Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
https://www.nytimes.com/2017/09/28/business/airport-check-in-computer.html A “network issue'' affected programs used by several major carriers, delaying flights and causing other problems for travelers.
The NYC Police Department has in the past gone to great lengths to avoid disclosing information to the public. Their latest defense seems to be that they don't know how to manage their systems or databases—they told a judge that they "lack the technical capacity" to answer the public records request, and that they don't know how to make a backup copy of their data. The creation of this particular database system for civil asset forfeiture records reportedly cost the city $25.5 million back in 2009. https://www.courthousenews.com/no-forfeiture-database-backup-millions-line-nypd-admits/
AirBnB detect the currency of payment cards and force charges to be in that currency; users are no longer permitted to chose between AirBnB with their conversion rate, and their bank, with its conversion rate. The detection mechanism is not perfect, and is incorrectly asserting Revolut (a FinTech) Mastercards, which are multi-currency, are denominated in GBP. (It's probably not unreasonable to suspect other multi-currency cards are incorrectly detected. Presumably there are also other causes of failure, which are wholly unknown to me.) This means that AirBnB are in the cases where currency detection goes wrong forcing an unnecessary currency conversion, which adds about 5% to the cost of a booking. For a booking of about 1000 euro this 5% is about a 50% addition to the service charge levied by AirBnB. It seems clear then why AirBnB have taken this step to remove from its users choice in this matter. The possibility of the computing risk in this case—incorrect card currency detection—must have been considered, and so the problem faced by a user in that situation was perceived and understood, but the cost of this risk to users (and so, indirectly, also to AirBnB) are obviously much less than the benefit to the AirBnB and so this risk has been accepted.
“We call it the freezing robot problem,'' says Anca Dragan, who studies autonomy in UC Berkeley's electric engineering and computer sciences department. “Anything the car could do is too risky, because there is some worst-case human action that would lead to a collision.'' Expect a thaw. Researchers like Dragan are tackling the challenges of interpreting --and predicting—human behavior to make self-driving cars safer and more efficient, but also more assertive. After all, if every machine screeches to a stop for every unpredictable human, we'll have soon millions of terrified robots choking the streets. www.wired.com/story/self-driving-cars-freezing-robot-problem/ Humans ... think? Author must not have been on the road lately.
https://gizmodo.com/palestinian-man-arrested-after-facebook-auto-translates-1819782902 A Palestinian construction worker was arrested by Israeli police after Facebook incorrectly translated the text of one of his posts. Haaretz reports that the man uploaded a picture from his job at a construction site with the text "good morning" in Arabic. When officers used Facebook's automatic translation service to read the post, the text was mistranslated as "attack them" in Hebrew and "hurt them" in English. According to Haaretz, Arabic speakers said the "English transliteration used by Facebook is not an actual word in Arabic but could look like the verb 'to hurt'—even though any Arabic speaker could clearly see the transliteration did not match the translation." No Arabic-speaking officers reportedly saw the post prior to the man's arrest. He was released after several hours of questioning.
Fun with big data How in the world was it OK to just hand that over to anybody who asked for it, Matis wondered? "If anyone can get this information, thats getting into Big Brother," Matis mused. "If I was trying to look at what my spouse is doing, [I could]. To me, that is something that is kind of scary. Why do they allow people to release this without a law enforcement reason? Searching it or accessing the information should require a warrant." https://insights.hpe.com/articles/fixing-cities-data-privacy-potholes-1710.html
Of the many new features in Apple's iOS 11—which hit your iPhone a few weeks ago—a tool called Core ML stands out. It gives developers an easy way to implement pre-trained machine learning algorithms, so apps can instantly tailor their offerings to a specific person's preferences. With this advance comes a lot of personal data crunching, though, and some security researchers worry that Core ML could cough up more information than you might expect—to apps that you'd rather not have it. Core ML boosts tasks like image and facial recognition, natural language processing, and object detection, and supports a lot of buzzy machine learning tools like neural networks and decision trees. And as with all iOS apps, those using Core ML ask user permission to access data streams like your microphone or calendar. But researchers note that Core ML could introduce some new edge cases, where an app that offers a legitimate service could also quietly use Core ML to draw conclusions about a user for ulterior purposes. https://www.wired.com/story/core-ml-privacy-machine-learning-ios/
Ah, the high seas. Nothing around you but salt air, water for miles, and web connectivity from satellites. Peace and quiet. But researchers at the security consulting firm IOActive say that software bugs in the platforms ships use to access the Internet could expose data at sea. And these vulnerabilities hint at larger threats to international maritime infrastructure. A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers. Compromising AmosConnect products, developed by the Inmarsat company Stratos Global, would expose extensive operational and personal data, and could even undermine other critical systems on a ship meant to be isolated. It's low-hanging fruit, says Mario Ballano, principal security consultant at IOActive who conducted the research. “The software that they're using is often 10 to 15 years old, it was meant to be implemented in an isolated way. So other software in these environments probably suffer from similar vulnerabilities, because the maritime sector originally didn't have connection over the Internet. But now things are changing.'' https://www.wired.com/story/bug-in-popular-maritime-platform-isnt-getting-fixed/
Today I corrected the resolution on my down-the-hill neighbor's monitor to 1024x768. Finally, characters were no longer blurred and the browser was no longer hanging off the edge. However he now had to face the reality that the pinup model on his home screen that he stares at all day was very much no longer as slim as she formerly seemed. [That's the "Zaftig" Transformation. It can do wonders for skinny pinups. PGN]
Christine McMorrow was in the middle of using her iPhone's voice-to-text feature to comment on a *New York Times* story this week. As she paused from ranting on the newspaper's website to take the call on the house phone, little did she know that her iPhone never stopped recording her voice. The contents of her private conversation were accidentally transcribed directly into the story's comment box, and then inadvertently posted to the Times' website. <https://mobile.nytimes.com/2017/10/26/reader-center/nyt-comments-section.html> http://www.bostonglobe.com/metro/2017/10/27/mass-woman-comment-new-york-times-article-went-viral-here-story-behind/6NsrsKKl0jTk0Vfq7qypvN/story.
John Wenzel, *The Denver Post*, 30 Oct 2017 A phishing scam in June led to the compromised email inboxes, officials said http://www.denverpost.com/2017/10/30/denver-art-museum-data-breach-800/ The Denver Art Museum warned 800 people this month of a data breach that included sensitive personal and financial information about its donors, customers, and current and former employees, according to a letter obtained by *The Denver Post*. The letter, dated 9 Oct, informed recipients of the "data security incident" over the summer, as well as the museum's discovery of the breach on 13 Sep, which triggered a forensic investigation by an unnamed third-party firm. The unauthorized access began on or about 5 Jun, and ended on or about 27 Jun, the letter said. The breach occurred through an email phishing scam and affected two of the museum's email inboxes, said Andrea Fulton, chief marketing officer for the Denver Art Museum. "We have no evidence that anybody's data has been compromised," Fulton said. "None of our big databases were impacted. It's simply content that was in a couple of email inboxes."
An upgrade to software used to run the Virginia lottery meant that a few hundred tickets were sold that could not win the main jackpot. The selection criteria changed during the upgrade (and the price per ticket went from $1 to $2), and for a short period of time tickets were sold that met the old rules but not the new ones, and hence could not win. They could still win the other prizes, just not the jackpot. Although the normal odds of winning the lottery are near-zero, reducing them to actual zero is a (microscopically small) RISK. https://www.washingtonpost.com/local/no-chance-of-winning-big-jackpot-in-virginia-mega-millions-for-some-players/2017/10/31/1d6914b0-be2b-11e7-8444-a0d4f04b89eb_story.html [microscopic? Not if anyone who actually had the winning combination tried to sue the state—and won!]
Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object. The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call. The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions. https://www.bleepingcomputer.com/news/security/researchers-devise-2fa-system-that-relies-on-taking-photos-of-ordinary-objects/ What could go wrong? "What do you mean you threw away that crumpled beer can? IT WAS MY PASSWORD". Then there's this: This is because the system doesn't restrict users and they can choose anything they want as their login trinket, from their watch to parts of their body, and from clothing objects to furniture. Users should be careful not to choose perishable objects like food, because once it's gone, users will most likely get locked out of their account. Too bad Anthony Weiner's in jail, he could test it.
via NNSquad https://www.washingtonpost.com/national/technology-seeks-to-preserve-fading-skill-braille-literacy/2017/11/01/f4d1a072-bec4-11e7-9294-705f80164f6e_story.html For nearly a century, the National Braille Press has churned out millions of pages of Braille books and magazines a year, providing a window on the world for generations of blind people. But as it turns 90 this year, the Boston-based printing press and other advocates of the tactile writing system are wrestling with how to address record low Braille literacy. Roughly 13 percent of U.S. blind students were considered Braille readers in a 2016 survey by the American Printing House for the Blind, another major Braille publisher, located in Louisville, Kentucky. That number has steadily dropped from around 30 percent in 1974, the first year the organization started asking the question.
Attacks on RSA keys generated by the Infineon crypto library. https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/ https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf
Check your spam box. It could be the SEC. That's the lesson learned this week by Axon Enterprise Inc., the company best known for its Taser stun guns. Late Thursday, Axon announced that “due to miscommunication issues,'' the company has just become aware of SEC requests regarding its previous financial reports and is now scrambling to respond. The stock fell as much as 7 percent, its biggest drop in more than two months. What happened? Axon's internal email filters are to blame. The SEC sent its initial comment on Aug. 10 and follow-up requests only to Axon's new CFO Jawad Ahsan, and they were quarantined in a spam filter. Dougherty & Co. analyst Jeremy Hamblin in a note to clients, called the incident "embarrassing, but nothing to be concerned about.'' https://www.bloomberg.com/news/articles/2017-10-20/pesky-spam-filter-is-behind-taser-maker-ghosting-the-sec That's not the lesson, it's the symptom.
The fundamental problem with spam folders, of course, is that they tend to be ignored by recipients, or only haphazardly inspected—sometimes at very long intervals. False positive emails end up in spam unread, with no indication to the sender that they likely were not seen—and may never be seen. My policy on my servers has long been to do a hard reject on suspected spam, that should result in an immediate error returned to the sender. That error points at a URL that explains my policy, and provides another URL that can be used to push a brief "hey, you're blocking me and I'm not spam!" message through to me in those rare instances to request unblocking/whitelisting. Some sites that do this sort of real time response don't offer any way to communicate when there's a false positive—they just say stuff like "spam, go away!" That's hopelessly ignorant and antisocial since false positives DO happen. One oddity is that sometimes a false positive person will send me their note and say something like "how dare you accuse me of suspected spam" (that's what my error messages says, "suspected" spam). I always reply asking if they would have preferred their email disappear into a black hole spam folder without their ever knowing it hadn't been seen? That always ends the argument. Re: https://www.bloomberg.com/news/articles/2017-10-20/pesky-spam-filter-is-behind-taser-maker-ghosting-the-sec
http://s3.amazonaws.com/CHINFO/USS+Fitzgerald+and+USS+John+S+McCain+Collision+Reports.pdf The USS Fitzgerald case seems to be mostly human error, but the USS John S McCain case includes significant elements of poor ergonomics in the computers. Extracts from the report: At 0519, the Commanding Officer noticed the Helmsman (the watchstander steering the ship) having difficulty maintaining course while also adjusting the throttles for speed control. In response, he ordered the watch team to divide the duties of steering and throttles, maintaining course control with the Helmsman while shifting speed control to another watchstander known as the Lee Helm station ... The CO had only ordered speed control shifted. Because he did not know that steering had been transferred to the Lee Helm, the Helmsman perceived a loss of steering. ... Additionally, when the Helmsman reported loss of steering, the Commanding Officer slowed the ship to 10 knots and eventually to 5 knots, but the Lee Helmsman reduced only the speed of the port shaft as the throttles were not coupled together (ganged). The starboard shaft continued at 20 knots for another 68 seconds before the Lee Helmsman reduced its speed. The combination of the wrong rudder direction, and the two shafts working opposite to one another in this fashion caused an un-commanded turn to the left (port) into the heavily congested traffic area in close proximity to three ships, including the ALNIC. So, to gain operational flexibility it seems that the KISS principle (Keep It Simple Stupid) has been egregiously ignored. There were 8 stations to which control could be transferred via pull-down menus and pop-ups. On top of that there are multiple operating modes that change the capabilities of those stations. A minimum of 24 crew would have to be trained on all the details. [Remember the Einstein version of the KISS principle: Everything should be made as simple as possible, *but no simpler*. PGN] Few RISKS readers have commanded a ship at sea, but almost all have flown on an airliner. Imagine if 8 other stations on the plane or on the ground were able to take control away from the pilot such that the pilot doesn't even know if he is in control or not. I am a technologist but also a blue water sailor. I am so KISS that I rejected a steering wheel in favor of an old fashioned tiller because complex steering can fail at sea. I also have a grandson in the US Navy. Now, I'm very worried about his safety. There used to be "the Navy way" of doing things. That meant that any seaman with minimal training could perform critical tasks. Apparently, that no longer applies.
Forgeries undermine the trust millions of people place in digital certificates. https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/
Based on my experiences as a patient, I'd say hospitals are among the least competent institutions to handle new technology. It's a target-rich environment and it will probably take a major intrusion resulting in deaths before the industry gets serious about security. https://www.statnews.com/2017/11/02/medical-devices-security-hospitals/
https://www.washingtonpost.com/business/technology/inside-story-how-russians-hacked-the-democrats-emails/2017/11/03/2f1caea6-c0fb-11e7-9294-705f80164f6e_story.html
via NNSquad https://www.engadget.com/2017/11/04/estonia-freezes-resident-id-cards-security-flaw/ Estonia's residents use their mandatory national IDs to access pretty much anything, from online banking to online voting. So, it was a huge blow to the program when experts found a security flaw in the IDs' chip that makes it easy for bad players to impersonate and steal the identities of all 760,000 affected individuals. That might not sound like a huge number, but that's half the small country's population. Now, the country has blocked most of its residents from accessing all its online services for a weekend, so it can go in and and fix the vulnerability. All ID cards issued from the beginning of the program in October 2014 to October 25th, 2017 will be frozen until their owners apply for updated certificates with the fix. They can do that online, but the online service kept crashing over the past week, leading people to flock to police stations and other government offices to get their IDs updated. For now, only medical professionals and the most frequent users will be able to apply for updated certificates online, but Estonia will open up the system to the public again on Monday.
Years of funding shortfalls and stalled IT projects have placed the census in a precarious position. https://thinkprogress.org/census-it-programs-stalled/ Skimping on every ten years must-do project—what could go wrong? Of course, leadership gaps and botched estimates never help.
https://www.washingtonpost.com/realestate/hackers-prey-on-home-buyers-with-hundreds-of-millions-of-dollars-at-stake/2017/10/30/0379dcb4-bd87-11e7-97d9-bdab5a0ab381_story.html New to me. Though, somewhat related, I keep hearing radio commercials for some sort of "Lifelock for home titles" (my term, not theirs) preventing bogus registration/transfers and mortgages. That seems about as credible as Lifelock (that is, not). Though I wonder about this: Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they've hijacked and instructs the home buyer to wire the funds needed to close—often hundreds of thousands of dollars, sometimes far more—to the criminals' own bank accounts, not the title or escrow company's legitimate accounts. The criminals then withdraw the money and vanish. ...since funds are often wired by mortgage lenders, I'd hope (!) they pay attention to where funds go.
To quote from the linked article: Once North Korea counterfeited crude $100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions of dollars a year from ransomware, digital bank heists, online video game cracking, and more recently, hacks of South Korean Bitcoin exchanges. One former British intelligence chief estimates the take from its cyberheists may bring the North as much as $1 billion a year, or a third of the value of the nation's exports. The North Korean cyberthreat crept up on us, said Robert Hannigan, the former director of Britain's Government Communications Headquarters, which handles electronic surveillance and cybersecurity. “Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn't take it seriously, how can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?" Surely this is asking something of the wrong question, and sadly, typically so of governments? The main issue is not how N Korean got so good at hacking, it's how the West got so bad at security!
Dan Jacobson writes: >I mentioned to my Mom about the endless deletion attempts on Wikipedia, >https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Peace_and_World_Affairs_Center_of_Evanston Dan seems to have inexplicably forgotten to mention that he originally created this article, which might have unfortunately led the RISKS reader to suppose this was a disinterested observation on the deletion process from an unbiased observer. >They even tired to delete >https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Triscuit He also seems to have failed to mention that the mysterious "they" here was one person who politely withdrew the deletion proposal after a few comments. Is there no end to their iniquity? I've said in the past that Wikipedia's a bit of a sausage factory under the surface, but I'm not sure these are the most trenchant criticisms of the process RISKS has ever featured.
There is another side effect: it actively legitimises banks to acquire more personal data (to then presumably lose to hackers who got bored reading through what they had already stolen from Equifax). Apropos Equifax: I wonder how certain is the company of the integrity of own its data now. We're only focusing on the loss and possible abuse, but I imagine there's more you can do when you have that kind of months long open door access.
My mother has already suffered from a similar problem. When her husband died she was 89 had been driving cars without accident for 50 years. We tried to get insurance for her to continue to drive her car, but no company would insure her. Why not? Because the "all driver" comprehensive insurance had been in her husband's name so the companies had no record of her, and they would not insure a "new" 89 year old driver. So I tried to get insurance for her car in my name and to add her as a named driver, but you can't insure a car you don't own. The only solution was for me to take ownership of her car and insure it in my name, which presents different risks. Seven years later she doesn't drive any more, but we've kept her driving licence up to data since it is the only form of photo ID she possesses. (My driving licence doesn't have a photo, which occasionally flummoxes youngsters in banks.)
via NNSquad http://www.cnn.com/2017/10/19/opinions/cyber-attacks-opinion-eschelbeck/index.html Gerhard Eschelbeck is the vice president of privacy and security at Google. He published the "Laws of Vulnerabilities," is one of the inventors of the Common Vulnerability Scoring System (CVSS), and holds numerous patents in the field of managed network security.
240 pages, Yale University Press, 28 Nov 2017 https://www.amazon.com/Listening-Cybersecurity-Insecure-Susan-Landau/dp/0300227442. *A cybersecurity expert and former Google privacy analyst's urgent call to protect devices and networks against malicious hackers* New technologies have provided both incredible convenience and new threats. The same kinds of digital networks that allow you to hail a ride using your smartphone let power grid operators control a country's electricity—and these personal, corporate, and government systems are all vulnerable. In Ukraine, unknown hackers shut off electricity to nearly 230,000 people for six hours. North Korean hackers destroyed networks at Sony Pictures in retaliation for a film that mocked Kim Jong-un. And Russian cyberattackers leaked Democratic National Committee emails in an attempt to sway a U.S. presidential election. And yet despite such documented risks, government agencies, whose investigations and surveillance are stymied by encryption, push for a weakening of protections. In this accessible and riveting read, Susan Landau makes a compelling case for the need to secure our data, explaining how we must maintain cybersecurity in an insecure age. "Susan Landau is eminently qualified to guide readers to deeper understanding of risks and threats that accompany an increasingly connected world. Our online appetites are growing and our presence attracts hacking and surveillance among other uses we may not have authorized or even anticipated. Must read." Vint Cerf, Internet pioneer "Susan Landau manages to harness the sprint of our online era and provides a lasting framework for how to manage, protect, and even master our digital footprint." Juliette Kayyem, former Assistant Secretary, United States Department of Homeland Security "Encryption is essential to our online security, but it also makes the job of law enforcement harder. In Listening In, Landau gives us an authoritative and unflinching look at this challenge and confronts the urgent question of security in the digital age." Matt Olsen, Former Director, National Counterterrorism Center "Susan Landau has performed a remarkable feat of public service with *Listening In*: she simplifies the complex contemporary debate around privacy and security trade-offs in a way that welcomes anyone with an interest in these topics to engage with them—and she demonstrates why everyone should." Jonathan Zittrain, author of *The Future of the Internet—and How to Stop It* [See Susan's website: https://privacyink.org ]
Please report problems with the web pages to the maintainer