication with each vehicle using emerging 5G technology—would allow for a more tightly-packed traffic pattern." Hmmm. Single, centralized computer with fulltime, real-time reliance on perfect, metropolitan area wireless communication between that computer and every vehicle under its control? This proposal might need a bit of deeper thinking about the design of the command and control architecture. Something more distributed, and with more modest assumptions about lane occupancy percentages will likely produce a far more robust (and safer) service with surprisingly similar level of utility. Dave Crocker, Brandenburg InternetWorking, bbiw.net
[Epic First-World #fail!!!] A Starbucks spokesperson said the problem came about as a result of a "technology update" to store registers and that a limited number of the country's 14,000 North American locations are affected. http://fortune.com/2017/05/16/starbucks-computers/ The risk? Technology, technology updates, and cash registers lacking old-school mechanical push buttons and large crank handles.
Lack of encryption and authentication, simple bugs in the code and poor design can put patient lives at risk. <https://drive.google.com/file/d/0B_GspGER4QQTYkJfaVlBeGVCSW8/view> A recent report from security firm WhiteScope describes more than 8,600 flaws in pacemaker systems and the third-party libraries that power various components of the devices. The broad list of flaws includes a lack of encryption and authentication, simple bugs in the code and poor design that can put patient lives at risk. These vulnerabilities were associated with outdated libraries used in pacemaker programmer software. http://www.healthcareitnews.com/news/pacemaker-device-security-audit-finds-8600-flaws-some-potentially-deadly No real clue given regarding what they counted in that broad list to reach 8,600.
America needs a hero, and though Mats Järlström hails from Sweden, he might be it. He won't reverse climate change or close the wealth gap, but he may help unmake another injustice: that of the ticket-slinging red light camera. https://www.wired.com/2017/05/red-light-cameras-may-issuing-tickets-based-bogus-math/
Chipotle Mexican Grill, Inc. (Chipotle) is providing further information about the payment card security incident that Chipotle previously reported on 25 Apr 2017. The information comes at the completion of an investigation that involved leading cyber security firms, law enforcement, and the payment card networks. The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected. A list of affected Chipotle restaurant locations and specific time frames is available here <https://www.chipotle.com/security#security>. Not all locations were involved, and the specific time frames vary by location. It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take. During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement's investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring. https://www.chipotle.com/security#security Don Gilman http://www.linkedin.com/in/TXAggieSE
MasterCard Serbia asked ladies to share FB photos of, among other things, their credit card Credit card companies should know all about phishing, right? McCann should know all about marketing, right? Combine the two in Serbia and you will get a marketing campaign that just went viral, although for the wrong reasons. Mastercard Serbia organised a prize contest that asks female customers to share contents of their purse on Facebook. Their announcement post clearly shows the credit card details of a fictive customer. http://svedic.org/programming/mastercard-serbia-asked-ladies-to-share-fb-photos-of-among-other-things-their-credit-card The risk? Quoting article: In my modest opinion, the lesson of this story is to be careful how you hire. I am biased because I run an employee assessment company, but smiling people with lovely résumés can still be bozos. And when you have incompetent people in the company, it doesn't matter what formal company procedures you have in place.
Cybersecurity experts were shocked Tuesday when a sixth grader showed them just how easy it would be to hack their mobile devices and weaponize a seemingly innocuous item—in this case, his smart teddy bear. At a cyber safety conference in the Hague, Netherlands, 11-year-old prodigy Reuben Paul used a small computer called a "raspberry pi" to hack into audience members' Bluetooth devices and download phone numbers, Agence France-Presse reports. Paul then reportedly used one of the numbers to hack into the teddy bear, which connects to the Internet via Bluetooth or WiFi, and used the toy to record a message from the audience by using a computer language program called Python. http://fortune.com/2017/05/17/reuben-paul-cybersecurity-hacking/
John Ribeiro, InfoWorld, 16 May 2017 Digital signature service DocuSign hacked and email addresses stolen DocuSign had last week warned of phishing emails that spoofed its brand http://www.infoworld.com/article/3196859/hacking/digital-signature-service-docusign-hacked-and-email-addresses-stolen.html opening text: Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems. The hackers gained temporary access to a peripheral sub-system for communicating service-related announcements to users through email, the company said. It confirmed after what it described as a complete forensic analysis that only email addresses were accessed, and not other details such as names, physical addresses, passwords, social security numbers, credit card data, or other information.
via NNSquad https://motherboard.vice.com/en_us/article/russian-hackers-are-using-googles-own-infrastructure-to-hack-gmail-users Russian government hackers seem to have figured out that sometimes the best way to hack into people's Gmail accounts is be to abuse Google's own services. Not really new, but always worthy of note.
via NNSquad https://www.nytimes.com/2017/05/31/technology/how-twitter-is-being-gamed-to-feed-misinformation.html?_r=0 Though the 140-character network favored by President Trump is far smaller than Facebook, it is used heavily by people in media and thus exerts perhaps an even greater sway on the news business. That's an issue because Twitter is making the news dumber. The service is insidery and clubby. It exacerbates groupthink. It prizes pundit-ready quips over substantive debate, and it tends to elevate the silly over the serious -- for several sleepless hours this week it was captivated by "covfefe," which was essentially a brouhaha over a typo. But the biggest problem with Twitter's place in the news is its role in the production and dissemination of propaganda and misinformation. It keeps pushing conspiracy theories—and because lots of people in the media, not to mention many news consumers, don't quite understand how it works, the precise mechanism is worth digging into.
via NNSquad https://www.nytimes.com/2017/05/27/technology/china-us-ai-artificial-intelligence.html The balance of power in technology is shifting. China, which for years watched enviously as the West invented the software and the chips powering today's digital age, has become a major player in artificial intelligence, what some think may be the most important technology of the future. Experts widely believe China is only a step behind the United States. China's ambitions mingle the most far-out sci-fi ideas with the needs of an authoritarian state: Philip K. Dick meets George Orwell. There are plans to use it to predict crimes, lend money, track people on the country's ubiquitous closed-circuit cameras, alleviate traffic jams, create self-guided missiles and censor the Internet.
You might be interested in the following GAO report: Technology Assessment: Internet of Things: Status and implications of an increasingly connected = world GAO-17-75: Published: May 15, 2017. Publicly Released: May 15, 2017. http://www.gao.gov/products/GAO-17-75?utm_medium=email&utm_source=govdelivery Dott. Diego Latella - Senior Researcher CNR-ISTI, Via Moruzzi 1, 56124 Pisa, Italy http://www.isti.cnr.it/People/D.Latella http://fmt.isti.cnr.it
via NNSquad https://arstechnica.com/security/2017/05/yahoobleed-flaw-that-festered-for-years-leaked-private-yahoo-mail-data/ For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets.
via NNSquad https://techcrunch.com/2017/06/01/onelogin-admits-recent-breach-is-pretty-dang-serious/?ncid=rss OneLogin, a major access management service (think corporate-level password manager) alerted its users yesterday of "unauthorized access" to the data of its US-based users. That kind of thing isn't always serious... but it turns out this one sure was. An update posted today reveals the hacker may have had very deep access indeed.
The WannaCry outbreak has inspired some particularly poor in-fighting, but Steve Bellovin has an intelligent blog posting up asking who should pay for updating outdated software: https://www.cs.columbia.edu/~smb/blog/2017-05/2017-05-16.html He proposes four options: > We can demand that vendors pay, even many years after the software has > shipped. We can set up some sort of insurance system, whether run by the > government or by the private sector. We can pay out of general revenues. > If none of those work, we'll pay, as a society, for security failures. ...because, as I wrote in 2014, when Microsoft discontinued support for XP, software is forever: http://www.pelicancrossing.net/netwars/2014/05/software_is_forever.html
As devastating as the latest widespread ransomware attacks have been, it’s a problem with a solution. If your copy of Windows is relatively current and you've kept it updated, your laptop is immune. It's only older unpatched systems on your computer that are vulnerable. Patching is how the computer industry maintains security in the face of rampant internet insecurity. Microsoft, Apple and Google have teams of engineers who quickly write, test and distribute these patches, updates to the codes that fix vulnerabilities in software. Most people have set up their computers and phones to automatically apply these patches, and the whole thing works seamlessly. It isn't a perfect system, but it’s the best we have. But it is a system that's going to fail in the Internet of Things: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don't have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don't even have the ability to be patched. https://www.nytimes.com/2017/05/19/opinion/what-happens-when-your-car-gets-hacked.html Most of our web-connected products don't have a team of engineers working to make them more secure. That's a problem.
https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/ Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version, which then generated machine translated versions of the other notes. The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language—perhaps comfortable enough to use the language to write the initial note. Given these facts, it is possible that Chinese is the author(s)’ native tongue, though other languages cannot be ruled out. It is also possible that the malware author(s)’ intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead. WannaCry had ransom notes in 28 different languages. The analysis was of the ransom notes, not of the code itself.
Is this true, or fake news, or misquoting? FBI Gives Hollywood Hacking Victims Surprising Advice: "Pay the Ransom" Hollywood Reporter, 12 May 2017 http://www.hollywoodreporter.com/news/fbi-gives-hollywood-hacking-victims-surprising-advice-pay-ransom-1001515 This isn't a change in policy. The FBI has been recommending payment of ransom since at least October, 2015: FBI's Advice on Ransomware? Just Pay The Ransom. Security Ledger, 22 Oct 2015 https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/
Alister was a close friend, and I had the pleasure of meeting him and visiting him in his home years ago. He was unfailingly kind and pleasant, always giving and hoping for the best for others. He gave generously of his time and knowledge and asked for little in return except kindness and an open mind. He will be missed by everyone who ever knew him. [Al Mac was also a prolific contributor to RISKS since June 2005, with his last posting (above) just three days before his passing. PGN] An obituary is available here: http://obits.dignitymemorial.com/dignity-memorial/obituary.aspx?n=Alister-Macintyre&lc=2683&pid=185575314&mid=7416639 That's not a very graceful URL, but it was obtained by going to www.alexandereastchapel.com and searching for Al. There's a link to a Guest Book at the site. http://www.legacy.com/guestbook/DignityMemorial/guestbook.aspx?n=alister-macintyre&pid=185575314
> In DB2 the running process would have to be authorised for the DROP Table > action in that particular named Tablespace. How common is that? Is Drop > Table less Restricted in other Relation DB Management Systems? [...] Yes, it should not happen. RISKS exists, because such things do happen. Personally, I would rather be in the situation of saying, "There was a failed, injected drop table. You win the bet. Here is your $20." than "There was a injected drop table. I win the bet. $20, please. And where is the backup?"
Maybe I have presently too much blood in my caffeine, but I don't really see the strength of the argument. Lauren's proposed approach would work only if The Cloud (et al.) would be able to distinguish between benign access by the user and malicious access by ransomware with the same privilege levels to encrypt user files. As far as I'm aware, nobody has managed that yet. As for keeping *software* up to date, nobody executes directly from Cloud facilities, it is always cached locally for reasons of speed (and offline use) which puts you pretty much in an identical situation to patching as and when such becomes available.
On 14/05/17 06:46, RISKS List Owner wrote: > Vodafone wanted to transfer its 1,000 users to > PageOne, but the UK Competition and Markets Authority objected and wanted a > full investigation The perils of not learning from experience ... This EXACT SAME scenario played out in the shoe-polish market recently. The owners of Cherry and Kiwi wanted to merge. (Or rather, one of them wanted to get out of the business and, to save jobs, wanted to sell as a going operation to the other.) The competition people insisted on doing a full market investigation, so the company that wanted out just shut the whole lot down.
As if on cue: IBM wheels out bleedin' big 15TB tape drive Proprietary tape format bits shrink while capacity bulks up IBM has brought out a TS1155 tape drive as an update on the existing TS1150, offering 15TB raw capacity, half as much again. These are proprietary IBM format tape drives. For comparison the open standard LTO-7 format offers 6TB raw capacity (15TB compressed at 2.5:1), with the coming LTO-8 reaching 12TB raw, well below IBM capacity levels. IBM has quoted 3:1 compression rates for the TS1150, so the same rate applied to the TS1155 gives us a 45TB compressed capacity, a useful increment over the TS1150's 30TB. http://www.theregister.co.uk/2017/05/11/ibm_15tb_tape_drive/ ...so archive to these, just keep a few around forever to read the data.
Please report problems with the web pages to the maintainer