https://arstechnica.com/tech-policy/2019/01/heathrow-flights-disrupted-by-yet-another-drone/
https://www.bbc.com/news/uk-46754489 "The equipment, which can detect and jam communications between a drone and its operator, was deployed by the RAF on a roof at Gatwick last month." One trusts that this gear does not interfere with commercial aviation signals or RF-dependent devices used for emergency service.
https://www.medscape.com/viewarticle/907429 https://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm629348.htm Some surgery is only possible with imaging software, but the software can have bugs. "The software monitor may show that the tip of the surgical tool has not yet reached the planned target and may prevent the neurosurgeon from being able to accurately see the location of surgical tools in the patient's brain."
[twitter] Micah Lee (@micahflee): Since the government shutdown started "more than 80 TLS certificates used by .gov websites have so far expired without being renewed" https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html
Aldo Svaldi, *The Denver Post*, 11 Jan 2019 https://www.denverpost.com/2019/01/11/centurylink-network-outage-denver/ For about 30 hours, from the early morning hours of Dec. 27 until late on Dec. 28, chaos reigned on CenturyLink's system. Western states that depend most heavily on the company's fiber-optic system were hardest hit, but reports of outages and slower speeds came in from Alaska to Florida, according to downdetector.com. "CenturyLink experienced a network event on one of our six transport networks beginning on December 27 that impacted voice, IP, and transport services for some of our customers. The event also impacted CenturyLink's visibility into our network management system, impairing our ability to troubleshoot and prolonging the duration of the outage," the company said in a statement. Technicians were left scrambling trying to pinpoint the root cause, and that resulted in them losing time on fixes that didn't work. New Orleans as ground zero was an early suspect, and then it was San Antonio, Texas. Teams, which had to make physical site visits, went into action in Kansas City, Mo., and then Atlanta, and so on. But as they tried fixes in different areas, the problem didn't go away. Making matters worse, the reporting system that gathered customer complaints also failed. The source of all that turmoil and hours of angst for affected customers came down to one piece of equipment: a faulty third-party network management card in Denver, according to the company.
https://www.thesun.co.uk/news/8116475/astronaut-calls-911-space-nasa-security/
The USB Type-C authentication standard is moving forward in an effort to help protect systems against malicious USB devices. http://www.eweek.com/security/usb-type-c-to-become-more-secure-with-authentication-standard
via NNSquad https://lauren.vortex.com/2019/01/10/finally-some-good-news-about-the-eus-horrendous-right-to-be-forgotten-law I've been highly critical—to say the least—of the European Union's insane global censorship regime—"The Right To Be Forgotten" (RTBF) -- since well before it became actual, enacted law. But there's finally some good news about RTBF—in the form of a formal opinion from EU Advocate General Maciej Szpunar, chief adviser at Europe's highest court. I'm not sure offhand when I first began writing about the monstrosity that is RTBF, but a small subset of related posts includes: The "Right to Be Forgotten": A Threat We Dare Not Forget (2/2012): https://lauren.vortex.com/archive/000938.html Why the "Right To Be Forgotten" is the Worst Kind of Censorship (8/2015): https://lauren.vortex.com/archive/001119.html RTBF was always bad, but it became a full-fledged dumpster fire when (as many of us had predicted from the beginning) efforts were made to enforce its censorship demands globally. This gave the EU effectively worldwide censorship powers via RTBF's "hide the library index cards" approach, creating a lowest common denominator "race to the bottom" of expanding mass, government-directed censorship of search results related to usually completely accurate and still published news and other information items. In a nutshell, Maciej Szpunar's opinion—which is not binding but is likely to be a strong indicator of how related final decisions will turn out -- is that global application of EU RTBF decisions is usually unreasonable. While he doesn't rule out the possibility of global "enforcement" in "certain situations" (an aspect that will need to be clarified), it's obvious that he views routine global enforcement of EU RTBF demands to be untenable. This is of course only a first step toward reining in the RTBF monster, but it's potentially an enormously important one, and we'll be watching further developments in this arena with great interest indeed.
ZDnet, 10 Dec 2018 Stock trading algorithms know how to read news headlines, but they don't
For decades, Microsoft products have been very vulnerable to viruses and other exploits. This does not seem to be a solvable problem. For over two decades, I have used Linux in some form as my primary laptop or desktop OS, mostly because I'm old enough to have grown up with Unix and VMS. Back in the day, I would use a Windows VM as a way to run products like MS-Office, but now the open source alternatives have gotten to the point where I never do so—car diagnostic software is the only reason to fire up the VM. LibreOffice is more compatible with MS-Office than Microsoft's own Office:mac. Many years ago, Linux support for hardware was variable; now it's rarely a concern. Installs and upgrades were awkward; now Ubuntu is very slick, and easy for IT to manage centrally. The need for Windows to support fat client business software is far less, as most applications are now thin client requiring only a good browser (Chrome) and indeed in the cloud. Is it time for the security community to recommend "run Linux if you can?"
The incredibly promising business behind people injecting themselves with microchips. Bye-bye keys, passwords, and tickets—they're all on the chip. Down a narrow side street in the Swedish city of Gothenburg sits the Barbarella piercing parlor, a regular haunt for locals who decorate their bodies with piercings and tattoos, and which claims to offer the area's finest collection of ear discs and nose rings. But on a frigid evening in November, the shop is the setting for a very different kind of body enhancement: biochips. As darkness falls on the port town of nearly 600,000 people, Jowan Österlund wanders in, wearing a baseball cap and T-shirt, to meet two new clients for his small startup, Biohax International. From his backpack, he pulls plastic-wrapped syringes, each containing a tiny, dark microchip that is barely visible from the outside. Inside the unassuming package is Österlund's prized product, a window into what today is a fringe tech obsession but which, he believes, will one day be a giant industry. “You are creating an entirely new type of behavior and entirely new types of data that will be massively more valuable than what we have now. It is kind of a moonshot. But in the long run, this is what is going to happen.” http://fortune.com/longform/biochipping-biohax-microchip/
Facebook user sends another user a vital link about a disease: https://www.cdc.gov.tw/home/Scrub_typhus But because Facebook appends ?fbclid... to the link, the second user cannot open it, and eventually perhaps dies. Yup, some sites rightly do not expect random parameters randomly added...
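The fbclid breakage described above, as an added illustration that is not part of the posting: a strict handler that rejects any query parameter it does not recognise turns the shared link into a dead one, while a tolerant handler validates only the parameters it uses and redirects the click id away. The allow-list, the tracking-parameter set and the handler names are constructed for this example.

```python
"""Strict vs. tolerant handling of unexpected query parameters (added example)."""
from typing import Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Click identifiers that third parties append to outbound links (constructed set).
TRACKING_PARAMS = {"fbclid", "gclid", "msclkid", "mc_cid"}

# Parameters this hypothetical page actually understands.
KNOWN_PARAMS = {"lang", "page"}
SUPPORTED_LANGS = {"en", "zh"}


def strip_tracking_params(url: str) -> str:
    """Return the URL with click-id parameters removed; path, other
    parameters and fragment are preserved in their original order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TRACKING_PARAMS]
    # urlunsplit omits the '?' entirely when the query string is empty.
    return urlunsplit(parts._replace(query=urlencode(kept)))


def strict_handler(url: str) -> Tuple[int, str]:
    """Reject the request if any parameter is off the allow-list.
    This reproduces the failure mode: a harmless ?fbclid=... becomes a 400."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    unknown = set(params) - KNOWN_PARAMS
    if unknown:
        return 400, "unexpected parameter(s): " + ", ".join(sorted(unknown))
    return 200, "ok"


def tolerant_handler(url: str) -> Tuple[int, str]:
    """Validate only the parameters the page uses and ignore the rest.
    A redirect to the cleaned URL also keeps the click id out of logs and
    out of the Referer sent to any third-party resources on the page."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if TRACKING_PARAMS & set(params):
        return 301, strip_tracking_params(url)
    lang = params.get("lang", "en")
    if lang not in SUPPORTED_LANGS:
        return 400, "unsupported lang"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed example of a link as Facebook would rewrite it.
    shared = "https://www.cdc.gov.tw/home/Scrub_typhus?fbclid=IwAR0abc123"
    print("strict  :", strict_handler(shared))    # (400, 'unexpected parameter(s): fbclid')
    print("tolerant:", tolerant_handler(shared))  # (301, 'https://www.cdc.gov.tw/home/Scrub_typhus')
```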
https://www.securitynow.com/author.asp?section_id=706&doc_id=748435& Lots of risks but not clear they justify the headline, nor are all related to 5G.
https://www.nytimes.com/2019/01/04/us/politics/marriott-hack-passports.html The overall number of guests affected by the hacking, in which Chinese intelligence is the leading suspect, declined to 383 million. But the passport data is critical to intelligence agencies.
https://www.nytimes.com/2019/01/04/world/europe/germany-hacking-politicians-leak.html Twitter has shut down an account that had been posting personal data for weeks. Only the Alternative for Germany party appeared to be unscathed.
Clever trick allows attackers to obtain valid TLS certificate for hijacked domains. https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/
Data leaked by DX.Exchange would be "super easy" to criminalize. https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/
Huawei's New Year's greeting was sent from their official account, tagged "via Twitter for iPhone". At least two employees have been demoted with reduction of pay. http://www.taipeitimes.com/News/biz/archives/2019/01/05/2003707357
https://www.cnbc.com/2019/01/04/chinese-phone-maker-huawei-punishes-employees-for-iphone-tweet-blunder.html?__source=iosappshare%7Ccom.apple.UIKit.activity.Mail The risk? Insufficient loyalty to house brand.
https://www.nytimes.com/2019/01/03/technology/weather-channel-app-lawsuit.html In a lawsuit on Thursday, the city attorney said tracking was used not just for local forecasts but also for commercial purposes like targeted marketing. [Gabe Goldberg noted this item as well: L.A. Sues IBM's Weather Company over 'Deceptive' Weather Channel App http://fortune.com/2019/01/04/la-ibm-weather-channel-app/ The risk? Everything spies/leaks/sells personal data. PGN]
https://www.washingtonpost.com/local/trafficandcommuting/could-a-chinese-made-metro-car-spy-on-us-many-experts-say-yes/2019/01/07/00304b2c-03c9-11e9-b5df-5d3874f1ac36_story.html It would be quaint and surprising to learn about technology-enabled transportation that DID NOT spy on passengers! To counteract intrusive surveillance, each seat should have a built-in personal "Cone of Silence" à la Mel Brooks' "Get Smart."
If the risks of keeping a voice activated device at home were not obvious enough, here are some more proofs: the recordings are kept for a while, and may even be provided to the wrong user. https://www.theregister.co.uk/2018/12/20/amazon_alexa_recordings_stranger/ pointing to https://www.heise.de/downloads/18/2/5/6/5/3/9/6/ct.0119.016-018_engl.pdf
https://www.nytimes.com/2019/01/09/nyregion/el-chapo-trial.html An IT expert working for the crime lord helped the FBI obtain dozens of intimate—and incriminating—text messages he wrote to the women.
He Gave a Bounty Hunter $300. Then He Located His Phone T-Mobile, Sprint, and AT&T are selling access to their customers' location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country. https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile
The `smart home' [isn't] just supposed to be a monument to convenience, we're told, but also to protection, a Tony Stark-like bubble of vigilant algorithms and Internet-connected sensors working ceaselessly to watch over us. But for some who've welcomed in Amazon's Ring security cameras, there have been more than just algorithms watching through the lens, according to sources alarmed by Ring's dismal privacy practices. Ring has a history of lax, sloppy oversight when it comes to deciding who has access to some of the most precious, intimate data belonging to any person: a live, high-definition feed from around—and perhaps inside -- their house. The company has marketed its line of miniature cameras, designed to be mounted as doorbells, in garages, and on bookshelves, not only as a means of keeping tabs on your home while you're away, but of creating a sort of privatized neighborhood watch, a constellation of overlapping camera feeds that will help police detect and apprehend burglars (and worse) as they approach. “Our mission to reduce crime in neighborhoods has been at the core of everything we do commemorate the company's reported $1 billion acquisition payday from Amazon, a company with its own recent history of troubling facial recognition practices. The marketing is working; Ring is a consumer hit and a press darling. Despite its mission to keep people and their property secure, the company's treatment of customer video feeds has been anything but, people familiar with the company's practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon's S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed.
Downloading and sharing these customer video files would have required little more than a click. The Information, which has aggressively covered Ring's security lapses, reported on these practices last month. https://theintercept.com/2019/01/10/amazon-ring-security-camera/ The risk? Believing advertising? [PGN's risk—large number of garbled characters approximated from this and the next posting from Gabe. Note `[??]' in the next item.]
Ten Technology Offerings Bright lights, thick smoke, constant walking and avoidance maneuvers. After taking a year or two off, returning to CES is a chore and a revelation—it clearly is the major event for new technology announcements. Gadgets, yes, too many smart wearables, including underwear, too many near misses of being run over by gangs of oblivious young guys staring at their phones. If there was a key trend in all of this racket, sleep has become a tech obsession, the uptake of Digital Health is almost here, new variants of companions and assistants were pervasive, including Google Assistant inside everything and Amazon voice devices everywhere. Self-service increasingly matters in unexpected health categories. As with nearly every [?], we want to serve ourselves, no matter what. One day soon, onset of a stroke can be detected (Celloscope) when your smartphone watches your face droop as you read your email. A robotics company, Intuition Robotics, launches its cognitive AI Q[?] for 3rd-party companies to use as a digital companion agent, for example, in a car. In subsequent posts, others will be noted from the exhibit hall books, but for now, here are 10 other new companies/new offerings in alphabetical order from CES 2019 with content from the press releases/sites of the companies: https://www.ageinplacetech.com/blog/ten-technology-offerings-ces-2019 The risks? TBD
In the escalating market for security vulnerabilities, a new milestone has been recorded early in the new year, with $2 million now being offered for a remote Apple iOS exploit. The $2 million award is being offered by vulnerability acquisition firm Zerodium, which first achieved global notoriety for offering $1 million for an iOS 9 zero-day exploit back in September 2015. In September 2016, Zerodium increased its top iOS exploit award to a $1.5 million, which has now been topped by the $2 million bounty. http://www.eweek.com/security/escalating-value-of-ios-bug-bounties-hits-2m-threshold
Dan Goodin, Ars Technica, 7 Jan 2019 Governments and police forces around the world are trying harder than ever to exploit software that is becoming increasingly difficult to compromise. Market-leading software exploit broker Zerodium recently said it would pay up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over security messaging apps WhatsApp and iMessage. These prices are up about $500,000 from previous levels, an indication that the demand for them continues to grow, and that reliable exploitation of these targets is becoming increasingly difficult. Zerodium said it sells the exploits only to lawful governments, although it has never provided details to verify those claims. https://arstechnica.com/information-technology/2019/01/zeroday-exploit-prices-continue-to-soar-especially-for-ios-and-messaging-apps/ [MISPLACED ONLY PGN-ed above. See my long-ago analysis of that problem: http://www.csl.sri.com/neumann/only.html PGN]
https://www.bbc.com/news/uk-england-northamptonshire-46762571 A woman has warned of the dangers of looking at phones while crossing roads after being hit by a vehicle in a suspected hit-and-run. Olivia Keane, 20, was knocked unconscious while walking across Butts Road in Wellingborough, Northamptonshire, on New Year's Eve. Police believe she was hit by a vehicle that failed to stop. Miss Keane cannot remember the details, but believes she was looking down at her phone at the time. Lucky to be alive after this hit-and-run incident. I lost count of pedestrians in Singapore and Malaysia descending stairs and fully engrossed typing SMS content or playing a mobile game, oblivious to their peril. See http://catless.ncl.ac.uk/Risks/30/89#subj18.1 cellphone addiction. Some people can't live without 'em until they die with 'em.
https://www.nytimes.com/2019/01/08/us/politics/manafort-trump-campaign-data-kilimnik.html Mr. Manafort's lawyers made the disclosure by accident, through a formatting error in a document filed to respond to charges that he had lied to prosecutors working for the special counsel, Robert S. Mueller III, after agreeing to cooperate with their investigation into Russian interference in the election.
https://www.nytimes.com/2019/01/07/us/politics/alabama-senate-facebook-roy-moore.html A prohibitionist campaign appeared to be led by supporters of the Republican Senate candidate in 2017. But it was created by progressives—the second such secret effort to be unmasked.
Catalin Cimpanu, ZDNet, 9 Jan 2019 https://www.zdnet.com/article/google-search-results-listings-can-be-manipulated-for-propaganda/ Google search results listings can be manipulated for propaganda Dutch researcher argues that Google should remove support for knowledge panels. opening text: A feature of the Google search engine lets threat actors alter search results in a way that could be used to push political propaganda, oppressive views, or promote fake news. The feature is known as the "knowledge panel", and is a box that usually appears at the right side of the search results, usually highlighting the main search result for a very specific query. [The article then gives details that, while I have not tried this myself, appear to suffice to reproduce the problem.]
Overwhelmed by all the TV you haven't seen? Get ready for even more. https://www.washingtonpost.com/classic-apps/the-new-streaming-services-you-should-watch-in-2019/2019/01/04/1c40d660-106c-11e9-831f-3aa2c2be4cbd_story.html
If the past teaches us anything, it will happen one day. In fact, the process might have already started. https://www.nytimes.com/2018/12/12/magazine/what-happens-when-facebook-goes-the-way-of-myspace.html
Hackers Target Chromecast Devices, Smart TVs With PewDiePie Message https://variety.com/2019/digital/news/chromecast-hacked-pewdiepie-1203097889/
https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019
http://www.bbc.com/future/story/20190104-are-you-a-digital-hoarder "With the storage capacity of our devices increasing with every upgrade and cloud storage plans costing peanuts, it might not seem like a problem to hold on to thousands of emails, photos, documents and various other digital belongings. "But emerging research on digital hoarding—a reluctance to get rid of the digital clutter we accumulate through our work and personal lives -- suggests that it can make us feel just as stressed and overwhelmed as physical clutter. Not to mention the cybersecurity problems it can cause for individuals and businesses and the way it makes finding that one email you need sometimes seem impossible." Digital storage ubiquity promotes monomaniacal behavior. Horder iDisorder disorder? IDisorder Horder disorder?
One need only to look at hacker games and competitions to see the compelling allure of gamification in training and practice for security pros. https://www.channelfutures.com/mssp-insider/is-gamification-working-in-security-training Wait, what?
https://www.nytimes.com/2019/01/10/business/fiat-chrysler-justice-emissions-settlement.html The accord in lawsuits over false readings on diesel vehicles could cost nearly $800 million, including penalties, fixes, warranties and compensation.
https://www.businessinsider.com/apple-google-ad-ces-2019-privacy-imessage-2019-1
Is that the Google that removes the little padlock icon from their browser because "the web is now safe by default"? The one that's pushing https down our throats to ensure the ads we (don't) see came from bona fide Google-paying advertisers? Was it Bruce Schneier who said this isn't techno-feudalism because in feudalism the feudal actually had obligations towards his vassals? No obligation indeed.
The initial role of the Internet (in its first incarnation as Arpanet) was to provide a medium, detached from the phone network, for secure and stable communication even during a nuclear emergency. It's ironic that the same network has become a Trojan horse within the US national security infrastructure.
This is yet another symptom of the "US first" fallacy. Such laws and regulations are based on an inherent assumption that the US is first in everything, so any new technology would be made in the USA, and the only way adversaries could get it is by export from the USA. During the encryption exports craze of the 1980's, I came into the US carrying a computer board for an exhibition; I was employed by an American company, but the board was designed and built in their Israeli branch. When leaving the US, I was stopped by customs—it seems the board's CPU was too fast, so it was categorized as an encryption device. I had no problem just leaving it there; we had plenty more back home. (I have no idea if the company ever redeemed the board; it may still be stored in some customs warehouse at JFK.)
No, not that one. The other one. http://www.smbc-comics.com/comics/1547218636-20190111.png