Atomic research agency acknowledges "isotope power source" of "rocket engine" exploded. Ars Technica: https://apple.news/ACGIU3viPQvmd1MPkMUV_uQ
https://www.latimes.com/california/story/2019-08-12/facial-recognition-software-mistook-1-in-5-california-lawmakers-for-criminals-says-aclu
Israeli security researchers have found that a database belonging to the web-based Biostar 2 biometric lock system was unprotected and mostly unencrypted. It exposed fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees. https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms [Also noted by John Utteridge. PGN]
"A huge data breach in security platform BioStar 2": https://www.vpnmentor.com/blog/report-biostar2-leak/ If this leak—discovered by Vpnmentor researchers—has been exploited by criminals, the results would be disastrous. According to the Vpnmentor blog, the database contains plaintext—*not* hashed—passwords and biometric data for millions of users. These users are employees of firms using the Biostar 2 access control application (including administrators). You can change a compromised password, but your fingerprint is not only fixed, but shared across all applications which use fingerprint recognition. What is your contingency plan?
University of Waterloo News (14 Aug 2019) via ACM TechNews, 19 Aug 2019 Researchers in the Cheriton School of Computer Science and the Department of Management Science of Canada's University of Waterloo have incorporated blockchain into energy systems, which could expand charging infrastructure for electric vehicles (EVs). An open blockchain platform will give EV owners, property owners, and charging service operators access to charging data, and alert them to tampering; EV owners will be able to see whether they are being overcharged for charging their vehicles, and property owners will be alerted to instances of underpayment. Said Waterloo's Christian Gorenflo, "Mitigating trust issues in EV charging could result in people who have charging stations and even those who just have an outdoor outlet being much more willing to team up with an EV charging service provider, resulting in much better coverage of charging stations." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-21235x21d3e7x069144&
Lucas Mearian, Computerworld As the desire to increase voter turnout remains strong and the number of online voting pilot projects rises in the U.S. and abroad, some security experts warn any Internet-based election system is wide open to attack, regardless of the underlying infrastructure. https://www.computerworld.com/article/3430697/why-blockchain-could-be-a-threat-to-democracy.html selected text: Even as there's been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through "wholesale fraud" or "manipulation tactics." Thirty-two states permit various kinds of online voting—such as via email—for some subset of voters. In the 2016 general election, more than 100,000 ballots were cast online, according to data collected by the U.S. Election Assistance Commission. The actual number is likely much higher, according to some experts. "Tampering with mailed paper ballots is a one-at-a-time attack. Infecting voters' computers with malware or infecting the computers in the elections office that handle and count ballots are both effective methods for large-scale corruption," Epstein said.
Charlie Osborne for Zero Day | 13 Aug 2019 The researcher was asked not to disclose the bug but did so anyway. https://www.zdnet.com/article/steam-vulnerability-reportedly-exposes-windows-gamers-to-system-hijacking/ The Steam gaming platform reportedly contained a severe vulnerability which could subject users to privilege escalation attacks but was not considered in scope for Valve to fix. "So, two weeks after my message, which was sent on July 20, a person appears, who tells me that my report was marked as not applicable, they closed the discussion and wouldn't offer any explanation to me," Kravets said. "Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve."
As the Black Hat security conference comes to an end in Las Vegas, so the DEF CON hacker convention begins. It didn't take long for the first critical warnings for Windows users to emerge as a result. This one is particularly worrying as, according to the Eclypsium researchers who gave the presentation, the issue applies "to all modern versions of Microsoft Windows," which leaves millions of Windows 10 users at risk of system compromise. What did the researchers reveal? In a nutshell, the researchers found a common design flaw within the hardware device drivers from multiple vendors including Huawei, Intel, NVIDIA, Realtek Semiconductor, SuperMicro and Toshiba. In total, the number of hardware vendors affected runs to 20 and includes every major BIOS vendor. The nature of the vulnerability has the potential for the widespread compromise of Windows 10 machines. https://www.forbes.com/sites/daveywinder/2019/08/11/critical-windows-10-warning-confirmed-millions-of-users-are-at-risk/#521532402b51 [Gabe later added this on 18 Aug 2019:] Microsoft Confirms Update Warning For Windows 10, Windows 8.1 And Windows 7 Users The latest Patch Tuesday update from Microsoft included several critical security fixes. Unfortunately, as Microsoft has now confirmed, it also borked some things. If you haven't applied that August 13 update and are running on Windows 10, Windows 8.1 or Windows 7, you may want to read this before you do. What's the problem with the latest Patch Tuesday Windows update? Microsoft has confirmed a bunch of "known issues" with the August 13 Windows update. Some, such as the "black screen during first logon after installing updates" issue, have hit users after previous updates. That can be filed in the annoying but ultimately not much to worry about folder: it only impacts a "small number" of users and only the first time they log on after the update. Anything that impacts millions of users is a far more serious thing.
And so it is that Microsoft has confirmed that this Patch Tuesday update does just that. "After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an "invalid procedure call error," Microsoft has stated. https://www.forbes.com/sites/daveywinder/2019/08/17/microsoft-confirms-update-warning-for-windows-10-windows-81-and-windows-7-users/#281fcef23063 [The risk? Automatic updates? GG]
"Security researcher Joseph Tartaro thought NULL would make a fun license plate. He's never been more wrong." <https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell> An old risk comes back to life (RISKS-6.40) and many other cases. Little Johnny Tables <https://xkcd.com/327/> comes to mind, too. [David, Thanks. You have a good memory back to 9 Mar 1988. PGN] [Also noted by Gabe Goldberg, who remarked, "Nice to see the old standards are still playing..." PGN]
Charlie Osborne for Zero Day | 15 Aug 2019 The vulnerability could be used for privilege escalation and code execution attacks. https://www.zdnet.com/article/trend-micro-fixes-hijack-security-flaw-in-password-manager/
A coordinated ransomware attack has affected at least 20 local government entities in Texas, the Texas Department of Information Resources said. It would not release information about which local governments have been affected. The department said the Texas Division of Emergency Management is coordinating support from other state agencies through the Texas State Operations Center at DPS headquarters in Austin. DIR said the Texas Military Department and the Texas A&M University Systems' Cyber-response and Security Operations Center teams are deploying resources to "the most critically impacted jurisdictions."... https://www.kut.org/post/ransomware-attack-hits-local-governments-texas
Customs and Border Protection computers are down nationwide, and international arrivals at Dulles International Airport are being delayed, according to the Metropolitan Washington Airports Authority. CBP officers are processing passengers manually. Some passengers say they have been waiting for two hours at passport control. "CBP is experiencing a temporary outage with its processing systems at various air ports of entry & is taking immediate action to address the technology disruption," the agency tweeted. "CBP officers continue to process international travelers using alternative procedures until systems are back online." [Reportedly, at least 5,000 passengers stuck in line. PGN] [Monty Solomon noted that officials said service was restored after about two hours, but travelers then faced long waits to be processed. https://www.nytimes.com/2019/08/16/us/customs-computer-shutdown.html PGN]
https://www.nytimes.com/2019/08/16/business/lse-delay-stocks.html Opening of trading was pushed back one hour and 40 minutes as the stock exchange tried to determine the cause.
Most business and home TELUS e-mail customers have been impacted to a large degree by a telus.net e-mail outage that began Aug 15 and is still affecting some customers across Alberta and BC, as well as customers trying to connect from elsewhere. The outage was aggravated by the lack of information. TELUS kept saying that the Root Cause was unknown until Aug 19, when reports began to surface attributing the outage to a failed Dell EMC Cloud server repair: https://www.telus.com/en/internet/email-outage "This issue occurred during an overnight update to our servers in the early hours of Thursday, August 15, in partnership with our vendor Dell EMC, when a flawed repair procedure took the TELUS.net email system offline." My experience was that POP connection attempts fared better than web mail or IMAP. There is apparently some risk of at least temporary e-mail loss for customers who kept their e-mail on TELUS servers, rather than downloading it. Generally TELUS has a well-earned reputation for Continuous Availability and the ability to roll back failed updates promptly. Businesses that have come to rely on e-mail for orders and other functions have been heavily impacted. My personal view, using e-mail for work since the 1980s, is that it is not yet a reliable or secure form of business communication. This reminded me of Dr. Nancy Leveson's analogy of Software and the early days of high-pressure steam. The economic incentive to push ahead with unreliable, potentially unsafe, methods overwhelmed the voices of caution. If you pushed ahead you made money faster, until the boiler blew up on your workers. Cloud seems to have been motivated by the idea of simplifying the addition and management of servers and storage. Looks like there is some work to be done to balance that saving against the risk of you and your customers being impacted for days at a time if something in the cloud goes wrong.
Electric cars are an essential component of a lower-carbon future, but a new report from researchers at the New York University Tandon School of Engineering raises the specter that plug-in electric vehicles—and the charging stations that supply them—could be prime vectors for cyber-attacks on urban power grids. "In simulations using publicly available information about charging station usage in Manhattan and the structure of the island's power grid, our research team found that a fleet of just roughly 1,000 simultaneously charging electric vehicles would be adequate for mounting an attack whose effects could rival the blackout that affected the city's West Side last month," said Yury Dvorkin, assistant professor in NYU Tandon's Department of Electrical and Computer Engineering. NYU Tandon doctoral candidate Samrat Acharya led the research in collaboration with Dvorkin and Professor Ramesh Karri, also from the Department of Electrical and Computer Engineering. "This simulation is a wake-up call to the public and policymakers, and an encouragement to take steps to protect the data generated between electric cars and charging stations—most of which could be co-opted by a hacker with college-level skills," Dvorkin said... https://m.techxplore.com/news/2019-08-electric-car-stations-portals-power.html
What a photographer's struggle to raise money for his book of images tells us about Facebook and conspiracy theorists. About 24 hours after the ads were approved, he got a notification telling him the ad had been removed. He resubmitted it. It was accepted, and then removed again, 15 or 20 times, he said. The explanation given: He had run "misleading ads that resulted in high negative feedback." He understood that it was Facebook's algorithm that rejected the ads, not a person. Getting additional answers proved difficult, a common complaint with advertising on Facebook. The best clues he could find came in the comments under the ads, which he and his colleagues captured in screenshots before they were removed and in responses to other posts about the project: There were phrases such as "The original moon landing technology." Some comments were hard to gauge, with users insisting that the earth was flat but that they'd buy the book anyway. <https://digiday.com/marketing/underlining-arrogance-media-buyers-frustrated-google-facebook-ad-reps/>
(More on Warshipping in RISKS-31.36) *For under $100, compact hardware can turn a shipped package into a Trojan horse for attacks.* (Ars Technica) https://arstechnica.com/information-technology/2019/08/hack-in-the-box-hacking-into-companies-with-warshipping/ Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in—something they've dubbed "warshipping." [Long item truncated for RISKS. PGN]
So this cable allows an attacker access to the connected computer. The implant must have a Wi-Fi component as well, since it accesses the computer via Wi-Fi using the cable as an antenna. Silent or passive monitoring of the data that flows and sending it out via a low-power radio signal seems to have been favored by spy agencies until Snowden released such a trick in one of his documents on Wikileaks. I recall the USB cable for this purpose. Around the 1996-2000 time frame, I noticed a USB cable with a mysterious embedded chip inside (inside the plug portion). I found it in a photo blog of a second-hand parts shop in Akihabara. Initially, I thought this could be similar to APC's UPS control cable that has some components inside (for a proprietary connection, I guess). But it did not make sense, and the cable did act as an ordinary USB cable. Years later, when I read the Wikileaks document, I realized that the cables could have been used as a spying tool. My scenario was like this: A large company bought a ton of PCs from Lenovo/Dell/HP/Fujitsu/NEC/etc., you name it. The agent that delivered the PCs first assembled them in a warehouse before shipping them to the customer site (a big trading agency/banks or even a Japanese government office?). Then the warehouse was "attacked" and all the USB cables inside the PC delivery boxes were replaced with this spying cable. However, back then, rack computers were expensive and scarce. Many startup e-Commerce companies used ordinary PCs sans PCs and keyboards to act as rack computers. Thus most, if not all, of the delivered keyboards and USB cables were dumped on the second-hand market. Thus they were sold at an outlet in Akihabara and noticed by the store clerk, who accidentally broke the plug and found the strange implant, opened a few others and found the implants there, too. And since he posted the strange USB cable that works in a shop blog with the photo, I noticed it. Nobody knows how that cable was used for spying and where.
Intriguing mind wants to know. The cable was so strange, and this is why I remembered it until I read the Wikileaks document.
I think the true RISK here is an article like this that propagates the myth that the password complexity rules from NIST's 1980s-era document are STILL a good idea. I find it especially egregious that the author of this article chose to reference NIST SP-800-63b while espousing overly complex password rules. Permit me to quote from the appendix to that document: "Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner." Worse, because it was touted on a large computer company website, this article might give weight to their inanity.
Second part of sentence you quote: "but new recommendations have led to changes around password policies". After recapping password history, article notes new defaults, changes, resources:

The default levels are changing

But in May 2019, Microsoft announced changes in the Security Baselines for Windows 10 and Windows Server build 1903 <https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/>: The minimum and maximum password ages will no longer be set in the baselines and therefore will not be enforced. Microsoft cites research (see "An Administrator's Guide to Internet Password Research <https://cormac.herley.org/docs/WhatsaSysadminToDo.pdf>" and "The Security of Modern Password Expiration <https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf>") to claim that password expiration policies are no longer considered to have great value. Other measures, such as checking lists of banned passwords, are more effective. As they note, Windows Group Policies don't provide for checking such lists, so neither can the Security Baselines, which is a good example of why you should not rely only on the baselines. Microsoft offers some of the more advanced capabilities in Azure AD Password Protection <https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-and-Smart-Lockout-are-now-in-Public/ba-p/245423>.

Password complexity: The ground rules

What is the default Windows password complexity policy <https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements>?

* The password may not contain the account name or variations on the account name.
* It must contain characters from three of the following five groups (quoted from the Microsoft document):
  o Uppercase letters of European languages (A through Z, with diacritical marks, Greek and Cyrillic characters)
  o Lowercase letters of European languages (A through Z, sharp S, with diacritical marks, Greek and Cyrillic characters)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/). Currency symbols such as the euro or British pound are not counted as special characters for this policy setting.
  o Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

Everyone who has had to deal with these policies, which are enabled in the Security Baselines, knows what a pain they can be. As the Microsoft document says, enabling the policies "may cause some additional help desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve." The default password length requirement <https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length> is seven characters, but elsewhere Microsoft recommends eight characters, as do the NIST requirements. In the Security Baselines, the minimum password length is 14 characters. The NIST policies specifically reject (though they do not ban) complexity requirements. Microsoft has not removed the default imposition of these requirements from Windows or the Security Baselines, but it may be a change you want to make yourself.
If you want finer control of password filtering but want to stick with Active Directory <https://www.hpe.com/us/en/insights/articles/5-ways-to-see-whats-going-on-in-your-windows-server-system-right-now-1812.html>, you can replace Microsoft's standard Passfilt.dll <https://docs.microsoft.com/en-us/windows/desktop/secmgmt/password-filters> with a commercial one or write one yourself, as Yelp did, based on an open source implementation <https://engineeringblog.yelp.com/2018/04/ad-password-blacklisting.html>. Examples of commercial replacements are those from nFront Security <https://nfrontsecurity.com/products/nfront-password-filter/>, ManageEngine <https://www.manageengine.com/products/self-service-password/password-policy-enforcer.html>, and Anixis <https://anixis.com/products/ppe/faq.htm>. Using one of these replacements, you can implement current best practices within your otherwise standard Active Directory infrastructure. SecLists keeps a collection of many large common password lists. <https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials>

Beyond banned passwords

Banned password lists are useful, but another way may be better. Have I Been Pwned <https://haveibeenpwned.com/> is a site that keeps records of major user ID and password breaches and allows you to check whether any of your logins have been compromised. The site was built and is maintained by Troy Hunt, a Microsoft regional director <https://rd.microsoft.com/en-us/> and well-known security expert. It has data on 369 breached sites and 7,860,402,548 breached accounts. The site also has an API that allows you to check whether a particular account has been breached or just if a particular password exists in the breach database. <https://haveibeenpwned.com/API/v2#PwnedPasswords> Hunt thinks that, once a list is as large as his, it is "exceptionally unlikely to have anything outside that collection which is both terrible and actively used." The answer is to check against the separate Pwned Passwords database <https://haveibeenpwned.com/Passwords>, which contains 551 million passwords that have been in one or more of the breaches, using its API. Hunt says he would set a minimum of six characters and then block anything that shows up in Pwned Passwords. One more tip from Hunt: "I'd block every variation of the company name; nobody on the Acme Corp. website can use AcmeCorp, AcmeCorp1, AcmeC0rp, etc." If you want to use the Pwned Passwords API, you can build on one of the many projects already doing so <https://haveibeenpwned.com/API/Consumers>. Typically, they create an environment-native interface to the API, such as with the many PHP libraries, Python and Perl scripts, WordPress plugins, and Java clients, as well as an IFTTT recipe. In addition to many weak passwords, Pwned Passwords has a large number of passwords that would satisfy any set of complexity rules, so it might seem to be overkill. But compared with the range of possible passwords, 551 million isn't as big a number as it seems. Nearly all of my own passwords are randomly generated by my password manager, but I tested several passwords I made up on my own in recent years, and none appear in the Pwned Passwords database. So maybe relying on Hunt's API and a minimum length and blocking organization name variants is the easiest route to strong protection. I wrote a program to check the contents of one of the SecLists lists of "common credentials" against the Pwned Passwords database. All but 3,663 of 262,000 passwords tested were in Pwned Passwords, and more than half of those that weren't had fewer than eight characters. Perhaps this means that Hunt is right that checking banned password lists is largely redundant, though if you're going to check one or the other, it's easy enough to check both. But all of this is about usernames and passwords, a technology that we should all hope will someday be deprecated. At the same time you make sure your passwords are strong, move forward with multifactor authentication <https://www.hpe.com/us/en/insights/articles/with-webauthn-web-authentication-is-finally-getting-smart-1808.html> and biometrics <https://www.hpe.com/us/en/insights/articles/biometric-authentication-from-speeding-travel-to-providing-id-for-the-marginalized-1903.html> that bypass the inherent problems with passwords.

Password policy best practices: Lessons for leaders

* Stay up to date with recommendations for creating and maintaining secure passwords.
* Minimize opportunities for user password failures.
* Make use of public databases of password failures and account breaches.
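A screening routine that applies the practices the article above describes (Hunt's six-character minimum, a banned list, blocking company-name variants such as AcmeC0rp, the Windows three-of-five complexity rule with its currency-symbol caveat, and a Pwned Passwords lookup), written here as an added example and not code from the article, Microsoft or Troy Hunt. The range-API URL and "SUFFIX:COUNT" response shape and the leet substitution table are assumptions, and the sample API response is constructed so the demo runs offline.

```python
"""Password screening per the article: length, banned list, org-name variants,
Windows complexity groups, and a Pwned Passwords range lookup (k-anonymity:
only the first five hex chars of the SHA-1 would leave the machine).
Added example; the API shape and substitution table are assumptions."""
import hashlib
import re
from typing import Iterable, List, Tuple

# Assumed leet-style substitutions so AcmeC0rp and Acme_Corp1 both map to "acmecorp".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Special characters the Windows complexity policy counts (the Microsoft list
# quoted above); currency symbols such as the euro are deliberately absent.
_WIN_SPECIAL = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def normalize(text: str) -> str:
    """Lower-case, undo common digit/symbol substitutions, drop separators."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def contains_org_name(password: str, org_names: Iterable[str]) -> bool:
    """True if any normalised organisation name appears inside the password."""
    p = normalize(password)
    return any(normalize(n) and normalize(n) in p for n in org_names)


def windows_complexity_ok(password: str) -> bool:
    """Microsoft's default rule: characters from three of the five groups."""
    groups = set()
    for ch in password:
        if ch in "0123456789":
            groups.add("digit")
        elif ch in _WIN_SPECIAL:
            groups.add("special")
        elif ch.isupper():
            groups.add("upper")
        elif ch.islower():
            groups.add("lower")
        elif ch.isalpha():  # e.g. CJK characters: alphabetic but caseless
            groups.add("other_alpha")
        # anything else (currency symbols, spaces) counts toward no group
    return len(groups) >= 3


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix that is sent to the
    API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_body: str) -> int:
    """Given the range response for the password's prefix ("SUFFIX:COUNT" per
    line), return the breach count, or 0 when the suffix is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx.upper() == suffix:
            return int(count or 0)
    return 0


def evaluate(password: str, org_names: Iterable[str], banned: Iterable[str],
             range_body: str, min_len: int = 6) -> List[str]:
    """Return the list of policy failures; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if password.lower() in {b.lower() for b in banned}:
        problems.append("on banned list")
    if contains_org_name(password, org_names):
        problems.append("contains organisation name variant")
    if pwned_count(password, range_body) > 0:
        problems.append("appears in Pwned Passwords")
    return problems


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>
# (assumed endpoint; the demo never goes online). The real service returns
# hundreds of suffixes per prefix; here two filler lines plus "password".
_, _PASSWORD_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGE_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PASSWORD_SUFFIX}:3730471",  # constructed count
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])

if __name__ == "__main__":
    for pw in ["password", "AcmeC0rp2019", "letmein", "xkcd-correct-horse-9"]:
        verdict = evaluate(pw, ["Acme Corp."], ["letmein"], SAMPLE_RANGE_BODY)
        print(pw, "->", verdict or "ok", "| complexity:", windows_complexity_ok(pw))
```

A real deployment would fetch the range body for `sha1_prefix_suffix(pw)[0]` from the API and pass it to `evaluate`; the suffix comparison stays local.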
> As temperatures rose across the massive ice sheet, which blankets an area five times the size of Germany, around 60 per cent of the surface started to melt, one of the largest ever recorded.

Except it didn't: And the last sentence is basically a lie. Even if that one station had recorded an above-zero temperature, it would not mean that 60% of the surface was also melting. https://wattsupwiththat.com/2019/08/12/greenlands-record-temperature-denied-the-data-was-wrong/ Now from the Danish Meteorological Institute (DMI), via the news website The Local, the cooler reality: Danish climate body wrongly reported Greenland heat record. The Danish Meteorological Institute, which has a key role in monitoring Greenland's climate, last week reported a shocking August temperature of between 2.7C and 4.7C at the Summit weather station, which is located 3,202m above sea level at the centre of the Greenland ice sheet, generating a spate of global headlines. But on Wednesday it posted a tweet saying that a closer look had shown that monitoring equipment had been giving erroneous results. "Was there record-level warmth on the inland ice on Friday? No! A quality check has confirmed our suspicion that the measurement was too high." Shoot out the headlines first, ask questions later.