Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Someone looking at 3-year-old Rylee Taylor's photo on Facebook noticed a difference in the way her eyes looked, and suggested an ophthalmic exam. The girl turned out to have something called Coats' disease, and it may have been detected in time to save her vision in the bad eye. Story at: http://abcnews.go.com/US/facebook-user-helps-spot-girls-dangerous-eye-disease/story?id#186341 http://www.nydailynews.com/life-style/health/girl-diagnosed-eye-disease-mom-posts-pic-online-article-1.1744069
Gary Marcus and Ernest Davis Eight (No, Nine!) Problems with Big Data *The New York Times*, Op-Ed, 7 April 2014 RISKS readers by now should be well aware that Big Data can create Big Risks, Little Risks, and lots more. This rather incisive op-ed piece itemizes and discusses each of the following, which I have excerpted: 1. Although big data is good at detecting correlations, it is never tells us which correlations are meaningful 2. Big data can work well as an adjunct to scientific inquiry, but rarely succeeds as a wholesale replacement. 3. Many tools that are based on big data can be easily gamed. 4. Even when not intentionally gamed, they may be less robust than initially seemed. 5. The echo-chamber effect: When the source is itself a product of big data, vicious cycles can abound. 6. The risk of too many correlations, some of which are bogus. 7. Big data is prone to giving scientifically sounding solutions to hopelessly imprecise questions. 8. Big data is at its best when analyzing things that are extremely common, but often falls short when analyzing the less common. [PGN: and the authors add, sort of as an afterthought item 9] 9. Wait, we almost forgot the *hype*!!! “Big data is here to stay, as it should be. But let's be realistic: It's an important resource for anyone analyzing data, not a silver bullet. [RISKS readers are likely to also recognize the pervasive hype associated with the wonders of big data and the great economies of storage in the clouds, especially that which is promulgated by vendors who cannot even spell the words *security*, *integrity*, *prevention of denials of service* and *prevention of insider misuse*, much less know what they might entail. PGN]
Ellen Nakashima, *The Washington Post*, 1 Apr 2014 NSA searched Americans' communications without a warrant, intelligence director says http://www.washingtonpost.com/world/national-security/nsa-searched-americans-communications-without-a-warrant-intelligence-director-says/2014/04/01/2fdb5b6e-b9c3-11e3-a397-6debf9e66e65_print.html Director of National Intelligence James R. Clapper Jr. acknowledged that the National Security Agency has searched for Americans' communications without warrants in massive databases that gather e-mails and phone calls of foreign targets. Although recently declassified documents made clear that the NSA had conducted such searches, no senior intelligence official had previously acknowledged the practice. [...]
David Linthicum | InfoWorld, 04 Apr 2014 The SEC shuts down a cloud computing scam—and more could be on the way http://www.infoworld.com/d/cloud-computing/beware-the-clouds-ponzi-schemes-are-here-239514
Alex Hern, *The Guardian*, 9 Apr 2014 http://www.theguardian.com/technology/2014/apr/09/heartbleed-dont-rush-to-update-passwords-security-experts-warn?CMP=ema_565 Internet security researchers say people should not rush to change their passwords after the discovery of a widespread "catastrophic" software flaw that could expose website user details to hackers. The flaw, dubbed "Heartbleed", could reveal anything which is currently being processed by a web server—including usernames, passwords and cryptographic keys being used inside the site. Those at risk include Deutsche Bank, Yahoo and its subsidiary sites Flickr and Tumblr, photo-sharing site Imgur, and the FBI. About half a million sites worldwide are reckoned to be insecure. "Catastrophic is the right word," commented Bruce Schneier, an independent security expert. "On the scale of 1 to 10, this is an 11." But suggestions by Yahoo and the BBC that people should change their passwords at once—the typical reaction to a security breach—could make the problem worse if the web server hasn't been updated to fix the flaw, says Mark Schloesser, a security researcher with Rapid7, based in Atlanta, Georgia. Doing so "could even increase the chance of somebody getting the new password through the vulnerability," Schloesser said, because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker. The bug exists in a piece of open source software called OpenSSL, which is meant to encrypt communications between a user's computer and a web server. But security researchers have no way to prove whether or not the flaw, which has existed since at least March 2012, has been exploited. The bug's age, and its presence in software to which anyone can submit an update, has led to speculation that it could have been inserted and then exploited by government spy agencies such as the US's National Security Agency, which is known to have programs aiming to collect user data. "My guess is accident, but I have no proof," Schneier commented. Tumblr, which is affected, issued a warning to its users on Tuesday night. Although the firm said it had "no evidence of any breach", and has now fixed the issue on its servers, it recommends users take action. “This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,'' it says. The advice to change passwords was repeated elsewhere, by groups including the BBC. But Rapid7's Schoessler cautioned against doing that. "The estimate is that the larger providers all get patched within the next 24-48 hours [Thursday to Friday afternoon] and I would agree that people should change their credentials when a provider has updated their OpenSSL versions." Users can check whether a specific site remains vulnerable to Heartbleed with a tool put together by developer Filippo Valsorda. The Heartbleed vulnerability is only found in a few recent releases of OpenSSL, a software library that lets web servers initiate secure conversations. In affected versions, it lets attackers potentially read content out from the active memory of a web server. While some servers have fixed the OpenSSL flaw, the cascading nature of the problem means that they may not be fully safe. The flaw lets a determined attacker steal the private key to a site's SSL certificate, the code that enables all communications with the server to be held securely. Sites which have updated OpenSSL but are still using the same certificate as before—such as Deutsche Bank's main consumer portal in Germany—may show up as secure on initial inspection, but remain easy for attackers to penetrate. "Risk to users exist until organisations have updated OpenSSL, acquired a new certificate, generated and deployed new SSL keys, and revoked old keys and certs," says Trey Ford, global security strategist at Rapid7. "Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website." Yahoo was one of the sites worst affected by Heartbleed, but the firm has now fixed its main properties, including subsidiaries Flickr and Tumblr, and says it is "working to implement the fix across the rest of our sites". "We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data," a Yahoo spokesperson added. [According to Alex Hern in today's *Guardian* article , the programmer responsible for the flaw was Robin Segglemann, at one minute before midnight (the time zone is unspecified) on New Year's Eve, the last minute of 2011. PGN] http://www.theguardian.com/technology/2014/apr/11/heartbleed-developer-error-regrets-oversight [And even later today, Segglemann denies he did it deliberately (e.g., at someone else's behest?). PGN] http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html [As noted by the CERT notice that follows, the only systems affected were those using OpenSSL 1.0.1 through 1.0.1f or OpenSSL 1.0.2-beta. Yahoo! used 1.0.1. For a graphic example, see http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/ PGN]
NCCIC / US-CERT
National Cyber Awareness System:
TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
https://www.us-cert.gov/ncas/alerts/TA14-098A ] 04/08/2014
Systems Affected
* OpenSSL 1.0.1 through 1.0.1f
* OpenSSL 1.0.2-beta
Overview
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive
data, possibly including user authentication credentials and secret keys,
through incorrect memory handling in the TLS heartbeat extension.
Description
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation
of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to
retrieve private memory of an application that uses the vulnerable OpenSSL
library in chunks of 64k at a time. Note that an attacker can repeatedly
leverage the vulnerability to retrieve as many 64k chunks of memory as are
necessary to retrieve the intended secrets. The sensitive information that
may be retrieved using this vulnerability include:
* Primary key material (secret keys)
* Secondary key material (user names and passwords used by vulnerable
services)
* Protected content (sensitive data used by vulnerable services)
* Collateral (memory addresses and content that can be leveraged to bypass
exploit mitigations)
Exploit code is publicly available for this vulnerability. Additional
details may be found in CERT/CC Vulnerability Note VU720951
[ http://www.kb.cert.org/vuls/id/720951 ].
Impact
This flaw allows a remote attacker to retrieve private memory of an
application that uses the vulnerable OpenSSL library in chunks of 64k at a
time.
Solution
OpenSSL 1.0.1g [ http://www.openssl.org/news/secadv_20140407.txt ] has been
released to address this vulnerability. Any keys generated with a
vulnerable version of OpenSSL should be considered compromised and
regenerated and deployed after the patch has been applied.
US-CERT recommends system administrators consider implementing Perfect
Forward Secrecy [ http://en.wikipedia.org/wiki/Perfect_forward_secrecy ] to
mitigate the damage that may be caused by future private key disclosures .
References
* OpenSSL Security Advisory [ http://www.openssl.org/news/secadv_20140407.txt ]
* The Heartbleed Bug [ http://heartbleed.com/ ]
* CERT/CC Vulnerability Note VU720951 [ http://www.kb.cert.org/vuls/id/720951 ]
* Perfect Forward Secrecy [ http://en.wikipedia.org/wiki/Perfect_forward_secrecy ]
* RFC2409 Section 8 Perfect Forward Secrecy [ http://tools.ietf.org/html/rfc2409section-8 ]
Flaw Found in Key Method for Protecting Data on the Internet http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?hp Flaw Found in Key Method for Protecting Data on the Internet On Monday, several security researchers, including from Google, uncovered a major vulnerability called Heartbleed in the technology that powers encryption across the Internet. Screenshot via heartbleed.com <http://graphics8.nytimes.com/images/2014/04/08/technology/08bits-heartbleed/08bits-heartbleed-articleInline.png> On Monday, several security researchers, including from Google, uncovered a major vulnerability called Heartbleed in the technology that powers encryption across the Internet. The tiny padlock icon that sits next to many web addresses, suggesting protection of users' most sensitive information—like passwords, stored files, bank details, even Social Security numbers—is broken. A flaw has been discovered in one of the Internet's key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers. On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords. The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of web servers. It was revealed Monday by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga, Calif., and two security engineers at Google. Researchers are calling the bug Heartbleed because it affects the heartbeat portion of the OpenSSL protocol, which pings messages back and forth. It can and has been exploited by attackers. The bug allows attackers to access the memory on any web server running OpenSSL and take information like customer usernames and passwords, sensitive banking details, trade secrets and the private encryption keys that organizations use to communicate privately with their customers. What makes the Heartbleed bug particularly severe is that it can be used by an attacker without leaving any digital crumbs behind. “It's a serious bug in that it doesn't leave any trace,'' said David Chartier, the chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there's no trace they've been there.'' Three security researchers at Codenomicon's offices in Oulu, Finland, first discovered the bug last Thursday. The researchers, Antti Karjalainen, Riku Hietamäki and Matti Kamunen, immediately alerted the Finnish authority that is charged with responsibly disclosing security bugs. As it turned out, a security researcher at Google, Neel Mehta, had also discovered the bug and the Google security team had been working on a fix. On Monday, the open-source team that oversees OpenSSL issued a warning to people and organizations about the bug, and encouraged anyone using the OpenSSL library to upgrade to the latest version, which fixes the problem. Security researchers say it is impossible to know for sure whether an attacker used the bug to steal a victim's information, but they found evidence that suggests attackers were aware of the bug and had been exploiting it. Researchers monitoring various honeypots—stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques—found evidence that attackers had used the Heartbleed bug to access the fake data. But actual victims are out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won't know if you've been compromised,'' Mr. Chartier said. “That' what makes it so vicious.'' Security researchers are warning organizations to get new private encryption keys as quickly as possible, and warning people to start changing their usernames and passwords immediately, particularly for sensitive accounts like their online banking, email, file storage and e-commerce accounts.
Roger A. Grimes | InfoWorld, 10 Apr 2014 On a scale of 1 to 10, this vulnerability is an 11. Here are the steps to take to thoroughly protect yourself from this OpenSSL bug http://www.infoworld.com/d/security/the-heartbleed-openssl-flaw-worse-you-think-240231 [Thus, we are giving multiple reports on this fiasco. PGN]
[RT USA, via Dave Farber] NSA monitors Wi-Fi on US planes 'in violation' of privacy laws, 10 Apr 2014 <http://rt.com/usa/inflight-wfi-nsa-monitoring-548/> Companies that provide WiFi on US domestic flights are handing over their data to the NSA, adapting their technology to allow security services new powers to spy on passengers. In doing so, they may be in violation of privacy laws. In a letter leaked to Wired, Gogo, the leading provider of inflight WiFi in the US, admitted to violating the requirements of the Communications Assistance for Law Enforcement Act (CALEA). The act is part of a wiretapping law passed in 1994 that requires telecoms carriers to provide law enforcement with a backdoor in their systems to monitor telephone and broadband communications. Gogo states in the letter to the Federal Communications Commission that it added new capabilities to its service that go beyond CALEA, at the behest of law enforcement agencies. “In designing its existing network, Gogo worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security interests,'' Gogo attorney Karis Hastings wrote in the leaked letter, which dates from 2012. He did not elaborate as to the nature of the changes, but said Gogo “worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests.'' Gogo, which provides WiFi services to the biggest US airlines, are not the only ones to adapt their services to enable spying. Panasonic Avionics also added `additional functionality' to their services as per an agreement with US law enforcement, according to a report published in December. The deals with security services have civil liberties organizations up in arms. They have condemned the WiFi providers' deals with authorities as scandalous. "Having ISPs [now] that say that CALEA isn't enough, we're going to be even more intrusive in what we collect on people is, honestly, scandalous," Peter Eckersley, of the Electronic Frontier Foundation, told Wired. The powers of the National Security Agency and other US law enforcement agencies have come under harsh criticism since the data leaks from whistleblower Edward Snowden revealed the extent to which they monitor citizens' communications. In particular, critics have taken issue with the NSA's mass, indiscriminate gathering of metadata which has been described as"almost Orwellian in nature" and a violation of the Fourth Amendment. Judge Richard Leon of the US District Court for the District of Columbia has filed a lawsuit against the US agency and is pushing to have the case heard in the US Supreme Court. Last week the Supreme Court said that Leon would have to wait for a ruling from the lower court before his case could be heard. [...]
http://j.mp/1e68Xlm (IETF / John Levine via NNSquad) "The problem for mailing lists isn't limited to the Yahoo subscribers. Since Yahoo mail provokes bounces from lots of other mail systems, innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo subscribers' messages, but all those bounces are likely to bounce them off the lists. A few years back we had a similar problem due to an overstrict implementation of DKIM ADSP, but in this case, DMARC is doing what Yahoo is telling it to do."
Claire Cain Miller in *The New York Times*, 5 Apr 2014 http://j.mp/1fWHQ7H "Today, even as so many barriers have fallen - whether at elite universities, where women outnumber men, or in running for the presidency, where polls show that fewer people think gender makes a difference - computer engineering, the most innovative sector of the economy, remains behind. Many women who want to be engineers encounter a field where they not only are significantly underrepresented but also feel pushed away. Tech executives often fault schools, parents or society in general for failing to encourage girls to pursue computer science. But something else is at play in the industry: Among the women who join the field, 52 percent leave by midcareer, a startling attrition rate that is double that for men, according to research from the Harvard Business School. A culprit, many people in the field say, is a sexist, alpha-male culture that can make women and other people who don't fit the mold feel unwelcome, demeaned or even endangered."
http://j.mp/1lwpwcV (Bortzmeyer via NNSquad) "If you try another well-known DNS resolver, such as OpenDNS, you'll get the same problem: a liar responds instead. So, someone replies, masquerading as the real Google Public DNS resolver. Is it done by a network equipment on the path, as it is common in China where you get DNS responses even from IP addresses where no name server runs? It seems instead it was a trick with routing: the IAP announced a route to the IP addresses of Google, redirecting the users to an IAP's own impersonation of Google Public DNS, a lying DNS resolver. Many IAP already hijack Google Public DNS in such a way, typically for business reasons (gathering data about the users, spying on them). You can see the routing hijack on erdems' Twitter feed, using Turkish Telecom looking glass: the routes are no normal BGP routes, with a list of AS numbers, they are injected locally, via the IGP (so, you won't see it in remote BGP looking glasses, unless someone in Turkey does the same mistake that Pakistan Telecom did with YouTube in 2008). Test yourself: ... Of course, DNSSEC would solve the problem, if and only if validation were done on the user's local machine, something that most users don't do today."
Please report problems with the web pages to the maintainer