Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of Terms of Service for the site -- however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Kim Zetter wrote an absolutely wonderful long article, with a very clever cover page, in *The New York Times* Sunday Magazine section. For those of you who actually read the print edition, the very fine-print footnote to the title on the cover of the Magazine section tells it all, beautifully. For those of you who read The Times online, you will miss out on the cover -- and have to read the entire article. As the midterms approach, America's electronic voting systems are more vulnerable than ever. Why isn't anyone trying to fix them? https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html
Robert McMillan and Dustin Volz, *The Wall Street Journal*, 27 Sep 2018 via ACM TechNews, Friday, September 28, 2018 Election machines used in more than half of U.S. states contain a decade-old flaw that makes them vulnerable to a cyberattack, according to a report based on research conducted last month at the Def Con hacker conference, which was released Thursday. The vulnerability was found in the Model 650 high-speed ballot-counting machine from Election Systems & Software (ES&S), and is one of about seven security issues identified in several models of voting equipment described in the report. The Model 650 machine does not have the advanced security features of more-modern systems, but ES&S says its security is "strong enough to make it extraordinarily difficult to hack in a real-world environment." Many of the flaws cited in the report can be exploited only through physical access to the machines, but hackers could exploit others via remote access. The company has said it considers cybersecurity a top priority, and has never experienced a breach. https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1ca89x217941x072467%26
[Security and Privacy Code Review FAIL] https://www.engadget.com/2018/09/28/facebook-hack-exposed-info-on-up-to-50-million-users/ Facebook announced on Friday that it has suffered a data breach affecting up to 50 million users. According to a report from the New York Times, Facebook discovered the attack on Tuesday and has contacted the FBI. The exploit reportedly enables attackers to take over control of accounts, so, as a precaution, the social network has automatically logged out more than 90 million potentially compromised accounts. "This is a really serious security issue and we're taking it really seriously," Facebook CEO Mark Zuckerberg told reporters during a Friday media call. [Gene Wirchenko noted "Facebook discloses network breach affecting 50 million user accounts", by Natalie Gagliordi https://www.zdnet.com/article/facebook-discloses-network-breach-affecting-50-million-user-accounts/ PGN]
"Travelers refusing digital search now face $5000 Customs fine" [*] I can't imagine what NZ will do to travelers with implanted digital devices, including medical devices. Of course, as a member of the "Five Eyes", NZ will also share all of your digital info with the other Four. Probably best to leave NZ to the New Zealanders, and enjoy NZ movies and their excellent wine w/o having to be strip-searched there. Two L with NZ, I say! [* Speaking of TWO L, I generally change "traveller" to "traveler". My rule is that there should be a difference between accented double letters and unaccented double letters. TRAvelers is not traVELLers. PGN] https://www.msn.com/en-nz/news/national/travellers-refusing-digital-search-now-face-dollar5000-customs-fine/ar-BBNLCFW Travelers who refuse to hand over their phone or laptop passwords to Customs officials can now be slapped with a $5000 fine. The Customs and Excise Act 2018—which comes into effect today—sets guidelines around how Customs can carry out "digital strip-searches". Previously, Customs could stop anyone at the border and demand to see their electronic devices. However, the law did not specify that people had to also provide a password. The updated law makes clear that travelers must provide access—whether that be a password, pin-code or fingerprint—but officials would need to have a reasonable suspicion of wrongdoing. "It is a file-by-file [search] on your phone. We're not going into 'the cloud'. We'll examine your phone while it's on flight mode," Customs spokesperson Terry Brown said. If people refused to comply, they could be fined up to $5000 and their device would be seized and forensically searched. Mr Brown said the law struck the "delicate balance" between a person's right to privacy and Customs' law enforcement responsibilities. "I personally have an e-device and it maintains all my records—banking data, et cetera, et cetera—so we understand the importance and significance of it." 
Council for Civil Liberties spokesperson Thomas Beagle said the law was an unjustified invasion of privacy. "Nowadays we've got everything on our phones; we've got all our personal life, all our doctors' records, our emails, absolutely everything on it, and customs can take that and keep it." The new requirement for reasonable suspicion did not rein in the law at all, Mr Beagle said. "They don't have to tell you what the cause of that suspicion is, there's no way to challenge it." Customs Minister Kris Faafoi said the power to search electronic devices was necessary. "A lot of the organised crime groups are becoming a lot more sophisticated in the ways they're trying to get things across the border. "And if we do think they're up to that kind of business, then getting intelligence from smartphones and computers can be useful for a prosecution." But Mr Beagle said "serious criminals" would simply store incriminating material online. "You'd be mad to carry stuff over on your phone." Privacy Commissioner John Edwards had some influence over the drafting of the legislation and said he was "pretty comfortable" with where the law stood. "There's a good balance between ensuring that our borders are protected ... and [that people] are not subject to unreasonable search of their devices." "You know when you come into the country that you can be asked to open your suitcase and that a Customs officer can look at everything in there." Border officials searched roughly 540 electronic devices at New Zealand airports in 2017. Customs will be required to keep Parliament updated on the number of devices searched every year. The agency said it did not expect the number to increase.
https://www.forbes.com/sites/thomasbrewster/2018/09/30/feds-force-suspect-to-unlock-apple-iphone-x-with-their-face/%234dbbfaaa1259
The ruling is a setback to the Justice Department and a victory for tech firms. https://www.washingtonpost.com/world/national-security/facebook-wins-court-battle-over-law-enforcement-access-to-encrypted-phone-calls/2018/09/28/df438a6a-c33a-11e8-b338-a3289f6cb742_story.html
https://www.cbc.ca/news/technology/omar-abdulaziz-spyware-saudi-arabia-nso-citizen-lab-quebec-1.4845179 It started with a tub of protein powder. Omar Abdulaziz ordered one on Amazon in late June and was waiting for it to arrive at his Sherbrooke, Que., apartment. Abdulaziz didn't think much of it when he received a text message later that day from DHL with a link to a tracking number, stating his package was on its way. In what has become a scarily effective hacking technique, the text message -- and the link it contained -- was not what it claimed to be. Abdulaziz believes he clicked the link, which would have let spyware burrow its way into his iPhone. There, it could copy his contacts and messages and even eavesdrop on calls. Its operators would have total control. But unlike the phishing attacks that ultimately helped Russian operatives disrupt the 2016 U.S. presidential election, the attack on Abdulaziz's phone was deeply personal. In a new report, researchers at the University of Toronto's Citizen Lab say that it was very likely conducted by the government of Abdulaziz's home country, Saudi Arabia.
Darlene Storm and Michelle Davidson, Computerworld | Sep 18, 2018 Easy way to bypass passcode lock screens on iPhones, iPads running iOS 12 The vulnerability allowing anyone to bypass the passcode lock screen still exists in iOS 12 running on iPhones and iPads that have Touch ID. Security Is Sexy https://www.computerworld.com/article/3041302/security/4-new-ways-to-bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html [Monty Solomon found this as well. https://www.macrumors.com/2018/09/29/iphone-passcode-bypass-contacts-photos/ PGN]
https://lauren.vortex.com/2018/09/30/criminal-behavior-how-facebook-steals-your-security-data-to-violate-your-privacy One of the most fundamental and crucial aspects of proper privacy implementations is the basic concept of "data compartmentalization" -- essentially, assuring that data collected for a specific purpose is only used for that purpose. Reports indicate that Facebook is violating this concept in a way that is directly detrimental to both the privacy and security of its users. I'd consider it criminal behavior in an ethical sense. If it isn't already actually criminal under the laws of various countries, it should be. There's been much discussion over the last few days about reports (confirmed by Facebook, as far as I can determine) that Facebook routinely abuses their users' contact information, including phone numbers provided by users, to ad target other users who may never have provided those numbers in the first place. In other words, if a friend of yours has your number in his contacts and lets Facebook access it, Facebook considers your number fair game for targeting, even though you never provided it to them or gave them permission to use it. And you have no way to tell Facebook to stop this behavior, because your number is in someone else's contacts address book that was shared and is under their control, not yours. This abuse by Facebook of "shadow contacts" is bad enough, but is actually not my main concern for this post today, because Facebook is also doing something far worse with your phone numbers. By now you've probably gotten a bit bored of my frequent posts strongly urging that you enable 2sv (two-step verification, 2-factor verification) protections on your accounts whenever this capability is offered. It's crucial to do this on all accounts where you can. Just a few days ago, I was contacted by someone who had failed to do this on a secondary account that they rarely used. 
That account has now been hijacked, and he's concerned that someone could be conducting scams using that account—still in his name—as a home base for frauds. It's always been a hard sell to get most users to enable 2sv. Most people just don't believe that they will be hacked—until they are and it's too late (please see: "How to 'Bribe' Our Way to Better Account Security" - https://lauren.vortex.com/2018/02/11/how-to-bribe-our-way-to-better-account-security). While among the various choices that can be offered for 2sv (phone-based, authenticator apps, U2F security keys, etc.) the phone-based systems offer the least security, 2sv via phone-based text messaging still greatly predominates among users with 2sv enabled, because virtually everyone has a mobile phone that is text messaging capable. But many persons have been reluctant to provide their mobile numbers for 2sv security, because they fear that those numbers will be sold to advertisers or used for some other purpose than 2sv. In the case of Google, such fears are groundless. Google doesn't sell user data to anyone, and the phone numbers that you provide to them for 2sv or account recovery purposes are only used for those designated purposes. But Facebook has admitted that they are taking a different, quite horrible approach. When you provide a phone number for 2sv, they feel free to use it as an advertising targeting vector that feeds into their "shadow contact" system that I described above. This is, as I suggested, so close to being criminal as to be indistinguishable from actual criminality. When you provide a phone number for 2sv account security to Facebook, you should have every expectation that this is the ONLY purpose for which that phone number will be used! By violating the basic data compartmentalization concept, Facebook actually encourages poor security practices, by discouraging the use of 2sv by users who don't want to provide their phone numbers for commercial exploitation by Facebook! 
Facebook will say that they now have other ways to provide 2sv, so you can use 2sv without providing a phone number. But they also know damned well that most people do use mobile phones for 2sv. There are very large numbers of people who don't even have smartphones, just simple mobile phones with text messaging functions. They can't run authenticator apps. Security keys are only now beginning to make slow inroads among user populations. So Facebook—in sharp contrast to far more ethical companies like Google who don't treat their users like sheep to be fleeced—is offering vast numbers of Facebook users a horrible Hobson's choice -- let us exploit your phone number for ad targeting, or suffer with poor security and risk your Facebook account being hijacked. This situation, piled on top of all the other self-made disasters now facing Facebook, helps to explain why I don't have a Facebook account. I realize that Facebook is a tough addiction to escape. "All my friends and family are on there!" is the usual excuse. But if you really care about them—not to mention yourself—you might consider giving Facebook the boot for good and all.
Stephanie Condon for Between the Lines | 26 Sep 2018 The nationwide settlement agreement also requires Uber to implement better data protection policies. https://www.zdnet.com/article/uber-to-pay-148-million-in-settlment-over-2016-data-breach-and-cover-up/ opening text: Uber has agreed to pay $148 million in a nationwide settlement agreement over its 2016 data breach and subsequent cover-up, state attorneys general announced Wednesday. The money will be dispersed across all 50 states and the District of Columbia. Uber has also agreed to take specific steps to better secure its employees' data.
Corinne Reichert, ZDNet, 28 Sep 2018 After being fined AU$10 million for misleading customers on its management of premium direct billing services, Telstra has also had to refund customers a total of AU$9.3 million. https://www.zdnet.com/article/telstra-refunds-customers-au9-3m-for-billing-practices/
Catalin Cimpanu for Zero Day | 25 Sep 2018 Bug was discovered after a user posted a theoretical question on Reddit. The developers of the Monero anonymous cryptocurrency have rolled out a patch today that addresses a bug that could have been used by hackers to obtain funds from exchanges illegally. https://www.zdnet.com/article/monero-bug-could-have-allowed-hackers-to-steal-massive-amounts-of-cryptocurrency/
Catalin Cimpanu for Zero Day | 23 Sep 2018 Wendy's faces lawsuit for unlawfully collecting employee fingerprints Restaurant chain faces class-action lawsuit in Illinois for breaking BIPA state law. https://www.zdnet.com/article/wendys-faces-lawsuit-for-unlawfully-collecting-employee-fingerprints/ A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy's accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints. The complaint is centered around Wendy's practice of using biometric clocks that scan employees' fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems.
Catalin Cimpanu for Zero Day | 25 Sep 2018 Server sabotage resulted in 17 days of delay in US Army Reserve pay. https://www.zdnet.com/article/man-gets-two-years-in-prison-for-sabotaging-us-army-servers-with-logic-bomb/ A US judge has sentenced an Atlanta man to two years in prison followed by three years of supervised release for sabotaging one of the US Army's payroll databases with a "logic bomb." According to investigators, Das didn't appear to take this handover lightly, and at some time before the changeover, he placed malicious code on the RLAS database that would execute days after the new company took over and would destroy locally-stored records.
"All 293 of the [2019 Subaru Ascent] SUVs that were built in July will be scrapped because they are missing critical spot welds. According to Subaru's recall notice filed with the U.S. National Highway Transportation Safety Administration, the welding robots at the Subaru Indiana Automotive plant in Lafayette, Ind., were improperly coded, which meant the robots omitted the spot welds required on the Ascents' B-pillar." https://developers.slashdot.org/story/18/09/23/0311221/coding-error-sends-2019-subaru-ascents-to-the-car-crusher
https://www.zdnet.com/article/ai-security-camera-detects-guns-and-identifies-shooters/ False positives may lead to unintentional shootings.
https://www.scientificamerican.com/article/will-l-a-s-anti-terrorist-subway-scanners-be-adopted-everywhere/ Terahertz millimeter-wave screening devices scan crowded public spaces to detect weapons/explosives. 'How the technology works in practice depends heavily on the operator's training. According to Evans, "A lot of tradecraft goes into understanding where the threat item is likely to be on the body." He sees the crucial role played by the operator as giving back control to security guards and allowing them to use their common sense.' 'Ultimately will these devices make public places safer? Opinions vary drastically. Schneier, for one, is a skeptic. "It makes no sense, because all it does is force an attacker to make minor changes to their plans," adding that he sees the technology as a step toward "militarization of the police." Evans responds: The scanners offer an alternative to leaving mass transit unprotected or increasing the visible police presence as terrorists shift their focus away from airports. "It's part of the solution," he says. "We don't claim it's the whole solution, and anyone who does is over-claiming their technology." But the enormity of the problem makes even that more modest goal a challenge. "A bomb can be set off anywhere in a free society," Stanley says. "When and where is the trade-off worth it? A lot of terrorism is not really very fussy about what's attacked. Are we going to screen everybody every time people get together in one place?"'
The problems caused widespread confusion, and many customers demanded to know why they could not book flights, print tickets or board their planes. https://www.nytimes.com/2018/09/25/business/delta-airlines-outage.html
So this scientist has taken a fall for rather questionable methods in directing scientific experiments. https://www.npr.org/sections/thesalt/2018/09/26/651849441/cornell-food-researchers-downfall-raises-larger-questions-for-science or https://is.gd/RC6Fju So what has this to do with security? Well, it sorta falls into the realm of integrity. Kinda like fake news. And what's wrong with what he was doing? After all, we teach about data warehousing, right? You got a bunch of data: what's wrong with using it to learn things aside from what you originally thought you were going to learn? That's sort of OK if you don't stray too far, but, at some point, you get into the realms of "shoot first: draw the target afterward."
If you express interest in buying drugs illicitly, expect a flood of solicitations to be funneled to you. https://www.washingtonpost.com/business/economy/instagram-has-a-drug-problem-its-algorithms-make-it-worse/2018/09/25/c45bf730-bdbf-11e8-b7d2-0773aa1e33da_story.html
We have seen bankruptcy trustees and Judges in some jurisdictions contend that the personal information held by failed companies is an asset that can be bought and sold, but "renting the room" containing the servers for $15,000 takes that to a whole new level. The relevant General Principles in Codes of Fair Information Practices and most Privacy Regulations are that Personal Information must only be used for the purposes for which it was originally collected, and cannot be passed along without the informed consent of the person involved. https://boingboing.net/2018/09/21/unencrypted-data.html "When Vancouver tech retailer NCIX went bankrupt, it stopped paying its bills, including the bills for the storage where its servers were being kept; that led to the servers being auctioned off without being wiped first, containing sensitive data—addresses, phone numbers, credit card numbers, passwords, etc—for thousands of customers. Also on the servers: tax and payroll information for the company's employees." https://www.bleepingcomputer.com/news/security/unwiped-drives-and-servers-from-ncix-retailer-for-sale-on-craigslist/
https://www.nsc.org/Portals/0/Documents/DistractedDrivingDocuments/Driver-Tech/Road%20to%20Zero/The-Report.pdf?ver=2018-04-17-111652-263 Fascinating report prepared by the Rand Corporation. Some of the acronyms used:
3HF: Three-Horizons Foresight
AACN: advanced automatic crash notification
ABP: assumption-based planning
ADAS: advanced driver assistance systems
AEB: automatic emergency braking
DADSS: Driver Alcohol Detection System for Safety
EMS: emergency medical services
FARS: Fatality Analysis Reporting System
HAV: highly automated vehicle
IIHS: Insurance Institute for Highway Safety
V2V: vehicle-to-vehicle
V2X: vehicle-to-everything
Will 3HF correct ABP vision and align the CRM-114 discriminator POE?
Yes, I know that in Europe, say, international borders might just clutter up maps, but in other parts of the world, well, they are a more serious matter and shouldn't be removed from maps just yet... https://github.com/openstreetmap/openstreetmap-website/issues/2002
https://www.straitstimes.com/singapore/tardy-responses-security-failings-led-to-singhealth-breach "Tardy responses owing to a lack of awareness of how critical the situation was and multiple security inadequacies contributed to the factors that led to a massive SingHealth cyber-attack compromising the personal data of 1.5 million patients." An embarrassing wakeup call for Singapore where medical tourism is a big draw throughout the APAC region. Deficient employee cybersecurity training practices, data breach reporting procedure gaps, temporary database connections left open across the network, malware implantation undetected, password specification weaknesses, etc.
https://www.npr.org/sections/health-shots/2018/09/30/652201204/perspective-a-heart-device-can-save-lives-but-doctors-need-to-explain-the-downsi [SafeLinks munged url?] Another cautionary tale about implantable devices. The piece discusses quality of life (QOL) outcome probabilities, and attempts to educate patients about informed choice selection: to implant or not to implant. Also mentioned are the "incentives" that device manufacturers offer physicians and medical centers to promote their products. Device implantation QOL outcomes (enhanced or diminished) are not predictably deterministic. "Of course, technology improves with time. A clinical trial published in May showed that a newer-model LVAD (left-ventricle assist device) had significantly fewer complications. This is encouraging, but it will be important to see whether these outcomes hold true in practice -- particularly because almost on the day that study was published, the manufacturer recalled the device to deal with technical problems." Technology does not always 'improve' with time; it changes, sometimes for good, sometimes for bad. The Hassle Factor (something like Murphy's Law) is immutable. This outcome is especially pronounced for software stacks. When implantable device manufacturers are compelled to disclose and publish at least this life cycle collateral: (a) a device test plan; (b) the device test results (conducted via a random control trial protocol); (c) wall clock to qualify each candidate change pushed into the stack; and, (d) top-10 reported defect escapes for their released, version-controlled implantable device, consumers will then be empowered to make a rational choice based on data, not a video packaged as manufacturer's propaganda. Granted, most consumers only want implanted devices to "work"—produce a favorable QOL outcome. 
Most implantation candidates would likely prefer an informed and conflict-free, independent 3rd party to assess the device test life cycle outcomes for them, and make a recommendation. Consumer Reports or Underwriters Laboratory are candidate organizations that can fulfill this public interest.
This trial, organized several years ago, was discussed here starting with RISKS 28.17. RISKS followers may be interested to learn that the trial has been completed, with a result that hardly anyone anticipated. As described in the New England Journal of Medicine (379(8): 711-721, 787-788 (2018-08-23)), administering epinephrine in conventional doses to patients in cardiac arrest results in improved 30-day survival, but no improvement in neurological outcome.
I think you're forgetting the bit where we had to have single-core CPUs pumping bloat so fast they melted themselves blowing fuses city-wide... and sales went down. So the chipmakers went with more-slower-cores instead and for a short while were decrying the programmers' inability to program in parallel. Until the software industry called and asked if they ever heard about biting the hand that feeds them. On the plus side I can finally run the original Master of Orion complete with the original Sound Blaster emulation in DosBox. Again. Because let's face it: the sequels, especially the latest cellphone glitz version, are... just bloat.
Martyn, thanks for correcting my garbled interpretation of the NHTSA statistic. The NHTSA's metrics (see https://crashstats.nhtsa.dot.gov/Api/Public/Publication/812456) comprise a factual reporting source. The metrics discriminate among vehicle type (SUV, passenger car, pickup truck, motorcycle, etc.). Deaths per 100 million vehicle miles traveled, be they carbon or silicon driven, comprise an aggregate key indicator. Segregating this indicator (e.g., carbon v. silicon driven) may be valuable, provided that comparison reporting is accurate. If, hypothetically, NHTSA reported:
CB (Carbon-based) 100VMT for 2016: 1.2 (~270M registered vehicles)*
SB (Silicon-based) 100VMT for 2016: 3 (~100 registered vehicles)^
this hypothetical statistic would demonstrate a safety disadvantage for AVs. Not a likely selling point for consumers currently. Also, the AV sample size is at least 4 orders of magnitude smaller than the CB population. Not hard to imagine AV vendors trivializing or spinning this statistic. Also, many consumers are mathematically challenged by the term "order of magnitude." https://www.statista.com/statistics/183505/number-of-vehicles-in-the-united-states-since-1990/ https://static.googleusercontent.com/media/www.google.com/en//selfdrivingcar/files/reports/report-0916.pdf I also note that Alphabet/Waymo is apparently "throwing down the gauntlet" for AV deployment in 2020. See https://www.recode.net/2018/3/27/17167906/alphabet-waymo-self-driving-jaguar-electric-ride-hail Perhaps the NHTSA will introduce the SB statistic after 2020 go-live (or go-dead)!
Politicians and physics do not mix, except when a nuclear issue arises... The energy of a photon, E = h * f, or h * c/lambda, where h is Planck's constant, f is the photon frequency, and lambda the wavelength, establishes photo-ionization potential—the ability of a photon to eject an electron from an atom (in a DNA molecule, for instance) and potentially initiate cancer formation. Cellphone frequencies range from ~0.45 to 6 GHz. Doing the math per https://www.1728.org/freqwave.htm:
0.45 GHz or ~66.6 cm or ~1.86 microvolts
6.0 GHz or ~4.9 cm or ~25 microvolts
Ionization potential for carbon, hydrogen, and oxygen atoms: 11.2/13.6/13.6 eVolts. These values are 5-6 orders of magnitude larger than cell phone energy radiation. 5G spectrum might approach ~30 GHz, but the radiated energy remains in the trivial range compared to ionization energy. A cellphone might be used to warm croissant crumbs @ 2 GHz.
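Carrying the E = h * f calculation above through in code, as an added example that is not part of the contributor's post: it returns per-photon energy in electronvolts (the post's figures are micro-electronvolts, µeV) and wavelength for each band, how many orders of magnitude a single photon falls short of the listed ionization potentials, and the lowest frequency at which single-photon ionization would begin. The constants h, c and the eV are the exact SI values; the ionization potentials are the post's own numbers; the band labels and the 2.45 GHz entry are assumptions for illustration.

```python
"""Single-photon energy vs. ionization energy for cellphone bands.

Added worked example (not from the RISKS post). E = h*f is evaluated for the
frequencies the post quotes and compared with the ionization potentials it
lists. h, c and the electronvolt are the exact values of the 2019 SI.
"""
import math

PLANCK_J_S = 6.62607015e-34   # Planck's constant h, J*s (exact)
LIGHT_M_S = 299_792_458.0     # speed of light c, m/s (exact)
EV_J = 1.602176634e-19        # one electronvolt in joules (exact)

# Ionization potentials in eV, exactly as the post gives them.
IONIZATION_EV = {"C": 11.2, "H": 13.6, "O": 13.6}


def photon_energy_ev(freq_hz: float) -> float:
    """Energy of one photon of frequency freq_hz, in electronvolts: E = h*f."""
    return PLANCK_J_S * freq_hz / EV_J


def wavelength_m(freq_hz: float) -> float:
    """Free-space wavelength lambda = c / f, in metres."""
    return LIGHT_M_S / freq_hz


def decades_below_ionization(freq_hz: float, ionization_ev: float) -> float:
    """Orders of magnitude (log10) by which one photon falls short of ionization_ev."""
    return math.log10(ionization_ev / photon_energy_ev(freq_hz))


def ionization_threshold_hz(ionization_ev: float) -> float:
    """Lowest photon frequency that carries ionization_ev: f = E / h."""
    return ionization_ev * EV_J / PLANCK_J_S


def can_single_photon_ionize(freq_hz: float, ionization_ev: float) -> bool:
    """True only if a single photon at freq_hz carries at least ionization_ev."""
    return photon_energy_ev(freq_hz) >= ionization_ev


if __name__ == "__main__":
    # Band labels are assumptions for illustration; 2.45 GHz is the common
    # microwave-oven / Wi-Fi frequency, added here for comparison.
    bands = {"cellular, low edge": 0.45e9, "microwave oven / Wi-Fi": 2.45e9,
             "cellular, high edge": 6.0e9, "5G mmWave (approx.)": 30e9}
    for name, f in bands.items():
        e_uev = photon_energy_ev(f) * 1e6
        short = decades_below_ionization(f, IONIZATION_EV["H"])
        print(f"{name:24s} {f/1e9:6.2f} GHz  lambda = {wavelength_m(f)*100:6.2f} cm  "
              f"E = {e_uev:8.3f} micro-eV  short of H ionization by {short:.1f} decades")
    for atom, ip in IONIZATION_EV.items():
        f_thr = ionization_threshold_hz(ip)
        print(f"{atom}: single-photon ionization needs >= {f_thr/1e15:.2f} PHz "
              f"(lambda ~ {wavelength_m(f_thr)*1e9:.0f} nm, far ultraviolet)")
```

The comparison is per photon, which is the only quantity that matters for ionization; radiated power (many photons per second) governs heating, which is a separate question from the one the post addresses.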
Berkman Klein Center for Internet & Society at Harvard A report that is worth reading: Artificial Intelligence & Human Rights: Opportunities & Risks https://cyber.harvard.edu/publication/2018/artificial-intelligence-human-rights F. Raso, H. Hilligoss, V. Krishnamurthy, C. Bavitz, L. Kim Berkman Klein Center for Internet & Society at Harvard University - Readable for non-computer-scientists, thanks to the clean & clear language used; - Interesting for computer scientists, because it helps them elaborate on the potential impacts of their work.
Please report problems with the web pages to the maintainer