Manufacturer aims to eliminate chances of cockpit displays failing due to lightning events http://www.wsj.com/articles/lightning-hazards-prompt-boeing-to-fix-787-jets-1524652201
via Lauren Weinstein's Network Neutrality Squad http://techcrunch.com/2018/04/28/facebooks-dark-ads-problem-is-systemic/ Facebook's admission to the UK parliament this week that it had unearthed unquantified thousands of dark fake ads after investigating fakes bearing the face and name of well-known consumer advice personality, Martin Lewis, underscores the massive challenge for its platform on this front. Lewis is suing the company for defamation over its failure to stop bogus ads besmirching his reputation with their associated scams. The Dark-ads might be thought of as similar to the Naryads, the Leeryads, the Purseyads, and other meatier showers—except that they are largely invisible to Facebook and ubiquitously visible to everyone else. Besides, they are not like (scattered) showers at all—more like uninterrupted monsoons and biblical deluges. At least Noah's Ark did not have the World Wide Web to blare at the hoofers and tweeters on board, or TV speakers offering fake gnus. We might want to take a lesson from the Hindu U-punish-ads. PGN
via NNSquad http://slate.com/technology/2018/04/60-minutes-interview-facebooks-ties-with-aleksandr-kogan-and-cambridge-were-cozier-than-we-thought.html What Zuckerberg didn't mention was that Facebook itself had worked directly with Kogan and his Cambridge colleagues for years--and that it continues to this day to employ two of Kogan's close research associates. In an interview with CBS' 60 Minutes on Sunday, Kogan said one of them, his former co-worker Joseph Chancellor, was fully involved in harvesting the user data that they then sold to Cambridge Analytica. On Monday, Facebook spokesman Andy Stone confirmed to Slate that, with respect to Chancellor, "a review of the situation is ongoing."
via NNSquad http://www.washingtonpost.com/business/economy/how-merchants-secretly-use-facebook-to-flood-amazon-with-fake-reviews/2018/04/23/5dad1e30-4392-11e8-8569-26fda6b404c7_story.html But a Washington Post examination found that for some popular product categories, such as bluetooth headphones and speakers, the vast majority of reviews appear to violate Amazon's prohibition on paid reviews. They have certain characteristics, such as repetitive wording that people likely cut and paste in. Many of these fraudulent reviews originate on Facebook, where sellers seek shoppers on dozens of networks, including Amazon Review Club and Amazon Reviewers Group, to give glowing feedback in exchange for money or other compensation. The practice artificially inflates the ranking of thousands of products, experts say, misleading consumers.
http://www.nytimes.com/2018/04/23/technology/privacy-regulation-facebook-google.html Facebook and Google are dealing with a privacy backlash and new European rules on data collection. The rules, though, may not be as damaging to the companies as they appear.
http://www.nytimes.com/2018/04/25/technology/fake-mark-zuckerberg-facebook.html The Facebook chief executive has vowed to clean up the social network, but his company has failed to stop even those impersonating him from swindling people.
Security firm Checkmarx reports that malicious Amazon Alexa skills could have enabled an attacker to record everything a user says. Amazon has taken steps to mitigate the issue. http://www.eweek.com/security/researchers-find-amazon-alexa-can-be-hacked-to-record-users Of course, how secure are other listening devices?
via NNSquad http://www.nytimes.com/2018/04/27/health/dna-privacy-golden-state-killer-genealogy.html Even as scientific experts applauded this week's arrest of the Golden State Killer suspect, Joseph James DeAngelo, 72, some expressed unease on Friday at reports that detectives in California had used a public genealogy database to identify him. Privacy and ethical issues glossed over in the public's rush to embrace DNA databases are now glaringly apparent, they said. Apparently they also got a false genetic hit on this case last year and harassed a sick and elderly innocent man as a result. I've been saying for years that anyone voluntarily submitting genetic data to publicly accessible databases is worse than an idiot. DNA-based genealogy as a hobby is for suckers. You're selling the current and future generations of your relatives down the goddamned river, you morons! [Also noted by Mark Thorson. PGN]
http://www.nakedcapitalism.com/2018/04/tsb-train-wreck-massive-bank-it-failure-going-into-fifth-day-customers-locked-out-of-accounts-getting-into-other-peoples-accounts-getting-bogus-data.html Snippet: The very short version is that a UK bank, TSB, which had been merged into and then many years later was spun out of Lloyds Bank, was bought by the Spanish bank Banco Sabadell in 2015. Lloyds had continued to run the TSB systems and was to transfer them over to Sabadell over the weekend. It's turned out to be an epic failure, and it's not clear if and when this can be straightened out. It is bad enough that the bank IT problem had been so severe and protracted that a major newspaper, The Guardian, created a live blog for it that has now been running for two days. The more serious issue is the fact that customers still can't access online accounts and, even more disconcerting, are sometimes being allowed into other people's accounts, which says there are massive problems with data integrity. That's a nightmare to sort out. Even worse, the fact that this situation has persisted strongly suggests that Lloyds went ahead with the migration without allowing for a rollback. If true, this is a colossal failure...
People outside the UK may not be aware that customers of one of the largest banks, TSB, have had a week-long IT disaster that has locked people out of accounts, cash, mortgages, staff payments...you name it. The Guardian says an inside source claims that the warning signs were there a year ago when TSB was forced to divest itself of Lloyds Banking Group (in the financial crisis taxpayer bailout) because after many mergers the IT system was a "bodge of many old systems" (banks here went on a consolidation spree in the 1990s and early 2000s). The risk that *The Guardian* highlights is interesting: IT systems that are forced into working together by business decisions, then forced apart by regulatory ones...compounded by IT mistakes and internal divisions. http://www.theguardian.com/business/2018/apr/28/warning-signs-for-tsbs-it-meltdown-were-clear-a-year-ago-insider [Richard Stein also notes TSB chaos: 'We are on our knees,' says boss (BBC) http://www.bbc.com/news/business-43904267 PGN]
Bryan Johnson, the founder and CEO of neurotech company Kernel, on the issues surrounding direct access to our most valuable data http://www.wsj.com/articles/brain-computer-interfaces-the-last-frontier-of-human-privacy-1524580522
http://www.bbc.com/news/world-asia-india-43619944
Bob Sullivan, an author who specializes in cybercrime and consumer protection, said he was stunned by how poorly the banks had communicated Zelle's risks, and by their failure to learn from the painful lessons of the past. http://www.nytimes.com/2018/04/22/business/zelle-banks-fraud.html [Monty Solomon added this from that: The personal payment platform Zelle is flourishing. But so are fraudsters, who are exploiting weaknesses in the banks' security. PGN]
[Apparently, it's a thing!]
Civil says the future of media is blockchains and cryptocurrencies
Mathew Ingram, CJR, December 4, 2017
http://www.cjr.org/business_of_news/civil-says-the-future-of-media-is-blockchains-and-cryptocurrencies.php
Jarrod Dicker on what the blockchain can do for news
Mathew Ingram, CJR, March 2, 2018
http://www.cjr.org/innovations/blockchain-poet.php
Experts complain of shoddy tech specs and personal attacks. http://www.theregister.co.uk/2018/04/25/nsa_iot_encryption Those experts with their high standards...
https://www.washingtonpost.com/news/monkey-cage/wp/2018/04/26/what-can-cybergames-teach-us-about-cyberattacks-quite-a-lot-in-fact/ "Frankly, the United States is under attack." This February 2018 warning to the Senate from Director of National Intelligence Dan Coats included a message that "there should be no doubt" that Russia, emboldened by its 2016 cyberattacks and informational warfare campaign, will target the U.S. midterm elections this year. "We agree. However, our research suggests that, although states like Russia will continue to engage in cyberattacks against the foundations of democracy (a serious threat indeed), states are less likely to engage in destructive 'doomsday' attacks against each other in cyberspace. Using a series of war games and survey experiments, we found that cyber operations may in fact produce a moderating influence on international crises. Here's why: Cyberspace offers states a way to manage escalation in the shadows. Thus, cyber operations are more akin to the Cold War-era political warfare than a military revolution." Daniel Ellsberg's latest, "The Doomsday Machine: Confessions of a Nuclear War Planner," supplies sober discourse about his persistent and successful effort, during the first Cold War, to implement permissive action links (PALs) as part of US strategic nuclear war planning. Are similar protocols and devices applied to constrain cyber weaponry? The article does not discuss how delegation of authority may initiate an offensive cyber attack, or escalate into a limited or general war, if or when established command and control channels are disabled or compromised.
http://www.scientificamerican.com/article/defending-hospitals-against-life-threatening-cyber-attacks/ "We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees' roles line up with cybersecurity efforts." Heterogeneous infrastructure broadens ransomware attack surface area and malicious service denial takedown. Role privilege allocation/restriction gaps elevate computerized medical device configuration and usage error risks. "Getting hospital administrators to understand the importance of cybersecurity is fairly straightforward: They told us they're worried about costs, institutional reputation and regulatory penalties. Getting medical staff on board can be much more difficult: They said they're focused on patient care and don't have time to worry about cybersecurity." Professionals shirk their oaths and obligations to protect patients, compromising ethical practice with impunity; an alarming standard operating procedure that begs for enforcement and strictly monitored, corrective measures. Business operations that neglect risk mitigations in the name of profit and expenditure reduction, and a criminal exploiting these vulnerabilities are linked by more than metaphor. Hospital administrators fear brand outrage, yet demur to proactively suppress this potential. Dysfunctional organizational behavior is inimical to patient health and resilient operations. Digital medical records are integral components of the surveillance economy, and apparently easy to monetize. The notorious bank robber Willie Sutton said, "I rob banks because that's where the money is." Electronic medical record banks are sweeter targets, and software is the criminal's weapon of choice.
Pyongyang-linked data-theft campaign has hit 17 countries, including the U.S., report says http://www.wsj.com/articles/operation-ghostsecret-north-korea-is-suspected-in-intensifying-global-cyberattack-1524629807
http://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/ Danny Palmer, ZDNet, 23 Apr 2018. Orangeworm hacking group carefully selects victims in highly targeted attacks. Selected text: A newly-discovered cybercriminal group is installing custom malware onto the systems of organisations in healthcare and related sectors in order to conduct corporate espionage. "The targeting of large multinational corporations that work directly in or related to the healthcare space has been a consistent theme with Orangeworm since their discovery," Alan Neville, threat researcher at Symantec told ZDNet. Within the healthcare sector, Kwampirs malware was found installed on a wide variety of systems, including X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms. However, rather than stealing information stored upon these systems, it is suggested that attackers are mostly interested in learning about the devices themselves.
http://www.healthcareitnews.com/news/comcast-partners-independence-health-create-digital-health-company Use terrible/hated consumer brand for healthcare. What could go wrong?
Courtesy of KrebsOnSecurity, 18 Apr 2018 (URL at end), Transcription Service Leaked Medical Records https://krebsonsecurity.com/2018/04/transcription-service-leaked-medical-records/ MEDantex, a Kansas-based company that provides medical transcription services for hospitals, clinics and private physicians, took down its customer Web portal last week after being notified by KrebsOnSecurity that it was leaking sensitive patient medical records - apparently for thousands of physicians. On Friday, KrebsOnSecurity learned that the portion of MEDantex's site which was supposed to be a password-protected portal physicians could use to upload audio-recorded notes about their patients was instead completely open to the Internet. What's more, numerous online tools intended for use by MEDantex employees were exposed to anyone with a Web browser, including pages that allowed visitors to add or delete users, and to search for patient records by physician or patient name. No authentication was required to access any of these pages.
Almost 1,300 addresses for Amazon Route 53 rerouted for two hours. http://arstechnica.com/information-technology/2018/04/suspicious-event-hijacks-amazon-traffic-for-2-hours-steals-cryptocurrency/
http://www.businesswire.com/news/home/20180424005509/en/Buckle-Prime-Members-Amazon-Launches-In-Car-Delivery
At the Infiltrate conference in Miami later this week, Tuominen and Hirvonen plan to present a technique they've found to not simply clone the keycard RFID codes used by Vingcard's Vision locks, but to create a master key that can open any room in a hotel. With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free rein to roam any room in the building. The whole process takes about a minute. http://www.wired.com/story/one-minute-attack-let-hackers-spoof-hotel-master-keys
The hack can turn the Switch into a tablet that can run pirated programs and grant hackers far greater control over the system than Nintendo intended. http://www.washingtonpost.com/news/the-switch/wp/2018/04/24/hackers-have-found-a-way-to-jailbreak-the-nintendo-switch/
http://www.hpe.com/us/en/insights/articles/the-state-of-patch-management-1804.html It's automated so it's wonderful. That takes more faith than I have.
http://arstechnica.com/information-technology/2018/04/eventbrite-rolls-back-policy-that-would-have-given-it-right-to-record-events/
Regulate AI: laudable and important goal, but the Three Steps in the Nature article sound the same as proposals for nuclear non-proliferation. Nukes are hard to make and hard to hide. AI code can be emailed to North Korea. Is any kind of prohibition going to work for AI? What about the opposite: Open and promote AI development so that a pretty good system is freely available. People worried about secret AI systems can turn their efforts to improving the open system. This may put pressure on dark AI systems. Or is the risk really in applications - that 20 year old AI in textbooks is being keyed into missile guidance software? Then the prohibition needs to be on guided missiles?
The Risk? That someone will confuse this achievement with professional software development.
What about Condorcet, as used by Debian? Basically, for any pair of candidates, you say which one you prefer. This will give you a candidate who is preferred above everyone else, or alternatively an "anyone but" candidate to be eliminated. The trouble with Condorcet is you really need a computer to count the votes. Personally, my favourite where there are multiple positions available (such as our parliamentary elections) would be "top up" places. Keep the current "first past the post" voting for constituencies, then based on the national vote share out the top-up seats to candidates who came second in the constituencies. That's not perfectly fair, it is intended to ensure that two or three parties get most of the seats, but it makes it much easier to unseat an unpopular party. It also prevents the instability that Italy experienced a decade or two ago when a system, intended to be as fair as possible, resulted in even the largest party not having many seats, and thus the country lurched from one short-lived coalition to another.
> "The politicians running in the election shouldn't have to argue their challenges in court."
If they are Congressional candidates, they cannot argue their challenges in court. Article I, Section 5 of the U.S. Constitution says, "Each House shall be the Judge of the Elections, Returns, and Qualifications of its own Members..." Candidates who lose Congressional elections due to fraud can appeal only to Congress. Not even the Supreme Court can intervene, as the power to judge Congressional elections rests solely with Congress. Does anyone know if a candidate has ever won one of those appeals?
If this is an actual problem you must have a remarkably bad local clock. Google uses the standard TOTP algorithm that generates a new key every 30 seconds, and I am reasonably sure they will accept either the current or the previous code to give you time to switch apps and type the code in. So as long as your phone's clock is within a minute of the correct time, the code should work. One time I lost my phone in an airport parking garage shortly before getting on a plane. It was easy enough to buy another phone and port my number to it, thereby recovering any 2FA keyed to my phone number, but I'd lost all the Authenticator codes. So I made sure that wouldn't happen again. When Google or anyone else shows you a QR code to set up in Authenticator, it contains a base32 seed string along with a comment. If you save or write down that seed string, you can later enter it into Authenticator or any other TOTP application. I have all my seeds both in the phone app and in a Python script on my laptop. Adding to the confusion, I have SIM cards for countries I visit so my phone has a Canadian phone number when I'm in Canada, and a UK phone number when I'm in Europe. This means when I'm traveling, the TOTP 2FA works fine, but anyone who sends an SMS to my US phone number will have to wait until I get home. So overall I like TOTP a lot better, clock issues and all.
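The mechanism the post describes (a 30-second TOTP step, a verifier that tolerates a neighbouring step, and a base32 seed carried in the enrolment QR code), as an added example that is not the contributor's own script: a minimal RFC 4226/6238 implementation in Python using the standard library only. It assumes the RFC test key for its sample seed and a constructed otpauth URI; a window of one step (previous, current and next code) is an assumption about what a verifier accepts.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Base32 form of the RFC 4226 / RFC 6238 test key (the ASCII bytes "12345678901234567890").
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32):
    """Decode a base32 seed as shown in an enrolment QR code (padding and case vary)."""
    cleaned = seed_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the base32 padding apps usually omit
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); 'at' defaults to now."""
    at = time.time() if at is None else at
    return hotp(decode_seed(seed_b32), int(at) // step, digits)


def verify(seed_b32, code, at=None, step=30, digits=6, window=1):
    """Verifier-side check tolerating +/- `window` steps of clock skew
    (window=1 accepts the previous, current and next 30-second code)."""
    at = time.time() if at is None else at
    key = decode_seed(seed_b32)
    counter = int(at) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        # check every candidate with a constant-time comparison; no early exit
        ok |= hmac.compare_digest(hotp(key, c, digits), str(code))
    return ok


def seed_from_otpauth(uri):
    """Extract the base32 secret from an otpauth://totp/... URI (what the QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    secrets = parse_qs(parsed.query).get("secret")
    if not secrets:
        raise ValueError("otpauth URI has no secret parameter")
    return secrets[0]


if __name__ == "__main__":
    # Constructed enrolment URI using the RFC test key; not a real account.
    uri = "otpauth://totp/Example:alice@example.com?secret=" + RFC_TEST_SEED_B32 + "&issuer=Example"
    print(totp(seed_from_otpauth(uri)))  # the current six-digit code for that seed
```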
My bank has an even better option, actually: they'll print you a card with 2 rows of symbols for a challenge-response authentication. It's not quite one-time: it's good for a couple of months or until you call them and ask for a new one, whichever comes first. :)