Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Unraveling the Russia Story So Far Scott Shane and Mark Mazzetti *The New York Times* Special Report, Section F, 20 Sep 2018 F2-F3. As the Trump campaign advanced, Russia stepped up efforts on three fronts: hacks and leaks, social media fakery, and outreach to Trump associates. F4-F8. Vladimir Putin was nostalgic for Russia's lost superpower status and believed the United States had sought to undermine his presidency. F9-F10. As hacked emails shook the Democratic Party, Russian online trolls reached an audience of nearly as many Americans as would vote in the election. F11-12. President Trump has sown doubts about the federal investigation and created a new affinity for Russia among his most devoted supporters. There is also a remarkably comprehensive running timeline (across the tops of pages F4 to F12), “showing the full scale of Russia's unprecedented interference in the 2016 election—and its aftermath.'' This would be an invaluable read for people who are deniers (other than those who measure fine silk or value old European coins).
via NNSquad https://www.washingtonpost.com/world/national-security/in-georgia-a-legal-battle-over-electronic-vs-paper-voting/2018/09/16/d655c070-b76f-11e8-94eb-3bd52dfe917b_story.html Logan Lamb, a cybersecurity sleuth, thought he was conducting an innocuous Google search to pull up information on Georgia's centralized system for conducting elections. He was taken aback when the query turned up a file with a list of voters and then alarmed when a subsequent, simple data pull retrieved the birth dates, drivers' license numbers and partial Social Security numbers of more than 6 million voters, as well as county election supervisors' passwords for use on Election Day. He also discovered the server had a software flaw that an attacker could exploit to take control of the machine. The unsecured server that Lamb exposed in August 2016 is part of an election system—the only one in the country that is centrally run and relies upon computerized touch screen voting machines for Georgia's 6.8 million voters—that is now at the heart of a legal and political battle with national security implications.
Grigor Atanesian, Wisconsin Center for Investigative Journalism. https://www.usnews.com/news/best-states/wisconsin/articles/2018-09-16/wisconsin=-officials-prepare-for-potential-election-hackers [Very long item. Heavily PGN-excerpted. PLEASE READ THE ENTIRE ARTICLE IF YOU SEEK ELECTION INTEGRITY.] Cybersecurity experts say Wisconsin and many other states have specific potential vulnerabilities in their election systems, including the use of private vendors to program and service voting machines. Madison, Wis. (AP) A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official. These are some of the potential vulnerabilities of Wisconsin's election system described by cybersecurity experts. [...] In July, the Wisconsin Center for Investigative Journalism reported that Russian hackers have targeted websites of the Democratic Party of Wisconsin, the state Department of Workforce Development and municipalities including Ashland, Bayfield and Washburn. Elections in this swing state are administered by 1,853 municipal clerks, 72 county clerks and the Wisconsin Elections Commission. Top cybersecurity experts from the United States, Canada and Russia interviewed by the Center said that some practices and hardware components could make voting in Wisconsin open to a few types of malicious attacks, and that Russian actors have a record of these specific actions. And it is not just Wisconsin—this is a nationwide threat, the National Academy of Sciences, Engineering and Medicine stated in its newly released report, Securing the Vote. [...] Former longtime Legislative Audit Bureau manager Karen McKim, a coordinator for the Madison-based grassroots group Wisconsin Election Integrity, said many Wisconsin elections officials do not realize "how very much is completely outside their control. They really, truly, do believe that if they keep the individual voting machines unconnected from the Internet and do pre-election testing, that the software is safe," said McKim, whose group advocates for measures to secure Wisconsin's elections. [...] Dane County Clerk Scott McDonell said large counties in Wisconsin such as his "typically code their own elections," but "the small ones are outsourcing. If I were being paranoid," he added, "I would worry about the outsourced ones." [...] Computer scientist J. Alex Halderman, who was part of the team that pushed for the 2016 recount of the presidential vote in Wisconsin, told the U.S. Senate Intelligence Committee that private vendors can make elections systems vulnerable. "Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters," Halderman, director of the University of Michigan's Center for Computer Security and Society, testified in 2017. [...] Harri Hursti, an international expert on election cybersecurity and co-founder of the Voting Machine Hacking Village at the annual DEFCON hacker conference, agreed. He said that "it is hard to make the claim that anything using any kind of USB devices can be air-gapped," or physically isolated from attack. "USB memory cards are mini-computers," Hursti said, "and we have known for years how to reprogram those to carry malicious content over air gaps and extract confidential information." [...] Experts said another potential vulnerability is associated with the use of modems in voting machines across Wisconsin to transmit unofficial Election Day results. In some cases, those modems are transmitting results over the Internet, Haas, the former Elections Commission administrator, acknowledged in 2016 testimony during the legal battle over Wisconsin's presidential recount. [...] However, computer scientists say that existing defense measures can be overrun. According to *The New Yorker*, such concerns have prompted four states—New York, Maryland, Virginia and Alabama—to prohibit the use of machines with modems to transmit election results. [...] Another practice criticized by the computer scientists is the use of cellular technology to transmit unofficial election results. Cellular networks' security liabilities were detailed in a 2017 U.S. Department of Homeland Security report, which called for enhanced protections when governments use cellular technology. [...] In February, two Princeton University computer science professors, Andrew Appel and Kyle Jamieson, published a blog describing possible scenarios to hack modems used in DS200 paper ballot tabulators, including erecting fake cellphone towers near voting locations like police do with Stingray devices. "If your state laws, or a court with jurisdiction, say not to connect your voting machines to the Internet, then you probably shouldn't use telephone modems either," they said. [...] But even discrepancies between initially reported unofficial results and the outcome of the election may achieve Russia's goal of sowing discord, according to FireEye's McNamara. He is among those cautioning against becoming too focused on the vulnerabilities of America's vote-tallying systems. McNamara said the Kremlin's goal may be simpler: "Attacking the confidence of electoral process itself." [...]
https://www.theguardian.com/commentisfree/2018/sep/17/science-behind-brexit-vote-trump
Sen. Ron Wyden (D-Ore.) is trying to expand the Senate Sergeant at Arms' mandate to provide protection for senators' and staffers' personal accounts and devices, as well as their official ones. https://www.washingtonpost.com/powerpost/democrat-pushes-changes-to-protect-senators-personal-accounts-from-continued-threats/2018/09/19/57ff1678-bc69-11e8-8792-78719177250f_story.html
I got a loaner/rental from a car dealership today, and rather than printing out a contract, they sent me a text message with a link to a bare-bones PDF that, to be honest, I could have forged in about 15 seconds. But I suppose a car thief wouldn't bother. In any case, the risk is that I get pulled over and have no cell service (or my phone has died because I left the charging cord in my car). What would I do—ask the cop to follow me until I got service?? A small risk, but seems like maybe they're trying too hard to be all high-tech. Interesting: the host in the link was an amazonaws host.
Defect is latest example of problems generated by the growing use of software to control a car's mechanical functions https://www.wsj.com/articles/gm-recalls-one-million-pickups-and-suvs-in-u-s-for-crash-risk-1536845725
https://www.scientificamerican.com/article/former-fema-chief-uses-ai-to-prepare-for-hurricanes-and-rising-seas/ Predicting greater flood potential can be applied to determine insurance eligibility. Application may force families, communities, or businesses to relocate as rates adjust to accommodate storm surge or inundation risks.
Master Blaster https://soranews24.com/2018/09/17/major-japanese-ramen-chains-logo-confuses-honda-cars-ai/ Motorist and Twitter user Yukiesu (@yuk381) posted a scene from his driver seat in front of a Tenkaippin ramen store. In it, despite just sitting in the parking lot, a warning on his dashboard is indicating that the car sees a "Do Not Enter" sign.
With road conditions changing rapidly, officials advised travelers to check back frequently ” especially because satellite navigation systems were still directing drivers to dangerous stretches of roadway. https://www.washingtonpost.com/news/post-nation/wp/2018/09/16/florence-several-deaths-reported-as-storm-swamps-carolinas/
Lauren's Blog https://lauren.vortex.com/2018/09/12/eu-preliminarily-passes-horrific-articles-11-13-heres-how-to-fight-back By a vote of 438 to 226, the massively confused and lobbyists-owned EU Parliament has preliminary passed horrific Article 11 and Article 13, aimed at turning ordinary users into the slaves of government-based Internet censorship and abuse. The war isn't over, however. These articles now enter a period of negotiation with EU member states, and then are subject to final votes next year, probably in the spring. So now's the time for the rest of the world to show Europe some special "tough love"—to help them understand what their Internet island universe will look like if these terrible articles are ever actually implemented. Article 11 is an incredibly poorly defined "link tax" aimed at news aggregators. If Article 11 is implemented, the reaction by most aggregators who have jurisdictional exposure to the EU (e.g., EU-based points of presence) will not be to pay the link taxes, but rather will be to completely cease indexing those EU sites. Between now and the final votes next year, news aggregation sites should consider temporarily ceasing to index those EU sites for various periods of time at various intervals, to give those sites a taste of what happens to their traffic when such indexing stops, and what their future would look like under Article 11. Then we have Article 13's massive, doomed-to-disaster content filtering scheme, which would be continually inundated with false matches and fake claims (there are absolutely no penalties under Article 13 for submitting bogus claims). While giant firms like Google and Facebook would have the resources to implement Article 13's mandates, virtually nobody else could. And even the incredibly expensive filtering systems built by these largest firms have significant false positive error rates, frequently block permitted content, and cost vast sums to maintain. A likely response to Article 13 by many affected firms would be to geoblock EU users from those company's systems. That process can begin now on a "demonstration" basis. The IP address ranges for EU countries can be easily determined in an automated manner, and servers programmed to present an explanatory "Sorry about that, Chief—You're in the EU!" message to EU users instead of the usual services. As with the Article 11 protest procedure noted above, these Article 13 IP blocks would be implemented at various intervals for various durations, between now and the final votes next year. The genuinely sad part about all this is that none of it should be necessary. Article 11 and 13 mandates will never work as their proponents hope, and if deployed will actually do massive damage not only to EU (and other) users at large, but to the very constituencies that have lobbied for passage of these articles! And that's a lose-lose situation in any language. [Gene Wirchenko noted this item by David Meyer: "The EU's new Copyright Directive really is that bad": New rules will make it harder to share links and content. So can it be stopped? 13 Sep 2018 https://www.zdnet.com/article/the-eus-new-copyright-directive-really-is-that-bad/
https://gizmodo.com/deepfake-videos-are-getting-impossibly-good-1826759848 *Deepfakes*, ultra-realistic fake videos manipulated using machine learning, are getting pretty convincing And researchers continue to develop new methods to create these types of videos, for better or, more likely, for worse. The most recent method comes from researchers at Carnegie Mellon University, who have figured out a way to automatically transfer the style of one person to another... https://gizmodo.com/it-was-only-a-matter-of-time-before-internet-trolls-mad-1822463473 https://gizmodo.com/researchers-come-out-with-yet-another-unnerving-new-de-1828977488
https://www.nytimes.com/2018/09/12/magazine/google-maps-location-data-privacy.html How looking at the location data that the company collects about you lets you see yourself in a whole new way.
NNSquad https://tech.slashdot.org/story/18/09/15/2147254/uber-glitch-stops-payments-to-drivers-prices-surge Now the San Diego Reader reports the issue "is forcing San Diego drivers off the road," with the shortage of drivers triggering surge pricing throughout the entire region as much as triple the usual rate. Surge pricing is also hitting riders in Dallas, according to another Uber driver's tweet, who complains "It's a shame that a $48 billion 'tech' company can't get it together. [Also noted by Gabe Goldberg. PGN]
The city council of Mill Valley, a small town located just a few miles north of San Francisco, voted unanimously late last week to effectively block deployments of small-cell 5G wireless towers in the city's residential areas. Through an urgency ordinance, which allows the city council to immediately enact regulations that affect the health and safety of the community, the restrictions and prohibitions will be put into force immediately for all future applications to site 5G telecommunications equipment in the city. Applications for commercial districts are permitted under the passed ordinance. The ordinance was driven by community concerns over the health effects of 5G wireless antennas. According to the city, it received 145 pieces of correspondence from citizens voicing opposition to the technology, compared to just five letters in support of it ” a ratio of 29 to 1. While that may not sound like much, the city's population is roughly 14,000, indicating that about 1% of the population had voiced an opinion on the matter. https://techcrunch.com/2018/09/10/bay-area-city-blocks-5g-deployments-over-cancer-concerns/
When Mangesh Gururaj's wife left home to pick up their child from math lessons one Sunday this month, she turned on her Tesla Model S and hit "Summon," a self-parking feature that the electric automaker has promoted as a central step toward driverless cars. But as the $65,000 sedan reversed itself out of the garage, Gururaj said, the car bashed into a wall, ripping off its front end with a loud crack. He said the damaged Tesla looked like it would have kept driving if his wife hadn't hit the brakes. No one was hurt, but Gururaj was rattled: The car had failed disastrously, during the simplest of maneuvers, using one of the most basic features from the self-driving technology he and his family had trusted countless times at higher speeds. http://www.latimes.com/business/la-fi-hy-tesla-self-driving-20180913-story.html
The agency warned that attackers may be refining a scheme to redirect federal student aid money to private bank accounts, preparing for times when large volumes of aid are disseminated, and said the phishing attempt is a serious threat. https://www.washingtonpost.com/education/2018/09/15/education-department-warns-that-students-financial-aid-are-being-targeted-phishing-attacks/
https://www.nytimes.com/2018/09/13/technology/standard-market-retail-automation-behavioral-data.html "The goal is to predict, and prevent, shoplifting, because unlike Amazon's Go stores, which have a subway turnstile-like gate for entry and exit, Standard Market has an open door, and the path is clear." This 24/7 shop got at least one thing right: there are no locks on the doors!
https://www.forensicmag.com/news/2018/09/new-research-can-identify-extremists-online-even-they-post-dangerous-content New research has found a way to identify extremists, such as those associated with the terrorist group ISIS, by monitoring their social media accounts, and can identify them even before they post threatening content. The research, "Finding Extremists in Online Social Networks," which was recently published in the INFORMS journal Operations Research, was conducted by Tauhid Zaman of the Massachusetts Institute of Technology; Lieutenant Colonel Christopher E. Marks, U.S. Army; and Jytte Klausen of Brandeis University The number and size of online extremist groups using social networks to harass users, recruit new members, and incite violence is rapidly increasing. While social media platforms are working to combat this (in 2016, Twitter reported it had shut down 360,000 ISIS accounts) they traditionally rely heavily on users' reports to identify these accounts. In addition, once an account has been suspended, there is little that can be done to prevent a user from opening up a new account, or multiple accounts. "Social media has become a powerful platform for extremist groups, ranging from ISIS to white nationalist "alt-right" groups," said Zaman. "These groups use social networks to spread hateful propaganda and incite violence and terror attacks, making them a threat to the general public." Identifying extremists before they pose a threat online The researchers collected Twitter data from approximately 5,000 "seed" users who were either known ISIS members or who were connected to many known ISIS members as friends or followers. They obtained their names through news stories, blogs, and reports released by law enforcement agencies and think tanks. In addition to reviewing the content of 4.8 million tweets from these users' timelines (including text, links, hash tags, and mentions), they also tracked account suspensions, as well as any suspensions of their friends and followers accounts. For the purpose of this study, the researchers focused on the account networks forged by known ISIS and Al Qaeda sympathizers and known foreign fighters and content that had been flagged by Twitter as terrorist in nature. Using statistical modeling of extremist behavior with optimized search policies and actual ISIS user data, the researchers developed a method to predict new extremist users, identify if more than one account belongs to the same user, as well as predict network connections of suspended extremist users who start a new account. In addition, by tracking and comparing data on screen names, user name, profile images and banner images, the researchers were also able to identify 70 percent of additional Twitter profiles held by extremist users, with only a 2 percent incidence of misclassifying profiles. "We created a new set of operational capabilities to deal with the threat posed by online extremists in social networks," said Marks. "We are able to predict who is an extremist before they post any content, and then able to predict where they will re-enter the network after they are suspended. In short, we can automatically figure out who is an extremist and keep them of the social network." While the study was conducted using data from accounts belonging to ISIS extremists on Twitter, their methodology can be applied to any extremist group and any social network. "Users that engage in some form of online extremism or harassment will have very similar behavioral characteristics in social networks," said Klausen. "They will connect to a specific set of users which form their extremist group. They will create new accounts which will resemble their old accounts after being suspended, and when the return to the social network following a suspension, there is a high probability they will reconnect with certain former friends."
Whoops! Weather Channel Caught in Fake News Scam—Blown Reporter Did Not Expect Kids in Shorts to Spoil Shot? https://www.thegatewaypundit.com/2018/09/whoops-weather-channel-caught-in-fake-news-scam-wind-blown-reporter-did-not-expect-kids-in-shorts-to-spoil-shot-video/
Catalin Cimpanu for Zero Day | 19 Sep 2018 Simple denial of service bug can crash unpatched Bitcoin network nodes and may also affect many Bitcoin-based cryptocurrency offshoots. The Bitcoin team fixed today a severe vulnerability in the software that underpins the entire Bitcoin network. https://www.zdnet.com/article/bug-in-bitcoin-code-also-opens-smaller-cryptocurrencies-to-attacks/
I have been studying quantum computing, in terms of its implications for security, for some time now. itsecurity.co.uk/2016/09/security-implications-quantum-computing/ Sometimes the news is good. https://community.isc2.org/t5/Industry-News/Quantum-computers-really-are-better/m-p/11746#M1140 or https://is.gd/tkLyQF Oftentimes people get it wrong. https://community.isc2.org/t5/Tech-Talk/Cryptography-need-to-go-down-the-rabbit-hole-suggestions/m-p/13293/highlight/true#M386 or https://is.gd/70hYhU But this news is extremely disturbing. https://www.scientificamerican.com/article/reimagining-of-schroedingers-cat-breaks-quantum-mechanics-mdash-and-stumps-physicists1/ or https://is.gd/Ylj3jM If the implications of this thought experiment are true, then quantum computers may be impossible. (Or, if possible, then subject to extremely weird sorts of race conditions that make Intel architectures seem positively reliable ...) https://community.isc2.org/t5/Industry-News/Foreshadowing-the-end-of-computing-as-we-know-it/m-p/13822#M1456 or https://is.gd/sFO1MV
https://www.washingtonpost.com/technology/2018/09/14/what-cardiologists-think-about-apple-watchs-heart-tracking-feature "But there is also concern that widespread use of electrocardiograms without an equally broad education initiative could burden an already taxed health-care system. Heart rhythms naturally vary, meaning that it's likely that Apple Watch or any heart monitor could signal a problem when there isn't one—and send someone running to the doctor for no reason." "The FDA has cleared Apple's device as a Class II medical device, meaning that it is intended to diagnose or treat a medical condition and poses a minimal risk to use. (Other Class II devices include some powered wheelchairs and pregnancy kits, according to the FDA website.) In its letter to Apple clearing the feature, the FDA listed as a risk factor the potential for mistakenly flagging a problem, prompting unneeded treatment." Hypochondriacs take note: This watch is for you.
Catalin Cimpanu for Zero Day | 19 Sep 2018 A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations. If you're one of the people who own a stylus or touchscreen-capable Windows PC, then there's a high chance there's a file on your computer that has slowly collected sensitive data for the past months or even years. This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text. The handwriting to formatted text conversion feature has been added in Windows 8, which means the WaitList.dat file has been around for years. "In my testing, population of WaitList.dat commences after you begin using handwriting gestures," Skeggs told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on." "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says. https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/
Before I "upgraded" to Windows 10 (yeah, I seriously regret it ...) my editor of choice was Word Perfect. Version 4.2. For those of you not old enough to understand that, it was written in 1985. I used it for 30 years. It worked just fine. It was, as far as I know, the last commercial program to be code optimized. So I have great sympathies with this fellow who is disenchanted with our current bloated software practices. http://tonsky.me/blog/disenchantment/ Lest you think this is just another rant from an old IT curmudgeon, it does have a security point. Complexity is the enemy of security. It's not just that now, in order to run these bloated applications, we have to have multi-core CPUs that are subject to race conditions https://community.isc2.org/t5/Industry-News/The-Spectre-of-multi-core-CPUs/m-p/10827 or https://is.gd/Asvvhx or give away secret information. https://community.isc2.org/t5/Industry-News/Foreshadowing-the-end-of-computing-as-we-know-it/m-p/13822 or https://is.gd/O2Jfrb It's having to have 150 megabyte programs just to draw a keyboard on a screen. (Yes, I know we get autocorrect thrown in. Not everyone considers that a benefit.) http://www.damnyouautocorrect.com/ When we used to have viruses that clocked in at hundreds of bytes (and, yes, I know even malware has gotten bloated these days) how much damage can you do with that much space to hide in? It follows that their demolitions of the White House, Los Angeles, Sydney Opera House, and so on were probably not intended as conquering tactics, merely assertions of good taste - Verity Stob victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade
More griping... http://screencrush.com/you-dont-own-your-itunes-movies/ https://theoutline.com/post/6167/apple-can-delete-the-movies-you-purchased-without-telling-you And the real story: https://www.cnet.com/news/no-apple-didnt-delete-that-guys-movies-heres-what-really-happened/ Bottom line: Though his tweets went viral <https://twitter.com/drandersgs/status/1039270646243414016> he did chat with Apple Support, the company didn't delete or actively "remove" the movies that disappeared from Anders Gonçalves da Silva's iTunes library and his devices. It seems to have been a more complicated mix-up, based on the fact that da Silva moved his residence from one country to another.
Let me add to the mix. In one of the courses on my Bachelor of Computing Science, we were required to give a presentation. Mine was entitled "The Worldwide Web / An Invitation to Stupidity". I found a lot of material.
Please report problems with the web pages to the maintainer