Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Max Fischer, *The New York Times*, 8 Jan 2017 http://www.nytimes.com/2017/01/08/world/europe/russian-hackers-find-ready-bullhorns-in-the-media.html?partner=rss&emc=rss But in this case, the source was Russia's military intelligence agency, the GRU—operating through shadowy fronts who worked to mask that fact—and its agenda was to undermine the American presidential election. By releasing documents that would tarnish Hillary Clinton and other American political figures, but whose news value compelled coverage, Moscow exploited the very openness that is the basis of a free press. Its tactics have evolved with each such operation, some of which are still unfolding. Thomas Rid, a professor of security studies at King's College London who is tracking the Russian influence campaign, said it goes well beyond hacking: "It's political engineering, social engineering on a strategic level."
http://www.telegraph.co.uk/news/2017/01/08/france-blocks-24000-cyber-attacks-amid-fears-russia-may-try/
Russell Goldman, *The New York Times*, 8 Jan 2017 http://www.nytimes.com/2017/01/07/world/europe/russias-rt-the-network-implicated-in-us-election-meddling.html Created by Russia's government to offer “the Russian view on global news,” RT acted like a Kremlin propaganda operation, an American intelligence report suggests.
Many companies don't know that their ads are appearing next to abhorrent content. Tell them. http://www.nytimes.com/2017/01/07/opinion/sunday/how-to-destroy-the-business-model-of-breitbart-and-fake-news.html [The same article by Pagan Kennedy is in the hardcopy National Edition of *The New York Times* Sunday Review, although with the title in the subject line above. PGN]
https://freedom-to-tinker.com/2016/12/14/disrupting-the-business-model-of-the-fake-news-industry/ In the aftermath of the 2016 election, researchers and media professionals alike seized on the vast proliferation of so-called *Fake News* on Facebook as a cause for concern. An informed citizenry is a necessary condition for democracy, so it is far from ideal to have millions of people consuming intentionally misleading information masquerading as hard news. Now that Facebook has admitted that it has a problem with Fake News, Mark Zuckerberg and Co. need to do even more to prevent its spread on the platform. We propose one solution: Facebook should block advertising links to Fake News websites and Fake News pages on the Facebook platform itself. [...]
Neil Genzlinger, *The New York Times*, 4 Jan 2015 http://www.nytimes.com/2017/01/04/arts/television/a-chilling-pbs-documentary-shows-how-mistakes-are-made.html *Command and Control* is an *American Experience* episode on PBS on 10 Jan [tonight]. It recounts a 1980 maintenance blunder at a missile silo in Arkansas.
The US Food and Drug Administration today issued a Safety Communication: to reduce the risk of patient harm due to cybersecurity vulnerabilities associated with St Jude Medical's radio-frequency-enabled implantable cardiac devices and corresponding Merlin@home Transmitter[1]. <http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm?source=govdelivery&utm_medium=email&utm_source=govdelivery> After months of reviewing information, the FDA confirmed there are "vulnerabilities" that if exploited could allow an unauthorized user to "remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter." The FDA said there has been no reports of patient harm related to the cybersecurity vulnerabilities but that if hacked, the "transmitter could be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate shocks." http://www.medscape.com/viewarticle/874193
A Research Report from the NTIA Awareness and Adoption Group https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf
Perhaps it's time for Apple to bring back the "Titanium" Powerbook? [I'll bet Steve Frappier is *really glad* that he wasn't carrying a Samsung Galaxy Note 7 in his backpack... Now if Apple could only make bullet-proof software... HB] MacBook saves man's life during Fort Lauderdale airport shooting WPLG Miami 7 Jan 2017 http://www.chron.com/news/article/Macbook-saves-man-s-life-Fort-Lauderdale-10842126.php There were bullets flying at Fort Lauderdale-Hollywood International Airport when 11 people were shot. Five of them didn't make it out of the baggage claim area alive. And Steve Frappier was lucky. He credited his Apple MacBook Pro for saving his life. The 37-year-old traveler from Atlanta brought his school-issued lap top, because he was going to an education conference. He placed it in his backpack, but didn't think of it when he felt an impact on his back during the shooting. Frappier said he saw a man get shot in the head and heard his wife screaming. When the bloodshed was over, he said he went to the men's restroom and saw a bullet hole on the lap top. He gave it to FBI agents. And he was in shock when they found a 9 mm bullet in his backpack. That was when he realized a gunman aimed to kill him, but the laptop took the bullet for him. "If I didn't have that backpack on, the bullet would have shot me between the shoulders," Frappier said.
The Verge via NNSquad http://www.theverge.com/2017/1/7/14195118/iran-porn-block-censorship-overflow-bgp-hijack Thursday afternoon, something very unusual happened to super - - - - - - - -.com. That site and 255 others—many of them p*rn sites—suddenly began dropping off the web. The servers showed no problems, but users from Russia to Hong Kong were typing the URLs into their browsers and getting blank pages. Something on the Internet was getting in the way. Executive summary: Screwed up BGP ... again.
Woody Leonhard, InfoWorld, 6 Jan 2017 The bad December patches include Windows 7 security-only KB 3205394 and Windows 10 cumulative updates KB 3206632, KB 3205386 http://www.infoworld.com/article/3155264/microsoft-windows/december-windows-security-patches-crash-active-directory-admin-center.html opening text: It's been three weeks since Microsoft released its December security patches, and a bad conflict with the Active Directory Admin Center (and, by some accounts, SCCM) is only now reaching the mainstream. Those of you running Active Directory take note. The good news: Uninstalling the wayward patch solves the problem. The bad news: Nobody seems to know exactly which patches trigger the crash.
Lucian Constantin, Romania Correspondent, InfoWorld, 6 Jan 2017 Five groups of attackers are competing to delete as many publicly accessible MongoDB databases as possible http://www.infoworld.com/article/3155201/security/more-than-10000-exposed-mongodb-databases-deleted-by-ransomware-groups.html selected text: Groups of attackers have adopted a new tactic that involves deleting publicly exposed MongoDB databases and asking for money to restore them. In a matter of days, the number of affected databases has risen from hundreds to more than 10,000. The issue of misconfigured MongoDB installations, allowing anyone on the Internet to access sensitive data, is not new. ... puts their number at more than 99,000. On Monday, security researcher Victor Gevers from the GDI Foundation reported that he found almost 200 instances of publicly exposed MongoDB databases that had been wiped and held to ransom by an attacker or a group of attackers named Harak1r1. The bad news is that most of them don't even bother copying the data before deleting it, so even if the victims decide to pay, there's a high chance they won't get their information back. [See also Fahmida Y. Rashid, MongoDB ransomware attacks sign criminals are going after servers, applications: http://www.infoworld.com/article/3155435/cyber-crime/mongodb-ransomware-attacks-sign-criminals-are-going-after-servers-applications.html PGN, also from Gene]
There is really no excuse for Cloudflare's problem with the recent leap-second. In 1969 and for many years afterward, I worked on computer software that handled leap-seconds correctly. All we needed was about 2 month's advance notice that a leap-second would occur; today, such notices are available much more than 2 months in advance. The key to proper handling of time is that computer systems should internally maintain atomic time (TAI, from the French term Temps Atomique International) instead of universal time (UTC, French Temps universel coordonné). TAI and UTC share the same definition of a second, and a TAI clock ticks its seconds at the exact same instant as a UTC clock. However, a TAI clock does not tick the same second as a UTC clock. This is because TAI never has leap-seconds, which means that it has a growing failure to align with time computed from the sun. UTC, on the other hand, requires leap-seconds to keep its time aligned with sun-time. Thus, today a UTC clock might show 11:24:00 while a TAI clock will simultaneously show 11:24:27. At the very beginning of 1 January 2017, while a TAI clock kept ticking 60-second minutes, a UTC clock ticked a 61-second minute. This is how it looked, allowing for the fact that, before then, the two were already 26 seconds misaligned: UTC TAI 31 Dec 16 23:59:58 1 Jan 17 00:00:24 31 Dec 16 23:59:59 1 Jan 17 00:00:25 31 Dec 16 23:59:60 1 Jan 17 00:00:26 <= the leap-second 1 Jan 16 00:00:00 1 Jan 17 00:00:27 1 Jan 17 00:00:01 1 Jan 17 00:00:28 For user interfaces, a simple routine in the software on which I worked converted internal TAI to external UTC for displays and reports and converted external UTC to internal TAI for user input. A more complex software routine handled the fact that the earth's rotation exhibits annual and semi-annual fluctuations and thus the earth's current rotational position and velocity. All this was necessary because the software was used to operate earth-orbiting space satellites. Accurate time is needed to determine what spot on the rotating earth was directly beneath a satellite while giving the human users data in terms of "wall clock" time (UTC). Cloudflare is not alone in having software developed by individuals who have little knowledge about the dynamics of time. The problem of careless (ignorant?) programmers is even promoting plans to eliminate leap-seconds, which would mean a gradual (but generally unnoticeable in a human lifetime) shift in the times of sunrise, sunset, and tides.
The only thing the requirement for real names in social networks produces is an enormous chilling effect on the writing by exactly the category of people we would all want to read and learn from: smart, aware of the realities of life, having opinions of their own, and desiring to talk about things which actually matter rather than engage in verbal mutual grooming. Smart - because smart people are interested in big and often controversial issues. Meaningless chatter about celebrity antics and greatness of Burning Man is for dullards. Only a person totally oblivious to how corporate business works uses his real name to discuss anything remotely politically sensitive on-line. The rest of us understands very well that the first thing an HR dept does upon receiving a qualified resume is on-line search to see any dirt (in the eyes of the HR drone) which may justify tossing the resume into trash can. In many cases this "vetting" could be totally illegal, but the law is also totally unenforceable here. Besides "I was rejected because lady in HR disliked my joke about cats" isn't going to impress the judge. Same goes for the people searching dirt on their opponents in corporate political games, etc. No one who has any awareness of the reality would want to conflate personal with professional. Now, the mindless parrots merely regurgitating approved blabber from the mainstream press are probably reasonably safe. They also are absolutely boring. Thank you, I can read WaPo myself. The only interesting speech is by those who have to say something new or different and have mind of their own. Finally... nobody cares about pictures of cats, vacation photos, or stories about how great the last party was. It's content-free, it is nothing more than mutual grooming. I like yours, you like mine. Nothing wrong with that, but, please, I have a mind which needs something more complicated than simian camaraderie. The obvious and observable result is terrifying dullness of social networks - and willing and widespread disrespect of the "real names only" policies by virtually everyone whose words I may be interested in reading (and who haven't yet secured an unassailable position of a tenured professor or a housewife). And, yes, I'm one of those who got banned by Facebook for not using my real name. I consider it beneath myself to use Photoshop to bypass the idiotically easy identity check FB requires, so I'm not coming back to that platform, ever.
In RISKS-30.06, PGN said: "Nevertheless, nation-state hacking into other nations' systems is reprehensible." That would carry a lot more moral authority if it was preceded by a pledge by the US government to forswear hacking other nation's systems. But we openly talk about US Cybercommand whose mission is to do exactly that. As discussed in RISKS-30.04, *The Washington Post)* told of the USA's long history of interfering in other nation's elections or promoting regime change. But in today's bizarre political debate, hacking another nation's systems may be deemed more reprehensible than assassination or bombing their capitol city.
PGN notes that there's a history of these attacks documented in RISKS. There was also a talk at Blackhat this summer which summarized, modeled, and presented security guidance and privacy guidance for voice driven products. It will be interesting to see how well they did at predicting the problems which emerge. http://www.ewf-usa.com/page/voiceprivacy https://www.blackhat.com/us-16/briefings.html#building-trust-and-enabling-innovation-for-voice-enabled-iot
This really shouldn't be much of a surprise. When voice commands were just beginning, there was the (likely apocryphal) story that during an early demo, someone yelled from the back of the room "format c:", at which point the system did as instructed. Whether or not this is true (and I heard it at least a couple decades ago), it's unfortunate that the Alexa designers didn't consider the known risks... [In the process of trying to figure out when I heard about disk formatting first, I ran across a Dilbert cartoon from 1994 demonstrating this risk: http://dilbert.com/strip/1994-04-24]
[Alexa, subscribe me to the Risks Digest!] This presents opportunities for calling talk radio stations and giving Alexa commands.
If you can come up with a tool that keeps zombie botnets from taking over your connected hairbrush, refrigerator, or nanny cam, the US Federal Trade Commission (FTC) wants to pay you $25,000.00, assuming you are the first to contact the FTC with a best solution in the FTC "IoT Home Inspector Challenge." There are also awards of $3,000.00 each for honorable mention winners. The winning tool needs to be able to resolve the problems of "smart" and "IoT" devices that have out-of-date or inadequate security. Submissions will be accepted, starting in March 2017, with final deadline May 22. Winners shall be announced around 2017 July 27. https://www.ftc.gov/iot-home-inspector-challenge https://www.ftc.gov/news-events/blogs/business-blog/2017/01/25000-prize-winner-internet-things-home-inspector-challenge https://www.consumer.ftc.gov/blog/announcing-internet-things-home-inspector-challenge Rules, such as who owns the solution. https://www.ftc.gov/news-events/contests/iot-rules and FAQ https://www.ftc.gov/iot/faqs How to participate in the contest: https://www.ftc.gov/node/1010513 I have not read the complete contents of all the above links, just their summary statements and abstracts. I suggest people, interested in participating in the contest, ought to do so. Not mentioned in the challenge requirements, but important to me: * Provide to our home, car, work place, etc. services similar to that of a Firewall, where we have the option of telling which "smart" or "IoT" services may operate in which modes, like OFF, require a Yes/No from operator, which actions to perform, do 100% spying on us, accept as valid commands, anything we hear on radio, TV, other background noise. * Identify "smart" and "IoT" connected gadgets in the home, or affecting the home, such as neighbor wifi, smart utility company meters, which have the capability of messing with electronics in the home, and/or have capability of harming the home. * Identify any purchased items whose internal "RFID" was not turned off, when we purchased it. * Provide aids to backing up current config, then obtaining latest security patches, if any are available. * Scan all these "smart" and IoT home connections, identify which of them have what viruses, remove them. Have option to setup an automated schedule of scans, like we have on most computers. * Offer a log of hack attempts into your home's connected devices, and a way to share that log with security organizations, similar to DShield of Firewall logs, and KNUJON for spam e-mail. * Offer a log, on incidents of smart devices sending info from our home, which we can sort to see which devices are most prolific in doing so. * Plug & Play alert the moment another "smart" or "IoT" or other similar technology device is introduced into the household. * Develop a hand held device to carry around to locate the spies which have Internet connections. For connected devices in which it is impossible to fix their cyber security, offer information links, which collectively provide: * Brand names of competitor products, which provide similar services, with vastly superior cyber security; * How to disconnect the "smart" or "IoT" hardware, making it impossible for that device to be a continuing threat. * Legal site opinion on whether it is against the law in your nation, city, province, etc. to disconnect this threat, what the penalties can be if you do so, and are caught. * While we may own devices for specific purposes, but illegal for us to use them for other purposes, who can we sue, when those devices act against our best interests?
Please report problems with the web pages to the maintainer