Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Software used to rig outcome in Wisconsin, Colorado, Kansas and Oklahoma Investigators say Tipton installed software that let the computers work as they should on all but three days of the year—May 27, Nov. 22 and Dec. 29 -- when they would produce predictable numbers if the drawings occurred on Wednesdays or Saturdays after 8 p.m. http://www.cbc.ca/news/world/u-s-lottery-rigged-then-payout-used-for-offshore-tax-scam-1.4192281
Shaun Nichols, *The Register*, 29 Jun 2017 Hang on, there's a tech angle in here somewhere... IoT, right? https://www.theregister.co.uk/2017/06/29/fidget_spinners_catch_fire/ opening text: Fad-crazed parents have something new to worry about, as reports suggest that fidget spinners can pose a fire risk. A family in the US says one of the smash-hit toys caught fire as it was charging its Bluetooth speaker in their home, and it only narrowly avoided becoming a much larger blaze.
Robert Burns, AP Exclusive via WRAL, 3 Jul 2017 WASHINGTON—The Pentagon has thrown a cloak of secrecy over assessments of the safety and security of its nuclear weapons operations, a part of the military with a history of periodic inspection failures and lapses in morale. Overall results of routine inspections at nuclear weapons bases, such as a "pass-fail" grade, had previously been publicly available. They are now off-limits. The change goes beyond the standard practice of withholding detailed information on the inspections. The stated reason for the change is to prevent adversaries from learning too much about U.S. nuclear weapons vulnerabilities. Navy Capt. Greg Hicks, spokesman for the Joint Chiefs of Staff, said the added layer of secrecy was deemed necessary. "We are comfortable with the secrecy," Hicks said Monday, adding that it helps ensure that "as long as nuclear weapons exist, the U.S. will maintain a safe, secure, and effective nuclear stockpile." Critics question the lockdown of information. "The whole thing smells bad," said Steven Aftergood, a government secrecy expert with the Federation of American Scientists. "They're acting like they have something to hide, and it's not national security secrets." "I think the new policy fails to distinguish between protecting valid secrets and shielding incompetence," he added. "Clearly, nuclear weapons technology secrets should be protected. But negligence or misconduct in handling nuclear weapons should not be insulated from public accountability." http://www.wral.com/ap-exclusive-security-of-us-nukes-now-an-official-secret/16799565/
Ronen et al., /IEEE Security and Privacy 2017/ <https://eprint.iacr.org/2016/1047.pdf> You probably don't need another reminder about the woeful state of security in IoT, but today's paper choice may well give you further pause for thought about the implications. The opening paragraph sounds like something out of science fiction—except that it's a demonstrated reality today: Within the next few years, billions of IoT devices will densely populate our cities. In this paper, we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will rapidly spread over large areas, provided that the density of compatible IoT devices exceeds a certain critical mass. https://blog.acolyer.org/2017/06/22/iot-goes-nuclear-creating-a-zigbee-chain-reaction/
Volvo's self-driving car's animal detection system can identify and avoid deer, elk and caribou, but is yet to work against the marsupial movements of kangaroos— because hopping confounds its systems. https://www.theguardian.com/technology/self-driving-cars https://www.theguardian.com/technology/2017/jul/01/volvo-admits-its-self-driving-cars-are-confused-by-kangaroos [You would certainly roo the night when your self-driving car plows into a whopper of a hopper. PGN]
Amazon went down 87 percent, and Zynga was up 3,292 percent A stock market data error this evening set an undetermined number of companies listed on the Nasdaq exchange to a share price of $123.47, sending some tech companies' stock prices crashing and others' soaring. In a statement obtained by the Financial Times, Nasdaq said the culprit was “improper use of test data'' that was picked up by third party financial data providers. The exchange said it was “working with third party vendors to resolve this matter.'' https://www.theverge.com/2017/7/3/15917950/nasdaq-nyse-stock-market-data-error The risk? Computers.
Sheera Frenkel, *The New York Times*, Business Day, 3 Jul 2017
Subcaption: Hackers target developing countries to hone their skills with
malware that learns as it intrudes.
Allan Liska [senior threat intelligence analyst] said, "We see a pattern
among the attackers. They test something, make improvements, and then six
weeks later test again before launching it at their true targets."
Chris Rock [Australian security researcher] said, "Doing tests in a
country that presumably has fewer defenses is a double-edged sword. On
one hand, attackers can hone their skills. On the other hand, they risk
being discovered. Once a cybersecurity firm has the signature of an
attack, it can build defenses against it, and spread those defenses among
its clients."
[The person responsible for titling this article apparently needed to
save a line space on on page B1. My Subject: above is actually the
caption on the *continuation* page, which is more explicit and less
ambiguous than the front-page caption in a VERY LARGE font across the
entire page:
Cyberattack Proving Grounds
Cyberattack Proving [coffee] grounds [are undrinkable?]
[proving = gerundive]
Cyberattack proving Grounds [itself in risks?]
[proving = noun, grounds = verb]
On a sunny day last summer, in the middle of a vast cornfield somewhere in the large, windy middle of America, two researchers from the University of Tulsa stepped into an oven-hot, elevator-sized chamber within the base of a 300-foot-tall wind turbine. They'd picked the simple pin-and-tumbler lock on the turbine's metal door in less than a minute and opened the unsecured server closet inside. Jason Staggs, a tall 28-year-old Oklahoman, quickly unplugged a network cable and inserted it into a Raspberry Pi minicomputer, the size of a deck of cards, that had been fitted with a Wi-Fi antenna. He switched on the Pi and attached another Ethernet cable from the minicomputer into an open port on a programmable automation controller, a microwave-sized computer that controlled the turbine. The two men then closed the door behind them and walked back to the white van they'd driven down a gravel path that ran through the field. Staggs sat in the front seat and opened a MacBook Pro while the researchers looked up at the towering machine. Like the dozens of other turbines in the field, its white blades—each longer than a wing of a Boeing 747—turned hypnotically. Staggs typed into his laptop's command line and soon saw a list of IP addresses representing every networked turbine in the field. A few minutes later he typed another command, and the hackers watched as the single turbine above them emitted a muted screech like the brakes of an aging 18-wheel truck, slowed, and came to a stop. https://www.wired.com/story/wind-turbine-hack/
https://arstechnica.com/information-technology/2017/06/skylake-kaby-lake-chips-have-a-crash-bug-with-hyperthreading-enabled/
https://www.cnet.com/news/android-hack-copycat-malware-device-outdated-14-million/
https://www.nytimes.com/2017/06/28/world/europe/ukraine-ransomware-cyberbomb-accountants-russia.html
Interesting article in today's newspaper: context is a report on the UK National Health Service's links with DeepMind Health (owned by Alphabet, parent company of Google), but the report also has more-general comments on the NHS's IT, or lack it (but no mention of Windows XP). http://www.telegraph.co.uk/news/2017/07/04/nhs-doctors-use-snapchatto-send-patients-scans-report-says/ Summary: > The panel commissioned a series of independent experts to examine > elements of DeepMind's work - including employing data security > analysts. They identified 11 "relatively minor" technical > vulnerabilities but overall the panel commended DeepMind Health for its > "high level of data security". > > They were not so favourable about the NHS, writing: "The digital > revolution has largely bypassed the NHS, which, in 2017, still retains > the dubious title of being the world's largest purchaser of fax machines. > "Many records are insecure paper-based systems which are unwieldy and > difficult to use. > "Seeing the difference that technology makes in their own lives, > clinicians are already manufacturing their own technical fixes. They may > use SnapChat to send scans from one clinician to another or camera apps > to record particular details of patient information in a convenient format. > "It is difficult to criticise these individuals, given that this makes > their job possible. However, this is clearly an insecure, risky, and > non-auditable way of operating, and cannot continue." > > The authors also add that the average NHS trust has 160 different > computer systems in operation.
*The New York Times*, Editorial, 4 July 2017 [The Commission on "Election Integrity" is demanding everything that would undermine election integrity? PGN-ed] The reviews of President Trump's new commission on election integrity are rolling in, and they're not good! https://mobile.nytimes.com/2017/07/03/opinion/voter-fraud-data-kris-kobach.html Disingenuous. <http://news.delaware.gov/2017/07/03/delaware-will-not-provide-voter-information-white-house-commission/> Repugnant. <http://www.baltimoresun.com/news/maryland/politics/bs-md-frosh-trump-voter-fraud-20170703-story.html> At best a waste of taxpayer money. <https://www.facebook.com/kysecretaryofstate/photos/a.10150156414242247.338791.44487052246/10155195098437247/?type=3&theater> A tool to commit large-scale voter suppression. <https://governor.virginia.gov/newsroom/newsarticle?articleId=20595> State officials across the country responded to the commission's slapdash request last week for detailed voter data in the manner previously reserved for emailed pleas from a Nigerian prince. Delete, said secretaries of state in Kentucky, Minnesota, Tennessee, California—more than 20 states refused to comply, red and blue and every hue in between. “They can go jump in the Gulf of Mexico,'' Mississippi's secretary of state, Delbert Hosemann, a Republican, responded. What triggered the bipartisan backlash? A letter from the commission -- whose ostensible goal is to restore Americans' confidence in their elections -- asked states to turn over by July 14 all publicly available information about their voters, including names, addresses, dates of birth, political party and voting history, criminal record, military status and the last four digits of their Social Security number. <https://www.brennancenter.org/sites/default/files/analysis/06.28.17_Kobach_Letter_to_States.pdf> <https://www.nytimes.com/interactive/2015/09/08/opinion/100000003889944.embedded.html>
Last week's hospital cyber-attack was no big deal and the electoral system is secure, according to Cyber Bureau head Eviatar Matania, who's both worried and confident. http://www.timesofisrael.com/staying-humble-is-key-to-staying-safe-says-israels-cyber-chief/
Germany's Chaos Computer Club, a multigenerational army of activists, has made the country's democracy a lot tougher to undermine. https://www.bloomberg.com/news/features/2017-06-27/the-chaos-computer-club-is-fighting-to-save-democracy
The Canadian TV Documentary Series Cyberwar has an international perspective and often airs video recorded in Russia (beyond those places in Alaska) and in other countries beyond the borders of Canada and the USA. http://www.eyeoncanada.ca/television/details/cyberwar One recent episode dealing with 2016 USA election meddling, pointed out that the USA and probably other governments have been heavily involved in Russian Election meddling since at least as far back as the 1996 election of "western" favourite Boris Yeltsin. Pot, Kettle, Black as they say. Points made by one of the USA folks interviewed was to identify the risk as primarily a Russian Problem, not as a Digital Device or Network problem and to distinguish between Retaliation and Response, since Response to a Russian Problem can take a number of forms other than a cyber warfare or election hack attempt against Russia or other meddlers. It is a bad situation, but it is hard to claim the moral high ground when your adversaries use computers and networks with effect, to do the same thing you have both been doing for decades. If talking to someone seems like looking in a mirror, and you don't like what you see, then perhaps it is time to make some changes. Russian Disinformation tactics go back a long time, as do similar campaigns by other governments.
https://plus.google.com/+LaurenWeinstein/posts/Li1MA8ytR5b Trump's "Voter Fraud" Commission's attempt (wisely refused by the state) to obtain California voter records and then to make the data public would be in direct violation of Title 2, Division 7, Article 1 section 19005 of the California Administrative Code: No person who obtains registration information from a source agency shall make any such information available under any terms, in any format, or for any purpose, to any person without receiving prior written authorization from the source agency. The source agency shall issue such authorization only after the person to receive such information has executed the written agreement set forth in Section 19008.
Brandon Carter, *The Hill*, 30 Jun 2017 The science division of the White House Office of Science and Technology Policy reportedly had no staff members as of Friday. Sources told CBS News that the last employees in the division, three holdovers from former President Obama's administration, all left the White House this week. Under Obama, the science division was staffed with nine employees who crafted policy on STEM education, crisis response and other key issues, according to the report. Eleanor Celeste, the former assistant director for biomedical and forensics sciences in the division, appeared to tweet about leaving the office this week. http://thehill.com/homenews/administration/340328-science-division-of-white-house-office-no-longer-staffed-report
One concern for Republicans: Lacking federal standards, 22 states have imposed some sort of regulations, according to a tally by the National Conference of State Legislatures, often in an attempt to address safety concerns with a technology they believe is in its infancy. To Walden and his GOP colleagues, the flurry of state-level activity marks a break with a longstanding division of labor, one that sees the federal government determining national safety and driver standards while leaving only the logistics, like approving licenses, to the locals. <OK, perhaps, but this too?> Another Republican proposal would allow the government to designate as many as 100,000 self-driving cars to be exempt from existing federal motor safety rules, even though those guidelines — which govern everything from steering wheels to airbags — were written many years before that technology existed. https://www.recode.net/2017/6/27/15880088/republicans-gop-congress-autonomous-self-driving-cars-legislation
Mary Beth Quirk, *Consumerist*, 12 Apr 2017 https://consumerist.com/2017/04/12/this-burger-king-ad-forces-your-google-home-device-to-tell-you-about-whoppers/ opening text: You might think you're the master of your own home, controlling all the Internet-connected devices within it and bending them to your will with the touch of a button or an uttered command. But Burger King is trying to sneak into your home through the TV with a new ad that tries to trigger the voice-activated Google Home.
via NNSquad https://www.privateinternetaccess.com/blog/2017/06/att-gigapower-plans-charge-extra-per-month-want-privacy-no-ads/ AT&T plans to reinstate their GigaPower pay-for-privacy scheme, as revealed by AT&T VP Robert Quinn in a recent interview with C-SPAN. In 2014, AT&T started offering GigaPower 300 Mbps fiber internet in cities around the United States. Users signing up had the option of paying $29 more per month to guarantee that AT&T doesn't snoop on your internet traffic and serve you advertisements and offers from their MITM position on your Internet. Yes, they actually put a price on privacy and it's coming back. GigaOM discovered that $29 a month ($348 per year) isn't even the real price of buying your privacy back from AT&T - the total bill could run up to $800 per year. "Nice Internet connection you have there. Be a shame if something happened to it!"
Got this mail again:
Hi Dan!
Your DreamHost VPS has just exceeded the memory allocation that you've
established. If left unchecked that behavior could begin to negatively
impact the VPS services of every other customer on your server.
Ha, but this time I was prepared with an answer:
Dear Dreamhost, thank you for these occasional reminders these months.
This time I finally devised a system to find out the culprit. I "set a
trap", waiting to catch it the next time it happened. And I succeeded!
$ crontab -l
# This gives me a whole week (expr 60 \* 60 \* 24 \* 7 : 604800)
# after reboot to figure out which process was the memory hog:
* * * * * if test $(sed 's/\..*//' /proc/uptime) -gt 604800; then set
-e—$(date +\%M); COLUMNS=500 top -b -n 1 -c > TOP.${1#[0-9]}; fi
# Yes, need to run once a minute, as Dreamhost takes no snapshots of
# the system before rebooting it.
Well you will never guess what the culprit is!:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
12295 root 39 19 319m 276m 4016 R 80 73.7 0:22.92
/usr/bin/python /usr/sbin/update-apt-xapian-index --quiet
Face the facts. It is Dreamhost's own process. It has nothing to do
with me! Kindly do not send users such messages when the fault lies
100% with Dreamhost. Thank you.
Vindicated!:
Thanks for contacting us an providing your detailed findings. I spoke
to a System Admin and he mentioned that what you saw does appear be a
valid issue. This issue also appears to be related to
https://bugs.launchpad.net/ubuntu/+source/apt-xapian-index/+bug/363695
On 25/06/17 00:13, RISKS List Owner wrote: > * Under pressure, Western tech firms bow to Russian demands to share > cybersecrets > http://www.reuters.com/article/us-usa-russia-tech-insight-idUSKBN19E0XB Quote: "But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code" Here's a crazy idea: why don't the tech firms do their *own* code reviews and find the vulnerabilities themselves, before the Russians get to see the source code? An even better approach would be to use formal methods to develop provably-correct code in the first place: this would be guaranteed to have no vulnerabilities for the Russians to find.
Amos Shapir wrote:
> More likely it's just a data entry error, e.g. 6/29/25 interpreted as 2025.
I assume that to be the real reason. For instance if you're using Java and
its standard way of parsing a date using a template like mm/dd/yy, there are
specific rules how that's actually interpreted:
https://docs.oracle.com/javase/6/docs/api/java/text/SimpleDateFormat.html#year
| For parsing with the abbreviated year pattern ("y" or "yy"), SimpleDateFormat
| must interpret the abbreviated year relative to some century. It does this
| by adjusting dates to be within 80 years before and 20 years after the time
| the SimpleDateFormat instance is created. For example, using a pattern of
| "MM/dd/yy" and a SimpleDateFormat instance created on Jan 1, 1997, the
| string "01/11/12" would be interpreted as Jan 11, 2012 while the string
| "05/04/64" would be interpreted as May 4, 1964.
06/29/25 falls into the 20-years-after-current-date rule.
I'm not sure if there was a Java-program being involved but I assume that
other languages provide similar ways of date-parsing mechanisms and should
use similar rules when parsing two-digit years.
The whole thing happened because of multiple failures:
- The program parsing the date didn't check if the resulting date
after the parsing is in the past and if not fail with an error
and demand a full year specification or assume it to be a year of
the last century and subtract 100 years from it.
- The alert-processing side obviously didn't do any checks, either
since it reacted to an earthquake that is still due for 8 years.
Please report problems with the web pages to the maintainer