Boeing is issuing a software upgrade for the troubled 737 MAX 8 aircraft in the coming weeks. (The announcement is fairly far down this article.) https://www.cbc.ca/news/world/boeing-upgrade-software-737-max-8-1.5052471 Presumably this will address some issues with the MCAS flight software. Hopefully the upgrade won't be online, with aircraft rebooting in mid-flight ... (I'm waiting for 737 MAX 8 ver. 3.0 ...) [Monty Solomon noted Boeing to Make Key Change in 737 MAX Cockpit Software. https://www.wsj.com/articles/boeing-to-make-key-change-in-max-cockpit-software-11552413489]
Excerpt: I woke up this morning to discover, yet again, that I was one of a stupidly large number of people whose personal data had been leaked in the latest mega breach. Troy Hunt's 'have i been pwned?' service informed me that 763,117,241 people have had their records leaked by Verifications IO: including verified emails, phone numbers, addresses, dates of birth, Facebook, LinkedIn and Instagram account details, credit scoring and even mortgage data such as amount owing and interest rates being charged. Which wasn't the best news to receive first thing on a Sunday morning. But then things got even worse, a lot worse. SC Media UK reports that Andrew Martin, CEO & founder of cybersecurity company DynaRisk, has revealed the true number of leaked records is much higher. How much higher? How does a total of 2,069,145,043 unencrypted records grab you? <https://haveibeenpwned.com/> <https://www.scmagazineuk.com/2-billion-records-leaked-breach-triple-size-earlier-reports/article/1578429> *So, what actually happened?* According to Bleeping Computer <https://www.bleepingcomputer.com/news/security/insecure-database-leads-to-over-800-million-records-data-breach/> an unprotected MongoDB database was discovered by security researcher Bob Diachenko. Having cross-referenced the data, sitting there in plain text, with the have i been pwned site, Diachenko was able to conclude this was fresh to the market new information and not just a dump of previously breached data as has been seen with the recent Collection 1 leak. <https://www.forbes.com/sites/daveywinder/2019/02/01/2-2-billion-accounts-found-in-biggest-ever-data-dump-how-to-check-if-youre-a-victim/> After doing some more investigative work, Diachenko was able to track the database back to the Verifications IO enterprise email validation service. This company validates bulk email lists for companies wanting to remove inactive addresses from newsletter mailouts. 
Diachenko reported, working alongside researcher Vinny Troia, that a total of 808,539,939 records had been leaked. The 'mailEmailDatabase' contained three sections: Emailrecords, emailWithPhone and businessLeads containing that data. However, DynaRisk CEO, Andrew Martin, also analyzed the data and came to the conclusion that on the one server exposed to the web there were actually four databases, not just the one. He told The Register <https://www.theregister.co.uk/2019/03/08/verificationio_database_hole/> "Our analysis was conducted over all four databases and extracted over two billion email addresses. The additional three databases were hosted on the same server, which is no longer accessible." *What data was leaked?* The security researcher who made the discovery, Bob Diachenko <https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/> says that "although not all records contained the detailed profile information about the email owner, a large amount of records were very detailed." That detail included commonplace breach data such as email addresses and phone numbers, but went far beyond the basics as well: information such as dates of birth, mortgage amounts and interest rates, and social media accounts related to the emails in question. But it doesn't stop there, you can also throw in basic credit scoring data, company names and revenue figures as well. *Should you be worried?* Yes, of course you should. This was, after all, a massive leak of the kind of personal information that would be a goldmine for the phishers and spammers of this world. However, that concern can be diluted by a number of factors. Not least there's the small matter that nobody has found any compelling evidence that the data has actually been used for any criminal purpose as of yet. Although the databases were accessible for some time, as soon as the problem was disclosed to Verifications IO the service was taken offline and remains so. 
Which means that bad guys alerted by this news won't be able to exploit it. What's just as important as what was in the breach is what wasn't. So, there were no social security numbers, no credit card numbers, no passwords. And, importantly, this was a leak not a hack: white hat researchers found the data was accessible rather than black hats looking to exploit it. *Can you mitigate your risk?...* [...] https://www.forbes.com/sites/daveywinder/2019/03/10/2-billion-unencrypted-records-leaked-in-marketing-data-breach-what-happened-and-what-to-do-next/ [Also noted by Jim Reisert and Rob Slade. PGN]
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/ The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too. ... Over the past decade or so, companies have been adding Internet connectivity and sensors to all kinds of industrial equipment. The data captured is being used for everything from predictive maintenance — which means using machine-learning models to better anticipate when equipment needs servicing — to fine-tuning production processes. There's also been a big push to control processes remotely through things like smartphones and tablets. All this can make businesses much more efficient and productive, which explains why they are expected to spend around $42 billion this year on industrial Internet gear such as smart sensors and automated control systems, according to the ARC Group, which tracks the market. But the risks are also clear: the more connected equipment there is, the more targets hackers have to aim at. ...
https://www.wsj.com/articles/navy-industry-partners-are-under-cyber-siege-review-asserts-11552415553
A database of all kinds of personal information about 1.8 million women in China has been found online. Who did it? Unknown. What's it for? Unknown. Oh, and one of the very personal info fields is "BreedReady." https://gizmodo.com/mysterious-leaked-database-labels-the-breedready-status-1833205396
https://www.wsj.com/articles/u-s-takes-on-chinas-huawei-in-undersea-battle-over-the-global-internet-grid-11552407466
The Journal of the American Medical Association (JAMA) has an article this morning describing 3 million simulated phishing emails sent to staff at 6 US healthcare systems. 14% resulted in a click. One finding was that the odds of clicking dropped to about 5% after 10 fake phishing campaigns. They did not test how many people would enter login credentials, but clearly some would, having trusted the link in the first place. https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2727270 "If the simulated email is clicked, it is used as a real-time opportunity to provide short phishing education to the employee." This missed the chance to teach about much bigger cyber weaknesses in healthcare. Displaying rotating messages about the multitude of cyber risks would help administrators and staff think about and reduce risks more widely. These efforts do not protect an organization from phishing. At a 5% click rate, emails to 24 recipients give a 70% chance that someone will click. There is no reliable way to tell phishing emails from legitimate emails. When people think an email looks suspicious, and send it for checking, 90% are "legitimate," which means most people cannot tell them apart. Sending them for checking simply prevents access to the 90% which are legitimate, since checkers rarely send them back. Advice never to click an email link is impractical too, since the world lives by such links. https://www.checkbook.org/washington-area/phishing-scams-is-your-financial-institution-helping-cyberthieves/ https://cofense.com/whitepaper/state-of-phishing-defense-2018/ Even JAMA and Checkbook send email links to their articles, these links ask for a login, and it can be hard to find the articles except by clicking. One of the JAMA authors used to work for a contractor which sent 135 million simulated phishing emails. 
They got similar click rates in every industry, so systems need to protect themselves with compartmentalization, data transfer only to other hardware-identified health systems, etc. https://cofense.com/wp-content/uploads/2017/10/PhishMe_EnterprisePhishingSusceptibilityReport_2015_Final.pdf The education offered upon a click is a good time to raise cyber security awareness, but it can't stop people clicking on emails. Emails to IT administrators can be filtered to remove all links, or this could apply after the first time (third time?) they click on a simulated phish.
Peter Holley, *The Washington Post*, 7 Mar 2019, via ACM TechNews 8 Mar 2019 New Zealand farmers are using drones to herd livestock, with some capable of emitting barks like dogs. One drone, the DJI Mavic Enterprise, can record sounds and play them over a loudspeaker, allowing the machine to mimic its canine counterparts. Shepherd Corey Lambeth said cows are less resistant to drones than to actual dogs, which means the machines move livestock faster, with less stress. The drones also let farmers monitor their land remotely, tracking water and feed levels, and checking on livestock health without upsetting the animals. Said farmer Jason Rentoul, "Being a hilly farm where a lot of stuff is done on foot, the drones really saved a lot of man-hours. The drone does the higher bits that you can't see [from the ground], and you would [otherwise] have to walk half an hour to go and have a look and then go, 'Oh, there was no sheep there.'" https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ec00x21abeax069424& [Risks? How about hacking into the drone, and reprogramming it to sound like a pack of wolves, to herd the sheep into waiting trucks? PGN]
The incidents occurred the same week a report revealed that Chinese hackers targeted more than two dozen universities in the U.S. and other countries in an effort to steal research about maritime technology being developed for military use. https://www.washingtonpost.com/education/2019/03/08/hackers-breach-admissions-files-three-private-colleges/ [More than three in today's news. Tuesday 12 Mar 2019. PGN]
https://www.scribd.com/document/401616402/Internet-of-Things-IoT-Cybersecurity-Improvement-Act-of-2019 via the Washington Post at https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/03/12/the-cybersecurity-202-security-pros-once-worried-trump-would-be-a-loose-cannon-in-cyberspace-now-they-praise-his-policies/5c8703381b326b2d177d6058 On paper, the senate bill establishes federal IoT baseline standards for certain "covered devices." These devices consist of: "(a) capable of connecting to and is in regular connection with the Internet; has computer processing capabilities that can collect, send, or receive data; and is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems." Generally, wireless medical devices (pacemakers, etc.), environmental controllers (Nest), Zigbee, etc. Should help reduce botnet co-opting via common vulnerabilities and exposures (CVEs). Risk: Organizational maturity that may prevent implementation compliance and operational vigilance after the policy is enacted into law.
I hold a Revolut Business account. A counter-party of mine holds a Revolut Personal account. Users in the Revolut Personal system are uniquely identified by their phone number. Some months ago I added this counter-party in my Revolut Business account and about two weeks ago made a (small - no need to shed tears) transfer to them. The transfer did not arrive. We then began a game of customer support ping-pong. Revolut Business assured me the transfer had succeeded, and referred me to Revolut Personal support. Revolut Personal assured my counter-party the transfer was unknown to them, and referred them to Revolut Business support. In the end, my counter-party and I realised for ourselves what had happened: my counter-party had, since I created their counter-party entry, changed their phone number—my information for them still used their old number. (The Revolut Business web-site does not display the phone number of a counter-party *anywhere*. In fact, you can retrieve the phone number of a counter-party only by contacting customer support.) Revolut Business support assert that if a transfer is made to a non-existent phone number, the transfer will fail. This is not correct (but this is expected - first line customer support for any larger company always and invariably is to truth what whiskey is to alcoholism). The transfer was made, but went silently into limbo. When we had noticed this had happened, and then later had worked out what had happened, and informed Revolut Personal customer support, providing the old number, they retrieved the funds and moved them to the counter-party's account. (I'm not sure how they validated their claim to the old number.) This begs the question as to what happens if the phone number has in the meantime been reused by the telco and another person has opened a Revolut account with that number and, for good measure, while we're asking questions, possibly spent those funds. 
(I would expect the customer to be held completely and fully responsible for using the wrong phone number.) In the existing banking system, the unique ID for an account is controlled by the bank itself. They do not re-use IDs, or only knowingly re-use IDs. In the Revolut system, the unique ID for the account is controlled by the telco, who are oblivious to the existence of Revolut and, with a complete lack of consideration for FinTech startups, re-use IDs. (Please bear strongly in mind it is impossible for me to verify or even discuss any of this information with Revolut, so it could be there is a flaw, or many, in my understanding. What I have written is what is true to the best of my knowledge.) In general, phone numbers as unique IDs are now not uncommon. This issue of a third party controlling ID would seem then on the face of it to extend potentially to all such systems, and when there are a range of systems facing the same challenge, there exists a range of success in the response to that challenge. (Actually, using a phone number as an ID is, I think, always extremely unwise, since it enables your identity to be linked up to third party information. Privacy is best served with a web-based burner email address service, such as mailinator, accessed via Tor. However, burner mobile phones can be found on Amazon for 10 USD. Remember the phone has a unique ID, and the SIM also, so you need to change both the phone and the SIM; never re-use a burner phone with multiple SIMs. Also remember when you do use it, don't use it at home - you will be geolocated by the telco, and that will also give you away. Go somewhere you've never been before, and never go there again. Actually of course, none of this I mean seriously, rather, I write it to show how much specialist knowledge, and effort, is required to be anonymous.)
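A small model of the two identifier designs the post contrasts (phone number as the account key versus a bank-issued immutable id with the phone number as a mutable alias), added here as an illustration; it is not the poster's code or Revolut's system, and the ledgers, names and phone numbers are constructed.

```python
"""Constructed model: why an externally controlled, reusable identifier
(a phone number) makes a poor primary key for a payee record."""
from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass
class Outcome:
    status: str                 # "delivered", "limbo" or "rejected"
    recipient: Optional[str]    # display name of whoever actually received the funds


class PhoneKeyedLedger:
    """Phone number is the primary key: the telco, not the bank, controls it."""

    def __init__(self):
        self.accounts = {}   # phone -> {"name": ..., "balance": ...}
        self.limbo = {}      # phone -> amount parked under a number nobody owns

    def open(self, phone, name):
        self.accounts[phone] = {"name": name, "balance": 0}

    def change_phone(self, old, new):
        # The old key simply vanishes; nothing tells payers who stored it.
        self.accounts[new] = self.accounts.pop(old)

    def transfer(self, to_phone, amount):
        acct = self.accounts.get(to_phone)
        if acct is None:
            # Sender sees "success" while the money sits unowned (the post's limbo).
            self.limbo[to_phone] = self.limbo.get(to_phone, 0) + amount
            return Outcome("limbo", None)
        acct["balance"] += amount
        return Outcome("delivered", acct["name"])


class BankKeyedLedger:
    """Bank issues an immutable account id; the phone number is only an alias
    resolved once, when the counter-party record is created."""

    def __init__(self):
        self._ids = itertools.count(1000)
        self.accounts = {}   # account_id -> {"name": ..., "balance": ...}
        self.alias = {}      # phone -> account_id

    def open(self, phone, name):
        acct_id = f"ACC{next(self._ids)}"
        self.accounts[acct_id] = {"name": name, "balance": 0}
        self.alias[phone] = acct_id
        return acct_id

    def change_phone(self, old, new):
        self.alias[new] = self.alias.pop(old)   # stored payee records are unaffected

    def add_counterparty(self, phone):
        """Store the stable id, never the phone; unknown numbers fail at entry time."""
        acct_id = self.alias.get(phone)
        if acct_id is None:
            raise LookupError(f"no account registered under {phone}")
        return acct_id

    def transfer(self, to_account_id, amount):
        acct = self.accounts.get(to_account_id)
        if acct is None:
            return Outcome("rejected", None)   # fail loudly; nothing is parked
        acct["balance"] += amount
        return Outcome("delivered", acct["name"])


def scenario(ledger_cls):
    """Payee added, payee later changes number, telco reuses the old number."""
    ledger = ledger_cls()
    ledger.open("+44700000001", "Alice")                      # constructed payee
    saved = (ledger.add_counterparty("+44700000001")
             if hasattr(ledger, "add_counterparty") else "+44700000001")
    ledger.change_phone("+44700000001", "+44700000002")
    first = ledger.transfer(saved, 10)      # payment made to the stored record
    ledger.open("+44700000001", "Stranger")  # telco reissued the old number
    second = ledger.transfer(saved, 10)     # who gets it now?
    return first, second


if __name__ == "__main__":
    for cls in (PhoneKeyedLedger, BankKeyedLedger):
        print(cls.__name__, scenario(cls))
```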
As a parent, you might walk past your child's room and see her happily typing away on a Google Docs page. “Lovely!”, you think. “She's probably working on her science report or finishing up her essay on the rise of RBG.” Or, she could be in a secret chat room. In today's edition of Let's Try to Stay One Step Ahead of Our Kids on the Internet (spoiler: we can't!), we're offering this heads-up: Some are using Google Docs, the seemingly wholesome web-based word processor, to skirt their parents' tech rules. It's impressive, really. All they need to do is open up a document, invite their friends to become collaborators, and boom -- they have a private space to chat, draw, share links, upload photos and post memes. Google Docs is hardly a program parents think to block (in fact, on tech message boards, I've seen several parents asking how to ban everything except for the software) and many kids already have accounts for school. After the chat session, they can simply delete the document and empty their Trash folder without leaving any record. https://offspring.lifehacker.com/how-kids-are-using-google-docs-to-bully-each-other-1833151374
https://www.bbc.com/news/world-us-canada-47510038 "A doctor in California told a patient he was going to die using a robot with a video-link screen. "Ernest Quintana, 78, was at Kaiser Permanente Medical Center in Fremont when a doctor - appearing on the robot's screen - informed him that he would die within a few days. "A family friend wrote on social media that it was 'not the way to show value and compassion to a patient'. "The hospital says it 'regrets falling short' of the family's expectations. "Mr Quintana died the next day." "Michelle Gaskill-Hames, senior vice-president of Kaiser Permanente Greater Southern Alameda County, told the Associated Press that its policy was to have a nurse or doctor in the room when remote consultations took place." Risk: Telemedicine's convenience eliminates compassion from healthcare delivery, especially for acute patient illness. [Also noted by Mark Thorson. PGN]
https://www.straitstimes.com/singapore/drowning-detection-system-to-be-set-up-at-28-public-pools Silicon supplements lifeguard vigilance. Risk: Image recognition to detect drowning swimmer and alert public safety/lifeguard response.
Let's say we first print something bad, then we cover it up with something good. And say we really shouldn't print something bad in the first place, but it doesn't matter, because at today's speeds, users will surely never notice. https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34477 Got me thinking about this.
Some U.S. states are mulling proposals to adopt Daylight Saving Time year round—I'm aware of California and Florida, for example. At least one Canadian province (British Columbia) is considering doing the same. It occurs to me that if states in the Eastern time zone (UTC-5; UTC-4 in summer) adopt year-round DST, this will break WWVB-based "atomic clocks" in those states during the winter (November through early March). WWVB-based clocks currently on the market in the US offer four time zones (Pacific, Mountain, Central, and Eastern), plus an option either to move between standard and daylight time per the US-wide rules or to stay permanently on standard time. If California goes to year-round DST, "atomic clock" owners in CA could set their clocks to use Mountain time with no DST. These option settings do not provide any way to specify Eastern daylight time during winter, however, so if an east-coast state (like Florida) moves to year-round DST, "atomic" clocks in use there will be an hour off for four months out of the year. Two possible solutions would be either to add a third DST setting (i.e., DST always on), or else to add a fifth time zone (Atlantic) and tell consumers in the affected states to select Atlantic time with no DST. Affected consumers would, of course, need to buy new clocks, since it's impossible to upgrade the firmware in existing clocks.
*The cybersecurity company says it's seen hackers get deep access into the Macs of regular users.* EXCERPT: It's long been legend that Macs are harder to hack than other computers. Not only are they said to be more secure, but fewer people use them, so hackers have less incentive to break in. <https://www.cnet.com/tags/hacking/> Cybersecurity company Crowdstrike is happy to bust that myth. At the RSA Conference on Thursday, CEO George Kurtz and CTO Dmitri Alperovitch detailed hacking techniques they've seen used to do a host of bad things on Apple-built computers. <https://www.cnet.com/apple/> Attackers can trick Mac users into downloading malicious software and then get deep access into the computer, the Crowdstrike executives said. They also have tools to loot the system's keychain for more passwords and build backdoors into the machines, allowing hackers to have repeated access. "They have interesting tradecraft on Macs," Alperovitch said of the hackers. The Crowdstrike presentation comes in the wake of a flaw found in Apple's Facetime app <https://www.cnet.com/news/apples-facetime-bug-was-discovered-by-a-teen-playing-fortnite/> that could have let hackers listen in on unwitting iPhone <https://www.cnet.com/reviews/apple-iphone-xs-review/> users, as well as a vulnerability in the keychain <https://www.cnet.com/news/keysteal-exploit-attacks-macos-keychain-to-take-all-your-passwords/> which stores the passwords of apps connected to a Mac. Taken together, these flaws mean Mac users should take steps to keep their computers secure instead of relying on Apple's reputation for security to keep them safe... [...] https://www.cnet.com/news/hackers-can-get-into-macs-with-sneaky-tricks-crowdstrike-experts-say/
Lindsey Bever, *The Washington Post*, 10 Mar 2019 A woman was attacked by a jaguar as she was apparently trying to get a photo outside the big cat's enclosure at Wildlife World Zoo in Arizona, authorities said. Shawn Gilleland, a spokesman for the Rural Metro Fire Department, told The Washington Post on Sunday that fire crews said the woman, who is in her 30s, climbed over a barrier at the zoo Saturday to get closer to the jaguar's enclosure so that she could get a selfie with the animal. The jaguar reached out and grabbed her arm with its paw, leaving lacerations, Gilleland said. https://www.washingtonpost.com/science/2019/03/10/woman-was-trying-take-selfie-with-jaguar-when-it-attacked-her-authorities-say/
Supporters of enterprise blockchains say they tend to work best in situations where people want to share tamper-resistant data among many parties. Critics of the technology argue that it offers little in the way of improvement over traditional database software; still other critics say the technology doesn't truly qualify as a blockchain unless it is public and open and has a cryptocurrency, like Bitcoin, tied to it. http://fortune.com/2019/03/08/tuna-blockchain-bumble-bee-sap/ As usual, no explanation of what "tracking tuna on a blockchain" MEANS... ...as in, how is an individual fish—or shipment—irrevocably tied to a transaction or data? [O ForTuna! (Carl Orff, Carmina Burana) PGN]
The Swiss challenge to hack their voting system has moved along. Three independent research groups have announced a vulnerability that permits the undetectable insertion of bogus votes (and alteration of existing ones?). https://motherboard.vice.com/en_us/article/zmakk3/researchers-find-critical-backdoor-in-swiss-online-voting-system https://people.eng.unimelb.edu.au/vjteague/SwissVote
One of the URLs listed in the Editorial comment had health-data links that shared an ironic similarity with some Facebook postings. https://www.naturalhealth365.com/vaccinations-autism-news-2849.html By comparison, a Slashdot article noted: https://science.slashdot.org/story/19/03/06/1523258/decade-long-study-measles-vaccine-doesnt-cause-autism-even-in-high-risk-kids I have followed RISKS for decades, finding that it provides education and information not widely available. I did not expect to be reminded of a newspaper city editor's skepticism in "if your mother says she loves you, check it out." (I recognize that this email is likely to be trashed. [No. Sorry, I could not do that. PGN] Thus the reference to who will bell the cat. I do find your work on RISKS large-hearted and helping inestimably in pushing back the FUD.) Mark Norem
Here in Canada a number of classes of operations are exempt from having to comply with the National CRTC Do Not Call List, in particular politicians and their Opinion Polling Allies, among other exceptions. However each of these entities is required to clearly identify themselves, and to stop talking if you interrupt. At that point you can order them to add your number to their own internal Do Not Call List, giving you a confirmation code. After that they cannot call you again. This seems to be cloaked in Security by Obscurity; few people seem aware of these secondary DNC lists. https://crtc.gc.ca/eng/phone/telemarketing/reg.htm
"Am I an exempt telemarketer?
* registered charities raising funds
* newspapers looking for subscriptions
* political parties and their candidates
* companies who only make telemarketing calls and send faxes to businesses
Being an exempt telemarketer does not eliminate your responsibility to maintain your own internal do not call list.
* You must also maintain your own internal do not call list ...
* You can't call or send faxes to the consumers on your own internal do not call lists."
Is Your Seatmate Googling You? (NYTimes) We underestimate the risks to privacy in our everyday, offline lives. Read More... <https://nyti.ms/2UrV2NE?smid=nytcore-ios-share>