Patrick Howell O'Neill, Technology Review, 13 Aug 2019, via ACM TechNews, Wednesday, August 21, 2019

A study by researchers at New York University found that at least 16 million Americans in eight states will vote on completely paperless machines in the 2020 U.S. elections, despite a strong consensus among cybersecurity and national security experts that paper ballots and vote audits are necessary to ensure election security. While the states in question are not historically battleground states, some are likely to be more closely contested than usual. Said U.S. Senator Ron Wyden of Oregon, "Congress needs to set mandatory federal election security standards that outlaw paperless voting machines and guarantee every American the right to vote with a hand-marked paper ballot." Wyden cited experts as requiring hand-marked paper ballots and post-election audits to defend against hacking. "Vendors should recognize that fact or get out of the way."

https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-212c5x21d479x070202&
A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. These private keys are used together with the public keys to encrypt user votes cast in the election.

MOSCOW BLOCKCHAIN VOTING SYSTEM ENCRYPTION BROKEN IN 20 MINUTES

Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. "It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available," Gaudry said in a report published earlier this month. "Once these [private keys] are known, any encrypted data can be decrypted as quickly as they are created," he added.

https://www.zdnet.com/article/moscows-blockchain-voting-system-cracked-a-month-before-election/
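The failure described above, as an added illustration (not the Moscow system's code, nor Gaudry's): a toy ElGamal key pair over a 31-bit prime, a textbook baby-step giant-step discrete log that recovers the private key from the public key alone, and the parameter gate a reviewer would apply before deployment. The toy prime, generator and the 2048-bit floor are assumptions chosen for the example.

```python
"""ElGamal private-key recovery when the modulus is far too small.

Added example for this digest item. Toy group (NOT secure): p = 2^31 - 1 is
prime and 7 generates the full multiplicative group. The 2048-bit floor is an
assumed deployment minimum, not a value from the article.
"""
import math
import secrets

P_TOY, G_TOY = 2_147_483_647, 7
MIN_MODULUS_BITS = 2048  # assumed floor for a real deployment


def keygen(p=P_TOY, g=G_TOY):
    """Return (public, private): public = (p, g, y) with y = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return (p, g, pow(g, x, p)), x


def encrypt(public, m):
    """Standard ElGamal: (g^k, m * y^k) mod p with a fresh random k."""
    p, g, y = public
    k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(p, x, ct):
    """m = c2 * c1^(-x) mod p; c1^(-x) computed as c1^(p-1-x) by Fermat."""
    c1, c2 = ct
    return (c2 * pow(c1, p - 1 - x, p)) % p


def recover_private_key(public):
    """Baby-step giant-step: find x with g^x = y (mod p) in O(sqrt p) work.

    With a 31-bit p this is ~46k table entries and finishes in milliseconds;
    this is exactly why undersized parameters give no protection at all."""
    p, g, y = public
    m = math.isqrt(p - 1) + 1
    baby = {}
    e = 1
    for j in range(m):              # baby steps: g^j -> j
        baby.setdefault(e, j)
        e = e * g % p
    giant_factor = pow(g, p - 1 - m, p)  # g^(-m)
    gamma = y
    for i in range(m):              # giant steps: y * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None


def modulus_is_acceptable(p, minimum_bits=MIN_MODULUS_BITS):
    """Deployment gate: refuse any modulus below the assumed floor."""
    return p.bit_length() >= minimum_bits
```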
Laura Hautala, CNet, 15 Aug 2019, via ACM TechNews, 23 Aug 2019

U.S. District Judge Amy Totenberg has ordered Georgia not to use its paperless voting machines, election management software, or servers for the 2020 election, requiring the state to implement a new voting system in time for the presidential primaries. Georgia is currently acquiring new electronic voting machines and vote-counting software. The court order will prevent the state from relying on its paperless voting machines and election management software if the replacement infrastructure is not ready in time; should this happen, Georgia may have to fall back on paper ballots. Attorney David Cross said the order "is a big win for all Georgia voters and those working across the country to secure elections and protect the right to vote."

https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-2135bx21d58ax070501&
By Catalin Cimpanu for Zero Day | 22 Aug 2019 The Ukrainian Secret Service is investigating the incident as a potential security breach. https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/
Patrick Byrne says that he helped the "Deep State" investigations. He also says that the FBI ordered him to pursue a relationship with Russian (spy? agent? dupe?) Maria Butina. Oh. And he also wanted to change Overstock from a "cheap furniture" company to a "blockchain" company. So caveat emptor ...
https://www.scientificamerican.com/article/why-the-u-s-disaster-agency-is-not-ready-for-catastrophes/ "The Federal Emergency Management Agency has wasted more than $3 billion and misused thousands of its employees by responding to hundreds of undersized floods, storms and other events that states could have handled on their own, an investigation by E&E News shows." As noted in http://catless.ncl.ac.uk/Risks/31/36#subj12, nations and localities are struggling to plan prioritized disaster response allocation. FEMA-level response dilution, partially driven by climate change, threatens US resilience—a portentous sign of bad risk mitigation planning at a strategic level.
Catalin Cimpanu for Zero Day | 20 Aug 2019 RubyGems staff have removed 18 malicious Ruby library versions that have been downloaded 3,584 times since July 8. https://www.zdnet.com/article/backdoor-code-found-in-11-ruby-libraries/ selected text: Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects. The individual behind this scheme was active for more than a month, and their actions were not detected. Things changed when the hacker managed to gain access to the RubyGems account of one of the rest-client developers, which he used to push four malicious versions of rest-client on RubyGems.
Catalin Cimpanu for Zero Day | 20 Aug 2019 Xilinx Zynq UltraScale+ SoCs are normally used in automotive, aviation, consumer electronics, industrial, and military components. https://www.zdnet.com/article/unpatchable-security-flaw-found-in-popular-soc-boards/ opening text: Security researchers have discovered an unpatchable security flaw in a popular brand of system-on-chip (SoC) boards manufactured by Xilinx. The vulnerable component is Xilinx's Zynq UltraScale+ brand, which includes system-on-chip (SoC), multi-processor system-on-chip (MPSoC), and radio frequency system-on-chip (RFSoC) products used inside automotive, aviation, consumer electronics, industrial, and military components. Two bugs found, but one is unpatchable
https://www.sonomanews.com/home/a1/9924307-181/hospital-website-hijacked-by-pirates
https://techcrunch.com/2019/08/20/moviepass-thousands-data-exposed-leak/
Catalin Cimpanu for Zero Day | 23 Aug 2019 Message shared on discussion boards sparks panic among protesters. https://www.zdnet.com/article/hong-kong-protesters-warn-of-telegram-feature-that-can-disclose-their-identities/
Catalin Cimpanu for Zero Day | 21 Aug 2019 Valve gets heavily criticized for mishandling a crucial bug report. https://www.zdnet.com/article/researcher-publishes-second-steam-zero-day-after-getting-banned-on-valves-bug-bounty-program/ Valve has responded to the publication of this second Steam zero-day. Due to the length of the response, we chose to cover it as a separate article. Original story below. A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform.
Danny Palmer | 21 Aug 2019 NanoCore RAT can steal passwords, payment details, and secretly record audio and video of Windows users. https://www.zdnet.com/article/cybersecurity-this-trojan-malware-being-offered-for-free-could-cause-hacking-spike/ A new version of a powerful form of trojan malware is being offered on the dark web for free, with one cybersecurity company warning this could lead to a rise in attacks targeting passwords, bank details and other personal information, even by crooks with limited technical skills.
https://www.infosecurity-magazine.com/news/users-of-adult-website-exposed-by/
At the public library in Wilmer, Tex., books were checked out not with the beeps of bar code readers but with the scratches of pen on notebook paper. Out on the street, police officers were literally writing tickets—by hand. When the entire computer network that keeps the small town's bureaucracy afloat was recently hacked, Wilmer was thrown into the digital Dark Ages. This has been the summer of crippling ransomware attacks. Wilmer—a town of almost 5,000 people just south of Dallas—is one of 22 cities across Texas that are simultaneously being held hostage for millions of dollars <https://www.nytimes.com/2019/08/20/us/texas-ransomware.html?module=inline> after a sophisticated hacker, perhaps a group of them, infiltrated their computer systems and encrypted their data. The attack instigated a statewide disaster-style response that includes the National Guard and a widening F.B.I. inquiry. More than 40 municipalities have been the victims of cyberattacks this year, from major cities such as Baltimore, Albany and Laredo, Tex., to smaller towns including Lake City, Fla. Lake City is one of the few cities to have paid a ransom demand—about $460,000 in Bitcoin, a cryptocurrency -- because it thought reconstructing its systems would be even more costly. (https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html?module=inline) In most ransomware cases, the identities and whereabouts of culprits are cloaked by clever digital diversions. Intelligence officials, using data collected by the National Security Agency and others in an effort to identify the sources of the hacking, say many have come from Eastern Europe, Iran and, in some cases, the United States. The majority have targeted small-town America, figuring that sleepy, cash-strapped local governments *are the least likely to have updated their cyberdefenses or backed up their data*... 
https://www.msn.com/en-us/news/technology/ransomware-attacks-are-testing-resolve-of-cities-across-america/ar-AAGapHU https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html
The state declined to say which towns were affected by the coordinated cyberattack. But one expert said it could signal more such attacks in the future. https://www.nytimes.com/2019/08/20/us/texas-ransomware.html
Gloria asked me to have a look at an email message "from" our bank. Other than addressing her as an "esteemed" customer, it looked pretty good. No problems with spelling or grammar. A security warning at the bottom. The head office address for the bank. When I looked at the headers, there were only a few, very small, indications of possible problems. It was sent from a domain that was not owned by the bank, but a lot of companies are outsourcing a lot of IT functions, so that wasn't exactly definitive. It had a couple of headers indicative of spam filtering. About the only thing that solidly demonstrated a problem was the verification link in the body of the message, but that a) won't be visible to most, and b) isn't a really strong indication unless you really know how to read URLs. (Now if banks start outsourcing account verification ...)
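The three checks the post walks through (sender domain not the bank's, spam-filter headers present, verification link pointing off-domain), as an added example rather than the poster's own tooling. The bank domain, the sample message, the spam-filter header names and the crude two-label domain comparison are all assumptions.

```python
"""Header-and-link triage for a suspected bank phish (added example).

The message below is constructed for this example; the bank domain and the
spam-filter header names are assumptions.
"""
import email
import email.utils
import re
from email.policy import default
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.test"  # assumed legitimate domain
SPAM_HEADERS = ("X-Spam-Flag", "X-Spam-Status", "X-Spam-Score")

# Constructed sample: polished body, off-domain sender, look-alike link host.
SAMPLE = """From: Example Bank <security@mail-notify.example>
To: customer@example.net
Subject: Please verify your account
X-Spam-Status: Yes, score=5.1
Content-Type: text/plain

Dear esteemed customer,

Please verify your account at https://examplebank.test.verify-login.example/confirm
Example Bank, 1 Head Office Street.
"""


def _registrable(host):
    """Crude eTLD+1: last two labels. Assumption; real code uses the PSL."""
    return ".".join(host.lower().split(".")[-2:])


def sender_domain(msg):
    addr = email.utils.parseaddr(msg["From"])[1]
    return addr.rpartition("@")[2].lower()


def body_links(msg):
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return re.findall(r"https?://[^\s<>\"']+", body)


def triage(raw, bank_domain=BANK_DOMAIN):
    """Return indicator strings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=default)
    findings = []
    sd = sender_domain(msg)
    if sd and _registrable(sd) != bank_domain:
        findings.append(f"sender domain {sd} is not {bank_domain}")
    for h in SPAM_HEADERS:
        if msg[h]:
            findings.append(f"spam filter header present: {h}: {msg[h]}")
    for url in body_links(msg):
        host = urlparse(url).hostname or ""
        if _registrable(host) != bank_domain:
            findings.append(f"link host {host} is not {bank_domain}")
    return findings
```

The look-alike link host is the indicator the post says most readers will miss: the bank's name is the leftmost label, but the registrable part is someone else's domain.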
Apple warns its credit card doesn't like leather or denim or other cards

[Just in case there is someone on the planet who does not know how special Apple is ... . I go to my optometrist's office every so often for a fresh cloth. I think they may have given me fewer instructions than Apple does.]

By Adrian Kingsley-Hughes for Hardware 2.0 | 22 Aug 2019
Yes, Apple went and published care instructions for its new credit card.
https://www.zdnet.com/article/a-credit-card-never-needed-cleaning-instructions-then-apple-came-along/

I used to think that the $999 XDR monitor stand was the most Apple thing Apple ever made. But then the company came out with a credit card that needed its own care instructions. Yes, care instructions. For a credit card. Apple goes into great detail on how to keep your flashy laser-etched titanium Apple Card looking its finest. Store it in "a wallet, pocket, or bag made of soft materials," don't store it with another credit card because it might become scratched, and give it the occasional clean with a "soft, slightly damp, lint-free microfiber cloth."

Chris Duckett, ZDNet, 22 Aug 2019
Apple warns its credit card doesn't like leather or denim or other cards
White titanium card is afraid of most things people use to carry ID and coinage, like wallets and pockets.
https://www.zdnet.com/article/apple-warns-its-credit-card-doesnt-like-leather-or-denim/

Oh dear, that card appears to be on a hard surface. Apple has detailed a number of things that its newly launched titanium credit card should be kept away from. A support note from Cupertino, spotted by AppleInsider, says the card should be kept away from leather and denim to avoid discoloration, and also away from hard surfaces, to avoid scratching its white finish. Users are warned not to use household cleaners on the card, nor compressed air and aerosols, nor any solvents, or ammonia, or anything abrasive to clean it.
https://www.npr.org/sections/health-shots/2019/08/20/752378580/want-to-know-whats-in-your-sweat-there-s-a-patch-for-that "The patch the Berkeley scientists designed collects sweat at the surface of the skin and analyzes it in real-time using a custom printed circuit board that transmits the collected data wirelessly to a mobile phone." Obvious risk here—streaming perspiration chemistry to a phone or Internet-connected widget for analysis. If there's too much sodium or potassium detected in perspiration, does this imply that a custom replenishment fluid must be ingested to re-balance blood chemistry? How is the replenishment molarity calibrated for an athlete in competition? This device represents the next step in the pharmaceutical athletic games. Should that IV be shaken or stirred?
A 400-year-old temple in Japan is attempting to hot-wire interest in Buddhism with a robotic priest it believes will change the face of the religion—despite critics comparing the android to "Frankenstein's monster." The android Kannon, based on the Buddhist deity of mercy, preaches sermons at Kodaiji temple in Kyoto, and its human colleagues predict that with artificial intelligence it could one day acquire unlimited wisdom. "This robot will never die, it will just keep updating itself and evolving," priest Tensho Goto told AFP. "That's the beauty of a robot. It can store knowledge forever and limitlessly.

"With AI we hope it will grow in wisdom to help people overcome even the most difficult troubles. It's changing Buddhism," added Goto. ...

https://news.yahoo.com/playing-god-japan-temple-puts-faith-robot-priest-043640106.html
My contingency plan is to use a different finger. Even if all 10 fingers are eventually compromised, assuming the access control locks out after n tries where (n << 10) I should be ok :-) In Risks 31.37 Anthony Thorn <anthony.thorn@atss.ch> wrote: You can change a compromised password, but your fingerprint is not only fixed, but shared across all applications which use fingerprint recognition. What is your contingency plan?
> Facial recognition software mistook 1 in 5 California lawmakers for
> criminals, says ACLU

A better headline and subhead for the original story might be: Software Set At 80% Confidence Level Works Correctly 80% Of The Time; Software Used With Default Values Rather Than Recommended Values Doesn't Work Well

Amazon does seem disingenuous with its claim that the software should be used at the 99% confidence level when matching faces, while shipping with the default set to 80%. As we've seen here, many users who should know better never change from default settings. Note that the 80% default value didn't appear in the linked story, but in another on the same topic that I had read earlier: <https://yro.slashdot.org/story/19/08/13/2046220/amazons-facial-recognition-misidentified-1-in-5-california-lawmakers-as-criminals>.

[Sarcastically, Geoffrey Newbury and Phil Martel each suggested: So the software actually had an 80% failure rate? Might that suggest that 5 out of 5 were actually criminals? PGN]
I did not see what types of charging stations were involved. The flip side is that reversing flow and drawing power from e-vehicles has been proposed as a way to smooth out demand spikes and to store surplus wind and solar power when they are parked plugged in. I have to speculate that this risk involves Level 3 or higher stations. With the demise of the last gas station in downtown Vancouver BC, and the proliferation of "free" (TANSTAAFL) or pay to use fast charging stations at parking lots and underground garages this might be a risk, but not likely for 110 or 220 volt charging stations. I did not bother to install a level 2 charger for our plug in hybrid because it charges from the carport plug in 5.5 hours with about the same draw as a major kitchen appliance. Other protection in the electric distribution system could put them offline before a large section goes down. Canadian wiring specs require the top and bottom sockets of kitchen counter outlets, and adjacent outlets, to be on separate circuits. You need at least 4 circuits to wire a kitchen according to code if you have 2 or more kitchen outlets.

Don't Grid Controllers in the UK have TVs in the control rooms to monitor Football (Soccer in Canadian & USA English) games because so many fans tend to plug in electric kettles during long pauses and ad breaks? Pumped Hydro Electric Storage generators in Wales and elsewhere can be spun up to meet those demand surges when the operators see a break coming. We don't need electric cars to experience this type of power demand surge.

In Canada the equivalent is the Hockey Game Flush, as thousands of fans flush toilets, creating a risk of municipal water lines collapsing or having infiltration due to sharp drops in water pressure. System ops watch the game, ready to start turbo boost pumps during breaks and stop them at the end of the break.
Rushing into print or digital publication of new startling results from recently deployed or newly developed instruments is a known risk in Climate Research. Someone rushed into print with an "Oceans are Cooling" paper, based on comparing early Argo Buoy data with older XBT data. With the wisdom of hindsight the Argo data had a Cold bias and the XBT data had a Warm bias. Longer term study revealed the bias in both instruments. https://earthobservatory.nasa.gov/features/OceanCooling

Instrument Bias also came up when Anthony Watts enlisted an army of fans to create a list of "poorly sited" weather stations which they felt gave a warm bias to the NOAA conclusion of a warming trend in the Continental USA. NOAA repeated the analysis, excluding those stations, and got a slightly stronger warming trend. Be careful what you ask for. https://en.wikipedia.org/wiki/Anthony_Watts_(blogger)#Surface_Stations_project
Before joining the celebrations of the "Ha ha, no global warming! We can go on burning as much carbon as we like!" crowd, please see the following article (in French): https://www.lci.fr/planete/les-records-de-chaleur-au-groenland-remis-en-cause-par-des-climatosceptiques-en-quoi-ils-se-trompent-2129437.html It points out that the post in "What's up with that" relies on an error in a single station on a single day, ignoring thousands of measurements over the past few months. Also check out my post in Quora: https://www.quora.com/Is-global-warming-a-hoax/answer/Amos-Shapir-1 which includes two maps to demonstrate the current situation in Greenland.
I'm pretty sure this made RISKS at least once before: https://xkcd.com/936/ Evidently none of the password security expert policy writers ever heard of xkcd. (Incidentally I recently tried "oh, not again!" for a linux account password and it worked.)
> "Federal air marshals have begun following ordinary US citizens not
> suspected of a crime or on any terrorist watch list and collecting
> extensive information about their movements and behavior under a new
> domestic surveillance program that is drawing criticism from within the
> agency."

"As an ordinary citizen," Mark's submission provoked my "spider sense" to file a FOIA request with TSA. I finally received a response to my petition dated 19AUG2019:

"This letter is in response to your Freedom of Information Act (FOIA) request to the Transportation Security Administration (TSA) dated October 11, 2018, seeking access to the following records about yourself:

"1. All Federal Air Marshal Service 'Quiet Skies' records collected, reported, and collated that pertain to international or domestic travel. To include dates/times of collection, transport vehicle/flight or bus/train or ship, and itemize detail of collected records include purpose/reason/justification for data capture based on air marshal prerogative.

"2. A list of federal and state agencies that have approved direct/indirect access to these records and include dates/time/purpose for access.

"Your request has been processed under the FOIA, 5 U.S.C. 552, and the Privacy Act, 5 U.S.C 552a. A search was conducted within the TSA and no records responsive to your request were located."

Guess the skies are safe to fly after all? While a sample size of 1 does not prove much, the TSA response suggests that citizens of "sufficient interest" merit air marshal tracking and attention. What constitutes "sufficient interest" was not a petition subject, and therefore not disclosed.