In the prime-minister race, Conservative Party wants to make voting more convenient for its 160,000 eligible members; no U.S. state permits universal online voting. Members of the UK's ruling Conservative Party who are voting to decide the country's next prime minister are for the first time casting ballots online in a leadership election, a rarity among democracies wary of Internet voting because of cybersecurity concerns. Over a several-week period, the party is offering Internet voting alongside voting by mail, in part to provide greater convenience during August weeks when Britons take vacation and to avoid disruptions by striking postal workers. The results are to be announced Sept. 5. The Conservatives are sending qualifying members a ballot pack in the mail that will include a paper ballot to be returned by mail and information and security codes for voting online. “We recommend online voting where possible,'' the party states on its website. The party sought guidance from Britain's National Cyber Security Centre, or NCSC, and a Tory spokesman said the party was confident the leadership election would be secure. “We have consulted with the NCSC throughout this process,'' the spokesman said. Election security analysts fear the system is vulnerable to interference by hackers. “We do not have the technology to conduct voting securely online and so it should not be deployed for high-stakes elections. And I count this as rather high stakes,'' said Peter Ryan, a professor of applied security at the University of Luxembourg. [...] https://www.wsj.com/articles/voters-in-u-k-cast-ballots-online-in-test-for-internet-voting-11660993200 [I expect there will be some attempts to hack into the Conservative Party leadership election. 
If the software allows write-in votes, the Duke of Windsor (Edward VIII), Winston Churchill, and Princess Diana would seem to be particularly likely choices, along with some well-known still-active athletes—e.g., David Beckham (soccer) and James Anderson (cricket), and a few leading liberals. Perhaps the Russians will re-use their skills that evidently influenced the Brexit election. We'll have only just a few more weeks to find out. PGN]
Two pilots are believed to have fallen asleep and missed their landing during a flight from Sudan to Ethiopia on Monday, according to a report by commercial aviation news site Aviation Herald. <http://avherald.com/h?article=4fd127fe> The incident took place on board an Ethiopian Airlines Boeing 737-800 en route from Khartoum to Addis Ababa, the report said, "when the pilots fell asleep" and "the aircraft continued past the top of descent." Data obtained by the website indicates that the aircraft was cruising at 37,000 feet on autopilot when it failed to descend at Addis Ababa Bole International Airport, its scheduled destination, on August 15. Air traffic control were apparently unable to reach the crew despite making several attempts at contact. However, an alarm was triggered when the plane overshot the runway and continued along the route. The aircraft subsequently began to descend, landing safely around 25 minutes later. Automatic Dependent Surveillance-Broadcast (ADS-B) data shows the aircraft overflying the runway, before beginning its descent and maneuvering for another approach. [...] http://www.cnn.com/travel/article/pilots-reported-to-fall-asleep-ethiopian-airlines/index.html
Elisha Fieldstadt, NBC News, Aug. 17, 2022, 12:12 PM MDT An Apple AirTag led to the arrest of an airline subcontractor accused of stealing thousands of dollars' worth of items from luggage at a Florida airport. Giovanni De Luca, 19, was charged with two counts of grand theft after authorities recovered the stolen items from his home, the Okaloosa County Sheriff’s Office said in a news release last week. Authorities said a traveler reported last month that her luggage never made it to her destination. The items inside were worth about $1,600. She said an Apple AirTag, a tracking device that triggers alerts on iPhones, iPads and Apple computers, had been in her luggage and showed that it was on Kathy Court in Mary Esther, about 50 miles east of Pensacola. https://www.nbcnews.com/news/us-news/airtag-leads-arrest-airline-worker-accused-stealing-least-15000-items-rcna43547
Maggie Miller, *Politico* 15 Aug 2022, via ACM TechNews, Friday, August 19, 2022 The annual DEF CON hacking conference's "Voting Machine Village" has been a feature since 2017, with attendees attempting to break into registration databases, ballot-casting machines, and other voting equipment to identify vulnerabilities. However, in the wake of the 2020 U.S. presidential election and the resulting false claims of election fraud, the focus of this year's event was how to detect vulnerabilities without fueling election misinformation. Said Harri Hursti, co-founder of the Voting Machine Village, "All the security improvements [have been] hampered by all the false claims, conspiracies--and fighting those." Hursti noted that clips from DEF CON were used in the media after the election to cast doubt on election security. This year's Voting Village featured officials from Maricopa County, AZ, among others, who discussed ongoing, though debunked, conspiracy theories. Hursti explained, "What we try to do is to make certain that the right message gets out." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355ddx069731&
Fun reading—using public/private keys copied from a public tutorial to sign real-world software in Hyundai cars https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/
Another day, another hack—and another blockchain bridge burned. When thieves stole an estimated $190 million from U.S. crypto firm Nomad last week, it was the seventh hack of 2022 to target an increasingly important cog in the crypto machine: Blockchain "bridges"—strings of code that help move cryptocoins between different applications. https://www.reuters.com/business/future-of-money/cryptoverse-blockchain-bridges-fall-into-troubled-waters-2022-08-09/
Schneier writes: Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are a complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. In response, Matthew Green has written—not really a rebuttal, but "a general response to some of the more common spurious objections people make to public blockchain systems." In our letter, we write: "By its very design, blockchain technology is poorly suited for just about every purpose currently touted as a present or potential source of public benefit. From its inception, this technology has been a solution in search of a problem and has now latched onto concepts such as financial inclusion and data transparency to justify its existence, despite far better solutions to these issues already in use. Despite more than thirteen years of development, it has severe limitations and design flaws that preclude almost all applications that deal with public customer data and regulated financial transactions and are not an improvement on existing non-blockchain solutions." https://www.schneier.com/crypto-gram/archives/2022/0715.html#cg8
"Please, God, I don't ask for much from You. But give me this. A video of a sad cryptobro, trying to get a beat cop to make a police report about his stolen ape jpeg." There's very little that's sadder or funnier than corporate NFT projects that launch after the crypto crash. Starbucks' NFT programme is the latest. "What's more, the digital program could give customers a reason to care about NFTs." Yeah, uh, OK. [TechCrunch] Why did Starbucks want to do an NFT? Because Starbucks owner and CEO Howard Schultz thinks this will be a shiny object to distract his Generation Z workers from wanting to unionise. Yes, I know that nothing in that sentence isn't dumb as hell. Remember that this is the guy who ran for President with a logo that was his name with his name on it https://davidgerard.co.uk/blockchain/2022/08/17/news-starbucks-nfts-reddit-karma-points-on-the-blockchain-saylor-fired-telegram-ico-slight-return/
Wait, you're telling me that you want to use the least energy efficient technology in the world to track offsets for carbon emissions resulting from us using too much energy? https://www.reuters.com/business/environment/exclusive-world-banks-ifc-taps-blockchain-carbon-offsets-2022-08-17/
Jessica Hallman, Pennsylvania State University, 11 Aug 2022, via ACM TechNews, 17 Aug 2022 Researchers at Pennsylvania State University and China's Shandong and Zhejiang universities found most application programming interfaces (APIs) using the facial liveness verification detection feature of facial recognition technology do not always identify deepfakes, and those that can are less effective than claimed at detecting deepfakes. The researchers created and used the LiveBugger deepfake-powered attack framework to evaluate six commercial facial liveness verification APIs. LiveBugger tried to deceive the APIs using deepfake images and videos from two separate datasets, and easily bypassed the four most common verification methods. The researchers proposed strengthening the technology's security by eliminating verification that only analyzes a static image of a user's face, and by matching lip movements to a user's voice in dual audio-video analysis schemes. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f0dex23550ex069538&
Email marketing firm Klaviyo disclosed a data breach after threat actors gained access to internal systems and downloaded marketing lists for cryptocurrency-related customers. Klaviyo says the breach occurred on August 3rd after hackers stole an employee's login credentials in a phishing attack. These login credentials were then used to access the employee's account and internal Klaviyo support tools. https://www.bleepingcomputer.com/news/security/email-marketing-firm-hacked-to-steal-crypto-focused-mailing-lists/
As Rodolfo Castro slid into third base, his phone shot out of his pocket. He has appealed his suspension for violating MLB's electronic device policy. https://www.nytimes.com/2022/08/16/sports/baseball/rodolfo-castro-pirates-suspension.html [Perhaps it was a pirated phone, or even PI-rated if his batting average was .314. What is there to appeal? Maybe his wife was about to deliver, and he was ready to ask for a pinch-runner at third base so he could join her? Suppose the opponents called him just as he was ready to tag up on a fly ball? Would he actually answer the phone and forget to run home? Any appeal would be an interesting "hot-corner" case (pun only for baseball addicts). PGN]
https://www.nbcnews.com/news/africa/mount-kilimanjaro-wifi-broadband-fiber-optic-tanzania-rcna43880 [Even from above the third base camp! That will be a cool-corner case, especially if GPS can locate your phone when you are buried in a snow storm higher up. PGN]
https://www.mass.gov/news/massachusetts-registry-of-motor-vehicles-cautions-customers-to-be-aware-of-unofficial-third-party-websites-and-textphishing-scams
https://www.vice.com/en/article/qjkvxv/how-a-third-party-sms-service-was-used-to-take-over-signal-accounts
Three Nigerian citizens are facing U.S. criminal charges over alleged scams that targeted construction contractors and public project owners. Prosecutors say the scams netted nearly $6 million and involved the defendants posing as five different contractors. [...] To carry out the scam, prosecutors say the defendants obtained information about large construction projects, including the names of project owners, companies that won contracts and contract dollar amounts. They then registered website domain names similar to those of actual contractors. Using email addresses under false names from those domains, the individuals contacted employees of universities and other public agencies that had hired the contractors for projects. In the emails, they would direct the employees to wire a payment to a bank account they controlled. https://www.enr.com/articles/54623-posing-as-contractors-nigerians-scammed-projct-owners-for-nearly-6m-fbi-says
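The scam above works because a payment request arrives from a domain that only resembles the real contractor's. The screen below is an added illustration (not code from the RISKS item or the ENR article it cites) of the accounts-payable check a defender would want: compare the sender's domain with the vendors actually on contract, fold common lookalike character swaps, and treat any "new bank details" request from a near-match as high risk. The vendor list, sample messages, confusable table and distance threshold are all constructed for this example.

```python
"""Screen vendor e-mail that asks for a payment change against the list of
contractors actually on the books. Added example; every value is constructed."""
import re

# Constructed: registrable domains of the contractors on contract (hypothetical).
KNOWN_VENDOR_DOMAINS = {"acme-construction.com", "bridgeworks-inc.net"}

# Character swaps that recur in lookalike registrations; folded before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Phrases that turn a routine vendor message into a payment-redirection request.
PAYMENT_CHANGE = re.compile(
    r"\b(wire|new bank|updated bank|banking details|remit(tance)? to)\b", re.I)


def second_level(domain: str) -> str:
    """Label just below the TLD; crude, assumes a single-label public suffix."""
    return domain.lower().rsplit(".", 1)[0].rsplit(".", 1)[-1]


def fold(label: str) -> str:
    """Normalise confusable sequences so 'acrne' compares equal to 'acme'."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a two-row table; enough for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str):
    """Return ('known', vendor), ('lookalike', vendor) or ('unknown', None)."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known", domain
    sld = fold(second_level(domain))
    best = None
    for vendor in KNOWN_VENDOR_DOMAINS:
        d = levenshtein(sld, fold(second_level(vendor)))
        if best is None or d < best[0]:
            best = (d, vendor)
    # Same or nearly the same name on a domain the vendor does not own
    # (different TLD, an added letter, a confusable) is the lookalike case.
    # Threshold of 2 is an assumption; tune it against your own vendor list.
    if best is not None and best[0] <= 2:
        return "lookalike", best[1]
    return "unknown", None


def screen(sender: str, body: str) -> str:
    """Risk verdict for one message from its sender address and body text."""
    kind, _ = classify_domain(sender.split("@", 1)[1])
    if not PAYMENT_CHANGE.search(body):
        return "low"
    if kind == "lookalike":
        return "high: lookalike vendor domain requesting payment change"
    if kind == "unknown":
        return "medium: unrecognised sender requesting payment change"
    # A real vendor mailbox can still be compromised; change payees only after
    # confirming through a phone number already on file, never one in the mail.
    return "verify: known vendor, confirm out of band before changing payee"
```

Even the "verify" outcome is deliberate: the check stops the lookalike-domain case on its own, but a payee change should always be confirmed over a channel the e-mail did not supply.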
Shirin Ali, *The Hill*, 17 Aug 2022, via ACM TechNews, Friday, August 19, 2022 A study of 25 reproductive health apps and wearable devices by researchers at the Mozilla Foundation found that most have weak privacy protections. The researchers found that these apps generally collect personal information, including phone numbers, emails, home addresses, dates of menstrual cycles, sexual activity, doctors' appointments, and pregnancy symptoms. Of the apps analyzed, 18 were given a "Privacy Not Included" warning label due to vague privacy policies and potential security concerns. Additionally, the study found that most of the apps had vague guidelines regarding data-sharing with law enforcement. Mozilla's Ashley Boyd warned users that many reproductive health apps are "riddled with loopholes and they fail to properly secure intimate data." Only the Euki app was found not to collect any personal information about users, and any information input by users is stored locally on the user's device. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355dfx069731&
https://arstechnica.com/tech-policy/2022/08/ftc-sued-by-firm-allegedly-selling-sensitive-data-on-abortion-clinic-visits/
A conversation with reporter Charles Piller, whose recent Science investigation rocked the research world. More than 15 years ago, researchers at the University of Minnesota announced they had made a breakthrough: When they purified a protein from the brains of genetically modified mice and injected it into rats, it would cause the rats to develop symptoms similar to Alzheimer's disease in humans, the first time anyone had directly linked a substance to the disease. They called this protein Aβ*56. The researchers, along with colleagues from three other universities, published their findings in *Nature* in 2006. The study has since been cited about 2,300 times and helped provide the basis of a leading hypothesis about the cause of Alzheimer's, a disease that currently impacts about 6 million Americans and their families. Proponents of the hypothesis think that clumps of amyloid beta protein (Aβ) in people's brains may be the primary cause of Alzheimer's. Since the *Nature* study showed that Aβ*56, one form of the protein, could cause dementia in rats, it seemed to validate the hypothesis. But now, the accuracy of the *Nature* paper has been called into question. As documented in an explosive report in Science that published on July 21, whistleblower Matthew Schrag discovered evidence to suggest that some of the images at the center of the 2006 paper were tampered with, along with dozens of other images connected to one of the authors, University of Minnesota neuroscientist Sylvain Lesné. https://www.motherjones.com/politics/2022/08/alzheimers-research-image-photo-tampering-science-investigation-research
[Sort of like the way Imperial Rome would "decimate" troops (which is where the word comes from, by the way). -L] https://www.engadget.com/facebook-contractors-cut-accenture-via-algorithm-194128471.html?src=rss
Proper use of "zero trust"/security key models should render such leaks ineffectual. -L https://www.vice.com/en/article/m7gb43/microsoft-employees-exposed-login-credentials-azure-github
A time-honored tradition in many US high schools is for students in their final year to do some kind of prank as part of their senior year. As it turns out, some pranks are more interesting from a hacker perspective than others. At the DEFCON 30 security conference in Las Vegas, Minh Duong outlined how he, along with a team of friends, was able to gain control of the presentation and public address systems in his local high school district outside of Chicago and Rickrolled it. A Rickroll is when a loop of Rick Astley's 1987 song 'never going to give you up' is played to annoy a user. Duong explained that his high school has approximately 2000 students and is part of a larger school district in suburban Chicago, which has six high schools in total. "Like any hacker wannabe, I started running scans against my school network," Duong said. https://www.infosecurity-magazine.com/news/defcon-how-us-teen-rickrolled/
Associated Press, 18 Aug 2022, via ACM TechNews, Friday, August 19, 2022 Apple issued two security reports about a major flaw that hackers could potentially exploit to hijack iPhones, iPads, and Macs by gaining "full admin access." Rachel Tobac at computer security service SocialProof Security said this would allow intruders to masquerade as device owners and run any software in their name. Security experts have recommended that users update affected devices, while researcher Will Strafach said he had seen no technical analysis of the vulnerabilities that Apple has just patched. The company cited an anonymous researcher as the flaws' discoverer, without disclosing how or where they were found. Apple has previously conceded the existence of similarly serious flaws, and expressed awareness that such vulnerabilities had been exploited on perhaps a dozen occasions by Strafach's estimates. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355dex069731&
Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs. Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks. Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited. https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/ Good reason to apply updates now...
Michael Kan, PC Magazine, 17 Aug 2022 via ACM TechNews, Friday, August 19, 2022 Microsoft software engineer Raymond Chen said a sound frequency in Janet Jackson's song "Rhythm Nation" could crash a model 5400rpm laptop hard drive used in certain Windows XP notebooks. A laptop maker alerted Microsoft's Windows team to the problem, which seemed to occur when the song's music video played on the laptops. However, the video also would crash Windows laptops produced by the manufacturer's competitors, and Chen blogged, "Playing the music video on one laptop caused a laptop sitting nearby to crash, even though that other laptop wasn't playing the video!" Microsoft determined the song had a frequency that matched the laptop hard drive's natural resonant frequency, which caused its moving disks to over-vibrate and induce a crash. Chen said the laptop manufacturer put a custom filter in the device's audio system that could eliminate the resonant frequency during audio playback. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355e2x069731& [Also noted by Monty Solomon at https://arstechnica.com/gadgets/2022/08/janet-jacksons-rhythm-nation-is-officially-a-security-threat-for-some-old-laptops/ I remember a case in the 1970s where an IBM disk unit could allegedly be programmed to rock at a particular frequency—and fall over. PGN]
*Discover*, 16 Aug 2022, via ACM TechNews, Friday, August 19, 2022 Columbia University's Raphaël Millière found that made-up words can trick text-to-image generators, raising questions about their security. Millière created nonsense words using the "macaronic prompting" technique, which involves combining parts of real words from different languages. For instance, the made-up word "falaiscoglieklippantilado," a combination of the German, Italian, French, and Spanish words for "cliff," generated images of cliffs when input into the DALL-E 2 text-to-image generator. Millière said, "The preliminary experiments suggest that hybridized nonce strings can be methodically crafted to generate images of virtually any subject as needed, and even combined together to generate more complex scenes." However, Millière noted, "In principle, macaronic prompting could provide an easy and seemingly reliable way to bypass [content] filters in order to generate harmful, offensive, illegal, or otherwise sensitive content, including violent, hateful, racist, sexist, or pornographic images, and perhaps images infringing on intellectual property or depicting real individuals." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355dax069731&
Quote from the Guardian article: "The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an in-app browser, controlled by Facebook Instagram, rather than sent to the user's web browser of choice, such as Safari or Firefox." As a longtime Firefox user and Chrome hater, I am pleased to see Chrome omitted as an example of a "web browser of choice."