https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/

Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
https://www.theregister.co.uk/2019/03/05/spoiler_intel_flaw/

SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
https://arxiv.org/pdf/1903.00446.pdf
Web Informant, March 5, 2019 [via Gabe Goldberg]

A new report describes the depth of criminality across online ticketing websites. I guess I was somewhat naive before I read the report, "How Bots affect ticketing," from Distil Networks <https://resources.distilnetworks.com/all-blog-posts/how-bots-affect-ticketing> (Registration is required.) The vendor sells anti-bot security tools, so some of what they describe is self-serving to promote their own solutions. But the picture they present is chilling and somewhat depressing.

The ticketing sites are being hit from all sides: from dishonest ticket brokers and hospitality agents who scrape details and scalp or spin the tickets, to criminals who focus on fan account takeovers to conduct credit card fraud with their ticket purchases. These scams are happening 24/7, because the bots never sleep. And there are multiple sources of ready-made bad bots that can be set loose on any ticketing platform.

You probably know what scalping is, but spinning was new to me. Basically, it involves a mechanism that appears to be an indecisive human who is selecting tickets but holding them in their cart and not paying for them. This puts the tickets in limbo, and takes them off the active marketplace just long enough that the criminals can manipulate their supply and prevent the actual people from buying them. That is what lies at the heart of the criminal ticketing bot problem: the real folks are denied their purchases, and sometimes all seats are snapped up within a few milliseconds of when they are put on sale. In many cases, fans quickly abandon the legit ticketing site and find a secondary market for their seats, which may be where the criminals want them to go. This is because the seat prices are marked up, with more profit going to the criminals. It also messes with the ticketing site's pricing algorithms, because they don't have an accurate picture of ticket supply.

This is a new report from Distil, focusing just on the ticketing vendors. In the past year, they have seen a rise in the sophistication of the bot owners' methods. That is because, like much with cybercrime, there is an arms race between defenders and the criminals, with each upping their game to get around the other. The report studied 180 different ticketing sites for a period of 105 days last fall, analyzing more than 26 billion requests. Distil found that the average traffic across all 180 sites was close to 40% consumed by bad bots. That's the average: many sites had far higher percentages of bad bot traffic.

Botnets aren't only a problem with ticketing websites, of course. In an article that I wrote recently for CSOonline <https://www.csoonline.com/article/3339377/how-polls-are-hacked-what-every-business-should-know.html?nsdr=true#tk.twt_cso> I discuss how criminals have manipulated online surveys and polls. (Registration also required.) Botnets are just one of many methods to fudge the results, infect survey participants with malware, and manipulate public opinion.

So what can a ticketing site operator do to fight back? The report has several suggestions, including preventing outdated browser versions, using better Captchas, blocking known hosting providers popular with criminals, and looking carefully at sources of traffic for high bounce rates, a series of failed logins and lower conversion rates, three tells that indicate botnets.

Comments always welcome here. <http://blog.strom.com/wp/?p=7061>
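The three tells the column lists (high bounce rate, a run of failed logins, low conversion rate) can all be computed per traffic source from an ordinary access log. The Go program below is an added example written for this digest entry, not code from Distil Networks or from the column's author. It assumes a constructed log layout of "source session method path status" per line, treats a session with a single request as a bounce, a POST /login answered 401 as a failed login, and a POST /checkout answered 200 as a conversion; the thresholds are illustrative values chosen here, not figures from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// SourceStats carries the three tells named in the report for one traffic source.
type SourceStats struct {
	Sessions      int // distinct session ids seen from this source
	Bounces       int // sessions consisting of a single request
	MaxFailStreak int // longest run of consecutive rejected logins
	Conversions   int // sessions that completed POST /checkout with 200
}

// Summarize reads "source session method path status" lines (a constructed log
// layout for this example), skips malformed lines, and groups requests by source and session.
func Summarize(raw string) map[string]*SourceStats {
	type sessKey struct{ src, sess string }
	hits := map[sessKey]int{}
	converted := map[sessKey]bool{}
	stats := map[string]*SourceStats{}
	streak := map[string]int{}
	for _, line := range strings.Split(raw, "\n") {
		var src, sess, method, path string
		var status int
		if n, _ := fmt.Sscan(line, &src, &sess, &method, &path, &status); n != 5 {
			continue
		}
		if stats[src] == nil {
			stats[src] = &SourceStats{}
		}
		st, k := stats[src], sessKey{src, sess}
		hits[k]++
		switch {
		case method == "POST" && path == "/login" && status == 401:
			streak[src]++
			if streak[src] > st.MaxFailStreak {
				st.MaxFailStreak = streak[src]
			}
		case method == "POST" && path == "/login":
			streak[src] = 0 // a login that is not rejected ends the run
		case method == "POST" && path == "/checkout" && status == 200:
			converted[k] = true
		}
	}
	for k, n := range hits {
		st := stats[k.src]
		st.Sessions++
		if n == 1 {
			st.Bounces++
		}
		if converted[k] {
			st.Conversions++
		}
	}
	return stats
}

// Thresholds are illustrative values chosen for this example, not figures from the report.
const (
	minSessions     = 3
	bounceLimit     = 0.6
	failStreakLimit = 3
	conversionFloor = 0.05
)

// Suspicious lists the tells that fire for a source; rate-based tells need enough sessions to mean anything.
func Suspicious(st *SourceStats) []string {
	var tells []string
	if st.Sessions >= minSessions && float64(st.Bounces) > bounceLimit*float64(st.Sessions) {
		tells = append(tells, "high bounce rate")
	}
	if st.MaxFailStreak >= failStreakLimit {
		tells = append(tells, "failed login streak")
	}
	if st.Sessions >= minSessions && float64(st.Conversions) < conversionFloor*float64(st.Sessions) {
		tells = append(tells, "low conversion rate")
	}
	return tells
}

// SampleLog is constructed traffic: a bot-like source that only bounces and
// hammers the login form, and a buyer who mistypes a password once, then pays.
const SampleLog = `
203.0.113.7 b1 GET /event/123 200
203.0.113.7 b2 GET /event/123 200
203.0.113.7 b3 GET /event/123 200
203.0.113.7 b4 POST /login 401
203.0.113.7 b4 POST /login 401
203.0.113.7 b4 POST /login 401
198.51.100.4 h1 POST /login 401
198.51.100.4 h1 POST /login 200
198.51.100.4 h1 POST /checkout 200
`

func main() {
	for src, st := range Summarize(SampleLog) {
		fmt.Println(src, Suspicious(st))
	}
}
```

The guard on minSessions matters in practice: a single human visitor who looks at one page and leaves has a 100% bounce rate, so rates are only judged once a source has produced enough sessions, while the failed-login streak is judged immediately because a run of rejected logins from one source is suspicious on its own.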
http://fortune.com/2019/01/15/deepfakes-law/?fbclid=IwAR0irzRsbZMra5ApNgf_nEq1zIQAUmjcRJ-1mRpTvy3ZUkmbxPKibDOK1-s
Consumer Health Digest #19-09, 3 Mar 2019

According to a complaint by the Federal Trade Commission (FTC), Cure Encapsulations, Inc. and its owner, Naftula Jacobowitz: <https://www.ftc.gov/system/files/documents/cases/quality_encapsulations_complaint_2-26-19.pdf>

* paid a Web site, amazonverifiedreviews.com, to create and post Amazon reviews of their product "Quality Encapsulations Garcinia Cambogia Extract with HCA" capsules.
* falsely claimed that the product is an appetite-suppressing, fat-blocking, weight-loss pill.

Jacobowitz allegedly told the site's operator that the product needed to have an average rating of 4.3 out of 5 stars in order to have sales and to, "Please make my product ... stay a five star." The reviews were posted on Amazon and were represented as truthful and written by actual purchasers, when in reality they were fabricated. The FTC's complaint also alleges that the defendants made false and unsubstantiated claims on their Amazon product page, including through the purchased reviews, that their garcinia cambogia product is a "powerful appetite suppressant," "Literally BLOCKS FAT From Forming," causes significant weight loss, including as much as twenty pounds, and causes rapid and substantial weight loss, including as much as two or more pounds per week.

The proposed court order settling the FTC's complaint <https://www.ftc.gov/system/files/documents/cases/quality_encapsulations_proposed_order_2-26-19.pdf>:

* prohibits the defendants from making weight-loss, appetite-suppression, fat-blocking, or disease-treatment claims for any dietary supplement, food, or drug unless they have competent and reliable scientific evidence in the form of human clinical testing supporting the claims.
* requires them to have competent and reliable scientific evidence to support any other claims about the health benefits or efficacy of such products.
* prohibits them from making misrepresentations regarding endorsements, including that an endorsement is truthful or by an actual user.
* requires the defendants to email notices to consumers who bought the capsules detailing the FTC's allegations regarding their efficacy claims.
* requires the defendants to notify Amazon, Inc. that they purchased Amazon reviews of their Quality Encapsulations Garcinia Cambogia capsules and to identify to Amazon the purchased reviews.
* imposes a judgment of $12.8 million, which will be suspended upon payment of $50,000 to the Commission and the payment of certain unpaid income tax obligations. If the defendants are later found to have misrepresented their financial condition to the FTC, the full amount of the judgment will immediately become due.

[FTC brings first case challenging fake paid reviews on an independent retail website. <https://www.ftc.gov/news-events/press-releases/2019/02/ftc-brings-first-case-challenging-fake-paid-reviews-independent?utm_source=govdelivery> FTC news release. 26 Feb 2019]
https://www.cell.com/cell/fulltext/S0092-8674(15)01492-0

NYTimes https://www.nytimes.com/2019/03/02/opinion/sunday/diet-artificial-intelligence-diabetes.html

"Coming up with a truly personalized diet would require crunching billions of pieces of data about each person. In addition to analyzing the 40 trillion bacteria from about 1,000 species that reside in our guts, as the project I participated in did, it would need to take into account all of the aspects of that person's health, including lifestyle, family history, medical conditions, immune system, anatomy, physiology, medications and environment. This would require developing an artificial intelligence more sophisticated than anything yet on the market."

Risk: Dietary app guidance based on AI requires a randomized controlled trial to establish viability and merit before it can be reliably applied for human benefit.
The risks, I think, are self-evident.

The potential to deliver `one shot cures' is one of the most attractive aspects of gene therapy, genetically-engineered cell therapy and gene editing. However, such treatments offer a very different outlook with regard to recurring revenue versus chronic therapies, analyst Salveen Richter wrote in the note to clients Tuesday. "While this proposition carries tremendous value for patients and society, it could represent a challenge for genome medicine developers looking for sustained cash flow.''

Goldman Sachs asks in biotech research report: "Is curing patients a sustainable business model?''
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.cnbc.com_2018_04_11_goldman-2Dasks-2Dis-2Dcuring-2Dpatients-2Da-2Dsustainable-2Dbusiness-2Dmodel.html
"... the memo reveals that Sandberg's feminist memoir ["Lean In"] was perceived as a *lobbying tool* by the Facebook team and a means of winning support from female legislators for Facebook's wider agenda."

"[George Osborne] offered to host a launch for Sandberg's book in Downing Street, an event that went ahead in spring 2013."

Apparently, Sheryl Sandberg's relationship with feminism was transactional all along; she shamelessly traded on her feminist relationships in her attempts to destroy GDPR. But isn't privacy a feminist issue?
https://medium.com/@sarah_17279/gdpr-is-a-feminist-issue-79e8dd17e09f

Isn't Viviane Reding (GDPR's architect) a feminist?
https://www.theparliamentmagazine.eu/articles/interview/viviane-reding-data-protection-regulation-one-more-step-towards-digital-single

Famous Sandberg quotes:

"There's a special place in hell for women who don't help other women." -- Sheryl Sandberg

"Leadership is not bullying and leadership is not aggression. Leadership is the expectation that you can use your voice for good. That you can make the world a better place."—Sheryl Sandberg

https://www.theguardian.com/technology/2019/mar/02/facebook-global-lobbying-campaign-against-data-privacy-laws-investment

Revealed: Facebook's global lobbying against data privacy laws
Social network targeted legislators around the world, promising or threatening to withhold investment
Carole Cadwalladr & Duncan Campbell, *The Guardian*, modified 3 Mar 2019

Facebook has targeted politicians around the world--including the former UK chancellor, George Osborne--promising investments and incentives while seeking to pressure them into lobbying on Facebook's behalf against data privacy legislation, an explosive new leak of internal Facebook documents has revealed.
The documents, which have been seen by the Observer and Computer Weekly, reveal a secretive global lobbying operation targeting hundreds of legislators and regulators in an attempt to procure influence across the world, including in the UK, US, Canada, India, Vietnam, Argentina, Brazil, Malaysia and all 28 states of the EU. The documents include details of how Facebook:

* Lobbied politicians across Europe in a strategic operation to head off "overly restrictive" GDPR legislation. They include extraordinary claims that the Irish prime minister said his country could exercise significant influence as president of the EU, promoting Facebook's interests even though technically it was supposed to remain neutral.
* Used chief operating officer Sheryl Sandberg's feminist memoir Lean In to "bond" with female European commissioners it viewed as hostile.
* Threatened to withhold investment from countries unless they supported or passed Facebook-friendly laws.

The documents appear to emanate from a court case against Facebook by the app developer Six4Three in California, and reveal that Sandberg considered European data protection legislation a "critical" threat to the company. A memo written after the Davos economic summit in 2013 quotes Sandberg describing the "uphill battle" the company faced in Europe on the "data and privacy front" and its "critical" efforts to head off "overly prescriptive new laws".

Most revealingly, it includes details of the company's "great relationship" with Enda Kenny, the Irish prime minister at the time, one of a number of people it describes as "friends of Facebook". Ireland plays a key role in regulating technology companies in Europe because its data protection commissioner acts for all 28 member states. The memo has inflamed data protection advocates, who have long complained about the company's "cosy" relationship with the Irish government.
The memo notes Kenny's "appreciation" for Facebook's decision to locate its headquarters in Dublin and points out that the new proposed data protection legislation was a "threat to jobs, innovation and economic growth in Europe". It then goes on to say that Ireland is poised to take on the presidency of the EU and therefore has the "opportunity to influence the European Data Directive decisions". It makes the extraordinary claim that Kenny offered to use the "significant influence" of the EU presidency as a means of influencing other EU member states "even though technically Ireland is supposed to remain neutral in this role". It goes on: "The prime minister committed to using their EU presidency to achieve a positive outcome on the directive."

Kenny, who resigned from office in 2017, did not respond to the Observer's request for comment.

John Naughton, a Cambridge academic and Observer writer who studies the democratic implications of digital technology, said the leak was "explosive" in the way it revealed the "vassalage" of the Irish state to the big tech companies. Ireland had welcomed the companies, he noted, but became "caught between a rock and a hard place". "Its leading politicians apparently saw themselves as covert lobbyists for a data monster."

A spokesperson for Facebook said the documents were still under seal in a Californian court and it could not respond to them in any detail: "Like the other documents that were cherry-picked and released in violation of a court order last year, these by design tell one side of a story and omit important context."

The 2013 memo, written by Marne Levine, who is now a Facebook senior executive, was cc-ed to Elliot Schrage, Facebook's then head of policy and global communications, the role now occupied by Nick Clegg.
As well as Kenny, dozens of other politicians, US senators and European commissioners are mentioned by name, including then Indian president Pranab Mukherjee, Michel Barnier, now the EU's Brexit negotiator, and Osborne. The then chancellor used the meeting with Sandberg to ask Facebook to invest in the government's Tech City venture, the memo claims, and Sandberg said she would "review" any proposal. In exchange, she asked him to become "even more active and vocal in the European Data Directive debate and really help shape the proposals". The memo claims Osborne asked for a detailed briefing and said he would "figure out how to get more involved". He offered to host a launch for Sandberg's book in Downing Street, an event that went ahead in spring 2013.

Osborne told the Observer: "I don't think it's a surprise that the UK chancellor would meet the chief operating officer of one of the world's largest companies ... Facebook and other US tech firms, in private, as in public, raised concerns about the proposed European Data Directive. To your specific inquiry, I didn't follow up on those concerns, or lobby the EU, because I didn't agree with them." He noted it was "not a secret" that he had helped launch Sandberg's book at 11 Downing Street and added: "The book's message about female empowerment was widely praised, not least in the Guardian and the Observer."

In fact, the memo reveals that Sandberg's feminist memoir was perceived as a lobbying tool by the Facebook team and a means of winning support from female legislators for Facebook's wider agenda. In a particularly revealing account of a meeting with Viviane Reding, the influential European commissioner for justice, fundamental rights and citizenship, the memo notes her key role as "the architect of the European Data Directive" and describes the company's "difficult" relationship with her owing to her being, it claims, "not a fan" of American companies.
"She attended Sheryl's Lean In dinner and we met with her right afterward," the memo says, but notes that she felt it was a "very 'American' discussion", a comment the team regarded as a setback since "getting more women into C-level jobs and on boards was supposed to be how they bonded, and it backfired a bit".

The Davos meetings are just the tip of the iceberg in terms of Facebook's global efforts to win influence. The documents reveal how in Canada and Malaysia it used the promise of siting a new data centre with the prospect of job creation to win legislative guarantees. When the Canadians hesitated over granting the concession Facebook wanted, the memo notes: "Sheryl took a firm approach and outlined that a decision on the data center was imminent. She emphasized that if we could not get comfort from the Canadian government on the jurisdiction issue, we had other options." The minister supplied the agreement Facebook required by the end of the day, it notes.
It's bad enough when financial institutions don't practice what they preach, but it only compounds the confusion when they promise one thing and do the opposite. For example, Merrill Lynch recently posted this online alert: “Recently, some Merrill Lynch clients have reported receiving emails that appear to be from Merrill Lynch but which have, in fact, been sent by imposters. ... How can you tell the difference? Fraudulent emails typically include website links, and/or request you to provide personal information. Merrill Lynch has not and will not initiate a request for sensitive information via email.'' But when we reviewed a legitimate email sent by Merrill Edge, it did contain website links and invitations to click to `view statements'. When the link is clicked, it takes you to an account login page where Merrill requests sensitive information, in the form of your user ID and password. Thus, Merrill's own legitimate email is similar to the emails it warns could be bogus. https://www.checkbook.org/washington-area/phishing-scams-is-your-financial-institution-helping-cyberthieves/ The risk? Nothing new, just same old clueless companies.
https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/
Richi Jennings, Security Boulevard, 4 Mar 2019 Facebook has been caught red-handed again, so say privacy wonks. They accuse Zuckerberg's crew of misusing phone numbers given to it for use in two-factor authentication. Said wonks say Facebook is sharing the data with Instagram and WhatsApp to secretly link your profiles together. And that it lets miscreants look you up by your phone number, subjecting your identity to stalking, social engineering and other malicious awfulness. Facebook is also accused of violating GDPR, for using the numbers without consent. https://securityboulevard.com/2019/03/uproar-over-facebook-2fa-privacy-violation/ The risk? Facebook.
https://www.nytimes.com/2019/03/05/technology/uber-self-driving-car-arizona.html "Arizona prosecutors said Tuesday that they had not found evidence to charge Uber with a crime in connection with an accident in which one of its autonomous cars hit and killed a pedestrian in Tempe a year ago. "On March 18, 2018, a Volvo sport utility vehicle, one of several self-driving vehicles that Uber was testing, was traveling about 40 miles per hour when it hit Elaine Herzberg, 49, as she was walking her bicycle across the street at night, the authorities said. While the car was in autonomous mode, a safety driver was sitting in the driver's seat. The Yavapai County Attorney's Office, which reviewed the case, said in a letter dated Monday that there was 'no basis for criminal liability for the Uber corporation.' But it added that investigators should look into what the safety driver 'would or should have seen that night given the vehicle's speed, lighting conditions, and other relevant factors.'" A favorable prosecution determination: blame the carbon component, not the silicon. A jury trial on behalf of Ms. Herzberg's estate, if victorious, might terminate the entire AV technology industry.
Outdoor Tech makes the Chips 2.0 speakers for your audio-equipped ski helmet. It gives you the ability to have conversations with your other friends on the ski slope via a Bluetooth connection to your smartphone, and thence over the Internet. https://nakedsecurity.sophos.com/2019/03/06/ski-headphones-flaw-unlocks-mountain-of-user-data/ First problem: all the conversations go through Outdoor Tech's servers. Second problem: in order to set up conversations with your friends, you have to set up a group. You have to search for your friends' names. While searching, it turns out you can, with very little effort, find absolutely anyone who has registered the speakers. And their email addresses. And their phone numbers. You can also find out where they are. And reset their passwords. I'm going to recommend this for all my skiing friends who don't think security is important ...
Today someone noted that PDF signatures are broken: https://www.pdf-insecurity.org/index.html But I don't trust PDF signatures in any case. I am pretty sure that almost nobody knows how to use them. (I mean, really. How many security mavens who actually understand cryptography and PKI are there in comparison to the total number of people using tech they don't understand for almost all of their business functions?) For example: A certain entity which shall not be named (but whom we all know) has asked me to sign an NDA for a process which I can't tell you about because it's probably covered by the NDA. I don't have a PDF document creation program. So I signed the signature page (of the five page NDA), scanned that page, and sent it back. (Whilst looking for and printing the NDA PDF I noticed that it had "active" fields for name, address, etc. When I went to fill in the date, my reader [Foxit] offered to "sign" the document. I don't know how, since I'm not particularly aware of any certificates on my machine.) I got a message back from an admin saying that the legal team says a JPEG isn't good enough, and could I send in a PDF. No, I didn't go back and get Foxit to sign it. I opened a document in LibreOffice, inserted the JPEG, and "printed" it as a PDF. That seems to have been acceptable. (Although now they want a PDF of the whole five pages ...) Never attribute to technical faults that which can be adequately explained away by ignorance or pure, blind stupidity ...
Nicole Perlroth, *The New York Times*, 4 Mar 2019

In 2009, Google was hacked by the Chinese military. Now Chronicle, a security start-up owned by Google parent company Alphabet, plans to help other companies learn from that experience. The company's new Backstory product will make Alphabet's storage, indexing, and search capabilities available to other companies so they can trace the origins of a malicious attack. Chronicle is one of dozens of companies currently promising big data threat intelligence and storage. While many customers of other firms can't afford to pay to search through huge amounts of information, Chronicle says it will charge customer companies by their number of employees.
Yet again, Facebook is caught using data for other purposes than indicated at the time of collection (to phrase it in EU privacy law terms). Not that this ought to come as a surprise by now, it appears pretty much their modus operandi. This week's installment: "Another week, another Facebook privacy storm. This time, the Silicon Valley giant has been caught red-handed using people's cellphone numbers, provided exclusively for two-factor authentication, for targeted advertising and search—after it previously insinuated it wouldn't do that. Folks handing over their mobile numbers to protect their accounts from takeovers and hijackings thought the contact detail would be used for just that: security. Instead, Facebook is using the numbers to link netizens to other people, and target them with online ads." https://www.theregister.co.uk/2019/03/04/facebook_phone_numbers/
> Precisely because Congresspersons utilize robocalls *themselves* for their
> own re-election campaigns.

Yes, they exempt themselves but this is a somewhat self limiting issue due to campaign schedules. FWIW, in my experience if you tell a candidate to stop calling, they usually do.

> Who else loves robocalls? Phone companies themselves. Robocalls run up
> lucrative charges on accounts that would otherwise have *zero* traffic and
> minimum account charges.

This is simply false. Inter-company accounting these days is all bill and keep, so nobody gets paid for robocalls.

The problem is that the SS#7 signaling system was designed for a world in which there was a small number of telcos and they all knew each other so there wasn't any internal security, sort of like the early Internet. Through the magic of VoIP now anyone can dump a call into the network. The point of the IETF's STIR and SHAKEN is to add a cryptographic signature of the party injecting the call. (The telco or VoIP provider, not the individual caller.) People I know at large telcos say they're planning to do what is essentially spam filtering, lose dubious looking calls coming from parties with poor reputations.

> Who else loves robocalls? NSA/intelligence agencies. ...

Sorry, my tin foil hat is at the cleaners this week.
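The signature STIR/SHAKEN adds is made by the provider that injects the call, over claims about the call itself, and is checked by the provider that terminates it. The Go program below is an added illustration of that exchange written for this digest item, not code from the IETF or from any carrier. It is a deliberately simplified stand-in: a real PASSporT (RFC 8225) is a base64url-encoded JWT signed with ES256 and carries an x5u URL pointing at the signing provider's certificate, and the attestation levels come from the SHAKEN profile (RFC 8588); here the claims are a plain struct, the key is generated in-process instead of being fetched from a certificate, and the phone numbers are reserved fictional values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Passport is a simplified stand-in for the PASSporT claims (RFC 8225) that an
// originating provider signs under STIR (RFC 8224), with the SHAKEN attestation
// level from RFC 8588. The struct is constructed for this example.
type Passport struct {
	Orig   string `json:"orig"`   // calling number the provider vouches for
	Dest   string `json:"dest"`   // called number
	Iat    int64  `json:"iat"`    // issue time, Unix seconds
	Attest string `json:"attest"` // "A" full, "B" partial, "C" gateway attestation
	OrigID string `json:"origid"` // provider's opaque origination identifier
}

// SignedCall is what the terminating provider receives alongside the call setup.
type SignedCall struct {
	Claims Passport
	Sig    []byte // ASN.1 ECDSA signature over SHA-256 of the claims
}

// NewProviderKey makes the P-256 key a provider would hold; STIR mandates ES256.
func NewProviderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func digest(p Passport) []byte {
	b, _ := json.Marshal(p) // field order is fixed by the struct, so encoding is stable
	h := sha256.Sum256(b)
	return h[:]
}

// Sign is run by the telco or VoIP provider injecting the call, not by the caller.
func Sign(priv *ecdsa.PrivateKey, p Passport) (SignedCall, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(p))
	if err != nil {
		return SignedCall{}, err
	}
	return SignedCall{Claims: p, Sig: sig}, nil
}

// Verify is run by the terminating provider: the signature must check out under
// the originating provider's public key, the passport must be fresh (now and
// maxAge in Unix seconds), and the dest claim must match the number actually called.
func Verify(pub *ecdsa.PublicKey, sc SignedCall, calledNumber string, now, maxAge int64) error {
	if !ecdsa.VerifyASN1(pub, digest(sc.Claims), sc.Sig) {
		return errors.New("signature does not verify: claims altered or unknown signer")
	}
	if age := now - sc.Claims.Iat; age < 0 || age > maxAge {
		return errors.New("passport outside freshness window (replay or clock skew)")
	}
	if sc.Claims.Dest != calledNumber {
		return errors.New("dest claim does not match the called number")
	}
	return nil
}

func main() {
	priv, err := NewProviderKey()
	if err != nil {
		panic(err)
	}
	// Constructed call: the numbers are reserved fictional values, not real subscribers.
	p := Passport{Orig: "+12025550123", Dest: "+14155550199", Iat: 1700000000, Attest: "A", OrigID: "example-origid"}
	sc, _ := Sign(priv, p)
	fmt.Println("genuine call:", Verify(&priv.PublicKey, sc, p.Dest, p.Iat+5, 60))
	altered := sc
	altered.Claims.Orig = "+12025550999" // caller ID changed after signing
	fmt.Println("altered caller ID:", Verify(&priv.PublicKey, altered, p.Dest, p.Iat+5, 60))
	fmt.Println("replayed an hour later:", Verify(&priv.PublicKey, sc, p.Dest, p.Iat+3600, 60))
}
```

Note what the signature does and does not establish: it binds the calling number, the called number and the time to a provider's key, so a number rewritten after signing, a stale passport re-presented later, or a passport signed by a key the terminating side does not trust all fail verification. It says nothing about whether the call is wanted, which is why the reputation-based filtering mentioned above still sits on top of it.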
What happened to IBM has happened to most big US companies in the 2000's. Because of reduced regulations, corporations can make more money out of their share value than out of production. This means that IBM is no longer a computer company, Ford is no longer a car company, etc.—they are all stock brokerage companies, using their manufacturing part as an excuse. Companies are no longer committed to their product, even to their customers, and certainly not committed to their workers. (In another Big Company I'd worked at, even the wording of the CEO's New Year message had changed from "keep up the good work, generating value for our customers'' to "making value for our shareholders''.)

Consequently, anything which does not affect the share value, preferably within the next quarter, is being scaled down. Middle managers know that, but are helpless to do anything; they just grind their teeth and cut corners. If the increase in raw profits (or even the increase of the increase) stops rising for more than one quarter, shareholders will just take their money elsewhere, and they'd all be jobless overnight. (Upper management have their golden parachutes, of course.)

One effect is that IBM has been growing in the past decades by acquiring smaller companies which so far had escaped this fate, and can still do some serious R&D. These companies still exist intact as independent business units within IBM. So IBM is no longer a big company; it's becoming a conglomerate of smaller ones. (Some of the suggested future development ideas mentioned at the end of the ad are actually projects of companies acquired by IBM.)