Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Lulu Friesdat, *AlterNet*, 29 Jul 2017 (via Dave Farber) Disturbing footage from the DEF CON 25 hacker convention. http://www.alternet.org/investigations/def-con-25-hackers-get-electronic-voting-machines-and-e-poll-books-minutes Who says America's electronic voting machinery cannot be hacked? One of the world's largest and best-known hacker conventions, DEF CON, debuted an interactive "Voting Machine Hacker Village" this year at its annual gathering in Las Vegas. In some cases within minutes, and in other cases within a few hours, of the village doors' opening, hackers in attendance said they had successfully breached some systems. The security investigators claimed to have found major vulnerabilities or claimed to have breached every voting machine and system present. Members of the DEF CON hacking community said they took complete control of an e-poll book, a type of election equipment in use in dozens of states where voters arrive at precincts, sign in and receive their ballots. Other targets hackers claim had major security flaws include the Sequoia AVC Edge, currently in use in 13 states and the AccuVote TSX, in use in 19 states. (Those machine usages are according to Verified Voting, an election transparency advocacy group.) [See also http://www.telegraph.co.uk/technology/2017/07/31/hackers-take-control-us-voting-machines-less-90-minutes/ PGN]
As they do every year, hackers descended on Las Vegas this week to show off the many ways they can decimate the Internet's security systems. Here's a collection of some of our favorite talks from this week's Black Hat conference, including some we didn't get the chance to cover in depth. https://www.wired.com/story/best-black-hat-defcon-talks/
Adam Segal, *The New York Times*, 1 Aug 2017 [PGN-ed] "Reports this month [presumably meaning July] that the United Arab Emirates orchestrated the hacking of a Qatari news agency, helping to incite a crisis in the Middle East, are as unsurprising as they are unwelcome. For years, countries—in particular Russia—have used cyberattacks and the dissemination of disinformation to provoke protests, sway elections and undermine trust in institutions. It was only a matter of time before smaller states tried their hand at these tactics." [But this is not new. Examples noted:] August 2012: India accused Pakistani hackers of trying to provoke sectarian violence. June 2017: Hackers believed to be tied to the Vietnamese government stole and released transcripts of talks been the Philippine and U.S. presidents, with the suspected hope of pressuring Duterte and sabotaging Philippine relations with China. "It's only a matter of time before a state's response to a cyberattack escalates into full-blown military conflict. ... As a result, we all are much less secure in cyberspace—and in the real world." [Well, cyberspace and its ubiquitous lack of security are unfortunately the real world, and have been for a long time—as should be evident to RISKS readers. PGN]
via NNSquad http://www.businessinsider.com/home-secretary-amber-rudd-real-people-dont-need-end-to-end-encryption-terrorists-2017-8?IR=T UK home secretary Amber Rudd has called on messaging apps like WhatsApp to ditch end-to-end encryption, arguing that it aids terrorists. Writing in The Telegraph on Tuesday, the Conservative minister said that "real people" don't need the feature and that tech companies should do more to help the authorities deal with security threats. But activists have reacted with concern to her remarks, blasting them as "dangerous and misleading."
via NNSquad https://techcrunch.com/2017/07/30/putin-passes-law-that-will-ban-vpns-in-russia/?ncid=rss The new law (link via Google Translate), signed today by President Vladimir Putin, goes into effect on 1 Nov 2017 and represents another major blow to an open Internet. This weekend, news broke that Apple has removed most major VPN apps from the App Store in China to comply with regulations passed earlier this year that require VPN apps to be explicitly licensed by the Chinese government. Putin tightens his murderous grip. ALSO: To Protect Global Free Speech, Google May Need to Take Some Drastic Actions https://lauren.vortex.com/2017/07/29/google-free-speech
"[The bill] would give police the power to turn existing devices into surveillance devices during a declared emergency, including by remotely installing software... This is further exacerbated through [terrorists'] use of encryption and anonymising tools to make their use of the Internet and social media invisible to intelligence and law enforcement agencies." Perhaps buying that "smart" device isn't so smart, after all? Heck, in the U.S., the local police will simple "asset forfeiture" your fridge and it becomes theirs for whatever they want to do with it! Felicity Caldwell, Brisbane Times, 24 Jul 2017 Queensland police say fridges could be turned into listening devices http://www.brisbanetimes.com.au/queensland/queensland-police-say-fridges-could-be-turned-into-listening-devices-20170724-gxh97o.html Your fridge could be turned into a covert listening device by Queensland Police conducting surveillance. The revelation was made during a Parliamentary committee hearing on proposed legislation to give police more powers to combat terrorism. Police Commissioner Ian Stewart said technology was rapidly changing and police and security agencies could use devices already in place, and turn them into listening devices. "It is not outside the realm that, if you think about the connected home that we now look at quite regularly where people have their security systems, their CCTV systems and their computerised refrigerator all hooked up wirelessly, you could actually turn someone's fridge into a listening device, This is the type of challenge that law enforcement is facing in trying to keep pace with events and premises where terrorists may be planning, they may be gathering to discuss deployment in a tactical way and they may be building devices in that place. All of that is taken into account by these new proposed laws." The Counter-Terrorism and Other Legislation Amendment bill would give police more powers during and following attacks. It would give police the power to turn existing devices into surveillance devices during a declared emergency, including by remotely installing software, when the life, health or safety of a person may be in danger. It would also allow police the power to search a person or vehicle without a warrant during a declared terrorist emergency. A review of emergency situation declarations for the past 2.5 years did not identify any incident which would have required the proposed extraordinary emergency powers. But Mr Stewart said despite the rarity, the proposed legislation was still important to help police fight the terror threat. Mr Stewart said the most likely scenario for a terrorist attack in Australia would be low-tech violence by a person or small group involving knives, vehicles, firearms or improvised explosive devices. "The threat of a low-tech terrorist organisation inspired attack is exponentially harder to detect and disrupt. This is further exacerbated through their use of encryption and anonymising tools to make their use of the Internet and social media invisible to intelligence and law enforcement agencies." Mr Stewart said there was an unprecedented escalation of terrorist-related activity within Australia since September 2014, with the principal threat from an extremist interpretation of Islam, while far right-wing violent extremism also posed a domestic threat. Since 2012, about 200 Australians have traveled to Syria and Iraq to join the conflict, and there are about 40 Australians who have returned. "And some of these returnees remain a significant security concern," Mr Stewart said. Mr Stewart said there were about 210 Australians being investigated. The bill is being considered by the Legal Affairs and Community Safety Committee, which is due to report by 11 Aug.
Following a report that some Blu phones use an app that collects your data, Amazon has made them unavailable on its site. https://www.cnet.com/news/amazon-suspends-sales-of-blu-phones-due-to-privacy-concerns/
How much do you value your privacy and security? Researchers at Black Hat found a series of phones that are secretly sending data to Chinese servers. https://www.cnet.com/news/these-cheap-phones-are-costing-you-your-privacy/
A nightmare scenario develops for HBO https://www.washingtonpost.com/news/the-switch/wp/2017/07/31/hbo-is-hacked-and-game-of-thrones-episodes-may-have-leaked-out/
https://www.washingtonpost.com/news/true-crime/wp/2017/08/01/senate-launches-bill-to-remove-immunity-for-websites-hosting-illegal-content-spurred-by-backpage-com/
via NNSquad http://blog.koehntopp.info/index.php/2282-illegal-and-undocumented-instructions/ Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips. The findings have been summarized in a whitepaper (PDF), which also describes how to effectively search the instruction space of a CPU that has variable length instructions from 1 to 15 bytes in length. A crafty way of using page faults to determine the length of privileged instructions while running unprivileges is shown.
via NNSquad https://tech.slashdot.org/story/17/07/31/2026230/iranians-use-cute-photographer-profile-to-hack-targets-in-middle-east Hackers working on behalf of the government of Iran are using alluring social media profiles featuring a young, English photographer to entice and then compromise the systems of high value targets in the oil and gas industry, according to a report by Dell Secureworks. In a report released on Thursday, Secureworks' Counter Threat Unit (CTU) said that it observed an extensive phishing campaign beginning in January and February 2017 that used a polished social media profile of a young, English woman using the name "Mia Ash" to conduct highly targeted spear-phishing and social engineering attacks against employees of Middle Eastern and North Africa firms in industries like telecommunications, government, defense, oil and financial services. The attacks are the work of an advanced persistent threat group dubbed COBALT GYPSY or "Oil Rig" that has been linked to other sophisticated attacks.
via NNSquad Only for older units, and physical access is required to alter the firmware. So as with pretty much all devices, physical access always means that all bets are off, and always avoid purchases from untrusted third party sources. The authors also note that the mic mute button still works and cannot be disabled in software, and points out that overall, ordinary smartphones are far more easily hacked for similar capabilities (and much more)! http://www.androidguys.com/2017/08/01/amazon-echo-can-be-turned-into-a-spying-device-security-researchers-reveal/
https://www.theregister.co.uk/2017/07/31/ai_defeats_antivirus_software
In the cheesy 1980s film Maximum Overdrive, a passing comet causes machines to rise up and attack the humans who once controlled them. Well, don't look now, but something like that came to pass in a car wash in Washington state. At the car wash, hackers hijacked the Internet-enabled PDQ LaserWash system in order to slam shut the outside doors, and trap a pick-up inside. The attackers also proved they were able to take over the mechanical arms inside the car wash and direct a powerful stream of water at the vehicle's door to prevent the occupant from exiting. http://fortune.com/2017/07/27/car-wash-hack/
via NNSquad https://www.washingtonpost.com/news/the-switch/wp/2017/07/30/googles-new-program-to-track-shoppers-sparks-a-federal-privacy-complaint/ The legal complaint from the Electronic Privacy Information Center, to be filed with the FTC on Monday, alleges that Google is newly gaining access to a trove of highly sensitive information—the credit and debit card purchase records of the majority of U.S. consumers—without revealing how they got the information or giving consumers meaningful ways to opt out. Moreover, the group claims that the search giant is relying on a secretive technical method to protect the data—a method that should be audited by outsiders and is likely vulnerable to hacks or other data breaches. EPIC is right up there with Consumer Watchdog as reliable Google Haters, but Google does need to tread with great care in this area, and maximum possible transparency in this realm is strongly encouraged.
https://lauren.vortex.com/2017/08/01/google-personal-information-and-star-trek
Rarely does a day go by when I don't get an email from some outraged soul
who has seen on some wacky site—or perhaps heard on a right-wing radio
program somewhere—the lie that Google sells users' personal information
to advertisers. I got a phone call from one such person very recently—an
individual who hardly would calm down enough for me to explain that they'd
been bamboozled by the Google Haters.
'Cause Google doesn't sell your data. Not to advertisers, not to anyone
else. But the falsehood that they do so is one of the most enduring of
fabrications about Google.
To be sure, Google is partly responsible for the long life of this legend,
because frankly they've never done a really good job of explaining for
non-techies how the Google ad system works, and Google ad relevance is often
so accurate that users naturally assume (again, falsely) that their browsing
habits or other data were handed over to third parties.
Here's what actually happens. Let's say that you work in warp engine design
and testing. So you're frequently using Google to search for stuff like
antimatter injectors and dilithium crystals.
Now you start seeing "top of page" search results ads from some mining
operation on Rigel XII for exactly the raw crystals that you need, and at an
attractive price with free shipping, too! (Yes Trekkies, I realize that in
this early episode they were actually referred to as "lithium" crystals --
go tell it to Spock.)
But you wonder: Did Google provide my search history to those ragtag and
somewhat disreputable bachelor miners—out there on a planet that is so
windy that you clean pots by hanging them out to be sandblasted?
How else could that ad have been targeted to me?
The answer is simple, and you don't need a dose of Venus Drug to understand
it. (OK, happy now, Trekkies?)
The miners create an ad that is aimed at users who are looking for warp
drive paraphernalia, based on the logical keywords—like dilithium, for
example.
When Google's ad personalization algorithms detect that your search terms
are relevant to that ad, Google displays it to you. The miners back on Rigel
XII don't even know that you exist at this point. They didn't display the ad
to you, Google did.
Now, if you proceed to click on their ad and visit the miners' sale site,
you'll be providing more information to them, much as you would when
visiting other sites around the Web.
But if you don't click on the ad, there's no connection between you and the
advertiser.
And you don't have to simply accept Google's default handling of ad
personalization. Over at:
https://adssettings.google.com
you can change Google ad personalization settings or even disable ad
personalization entirely.
So the next time that someone tries to fervently sell you the big lie that
Google is selling your personal data, tell them that they're wrong and that
they're a stick in the Mudd.
https://www.nytimes.com/2017/07/29/technology/china-apple-censorhip.html The world's most valuable company appears to have pulled down the apps amid China's deepening crackdown on tools that evade Internet controls.
via NNSquad https://www.nytimes.com/2017/07/27/automobiles/wheels/car-data-tracking.html Cars have become rolling listening posts. They can track phone calls and texts, log queries to websites, record what radio stations you listen to —even tell you when you are breaking the law by exceeding the speed limit. Automakers, local governments, retailers, insurers and tech companies are eager to leverage this information, especially as cars transform from computers on wheels into something more like self-driving shuttles. And they want to tap into even more data, including what your car's video cameras see as you travel down a street. Who gets what information and for what purposes? Not the ancient vehicle I drive. But wait until you see what the government will do with the data from autonomous vehicles, and how the government will demand the ability to remotely control them, both individually and en masse.
The news relating to "Chinese group hacks a Tesla for the second year in a row" hints at the opening of a new (?) front in the ongoing global cyberwar: never mind directly attacking an adversary's government, military or critical infrastructure, leave aside the election hacking and fake news malarkey, strike directly at the jugular of its commercial industry. Undermine it by demonstrating just how pitifully easy it is to hack its products. Poke the capitalists where it hurts the most - the brands and profits. Oh, but hang on a moment, the West has been doing that to China for years. I get it now. The playground fight just popped into focus. And all of a sudden, the West's consistent and substantial underinvestment in security engineering over far too many decades seems 'somewhat shortsighted', not to put too fine a point on it.
> "Who gives a sh*t?" about better hardware seems good argument against > buying Ring. Better hardware might last longer, not rust, be upgradeable, > have better connectivity, be more reliable. Even look better.' Or not last as long, rust, not be upgradeable, have worse connectivity, be less reliable. Even look worse. Or remove needed functionality, add privacy invasion, etc. If I am looking for a replacement because the old one has died or is not up to my current or projected needs, yes, I will look at another system. However, if I have a system that is working well for me, it is fairly irrelevant that another system is shinier for whatever value of "shiny". Going from Windows XP to Windows 7 broke part of my development toolkit. I was very impressed by this but not in a positive way. Frankly, I am tired of the myopia of technology companies who insist on new, new, new at all costs. I want solutions, not a bunch of prated-about features.
Re: Charging Phone Kills 14-Year-Old Girl in Bathtub (Strauss, RISKS-30.40) > 15.08.020 National Electrical Code adopted. > The regulations contained in the National Electrical Code, 1956 Edition, * as the same are now or may be amended* > is adopted by reference and is declared > to be a part of this chapter Note the phrase "or may be amended". I am quite sure that the present code, *including GFI requirements* is legally an amended version of the 1956 Code. At least, the relevant authorities will treat it as such. Otherwise, no-one could be charged or prosecuted or sanctioned for a failure to do what the present code requires. What goes un-noticed is that the legislature effectively grants to an un-named, un-accountable body the power to unilaterally *amend the law*. Don't feel bad, though. The same thing is going on in Canada.
https://www.boston.com/news/local-news/2017/07/28/mass-maker-of-roomba-isnt-going-to-sell-your-data-after-all
Please report problems with the web pages to the maintainer