Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of the Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
https://thehill.com/opinion/cybersecurity/445746-russia-hacked-us-we-made-it-far-too-easy-and-still-do
'The coffin is leaking its poison into the surrounding environment,' warns local official, amid growing fears of radioactive disaster. https://www.timesofisrael.com/on-a-pacific-island-a-nuclear-dome-left-behind-by-the-us-begins-to-crack/ Infrastructure? What's that?
https://www.cbc.ca/news/canada/toronto/passengers-stranded-as-air-canada-technical-outage-stymies-airport-operations-check-ins-1.5153669
In terms of both bandwidth and compute power, the new setup is five times more capable than the system underpinning GM's current cars, the rough equivalent of going from the original iPhone to the iPhone 7. And so more cars will get Cadillac's Super Cruise semiautonomous driving system and other active safety features. GM will now be able to issue over-the-air software updates, improving how its engines run or how its suspensions handle bumpy roads, even years after a car has been sold. (This idea is old hat for smartphone users and Tesla drivers, but still new to most automakers.) More processing power allows for better resolution on screens. Smarter battery management systems can squeeze more miles out of electric cars' batteries. https://www.wired.com/story/gm-gives-vehicles-new-soul/ Over-the-air software updates. Minimal discussion of security. What could go wrong?
The ancient Lydian king Croesus—yes, THAT rich king Croesus—"turned to the Delphic oracle and the oracle of Amphiaraus to inquire whether he should pursue this campaign [against Persia] and whether he should also seek an alliance. The oracles answered, with typical ambiguity, that if Croesus attacked the Persians, he would destroy a great empire—this would become one of the most famous oracular statements from Delphi [after Croesus was defeated]."[1] [1] https://en.wikipedia.org/wiki/Croesus Mustard gas and other poisonous gases were used to devastating effect in WWI, although outlawed by multiple conventions both before and since. The subsequent use of poisonous gases has since been vastly reduced—not due so much to the effectiveness of these international treaties, but to the fact that the gases are indiscriminate, and have a tendency to "blow back" on those using them as weapons. [2] https://en.wikipedia.org/wiki/Chemical_weapons_in_World_War_I Computer scientists have been warning for quite a while about "blowback" ("CIA internal coinage denoting the unintended, harmful consequences—to friendly populations and military forces—when a given weapon is used beyond its purpose as intended by the party supplying it" [3]) from cyberweapons such as STUXNET. Unlike most "kinetic" weapons, which leave little trace after their use, the core problem with cyberweapons is that in the overwhelming percentage of uses, the digital pieces of the cyberweapon continue to exist after the attack, and can be repurposed for counter-attacks. In this way, cyberweapons are like poison gas, which isn't instantly neutered after achieving its killing purpose, but remains toxic to non-combatants as well as to the original users. [3] https://en.wikipedia.org/wiki/Blowback_(intelligence) The billion-dollar blowback from EternalBlue continues [3] without any apologies from the NSA, which developed it ("Adm. Michael S. Rogers, who was director of the NSA during the Shadow Brokers leak [including EternalBlue], suggested in unusually candid remarks that the agency should not be blamed for the long trail of damage." [4]). Yet the FBI and the Five Eyes around the world continue their push for "back doors" in encryption, completely clueless about the even greater repercussions possible in the form of blowback from the compromise of such encryption backdoors. Dona NOBUS Pacem, indeed! [4] https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html In Baltimore and Beyond, a Stolen NSA Tool Wreaks Havoc Nicole Perlroth and Scott Shane, The New York Times, 25 May 2019 https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. But here is what frustrated city employees and residents do not know: A key component of the malware that cybercriminals used in the attack was developed at taxpayer expense a short drive down the Baltimore-Washington Parkway at the National Security Agency, according to security experts briefed on the case. Since 2017, when the NSA lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the NSA's own backyard. It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs.
The NSA connection to the attacks on American cities has not been previously reported, in part because the agency has refused to discuss or even acknowledge the loss of its cyberweapon, dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers. Years later, the agency and the Federal Bureau of Investigation still do not know whether the Shadow Brokers are foreign spies or disgruntled insiders. Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode "the most destructive and costly NSA breach in history," more damaging than the better-known leak in 2013 from Edward Snowden, the former NSA contractor. "The government has refused to take responsibility, or even to answer the most basic questions," Mr. Rid said. "Congressional oversight appears to be failing. The American people deserve an answer." The NSA and FBI declined to comment. Since that leak, foreign intelligence agencies and rogue actors have used EternalBlue to spread malware that has paralyzed hospitals, airports, rail and shipping operators, ATM's and factories that produce critical vaccines. Now the tool is hitting the United States where it is most vulnerable, in local governments with aging digital infrastructure and fewer resources to defend themselves. Before it leaked, EternalBlue was one of the most useful exploits in the NSA's cyberarsenal. According to three former NSA operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft's software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers—a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions. 
EternalBlue was so valuable, former NSA employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The Baltimore attack, on 7 May, was a classic ransomware assault. City workers' screens suddenly locked, and a message in flawed English demanded about $100,000 in Bitcoin to free their files: "We've watching you for days," said the message, obtained by The Baltimore Sun. "We won't talk more, all we know is MONEY! Hurry up!" Today, Baltimore remains handicapped as city officials refuse to pay, though workarounds have restored some services. Without EternalBlue, the damage would not have been so vast, experts said. The tool exploits a vulnerability in unpatched software that allows hackers to spread their malware faster and farther than they otherwise could. North Korea was the first nation to co-opt the tool, for an attack in 2017—called WannaCry—that paralyzed the British health care system, German railroads and some 200,000 organizations around the world. Next was Russia, which used the weapon in an attack—called NotPetya—that was aimed at Ukraine but spread across major companies doing business in the country. The assault cost FedEx more than $400 million and Merck, the pharmaceutical giant, $670 million. The damage didn't stop there. In the past year, the same Russian hackers who targeted the 2016 American presidential election used EternalBlue to compromise hotel Wi-Fi networks. Iranian hackers have used it to spread ransomware and hack airlines in the Middle East, according to researchers at the security firms Symantec and FireEye. "It's incredible that a tool which was used by intelligence services is now publicly available and so widely used," said Vikram Thakur, Symantec's director of security response. 
One month before the Shadow Brokers began dumping the agency's tools online in 2017, the NSA—aware of the breach—reached out to Microsoft and other tech companies to inform them of their software flaws. Microsoft released a patch, but hundreds of thousands of computers worldwide remain unprotected. Hackers seem to have found a sweet spot in Baltimore, Allentown, Pa., San Antonio and other local, American governments, where public employees oversee tangled networks that often use out-of-date software. Last July, the Department of Homeland Security issued a dire warning that state and local governments were getting hit by particularly destructive malware that now, security researchers say, has started relying on EternalBlue to spread. Microsoft, which tracks the use of EternalBlue, would not name the cities and towns affected, citing customer privacy. But other experts briefed on the attacks in Baltimore, Allentown and San Antonio confirmed the hackers used EternalBlue. Security responders said they were seeing EternalBlue pop up in attacks almost every day. Amit Serper, head of security research at Cybereason, said his firm had responded to EternalBlue attacks at three different American universities, and found vulnerable servers in major cities like Dallas, Los Angeles and New York. The costs can be hard for local governments to bear. The Allentown attack, in February last year, disrupted city services for weeks and cost about $1 million to remedy—plus another $420,000 a year for new defenses, said Matthew Leibert, the city's chief information officer. He described the package of dangerous computer code that hit Allentown as "commodity malware," sold on the dark web and used by criminals who don't have specific targets in mind. "There are warehouses of kids overseas firing off phishing emails," Mr. Leibert said, like thugs shooting military-grade weapons at random targets. 
The malware that hit San Antonio last September infected a computer inside Bexar County sheriff's office and tried to spread across the network using EternalBlue, according to two people briefed on the attack. This past week, researchers at the security firm Palo Alto Networks discovered that a Chinese state group, Emissary Panda, had hacked into Middle Eastern governments using EternalBlue. "You can't hope that once the initial wave of attacks is over, it will go away," said Jen Miller-Osborn, a deputy director of threat intelligence at Palo Alto Networks. "We expect EternalBlue will be used almost forever, because if attackers find a system that isn't patched, it is so useful." Until a decade or so ago, the most powerful cyberweapons belonged almost exclusively to intelligence agencies—NSA officials used the term "NOBUS," for "nobody but us," for vulnerabilities only the agency had the sophistication to exploit. But that advantage has hugely eroded, not only because of the leaks, but because anyone can grab a cyberweapon's code once it's used in the wild. Some FBI and Homeland Security officials, speaking privately, said more accountability at the NSA was needed. A former FBI official likened the situation to a government failing to lock up a warehouse of automatic weapons. In an interview in March, Adm. Michael S. Rogers, who was director of the NSA during the Shadow Brokers leak, suggested in unusually candid remarks that the agency should not be blamed for the long trail of damage. "If Toyota makes pickup trucks and someone takes a pickup truck, welds an explosive device onto the front, crashes it through a perimeter and into a crowd of people, is that Toyota's responsibility?" he asked. "The NSA wrote an exploit that was never designed to do what was done." At Microsoft's headquarters in Redmond, Wash., where thousands of security engineers have found themselves on the front lines of these attacks, executives reject that analogy. 
"I disagree completely," said Tom Burt, the corporate vice president of consumer trust, insisting that cyberweapons could not be compared to pickup trucks. "These exploits are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They're inherently dangerous. When someone takes that, they're not strapping a bomb to it. It's already a bomb." Brad Smith, Microsoft's president, has called for a "Digital Geneva Convention" to govern cyberspace, including a pledge by governments to report vulnerabilities to vendors, rather than keeping them secret to exploit for espionage or attacks. Last year, Microsoft, along with Google and Facebook, joined 50 countries in signing on to a similar call by French President Emmanuel Macron—the Paris Call for Trust and Security in Cyberspace—to end "malicious cyber-activities in peacetime." Notably absent from the signatories were the world's most aggressive cyberactors: China, Iran, Israel, North Korea, Russia—and the United States. A version of this article appears in print on Page A1 of the New York edition with the headline: Cities Hijacked By Tool Stolen From the NSA.
https://arstechnica.com/information-technology/2019/05/fake-cryptocurrency-apps-on-google-play-try-to-profit-on-bitcoin-price-surge/
https://www.nytimes.com/2019/05/25/technology/huawei-rural-wireless-service.html Many small carriers depend on inexpensive equipment from the Chinese company. Now they must rethink expansion plans, and perhaps replace existing gear.
One false assumption that some programmers make is that zip codes everywhere are like American ones. Years ago my American bank's web site insisted on being given my 5-digit zip code. But NZ "zip codes", called postcodes here, have only 4 digits. So do Australian ones. That made the web site unusable, and was my first proof that the bank didn't care about its foreign customers. School of Mathematics and Statistics, Victoria Univ. of Wellington, PO Box 600, Wellington 6140, New Zealand.
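The failure described above is a validation rule written for one country and applied to every customer. The following is an added example, not code from the original post or from the bank in question: a small postcode validator that keys the pattern on the customer's country, with the US-only rule shown beside it so the difference is visible. The country patterns and the sample inputs are constructed for this illustration (the Wellington 6140 postcode is taken from the poster's signature); the table is not an authoritative or complete list of postal formats.

```python
import re

# Per-country postcode patterns (constructed for this example; a handful of
# countries only, not an exhaustive or authoritative list).
POSTCODE_PATTERNS = {
    "US": re.compile(r"\d{5}(?:-\d{4})?"),         # ZIP or ZIP+4
    "NZ": re.compile(r"\d{4}"),                    # New Zealand postcodes
    "AU": re.compile(r"\d{4}"),                    # Australian postcodes
    "CA": re.compile(r"[A-Z]\d[A-Z] ?\d[A-Z]\d"),  # Canadian, e.g. K1A 0B1
    "DE": re.compile(r"\d{5}"),                    # German Postleitzahl
}


def validate_us_only(code):
    """The assumption criticised in the post: every postcode is a 5-digit US ZIP."""
    return re.fullmatch(r"\d{5}", code.strip()) is not None


def validate_postcode(code, country):
    """Validate a postcode against the pattern for an ISO 3166-1 alpha-2 country.

    Returns (ok, reason).  For a country with no pattern on file the code is
    accepted after a loose charset/length sanity check, so an unlisted country
    never locks a real customer out; the reason string lets the caller log it.
    """
    normalized = code.strip().upper()
    pattern = POSTCODE_PATTERNS.get(country.strip().upper())
    if pattern is None:
        if re.fullmatch(r"[A-Z0-9 -]{3,10}", normalized):
            return True, "no pattern for country; accepted after sanity check"
        return False, "no pattern for country and failed sanity check"
    if pattern.fullmatch(normalized):
        return True, "matches pattern for " + country.strip().upper()
    return False, "does not match pattern for " + country.strip().upper()


def compare_validators(samples):
    """Run constructed (code, country) samples through both validators.

    Returns a list of (code, country, us_only_result, country_aware_result).
    """
    return [
        (code, country, validate_us_only(code), validate_postcode(code, country)[0])
        for code, country in samples
    ]


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    samples = [
        ("6140", "NZ"),       # Wellington, from the poster's signature
        ("2000", "AU"),       # Sydney CBD
        ("K1A 0B1", "CA"),    # Ottawa, with the space Canadian addresses use
        ("90210", "US"),      # a US ZIP that both validators accept
        ("90210-1234", "US"), # ZIP+4: rejected by the naive rule too
        ("6140", "US"),       # a 4-digit code declared as US is still wrong
    ]
    for code, country, naive, aware in compare_validators(samples):
        print(f"{code!r:14} {country}: us_only={naive!s:5} country_aware={aware}")
```

The point of returning a reason string rather than a bare boolean is operational: a form that silently rejects a valid foreign postcode looks, to the customer, exactly like the bank not caring, while a logged "does not match pattern for US" beside a non-US billing address is the signal that the rule, not the customer, is wrong.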
If you own a smart phone, this has probably happened to you: you're talking to someone about a product or activity, and ads for it start popping up on your social media. You may think it's a coincidence—or you're paranoid—but experts say it's neither. If you have a smartphone, it's hard to hide. There is a privacy feature that lets you turn off certain apps that are tracking your location. But that doesn't keep them from seeing other information. "You get apps, and they're free, and there has to be a cost because the app developer has to make money," Special Agent Steven Foster with the GBI Cyber-Unit said. The cost? Your privacy... https://www.wrdw.com/nbc26/content/news/No-your-smartphone-is-not-listening-to-you-but-the-free-apps-youre-downloading-are-tracking-your-every-move-510559571.html
The electric car company Tesla admits it has been lacking in servicing its vehicles. One man in Massachusetts has taken to restoring and fixing Teslas <https://www.wbur.org/bostonomix/2019/04/08/with-blowtorches-and-spare-parts-massachusetts-man-fills-teslas-repair-void>. But getting parts—and Tesla's support—has not been easy. WBUR's Quincy Walters https://www.wbur.org/hereandnow/2019/05/28/tesla-repair-service
It's the middle of the night. Do you know who your iPhone is talking to? Apple says, "What happens on your iPhone stays on your iPhone." Our privacy experiment showed 5,400 hidden app trackers guzzled our data—in a single week. https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/ And (way too long and WAY too cheery): Inside Apple's top secret testing facilities where iPhone defences are forged in temperatures of -40C https://www.independent.co.uk/life-style/gadgets-and-tech/features/apple-iphone-privacy-security-park-interview-federighi-a8925291.html
Stilgherrian for The Full Tilt | 30 May 2019 https://www.zdnet.com/article/employees-not-the-target-of-encryption-laws-home-affairs/ Australian developers really do need to relax. Cops and spooks are being told very clearly that the Assistance and Access Act isn't for dragooning you into deceiving your bosses. [Relax? With security?] [selected text] This reinforces expert views that the laws are "highly unlikely" to force employees to deceive their bosses, while also stating the intention of the DHA staffer who drafted the laws. ["highly unlikely" is not terribly reassuring.] "It is important to note outright that these new measures cannot be used in a manner that would jeopardise the cybersecurity of innocent parties for the sake of facilitating greater government access to communications content and data." [I smell a confusion between "cannot" and "should not".] Much of the controversy has been triggered by the Act's vague definitions, and not just that "designated communications provider" is a three-page list of everyone from a major telco down to the operator of a personal website. The guide says that it's an "interim step while more comprehensive guidance" is developed.
https://www.theguardian.com/cities/2019/may/29/new-york-facial-recognition-cameras-apartment-complex Tenants in a New York City apartment complex are fighting their landlord's effort to install a facial recognition system to access parts of the buildings, calling it an affront to their privacy rights. [...] At Atlantic Plaza Towers in the Brownsville neighborhood of Brooklyn, the landlord, Nelson Management Group, is moving to install a new system to control entry into the buildings. It would use facial recognition to open the front door for recognized tenants rather than traditional keys or electronic key fobs. More than 130 tenants have, however, filed a formal complaint with the state seeking to block the application. "We do not want to be tagged like animals," said Icemae Downes, who has lived at Atlantic Plaza Towers since it opened 51 years ago. "We are not animals. We should be able to freely come in and out of our development without you tracking every movement."
Charlie Osborne for Zero Day | 24 May 2019 Staff members have allegedly abused their positions to spy on Snapchat users. https://www.zdnet.com/article/snapchat-internal-tools-used-to-spy-on-users-pillage-their-data/ Snapchat has internal tools dedicated to accessing consumer data and these same tools have been subject to abuse by employees. According to a report published by Motherboard, "multiple" members of staff have abused their positions and used their privileges to access these tools and spy on users.
On May 5 Boeing issued a press release about the significance of the AOA Disagree alert on 737 MAX airplanes. https://boeing.mediaroom.com/news-releases-statements?item=130431 It says: "Neither the angle of attack indicator nor the AOA Disagree alert are necessary for the safe operation of the airplane." This misrepresents the situation. Once the MCAS takes control of the airplane away from the pilots, the single AOA sensor that the MCAS chooses to use must function correctly for the airplane to function safely. Since MCAS doesn't use the airplane's two AOA sensors in a redundant mode, the AOA Disagree alert is a vital indication to the pilots that MCAS is malfunctioning and that corrective action is needed. When the acting head of the FAA testified before the House Transportation Committee a week and a half later, he said he thought Boeing should have explained MCAS more completely, he implicitly supported Boeing's claim that MCAS is not a safety-critical system, then he blamed the flight crews for the crashes. https://www.nytimes.com/2019/05/15/us/politics/boeing-faa-congress.html Self certification is especially troublesome when it's linked with regulatory capture.
Probably not news to RISKS readers, but there was a critique of the EU's General Data Protection Regulation in this weekend's newspaper—web article behind a paywall, summary follows: https://www.telegraph.co.uk/business/2019/05/24/time-press-delete-europes-failed-data-protection-rules/

> It's time to press delete on Europe's failed data protection rules
> *The Telegraph*, 24 May 2019
>
> One year on from the introduction of the massively expensive GDPR
> legislation across Europe presumably we have far better control over the
> Internet and technology is serving society rather than the other way around.
> After all, it has cost somewhere between $10bn (8bn pounds) and $20bn to
> implement, so it should have achieved something.
>
> Except, it doesn't quite look like that. Instead, venture capital
> investment has been crippled, the existing web giants are more dominant...

As ever, it appears that lawmakers' attempts to legislate for an ideal world have tiny or negative benefits at great expense.
"those developing or deploying AI should be held accountable for their actions" But what if an AI system is developed and/or deployed by another AI system? For example, an AI system which analyses security needs for an organization or a government, and recommends which one to deploy, may decide to deploy a face recognition system and connect it to a database of criminals—or dissidents. It is already possible by current technology that deployment, and even part of the design, might be carried out without human intervention; and soon, even without human awareness.
PGN, I rather wish that you hadn't run the message :-( I think what happened is that I stashed the post away as something interesting to be followed up later, then found it again later and assumed that I had already checked out the references! I will take care to double-check references in future posts. I apologise to everyone concerned. Fortunately, the self-correcting element in comp.risks has done its job. Unfortunately, this part of the story has detracted from my main point: that for-profit healthcare is generally less efficient and less effective than universal healthcare. International comparison of health systems (using OECD data): https://en.wikipedia.org/wiki/Health_system#International_comparisons https://upload.wikimedia.org/wikipedia/commons/f/f8/HC-Graph.jpg The Commonwealth Fund, in its annual survey, "Mirror, Mirror on the Wall", compares the performance of the health systems in Australia, New Zealand, the United Kingdom, Germany, Canada and the United States. Its 2007 study found that, although the United States system is the most expensive, it consistently underperforms compared to the other countries. A major difference between the United States and the other countries in the study is that the United States is the only country without universal health care. Comparing the average values for Australia, Canada, France, Germany, Italy, Japan, Norway, Sweden and the UK against the USA:
  Life Expectancy: 82.4 vs 78.7
  Infant Mortality: 3.6 vs 5.9
  Preventable deaths: 66 vs 96
  Spending: $4,885 vs $7,437
(See the Wikipedia page above for detailed figures.) A survey in 2013 found that only 4% of people in the UK experienced cost-related barriers to accessing health care, compared to 37% in the USA. (Commonwealth Fund International Health Policy Survey 2013). [I have had other messages on this subject, but I think it is far enough out of the RISKS mainstream(s) that I am closing the thread.
I also think it would have been better had I rejected Martin's original post. PGN]
GlobalCoin? Nah, call it Facebuck.
So let me get this straight. This Fearnley woman withdrew money from the bank (as in cash from an ATM), put it in an envelope and mailed it to her buddy. Someone took the envelope containing the cash from her buddy's mailbox. How does this have anything whatsoever to do with RBC or Interac? Obviously the problem is sending cash through the mail. The fact that it was electronic cash sent via electronic mail is irrelevant—it was still cash in the mail. The Risks are obvious but I guess people are just dumb.
The bank blamed the theft on Fearnley's email security. Hoover's security question to her friend was: "Who is my favourite Beatle?" The fraudster would have had a one in four chance of getting it right—John, Paul, George or Ringo. In a test of RBC's Interac system, Go Public was given four chances to answer the security question correctly. https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114
Coming from Europe (Spain), I am amazed at the really convoluted way people transfer money here in Canada. Back at home: give me your account number, I'll do the transfer from my bank for free. Here: give me your e-mail address, I'll add it to my bank's Interac system, then I will send you N dollars as we agreed on, so you will receive an e-mail with a link you have to click, then you have to log into your bank and know the answer to the "security question" I have set, which is something only you and I should know, and the money will be deposited. Easy! I used to pay my rent by cheque (yay 21st Century!) until my bank gave me two free Interac transfers per month. More than that, and it's $1 each. Having phishing scams here in Canada using this kind of link is quite common. See for instance: https://ottawacitizen.com/news/local-news/fraud-alert-interac-warns-customers-about-fake-e-transfer-emails https://www.ctvnews.ca/business/canada-revenue-agency-warns-of-text-message-phishing-scam-1.2296220
(OK, bear with me. I *will* get to the security part.) (It may not be worth it, but ...) I've been burying my aunt over the weekend. It was expected, she'd had a good innings (she was awarded "Citizen of the Century," among other things), and it was great to swap stories with others who knew and loved her. Number One Daughter has recently moved fairly close to that area, so we stayed with her. Beautiful place, built on a slope, *way* too many stairs for us to live there. For complicated reasons they have two dogs: Marley, who is very old and now has arthritis among other things; and Fera, who is young, high-strung, somewhat nervous, and *extremely* high energy. Despite disparate ages and temperaments "the pack" has a great relationship. Marley doesn't do stairs any better than we do. She has developed a weird front-legs-together-back-legs-together double bounce method of getting *down* stairs, but can't get back up. But when she gets to the bottom of the house, she can get out onto the deck, then down more stairs, then up the slope (which is steep but at least not stairs) to the front door. The house came with an alert system for the front door. A motion sensor triggers a camera and sends a picture to Number One Daughter's cell phone. However, most of the time this is unnecessary. Fera, noting that Marley is at the front door, will run down through the house, out the back, up the slope, check with Marley, then race back down the slope, and up through the house until she finds Number One Daughter. Aside from the specificity of this activity, it's easy to tell that this is about Marley, because Fera gets a very distinct look on her face. (It's all a very "What Lassie? Timmy hasn't fallen down the well, but is hiding out from aliens who want to abduct him, while running away from a dinosaur that Farmer Jones created from old DNA that was lying around the barn?" type situation.) Fera's alert usually comes before the high tech door system.
Thing is, this is one of those cheap "security" systems that have wretched security themselves, and are probably sending data back to China. Which means that, somewhere in some monitoring station in China, someone keeps getting, and having to pay attention to, alerts about Marley needing to get in the front door. And the system behind it has to commit bandwidth, storage, and processing for it. I have *absolutely* no sympathy for those people at all ...
Please report problems with the web pages to the maintainer