The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 30 Issue 47

Friday 29 September 2017

Contents

NTSB: Tesla's Autopilot UX a "major role" in fatal Model S crash
Ars Technica
Deloitte joins the club of the massively hacked
The Guardian
In spectacular fail, Adobe security team posts private PGP key on blog
Ars Technica
Distrustful U.S. Allies Force NSA to Back Down in Encryption Fight
Joseph Menn
Propaganda flowed heavily into battleground states around election, study says
WashPo
PC-Wahl in the German elections
Chaos Computer Club via PGN
Yet another trove of sensitive US voter records has leaked
ZDNet
See The Fake End-Of-World Broadcast That Panicked Southern Cal
Patch
RT, Sputnik and Russia's New Theory of War
NYTimes
U.S. bans use of Kaspersky software in federal agencies amid concerns of Russian espionage
WashPo
Facebook and Russian Ads
The Guardian
4-10% of encrypted web connections are man-in-the-middled and intercepted
BoingBoing
Forget Your Password, Go to Jail
ITKE via Gabe Goldberg
Failure to patch two-month-old bug led to massive Equifax breach
Ars Technica
Equifax's Maddening Response
Zeynep Tufekci
Equifax hacked well before it was disclosed
TechCrunch
Equifax Says CIO, Chief Security Officer to Leave After Breach
Bloomberg
Equifax victims may face another hassle in buying an iPhone
StarTribune
A new website lets you automatically sue Equifax with a click
Chuck Petras
Stay away from Equifax sites!
Lauren Weinstein
Billions of devices imperiled by new clickless Bluetooth attack
Ars Technica
BEWARE/HEADS UP vis-a-vis Bluetooth & Wi-Fi can't be fully disabled via iOS 11 Control Center
Apple Insider
Blockchains Technology in Finance
IEEE
Risks of geolocation
paul wallich
Re: UK Banks, etc. to check account-holders' residence eligibility
Chris Drewe
Re: Hurricane Harvey Knocked Out Cell Service...
Wols
Judge dismisses libel lawsuit filed by self-proclaimed e-mail inventor
ArsTechnica
An open letter to the W3C Director, CEO, team and membership
EFF
Letter from indigenous Mexican man who was denied a US visa to receive an award for Internet development
BoingBoing
Info on RISKS (comp.risks)

NTSB: Tesla's Autopilot UX a "major role" in fatal Model S crash (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Tue, 12 Sep 2017 09:34:46 -0700
Ars Technica via NNSquad
https://arstechnica.com/cars/2017/09/ntsb-teslas-autopilot-ux-a-major-role-in-fatal-model-s-crash/

  Brown was driving a 2015 Model S, using the original Mobileye-sourced
  hardware and running Tesla's Firmware 7.1.  Although that system works
  like most other adaptive cruise control and lane keeping "Level 2"
  semi-autonomous driving systems offered by other OEMs, Tesla's Autopilot
  differs in that it allowed the driver to go much, much longer without
  interacting with the car. The industry standard allows for just 15 seconds
  before it prompts the driver to interact with the vehicle--fail to do so
  and the car stops controlling the brakes, accelerator, and
  steering. Autopilot, on the other hand, allows for several minutes to pass
  between prompting the driver, and NTSB's data reconstruction showed there
  was no driver interaction for two minutes leading up to the crash.
  (Driver interaction in this case is measured by a steering wheel torque
  sensor.)


Deloitte joins the club of the massively hacked (The Guardian)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 25 Sep 2017 14:44:54 PDT
https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

This involved compromising Deloitte's global e-mail server through an
admin account, which presumably gave them unrestricted privileges.
Reportedly, the account required only a single password.

Marcus Ranum has a delightfully sarcastic polymorphic item on this and
all other relevant hacks:
http://www.ranum.com/security/computer_security/editorials/generator/index.html

  My Comments on the breach at [$COMPANY_NAME$]

  I heard about the breach at [$COMPANY_NAME$] and the [$BREACH_QUANTITY$]
  [$DATA_TYPE$ one of "credit card", "patient record", "social security
  number", "user login", "hashed passwords", "national security secrets",
  "Hollywood star's 'selfies'"] compromised. Of course this is a serious
  matter and is the largest since [$YESTERDAY_DATE$]

  The people at [$COMPANY_NAME$] have not yet released details, which is
  appropriate given an incident response of this magnitude. I understand
  that they have the [$RESPONDER_NAME$ multiple of "FBI", "NSA", "CIA",
  "Mandiant", "army of consultants", "Keystone Kops"] involved and have
  issued a press release.

  My guess is that the attackers were able to initially breach the target
  using a [$ATTACK_TYPE$ one of "phishing attack", "brilliantly clever
  targeted phishing attack", "piece of custom malware", "cat with a WiFi
  interface implanted in its head", "SQL injection attack", "basic website
  vulnerability", "army of ninjas", "variant of Stuxnet"] which is
  [$UNEXPECTED$ one of "totally unexpected", "the way it usually happens",
  "innovative", "obscure as hell", "bloody typical"] form of attack that is
  often used by [$USUAL_SUSPECTS$ multiple of "China", "North Korea", "CIA",
  "NSA", "Anonymous", "brotherhood of blades", "Bavarian Illuminati",
  "Trilateral commission", "hackers who have read 'Hacking Exposed'", "any
  complete newbie"] Until I know more about it, I can't really guess about
  the details.

However, this illustrates the basic issues in information security, which is
that organizations don't appear to have effective responses to basic malware
and/or phishing attacks, and have aggregated critical data into central
locations on their networks where it is accessible.  Once an attacker gets
inside, it is pretty easy for them to escalate privileges, find out where
the data is, and exfiltrate it.  Organizations with critical data should
segregate it off their network, perform regular vulnerability audits and
remediation, maintain detailed system logs, and use two factor
authentication for administrator access.  If it's a large organization, Big
Data also helps, but I am not sure how.

Marcus Ranum

  [Of course, Marcus could have added,
    "We are not at liberty to discuss further details."
  PGN]


In spectacular fail, Adobe security team posts private PGP key on blog (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Fri, 22 Sep 2017 23:39:16 -0400
Since deleted, post gave public and private key for Adobe incident response
team.

https://arstechnica.com/information-technology/2017/09/in-spectacular-fail-adobe-security-team-posts-private-pgp-key-on-blog/


Distrustful U.S. Allies Force NSA to Back Down in Encryption Fight (Joseph Menn)

ACM TechNews <technews-editor@acm.org>
Mon, 25 Sep 2017 12:08:19 -0400 (EDT)
Joseph Menn, Reuters via ACM TechNews, 25 Sep 2017

Distrustful U.S. Allies Force Spy Agency to Back Down in Encryption Fight
Reuters (09/21/17)

The U.S. National Security Agency (NSA) reportedly has been forced by an
international coalition of cryptography experts to back off from pressing
the independent International Organization for Standardization (ISO) to
globally standardize several data encryption methods amid suspicion among
U.S. allies. Academic and industry specialists from Germany, Japan, Israel,
and elsewhere are concerned NSA was promoting the new techniques not because
they were good encryption tools, but because it knew how to crack them.
Following a series of closed-door meetings around the world over the past
three years, which discussed whether ISO should approve two NSA data
encryption techniques known as Simon and Speck, NSA has agreed to drop all
but the most powerful versions of the techniques.  Many experts who took
part in the approval process for Simon and Speck were concerned NSA would
gain a "back door" into coded transmissions if it were able to crack the
encryption techniques.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1702dx21305dx077344&


Propaganda flowed heavily into battleground states around election, study says (WashPo)

Lauren Weinstein <lauren@vortex.com>
Thu, 28 Sep 2017 10:46:37 -0700
NNSquad
https://www.washingtonpost.com/business/technology/2017/09/27/32855bba-a3a0-11e7-ade1-76d061d56efa_story.html

  Propaganda and other forms of "junk news" on Twitter flowed more heavily
  in a dozen battleground states than in the nation overall in the days
  immediately before and after the 2016 presidential election, suggesting
  that a coordinated effort targeted the most pivotal voters, researchers
  from Oxford University reported Thursday.  The volumes of low-quality
  information on Twitter—much of it delivered by online "bots" and
  "trolls" working at the behest of unseen political actors—were
  strikingly heavy everywhere in the United States, said the researchers at
  Oxford's Project on Computational Propaganda. They found that false,
  misleading and highly partisan reports were shared on Twitter at least as
  often as those from professional news organizations.  But in 12
  battleground states, including New Hampshire, Virginia and Florida, the
  amount of what they called "junk news" exceeded that from professional
  news organizations, prompting researchers to conclude that those pushing
  disinformation approached the job with a geographic focus in hopes of
  having maximum impact on the outcome of the vote.


PC-Wahl in the German elections (CCC)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 25 Sep 2017 13:12:14 PDT
The Chaos Computer Club had very little difficulty hacking the PC-Wahl
voting system used in Germany to count and report votes.  It is reportedly
hopelessly broken (remote compromises of computers, vote tampering, etc.),
but was nevertheless widely used in yesterday's election.

  See http://www.ccc.de/en/updates/2017/pc-wahl


Yet another trove of sensitive US voter records has leaked (ZDNet)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 14 Sep 2017 22:08:29 PDT
<http://www.zdnet.com/article/yet-another-trove-of-sensitive-of-us-voter-records-has-leaked/>
A cache of voter records on over a half-million Americans has been found
online.  The records, totaling 593,328 individual sets of records, appear to
contain every registered voter in the state of Alaska, according to security
researchers at the Kromtech Security Research Center, who found the
database.
<https://mackeepersecurity.com/post/another-voter-database-exposed-online>

The records were stored in a misconfigured CouchDB database, which was
accessible to anyone with a web browser—no password needed—until
Monday when the data was secured and subsequently pulled offline.

The exposed data is just a portion of a larger voter file compiled by
TargetSmart <https://targetsmart.com/offering/voterbase/>, which said its
national voter file—that contains 191 million voters—is the "most
comprehensive and up-to-date voter file ever assembled." The data is
collected and used to help political campaigns with their fundraising,
research, and voter contact programs, the company said.

ZDNet was provided a small sample of the records for verification.

Each XML-formatted record contained details, some sensitive and personally
identifiable information, on prospective voters, including names, addresses,
dates of birth, their ethnic identity, whether an individual is married, and
the individual's voting preferences.

But the data also contained highly personal information, such as household
income, the age ranges of an individual's children, and if an individual is
a homeowner. The records—some are more complete than others—also have
fields for the types of issues that an individual can be lobbied on, such as
climate change, gun control, and tax reforms.

When reached, TargetSmart said that a third-party company was to blame for
the data exposure.

"We've learned that Equals3, an [artificial intelligence] software company
based in Minnesota, appears to have failed to secure some of their data and
some data they license from TargetSmart, and that a database of
approximately 593,000 Alaska voters appears to have been inadvertently
exposed," said Tom Bonier, TargetSmart chief executive.

Bonier said the data was not accessed by anyone other than the security
researchers at TargetSmart and the team that identified the exposure.

"None of the exposed TargetSmart data included any personally identifiable,
non-public financial data," he said.

"To be clear, TargetSmart's database and systems are secure and have not
been breached. TargetSmart imposes strict contractual obligations on its
clients regarding how TargetSmart data must be stored and secured, and takes
these obligations seriously," Bonier added.

Equals3 chief executive Dan Mallin confirmed it had "experienced an
intrusion of a sample data set on one of our development servers." He said
that the server wasn't in use by any of the company's clients and was shut
down.

"This was an isolated intrusion, stemming from a white hat group who was
searching for a known vulnerability in couchDB," referring to Kromtech
security researchers.

"We have diligently conducted a forensic audit confirming the data set was
not downloaded," he said.

This is the second known data exposure of voter records this year.

The first, and largest ever to date saw 198 million records on individuals
from every state exposed. Deep Root Analytics, a data company working for
the Republican party, took responsibility for the exposure.
<http://www.zdnet.com/article/security-lapse-exposes-198-million-united-states-voter-records/>,

Kromtech has in recent years discovered and reported on several US voter
databases online, totaling 18 million voters
<http://www.csoonline.com/article/3018912/security/18-million-targeted-voter-records-exposed-by-database-error.html>,
as well as the state of Louisiana's entire database
<https://motherboard.vice.com/en_us/article/29-million-louisiana-voters-database-leak>
of 2.9 million voters.

Kromtech's Alex Kernishniuk said the exposure was "yet another wake-up call"
for companies and governments to audit their networks.

"There seems to be no end in sight for improperly secured data making its
way onto the web, and with little or no accountability for proper storage
and security measures, it is up to regulators to decide the best way to
manage an aging electoral system that seems to be struggling to keep up with
the digital age," he said.
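The exposure in this item came down to a CouchDB instance that answered to anyone on the network with no password. As an added example (not code from the ZDNet article, Kromtech or RISKS), the audit below reads a CouchDB local.ini and flags the three settings that together produce that state: no server admins defined ("admin party"), a bind address open to every interface, and anonymous requests still accepted. The section and key names follow CouchDB's own local.ini layout ([admins]; [chttpd] in 2.x, [httpd] and [couch_httpd_auth] in 1.x); both sample configurations are constructed.

```python
"""Audit a CouchDB local.ini for the no-password exposure described above.

Added example, not from the ZDNet article, Kromtech or RISKS. Section and key
names follow CouchDB's local.ini layout ([admins]; [chttpd] in 2.x, [httpd]
and [couch_httpd_auth] in 1.x); both sample configs below are constructed.
"""
import configparser
from typing import Iterable, List, Optional

# Constructed sample: the shape of an instance anyone on the network can read
# and administer without a password ("admin party": no admins defined).
WEAK_INI = """
[chttpd]
port = 5984
bind_address = 0.0.0.0

[admins]
"""

# Constructed sample: the same instance with the three controls applied.
HARDENED_INI = """
[chttpd]
port = 5984
bind_address = 127.0.0.1
require_valid_user = true

[admins]
admin = -pbkdf2-PLACEHOLDER-not-a-real-hash
"""

# Bind values that expose the port on every interface (IPv4 and IPv6).
ANY_ADDRESS = {"0.0.0.0", "::"}


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}


def _lookup(cfg: configparser.ConfigParser, sections: Iterable[str],
            key: str) -> Optional[str]:
    """First value of `key` found in any of `sections` (2.x name tried first)."""
    for section in sections:
        if cfg.has_option(section, key):
            return cfg.get(section, key).strip()
    return None


def audit_couchdb_ini(ini_text: str) -> List[str]:
    """Return findings, most severe first; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(ini_text)
    findings: List[str] = []

    # 1. No server admins at all: every unauthenticated request is then treated
    #    as an admin, which is exactly the state that exposes a whole database.
    has_admins = cfg.has_section("admins") and bool(cfg.items("admins"))
    if not has_admins:
        findings.append("no [admins] entries: instance is in admin-party mode")

    # 2. Listening on every interface rather than loopback or an internal address.
    #    local.ini may omit the key, in which case default.ini decides; say so.
    bind = _lookup(cfg, ("chttpd", "httpd"), "bind_address")
    if bind is None:
        findings.append("bind_address not set in local.ini: confirm the default.ini value")
    elif bind in ANY_ADDRESS:
        findings.append(f"bind_address = {bind}: port reachable from any network")

    # 3. Anonymous requests are still served unless require_valid_user is on,
    #    even when admins exist (non-admin reads of databases remain possible).
    rvu = _lookup(cfg, ("chttpd", "couch_httpd_auth"), "require_valid_user")
    if rvu is None or not _truthy(rvu):
        findings.append("require_valid_user is not true: anonymous requests are served")

    # The combination that matches this incident: network-reachable and no admins.
    if not has_admins and bind in ANY_ADDRESS:
        findings.insert(0, "CRITICAL: unauthenticated admin access from the network")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_couchdb_ini(ini) or ["no findings"])
```

Run it against the real local.ini of each instance you operate; a clean result for the hardened sample and four findings for the weak one shows what each control changes.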


See The Fake End-Of-World Broadcast That Panicked Southern Cal

Gabe Goldberg <gabe@gabegold.com>
Sat, 23 Sep 2017 20:50:47 -0400
Could Sept. 23 really be the day the world ends? Watch the creepy message
that has people scared.

LAKE FOREST, CA -- An ominous prediction that the world would end Saturday,
Sept. 23 shocked southern California residents as they watched cable
television.

Lake Forest Cox Cable watcher Stacy Laflamme was on her couch watching HGTV
when she heard an ominous voice declare Thursday that the world was ending.
The interruption came at just after 11 a.m. in the form of an onscreen
emergency alert followed by a voice.

"Realize this: extremely violent times will come," a male voice said (see
the YouTube video below). Laflamme told the Orange County Register she was
alarmed.

“It almost sounded like Hitler talking,'' said another woman who was
interviewed on KTLA.  “It sounded like a radio broadcast coming through the
television.''

Across social media, viewers said they were disturbed by the messages that
interrupted everything from C-SPAN to Bravo.

https://patch.com/district-columbia/washingtondc/s/g8jql/see-the-fake-end-of-world-broadcast-that-panicked-southern-california

The risk? Automated alerts echoing War of the Worlds panic.

Punchline: we've seen this rodeo before: “We have confirmed that we were
fed an incorrect audio file,'' said Dennis Johnson, a spokesman for
Spectrum.


RT, Sputnik and Russia's New Theory of War (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Thu, 14 Sep 2017 08:02:19 -0700
*The New York Times* via NNSquad
https://www.nytimes.com/2017/09/13/magazine/rt-sputnik-and-russias-new-theory-of-war.html

  Officials in Germany and at NATO headquarters in Brussels view the Lisa
  case, as it is now known, as an early strike in a new information war
  Russia is waging against the West. In the months that followed,
  politicians perceived by the Russian government as hostile to its
  interests would find themselves caught up in media storms that, in their
  broad contours, resembled the one that gathered around Merkel.  They often
  involved conspiracy theories and outright falsehoods—sometimes with a
  tenuous connection to fact, as in the Lisa case, sometimes with no
  connection at all—amplified until they broke through into domestic
  politics. In other cases, they simply helped promote nationalist, far-left
  or far-right views that put pressure on the political center. What the
  efforts had in common was their agents: a loose network of
  Russian-government-run or -financed media outlets and apparently
  coordinated social-media accounts.  After RT and Sputnik gave platforms to
  politicians behind the British vote to leave the European Union, like
  Nigel Farage, a committee of the British Parliament released a report
  warning that foreign governments may have tried to interfere with the
  referendum.  Russia and China, the report argued, had an "understanding of
  mass psychology and of how to exploit individuals" and practiced a kind of
  cyberwarfare "reaching beyond the digital to influence public opinion."


U.S. bans use of Kaspersky software in federal agencies amid concerns of Russian espionage (WashPo)

Dewayne Hendricks <dewayne@warpspeed.com>
Wed, Sep 13, 2017 at 8:40 AM
Ellen Nakashima and Jack Gillum, *The Washington Post*, 13 Sep 2017
<https://www.washingtonpost.com/world/national-security/us-to-ban-use-of-kaspersky-software-in-federal-agencies-amid-concerns-of-russian-espionage/2017/09/13/36b717d0-989e-11e7-82e4-f1076f6d6152_story.html>

The U.S. government on Wednesday banned the use of a Russian brand of
security software by federal agencies and gave them three months to remove
the software amid concerns the company has ties to state-sponsored
cyber-espionage activities, according to U.S. officials.

Acting Homeland Security secretary Elaine Duke ordered that Kaspersky Lab
software be barred from federal civilian government networks, giving
agencies a timeline to get rid of it, according to several officials
familiar with the plan who were not authorized to speak publicly about it.
Duke ordered the scrub on the grounds that the company has connections to
the Russian government and its software poses a security risk.

“The Department is concerned about the ties between certain Kaspersky
officials and Russian intelligence and other government agencies, and
requirements under Russian law that allow Russian intelligence agencies to
request or compel assistance from Kaspersky and to intercept communications
transiting Russian networks,'' the department said in a statement.  “The
risk that the Russian government, whether acting on its own or in
collaboration with Kaspersky, could capitalize on access provided by
Kaspersky products to compromise federal information and information systems
directly implicates U.S. national security.''

The directive comes months after the federal General Services
Administration, the agency in charge of government purchasing, removed
Kaspersky from its list of approved vendors. In doing so, the GSA suggested
a vulnerability exists in Kaspersky that could give the Kremlin backdoor
access to the systems the company protects.

In a statement to The Washington Post on Wednesday, the company said:
“Kaspersky Lab doesn't have inappropriate ties with any government, which
is why no credible evidence has been presented publicly by anyone or any
organization to back up the false allegations made against the company. The
only conclusion seems to be that Kaspersky Lab, a private company, is
caught in the middle of a geopolitical fight, and it's being treated
unfairly even though the company has never helped, nor will help, any
government in the world with its cyber-espionage or offensive cyber-efforts.''

“Kaspersky Lab has always acknowledged that it provides appropriate
products and services to governments around the world to protect those
organizations from cyberthreats, but it does not have unethical ties or
affiliations with any government, including Russia,'' the firm said.

The directive comes in the wake of an unprecedented Russian operation to
interfere in the U.S. presidential election that saw Russian spy services
hack the networks of the Democratic National Committee and other political
organizations and release damaging information.

At least a half-dozen federal agencies run Kaspersky on their networks, the
U.S. officials said, although there may be other networks where an agency's
chief information security officer—the official ultimately responsible
for systems security—might not be aware it is being used. [...]


Facebook and Russian Ads (The Guardian)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 21 Sep 2017 21:34:03 PDT
http://www.theguardian.com/technology/2017/sep/21/facebook-russia-advertising-mark-zuckerberg


4-10% of encrypted web connections are man-in-the-middled and intercepted (BoingBoing)

geoff goodfellow <geoff@iconia.com>
Fri, 15 Sep 2017 08:05:01 -1000
https://boingboing.net/2017/09/13/weakening-security-for-securit.html


Forget Your Password, Go to Jail

Gabe Goldberg <gabe@gabegold.com>
Fri, 22 Sep 2017 12:29:37 -0400
Remember the guy who got put in jail for contempt for forgetting his hard
disk drive encryption passwords? He's still in there, and doesn't have any
prospects for getting out anytime soon.

Francis Rawls, a former sergeant in the 16th district of the Philadelphia
Police Department, was accused of having child pornography on two encrypted
Macintosh hard drives, which were seized in March, 2015. He was ordered by a
judge in August, 2015, to provide the passcode to decrypt the drives, but he
claims to not remember it. He was put in jail for contempt of
court. Prosecutors claim Rawls is `forgetting' his password on purpose to
keep from being charged with possessing child pornography, which could put
him in prison for 20 years. ...

Consequently, Rawls stays in jail, though prosecutors said they should check
in on him now and then to see if, after two years of largely solitary
confinement, he suddenly remembers his passwords.  “Theoretically, he could
be held in jail for contempt forever ... until he's dead,'' Dan Terzian, a
lawyer from Duane Morris, tells Olivia Solon in The Guardian.

The moral of the story? Don't forget your password. You could go to jail.

http://itknowledgeexchange.techtarget.com/storage-disaster-recovery/forget-password-go-jail/


Failure to patch two-month-old bug led to massive Equifax breach (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Wed, 13 Sep 2017 20:31:01 -0700
via NNSquad
https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/

  Thursday's disclosure strongly suggests that Equifax failed to update its
  Web applications, despite demonstrable proof the bug gave real-world
  attackers an easy way to take control of sensitive sites.  An Equifax
  representative didn't immediately respond to an e-mail seeking comment on
  this possibility. As Ars warned in March, patching the security hole was
  labor intensive and difficult, in part because it involved downloading an
  updated version of Struts and then using it to rebuild all apps that used
  older, buggy Struts versions. Some websites may depend on dozens or even
  hundreds of such apps, which may be scattered across dozens of servers on
  multiple continents.

    [Gabe Goldberg noted Equifax blames open-source software for its
    record-breaking security breach: Report
    http://www.zdnet.com/article/equifax-blames-open-source-software-for-its-record-breaking-security-breach/
    See analysis by Bruce Schneier, On the Equifax Data Breach
    <https://www.schneier.com/crypto-gram.html>.
    PGN]
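The quoted passage explains why the Struts fix was labor intensive: every app bundling an old struts2-core jar had to be found and rebuilt, across many servers. As an added example (not code from Equifax, Apache or Ars Technica), the inventory below opens each .war/.jar, extracts the bundled struts2-core version from the jar name, and flags any below a per-branch minimum the operator supplies. The page does not name the patched releases, so the minimum versions in SAMPLE_MINIMUMS are labelled placeholders, and the three sample archives are constructed in memory.

```python
"""Inventory the Struts 2 version bundled in each deployed web app.

Added example, not code from Equifax, Apache or Ars Technica. It opens
.war/.jar archives, finds the struts2-core-<version>.jar entry inside each,
and flags any below a per-branch minimum the operator supplies from the
vendor advisory (SAMPLE_MINIMUMS holds placeholders, not values from this page).
"""
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Matches e.g. "WEB-INF/lib/struts2-core-2.3.31.jar" and captures "2.3.31".
STRUTS_JAR = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version: str) -> str:
    """'2.3.31' -> '2.3'; Struts fixes are released per minor branch."""
    return ".".join(version.split(".")[:2])


def struts_version_in_archive(data: bytes) -> Optional[str]:
    """Return the struts2-core version bundled in a WAR/JAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            match = STRUTS_JAR.search(name)
            if match:
                return match.group(1)
    return None


def assess(version: Optional[str], minimums: Dict[str, str]) -> Optional[str]:
    """Finding for a bundled Struts version, or None if it meets the minimum.

    A version whose branch has no entry in `minimums` is reported as well: the
    operator has not stated a patched release for that branch, so it cannot pass.
    """
    if version is None:
        return None
    floor = minimums.get(branch_of(version))
    if floor is None:
        return f"struts2-core {version}: branch {branch_of(version)} not in minimums"
    if parse_version(version) < parse_version(floor):
        return f"struts2-core {version} < {floor}"
    return None


def inventory(archives: Dict[str, bytes], minimums: Dict[str, str]) -> List[str]:
    """Findings for every archive in {name: bytes} that bundles an outdated Struts."""
    findings = []
    for name, data in sorted(archives.items()):
        finding = assess(struts_version_in_archive(data), minimums)
        if finding:
            findings.append(f"{name}: {finding}")
    return findings


def scan_directory(root: str, minimums: Dict[str, str]) -> List[str]:
    """Run the inventory over every .war/.jar under `root` (one server's deployments)."""
    archives = {str(p): p.read_bytes()
                for p in Path(root).rglob("*") if p.suffix in (".war", ".jar")}
    return inventory(archives, minimums)


def build_sample_war(struts_version: Optional[str]) -> bytes:
    """Constructed sample WAR: a minimal archive with an empty Struts jar entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        if struts_version:
            zf.writestr(f"WEB-INF/lib/struts2-core-{struts_version}.jar", b"")
    return buf.getvalue()


# PLACEHOLDER minimums (not from this page): fill in per branch from the
# Struts security advisory before running against real deployments.
SAMPLE_MINIMUMS = {"2.3": "2.3.32", "2.5": "2.5.10"}

# Constructed fleet of three apps: an old 2.3, a current 2.5, one without Struts.
SAMPLE_APPS = {
    "billing.war": build_sample_war("2.3.31"),
    "portal.war": build_sample_war("2.5.12"),
    "static.war": build_sample_war(None),
}

if __name__ == "__main__":
    for line in inventory(SAMPLE_APPS, SAMPLE_MINIMUMS):
        print(line)
```

On a real host, scan_directory("/path/to/webapps", minimums) gives the per-server list; jars renamed or shaded into other archives are not caught by the filename match and need a manifest or checksum check instead.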


Equifax's Maddening Response (Zeynep Tufekci)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 12 Sep 2017 9:16:26 PDT
Zeynep Tufekci, *The New York Times*, 11 Sep 2017
https://www.nytimes.com/2017/09/11/opinion/equifax-accountability-security.html

Excerpts:

Big corporations have poured large amounts of money into our political
system, helping to create a regulatory environment in which consumers
shoulder more and more of the risk, and companies less and less.

Most software failures and data breaches aren't inevitable; they are the
result of neglect and underinvestment in product reliability and security.

As long as impunity for corporations and their executives is the norm, data
breaches will continue to happen.


Equifax hacked well before it was disclosed (TechCrunch)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 18 Sep 2017 16:58:27 PDT
Equifax was reportedly hacked almost five months before its first disclosed
date

https://techcrunch.com/2017/09/18/equifax-was-reportedly-hacked-almost-five-months-before-its-first-disclosed-date/

  Equifax learned about a major breach in its systems in March, well before
  it disclosed a massive breach earlier this month that included sensitive
  information for 143 million consumers, according to a new report from
  Bloomberg.  Bloomberg is also reporting that both breaches may have
  involved the same intruders, which is not a good look for the company that
  is reeling from the massive breach and has seen its stock crater.  The
  company's security and information executives stepped down last week, and
  Bloomberg also reported today that the Justice Department is said to be
  investigating the questionable sale of stock by Equifax executives in
  advance of the company disclosing its massive breach.


Equifax Says CIO, Chief Security Officer to Leave After Breach

Lauren Weinstein <lauren@vortex.com>
Fri, 15 Sep 2017 15:10:20 -0700
https://www.bloomberg.com/news/articles/2017-09-15/equifax-says-cio-chief-security-officer-to-leave-after-breach

  Equifax Inc. said two of its senior executives are leaving as the
  credit-reporting company faces mounting public anger for losing data on
  143 million Americans in one of the biggest cyber-attacks in history.  The
  firm's chief information and chief security officers are retiring
  immediately, the Atlanta-based company said Friday in an emailed statement
  that didn't name the individuals. Mark Rohrwasser was named interim CIO
  and Russ Ayres was appointed interim CSO, reporting to Rohrwasser,
  according to the statement.

You can run, but you can't hide.


Equifax victims may face another hassle in buying an iPhone

Lauren Weinstein <lauren@vortex.com>
Thu, 14 Sep 2017 09:12:11 -0700
via NNSquad
http://m.startribune.com/equifax-victims-may-face-another-hassle-in-buying-an-iphone/444449273/?section=nation

  Apple fans who froze their credit after the Equifax data breach may end up
  with another hassle on their hands if they try to get one of the new
  iPhones that can cost more than $1,000. People who did so and want to make
  any big purchase may find the same.

Freezing credit reports doesn't really protect you from the big hacks and
just causes hassles for real purchases. It's mostly just another credit
agency scam.


A new website lets you automatically sue Equifax with a click

<Chuck_Petras@selinc.com>
Thu, 14 Sep 2017 13:48:40 -0700
Predictably the class action lawsuits have started. These suits always are
very lucrative for the litigation teams but for us injured parties not so
lucrative. Our take usually comes down to a handful of time limited Vegas
condo coupons.

Now we have the opportunity to control our own destiny (so to speak) and
take direct action against the #EquifaxHoles that have heaped misery upon us.

"The entrepreneur behind DoNotPay, a free online chatbot that has
successfully fought around 375,000 parking tickets in New York, Seattle, and
the U.K., is launching a new service on Tuesday that will allow people to
sue Equifax for $15,000 in mere minutes."

A new website lets you automatically sue Equifax with a click

Chuck Petras, Schweitzer Engineering Laboratories, Inc, Pullman, WA 99163
http://www.selinc.com


Stay away from Equifax sites!

Lauren Weinstein <lauren@vortex.com>
Mon, 11 Sep 2017 10:33:39 -0700
via NNSquad
https://plus.google.com/+LaurenWeinstein/posts/Jvj5VRuJL2c

Now Equifax says they're changing their easily guessable PINs. My
recommendation is to NOT TOUCH ANY EQUIFAX SITES FOR ANY REASON. Do NOT
trust their "was I affected by the breach?" site. It's at best a fallacy, at
worst a scam. Do NOT sign up for their "free" credit monitoring. It's all
sucker bait.  STAY AWAY!


Billions of devices imperiled by new clickless Bluetooth attack

Gabe Goldberg <gabe@gabegold.com>
Tue, 12 Sep 2017 15:34:23 -0400
BlueBorne exploit works against unpatched devices running Android, Linux, or
Windows.

In all, Armis researchers uncovered eight Bluetooth-related vulnerabilities
in Android, Linux, Windows, and iOS. The researchers consider three of the
flaws to be critical. The researchers reported them to Google, Microsoft,
and Apple in April and to Linux Maintainers in August. All parties agreed to
keep the findings confidential until today's coordinated disclosure. The
vulnerabilities for Android are indexed as CVE-2017-0781, CVE-2017-0782,
CVE-2017-0783, and CVE-2017-0785; the vulnerabilities for Linux are
CVE-2017-1000251 and CVE-2017-1000250; the vulnerability for Windows is
CVE-2017-8628; the designation for iOS vulnerability wasn't immediately
available.

https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/

  [Gabe Goldberg noted
    How to Check If You're Exposed to Those Scary BlueBorne Bluetooth Flaws?
    http://fortune.com/2017/09/13/armis-blueborne-bluetooth-ios-android-windows-linux
  PGN]


BEWARE/HEADS UP vis-a-vis Bluetooth & Wi-Fi can't be fully disabled via iOS 11 Control Center (Apple)

geoff goodfellow <geoff@iconia.com>
September 20, 2017 at 4:08:11 PM EDT
Bluetooth & Wi-Fi can't be fully disabled via iOS 11 Control Center, Apple
says.  Contrary to intuition, toggling off Bluetooth and/or Wi-Fi in the iOS
11 Control Center won't completely disable those radios, according to a new
Apple support document.

http://appleinsider.com/articles/17/09/20/bluetooth-wi-fi-cant-be-fully-disabled-via-ios-11-control-center-apple-says

This comment by "Mike1", from the above article, sez it best:

  "After toggling off Wi-Fi, network auto-join is disabled as well until
  Wi-Fi is manually restarted, a person walks or drives to a new place, or
  it's 5 a.m. local time. Bluetooth accessory connections will resume under
  the same circumstances, minus the location trigger."

Really?! This sounds incredibly silly and certainly makes it less
convenient. If I'm toggling off WiFi, it's because I don't want it on.
Period. At least three use cases that affect me personally...

1. I'm driving and the phone wants to connect to some public wifi signal I
   may have used in the past. But now, all it will do is slow down the phone
   because it's not connecting to LTE. On a typical commute, I may pass
   through dozens of wifi networks.

2. I'm running errands and don't want my phone to connect to every public or
   store wifi signal I may pass through. Most of them suck and I prefer to use
   my phone data.

3. I do not connect to my company's wifi network with my phone as they block
   most non-work related sites. No personal e-mail, no score updates
   etc. So, I again turn off the wifi. Don't want it turning on again when I
   go into a different building.

Shouldn't have to go into Settings to turn it off thereby negating the
benefit of Control Center. Not like Apple to make things less convenient.


Blockchains Technology in Finance

IEEE Computer Society <csconnection@computer.org>
Thu, 28 Sep 2017 19:02:58 +0000
  [E-mail blurb from the IEEE.   I found useful content at
    https://www.computer.org/csdl/mags/co/2017/09/mco2017090014.html
  and have merged some of the blurb with it.  PGN]

Philip Treleaven, Richard Gendal Brown and Danny Yang
Blockchain Technology in Finance
IEEE Computer Magazine, September 2017. pp. 14-17.

Blockchain technology promises to be hugely disruptive and empowering in
both public and private sector computing applications. As a way to order
transactions in a distributed ledger, blockchains offer a record of
consensus with a cryptographic audit trail that can be maintained and
validated by multiple nodes. It lets contracting parties dynamically track
assets and agreements using a common protocol, thus streamlining and even
completely collapsing many in-house and third-party verification processes.

Originally conceived as the secure foundation of cryptocurrencies,
blockchain technology has far-reaching potential in many other areas. This
special issue explores blockchain's tremendous impact on the finance
industry, as well as its implementation challenges and enormous potential.

Check out the virtual roundtable at youtu.be/wPFxKnlu1bA, in which Tim
Swanson, director of market research for distributed-database-technology
company R3, interviews global experts on blockchain technology for
finance. Also in this issue: "Alexa, Can I Trust You?" and "Indie Fog: An
Efficient Fog-Computing Infrastructure for the Internet of Things."


Risks of geolocation

paul wallich <pw@panix.com>
Sun, 24 Sep 2017 17:14:00 -0400
I use a gmail account for certain professional communications, and in the
past couple months I've taken the step of adding that account to my mobile
email app (it's not any of the gmail accounts associated with my android
devices). Big mistake. Every time I go more than a few miles from home, I
get a string of notices that I'm being hacked. The first time, the
unexpected access was from Rhode Island, hundreds of miles from where I
live, so I promptly changed all my passwords. The next time it was one town
over, and I quickly realized that yep, Google was phreaking out that I'd
gone to the grocery store.

But a weirder thing happened: the location of the first "hacking" on my
account review page was no longer Rhode Island but New Haven,
Connecticut. Google does the best it can with geolocation, but when it's
tracking mobile IPs they could be anywhere at the whim of the carriers, and
change ostensible position from hour to hour. Today, when my account was
supposedly accessed from Albany NY, I didn't even blink.

All of this means that eventually my gmail account will be hacked, and I
won't have any idea of it for a long time because I'll be so used to telling
the security system to quit bothering me with bogus alerts.


Re: UK Banks, etc. to check account-holders' residence eligibility

Chris Drewe <e767pmk@yahoo.co.uk>
Sat, 23 Sep 2017 22:04:18 +0100
Item in this week's newspaper says that UK banks and similar financial
organisations will be required to check account-holders' names against lists
of illegal migrants, and block them if appropriate:

http://www.telegraph.co.uk/news/2017/09/22/banks-check-immigration-status-70-million-accounts-identify/
https://www.theguardian.com/uk-news/2017/sep/21/uk-banks-to-check-70m-bank-accounts-in-search-for-illegal-immigrants

In the immortal RISKS phrase, what could go wrong?  Depends on how rigorous
the checks are; bit of a pain if your name is similar to one on the list,
and you suddenly find yourself bankrupted by having access to your finances
blocked.  "If you've done nothing wrong, you have nothing to fear", as the
saying goes...

It's already an offence to rent out residential accommodation to illegal
migrants, so if you offer property for rent then you have to grapple with
the intricacies of immigration law (e.g. not everybody with a UK passport
has right of residence in Britain), but if you turn away a tenant because
you're unsure of the migration status, you may be charged with a
discrimination offence.

On a similar topic, the authorities nowadays are paranoid about
money-laundering and tax evasion so banks have to keep a close watch on
customers having dealings abroad.  For some banks this is more trouble than
it's worth so customers can have their accounts summarily closed, even if
they've loyally been with the bank for years.  Reportedly, one customer was
asked by his bank why he hadn't disclosed his connections with Romania,
which puzzled him as he didn't have any; turned out that his account details
included his landline telephone number, along with (for some reason) the
country code and international access code, and a bank employee had
mistakenly typed 0040 for Romania rather than 0044 for the UK...

http://www.telegraph.co.uk/news/2017/09/22/banks-check-immigration-status-70-million-accounts-identify/


Re: Hurricane Harvey Knocked Out Cell Service... (RISKS-30.46)

Wols Lists <antlists@youngman.org.uk>
Tue, 12 Sep 2017 12:06:32 +0100
> Depending on cell service during a disaster is a disaster in and of itself.
> That's why so many telecom experts hang onto their landlines as lifelines! I
> sure as hell do!

And what happens when all you've got is FTTP not POTS? We were looking
at a new house recently, and the estate was all fibre. So if your power
has gone out, so have your phones. That's why at present, I still have
an old-fashioned, corded phone so if we have a problem I've got a phone
that will work fine without mains power.


Judge dismisses libel lawsuit filed by self-proclaimed e-mail inventor (ArsTechnica)

Lauren Weinstein <lauren@vortex.com>
Wed, 6 Sep 2017 13:17:45 -0700
via NNSquad
https://arstechnica.com/tech-policy/2017/09/judge-dismisses-libel-lawsuit-filed-by-self-proclaimed-e-mail-inventor/

  A federal judge in Massachusetts has dismissed the libel lawsuit filed
  earlier this year against the tech news website, Techdirt.  The claim was
  brought by Shiva Ayyadurai, who has controversially claimed that he
  invented e-mail in the late 1970s. Techdirt (and its founder and CEO, Mike
  Masnick) has been a longtime critic of Ayyadurai, as well as institutions
  that have bought into his claims. "How The Guy Who Didn't Invent Email Got
  Memorialized In The Press & The Smithsonian As The Inventor Of Email,"
  reads one Techdirt headline from 2012.  Numerous articles that dubbed
  Ayyadurai a "liar" and a "charlatan" followed.  That, in turn, led to
  Ayyadurai's January 2017 libel lawsuit.  In the Wednesday ruling, US
  District Judge F. Dennis Saylor found that because it is impossible to
  define precisely and specifically what e-mail is, then Ayyadurai's "claim
  is incapable of being proved true or false."


An open letter to the W3C Director, CEO, team and membership (EFF)

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 18 Sep 2017 5:30:44 PDT
https://www.eff.org/deeplinks/2017/09/open-letter-w3c-director-ceo-team-and-membership

  In 2013, EFF was disappointed to learn that the W3C had taken on the
  project of standardizing "Encrypted Media Extensions," an API whose sole
  function was to provide a first-class role for DRM within the Web browser
  ecosystem. By doing so, the organization offered the use of its patent
  pool, its staff support, and its moral authority to the idea that browsers
  can and should be designed to cede control over key aspects from users to
  remote parties.  [...]


Letter from indigenous Mexican man who was denied a US visa to receive an award for Internet development

Lauren Weinstein <lauren@vortex.com>
Thu, 14 Sep 2017 09:35:29 -0700
via NNSquad
https://boingboing.net/2017/09/14/ikta-kop-collective.html

  Mariano Gomez is a 23 year old Tseltal from Abasolo, Chiapas, and a member
  of the Ikta K'op Collective; he is being given an award by the prestigious
  Internet Society for his work creating "a wireless Internet and Intranet
  network that provided connectivity and access to information to his
  community, which has no telephone or radio service," but will not be able
  to attend the awards in Los Angeles because the US embassy has denied him
  a tourist visa.
