Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
*The Washington Post*, 9 Apr 2017 <https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/> Dallas residents got an unexpected wake up call on 8 Apr when all the city's 156 emergency sirens were set off just before midnight. Officials says a hacker was to blame. (Reuters) Last year, someone kept hacking into traffic signs in Dallas—corrupting bland electronic messages into jokey missives such as: “Work is Canceled, Go Back Home'', and `Donald Trump Is A Shapeshifting Lizard'. Funny? Dumb? Vandalism? Whatever your opinion of the pranks, the big Dallas hack of 2016 had one quality totally lacking in this year's sequel: It was silent.
A voter registration site that crashed in the run-up to last year's EU referendum could have been targeted by a foreign cyber attack, MPs say. The "register to vote" site <https://www.gov.uk/register-to-vote> crashed on 7 June last year just before the deadline for people to sign up to vote. The UK government and electoral administrators blamed a surge in demand after a TV debate. But MPs on the parliamentary Public Administration Committee say a foreign cyber attack could not be ruled out. http://www.bbc.com/news/uk-politics-39564289
Inmates in Ohio's Marion Correctional Institution smuggled computer parts out of an e-waste recycling workshop and built two working computers out of them, hiding them in the ceiling of a training room closet ceiling and covertly patching them into the prison's network. The prisoners used the PCs for a number of activities, including several criminal acts like identity theft and credit-card fraud. They were able to network their PC by using a guard's password; the use of this account on days when the guard wasn't on-shift tipped off the prison's systems administrators that something was awry. http://boingboing.net/2017/04/12/mother-necessity-where-would-w.html
https://patch.com/virginia/annandale/s/g38gc/is-your-fingerprint-locked-cell-phone-really-secure Some devices—my iPad, for example—require entering passcode after a very few failed fingerprint attempts. So trying random "masterprints" to unlock may not be practical or terribly successful.
He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks' crimes. http://www.thedailybeast.com/articles/2017/03/31/fbi-arrests-hacker-who-hacked-no-one.html
https://www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/ Thanks a Miele-on for making everything dangerous, Internet of Things firmware slackers Richard Chirgwin, *The Register*, 26 Mar 2017 selected text: Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report—and it's accused of ignoring the warning. The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE-2017-7240—aka Miele Professional PG 8528—Web Server Directory Traversal. This is the built-in web server that's used to remotely control the glassware-cleaning machine from a browser. And because Miele is an appliance company and not a pure-play IT company, it doesn't have a process for reporting or fixing security bugs. The researcher who noticed the dishwasher's web server vulnerability—Jens Regel of German company Schneider-Wulf—complains that Miele never responded when he contacted the biz with his findings; he says his first contact was made in November 2016.
FYI—Southern California is an area prone to wildfires, which have routinely destroyed many homes in the past. As a result, there are *fire regulations* that force home-owners to clean up vegetation which can burn and put homes at risk. Fire departments also engage in "controlled burns", which more-or-less-safely burn up some of the brush that can sustain a wildfire. And when fighting a wildfire, fire departments often have to set "backfires", which burn the brush ahead of the wildfire to remove the fuel that would enable the main fire to spread. Apparently, some vigilante has decided to light a *controlled burn*/*backfire* in order to clear out the brush (vulnerable IoT devices) that would sustain a much larger & more damaging wildfire (major infrastructure breach and/or denial-of-service). A biological analogy for "BrickerBot" might be IoT "apoptosis". https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/ https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1417 "BrickerBot" Results In Permanent Denial-of-Service, 5 Apr 2017 Abstract Imagine a fast moving bot attack designed to render the victim's hardware from functioning. Called Permanent Denial-of-Service (PDoS), this form of cyber-attack is becoming increasingly popular in 2017 as more incidents involving this hardware-damaging assault occur. Also known loosely as "phlashing" in some circles, PDoS is an attack that damages a system so badly that it requires replacement or re-installation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of system. It is a contrast to its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage. BrickerBot—Discovery and Analysis of a PDoS Tool Over a four-day period, Radware's honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage. Besides this intense, short-lived bot (BrickerBot.1), Radware's honeypot recorded attempts from a second, very similar bot (BrickerBot.2) which started PDoS attempts on the same date—both bots were discovered less than one hour apart—with lower intensity but more thorough and its location(s) concealed by TOR egress nodes. Compromising a Device The Bricker Bot PDoS attack used Telnet brute force - the same exploit vector used by Mirai - to breach a victim's devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently 'root'/'vizxv'. Corrupting a Device Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device. Below is the exact sequence of commands that performed by the PDoS bots: fdisk -l busybox cat /dev/urandom >/dev/mtdblock0 & busybox cat /dev/urandom >/dev/sda & busybox cat /dev/urandom >/dev/mtdblock10 & busybox cat /dev/urandom >/dev/mmc0 & busybox cat /dev/urandom >/dev/sdb & busybox cat /dev/urandom >/dev/ram0 & fdisk -C 1 -H 1 -S 1 /dev/mtd0 w fdisk -C 1 -H 1 -S 1 /dev/mtd1 w fdisk -C 1 -H 1 -S 1 /dev/sda w fdisk -C 1 -H 1 -S 1 /dev/mtdblock0 w route del default;iproute del default;ip route del default;rm -rf /* 2>/dev/null & sysctl -w net.ipv4.tcp_timestamps=0;sysctl -w kernel.threads-max=1 halt -n -f reboot Among the special devices targeted are /dev/mtd (Memory Technology Device - a special device type to match flash characteristics) and /dev/mmc (MultiMediaCard - a special device type that matches memory card standard, a solid-state storage medium). The sysctl commands attempt to reconfigure kernel parameters: net.ipv4.tcp_timestamps=0 disables TCP timestamps which does not affect local LAN IPv4 connectivity but seriously impacts the Internet communication, and kernel.threads-max=1 limits the max number of kernel threads to one. Typically, this is in the 10,000s for ARM-based devices. Targets The use of the 'busybox' command combined with the MTD and MMC special devices means this attack is targeted specifically at Linux/BusyBox-based IoT devices which have their Telnet port open and exposed publicly on the Internet. These are matching the devices targeted by Mirai or related IoT botnets. The PDoS attempts originated from a limited number of IP addresses spread around the world. All devices are exposing port 22 (SSH) and running an older version of the Dropbear SSH server. Most of the devices were identified by Shodan as Ubiquiti network devices; among them are Access Points and Bridges with beam directivity. ...
NNSquad http://boingboing.net/2017/04/12/uber-for-carjacking.html Charlie Miller made headlines in 2015 as part of the team that showed it was possible to remote-drive a Jeep Cherokee over the internet, triggering a 1.4 million vehicle recall; now, he's just quit a job at Uber where he was working on security for future self-driving taxis, and he's not optimistic about the future of this important task.
NNSquad https://www.engadget.com/2017/04/13/uber-hell-program-lyft-drivers/ As for Lyft, a spokesperson told The Information: "We are in a competitive industry. However, if true, these allegations are very concerning." A couple of law firms that worked with Uber in the past also told the publication that the company could face a number of allegations, including breach of contract, unfair business practices, misappropriation of trade secrets and violation of the federal Computer Fraud and Abuse Act. Are self-driving taxis just going through pUBERty?
https://mishtalk.com/2017/04/08/second-order-consequences-of-self-driving-vehicles/ http://ben-evans.com/benedictevans/2017/3/20/cars-and-second-order-consequences Imagining transportation in our next generation. [?] of global oil production is for vehicle fuels. But if that is replaced by electric for electric cars, how do we get that extra power—other fossil fuels, solar, hydro-electric, more nuclear power plants? Over 1 million people killed per year in road accidents, mostly human error. Those accidents also cause property damage, medical and legal costs, traffic jams, insurance costs. With dramatically less collisions, will we still need such a large investment in safety features? Millions of long-haul truck drivers, local taxi and delivery drivers, and non-drivers supporting those industries. Driverless trucks need robots, or cheap labor, for loading & unloading at various destination points of the trucks. Trucks can be driving 24 hours, instead of 11, minus time to refuel & get maintenance. Will we need as many trucks? They can travel safely much faster, except for terrorist hacker caused spectacular mass pile ups. 150,000 gas stations, most of their money made selling cigarettes and snacks. They can morph into battery recharge for driverless cars, while their owners are at home asleep, or busy at day job. Payment could be via prepaid account, or other banking arrangement. Owner might also have a standing request for the battery fill up place to replenish in-car supply of snacks and cigarettes for the normal vehicle riders. Then when owner exits home, or day job, car is on-demand and supplied with the usual, so riders not inconvenienced with extra stops in transit, the autonomous vehicle to handle all that at times when normal riders not need it. If our autonomous vehicle is on demand, it need no longer be parked in walking distance. Congestion less, when cities no longer need long term parking lanes. If our car is parked driverless, until we send the signal to call it to pick us up, how will that driverless car put coins in parking meter, where it is off-street parked waiting to be called? May it go driverless to the battery fill up place, so it is fully ready when on-demand called? Will bus service be only in high population areas, with robotaxi on the city fringes? Will robot farm vehicles see what service is needed where, without human involvement? Today there are grocery stores serving the disabled. Order what's needed, via Internet, then drive to the store, whose personnel loads it up with the groceries, no need to get out of car. That technology could later be morphed to driverless car get the groceries, a robot unload them at home. Contemporary city road sides are filled with retail marketing signs aimed at occupants of manually driven vehicles, encouraging them to stop here for a restaurant, shopping, whatever. But if we are to have autonomous cars zooming past too fast to see the signs, marketing to reach riders of the autonomous vehicles may need a sea change of technology rethinking. If those vehicles are using smart roads, commercial establishments will want marketing to the cars coming their way, offering choices aimed at demographics of their riders. Will we have a bill board inside our cars, with info about the retail establishments along our coming route? We can select what we want, then the car will stop there, and the store workers will deliver our purchases to our car, for all manner of products. A gas fill up takes only 4 minutes, but with Tesla Supercharger, you'll need to stop 16 times more often for a battery fill up. Can solar on top of vehicles make a difference? Electric cars easily catch on fire. The technology needs improving, so a whole battery can be slid out & replaced with one which has been charging unattended, like at home & replacement stations for long trips. Batteries are heavy, perhaps too heavy for elderly, and other segments of population. Will they need a robot helper? Think parking garages with battery recharging stations, or robot service going from car to car, checking what's needed, with fees added at check out time, where license plate & auto description used to match up fees due. Can any driverless cars there pay by credit card signal, which cannot be detected by fraudsters not inside the garage? When there's an accident, police not only get CCTV of vehicles involved, before the collision, but also data about them from every vehicle close to them in driving prior to the accident, and records from their prior maintenance. City redesign, more bike paths. Autonomous vehicles can follow each other faster with less of an air gap, so we'll need more pedestrian bridges, less reliance on cross-walks. Supply those bridges with coin operated escalators, supporting transit by wheel chairs and other disabled. If when school bus fleets get equivalent modernization, they can learn from past troubles unfixable under the old technology. 1. Please change U.S. state laws to support shoulder harnesses, designed for child size passengers, in addition to the lap seat belts. 2. School buses can send signals ordering relevant autonomous vehicles to halt while stop sign is hanging out. What will auto passengers DO when autonomous vehicle driving? We can legalize drinking while commuting again. The happy hour will be in the commute home. More in-vehicle entertainment systems.
https://www.google.com/search?q=chromium+sheriffbot Here's an example of it hard at work: Comment #2 on issue 12345 by sheriffbot@chromium.org: Issue has not been modified or commented on in the last 365 days, please re-open [we can't, only they can] or file a new bug if this is still an issue. For more details visit https://www.chromium.org/issue-tracking/autotriage Your friendly Sheriffbot So what is the problem? Well, you might say it is like a virus/worm that eats through one's bug database, closing things. And how is the user to be convinced that filing a new(!) bug again won't just end up with the same result? (Same for enthusiasm for filing other bugs too.)
NNSquad https://www.itnews.com.au/news/ipv6-attacks-bypass-network-intrusion-detection-systems-457476 A paper has been published by researchers at the NATO defence alliance's Cooperative Cyber Defence Centre of Excellence and Estonia's Tallinn University of Technology. It outlines how attackers can create covert data exfiltration channels and system remote control, using IPv6 transition mechanisms.
It's now easier than ever to find a plumber to fix your leaky toilet by simply searching Google Maps for nearby journeymen. However, there's a chance that the plumbers you may contact could be scammers who got their bogus listings displayed on Google's online map service. To address the troublemakers, Google said this week that it's cracking down on fake business listings and is making it harder for crooks to game its mapping service. The search giant and the University of California, San Diego released a research paper based on an analysis of over 100,000 scam listings to discover some of the most common ways fraudsters trick people on Google Maps. Additionally, the research paper said that some of the scamming methods it discovered could also "apply to other map services, such as Yelp and Bing Maps." http://fortune.com/2017/04/07/google-scammers-maps/
https://www.cyberscoop.com/security-researchers-occasionally-disrupt-fbi-investigations-heres-how/
Being able to control devices in your kitchen via your phone is convenient, at least that was the case for owners of the Anova Precision Cooker. But many of those consumers say a recent update to the sous vide cooker's app requires them to create an account and share personal information with the company in order to use all of the features of the device. https://consumerist.com/2017/04/12/anova-ticks-off-customers-by-requiring-mandatory-accounts-to-cook-food/ IoT food prep. What could go wrong with that? [Remember, I never sausage nonsense. The wurst is yet to come. PGN]
http://www.princeton.edu/main/news/archive/S49/20/23S03/?section=topstories “Computer scientists need to develop a culture of government service, I think it should be evident right now that it is not the best thing for our field, or for society, to sit back.'' Felten said society is facing significant, rapid changes from developments ranging from self-driving cars to artificial intelligence. If society is going to adapt to these developments and avoid disruption, technical experts must play a central role. “If our community of scientists and engineers doesn't show up and participate in the process, the decisions are still going to get made but they will get made without the full input they need, It is very important to show up.''
"I am convinced that the massive rise in Internet hate speech -- including on YouTube in continuing conflict with Google's own terms of service—has been largely driven by ad network-based monetization systems." I wonder how much "social" media's enthusiasm for eradicating fake news and hate speech will increase if they realise this has created yet another argument for ad blocking. This is yet again a case of neglect creating consequences: in their quest for volume, they did not screen for malware, which is now the main driver for people to block advertising (more so than to protect their privacy). Not checking content has created a high volume of fake news, ironically called into life by giving it its own, new name rather than calling it what it is: lies. I've seen quite a few of these accounts under credible names, the giveaway is usually the fact that they're recent (late 2016 or 2017), of course their content and often using a computer generated voice in the material, which suggests that those creating the material either do not speak English or with a sufficiently strong accent to give the game away. Using computer speech prevents that - all they need is a script. It is all rather too intelligent for it to be done by casual operators. Unfortunately, this neglect is not victimless: sites that depend on ad revenue suffer as a consequence because they don't have the resources to build up their own client base - what I find interesting is that big news setups don't seem to be able to go it alone either and host their own ads. If I were a business dependent on ads I'd try to find an outlet with a sufficiently discerning policy that ensured sensible placement - a quest that may just spur the advertising agencies into creating their own network after all. They too are finally discovering that "free" carries a hefty price..
This operator's attitude problem just serves to demonstrate the real problem with this device (and many other IOT devices): The gadget requires a continuous and permanent Internet connection to the operator's site. This opens up a Pandora box of possible problems, each one of which can render the device useless (at best). I wouldn't touch anything like that with a ten-foot pole (or any other means of connection).
In Europe, there are mutterings about making ISPs, search engines, social networking sites, etc. legally responsible for whatever they handle (i.e., making them publishers instead of transmission systems), which may well have the same result but for a very different reason. Right now, internet/computer companies are accused of promoting terrorism by allowing extremists to communicate freely and (gasp!) secretly, thus allowing them to broadcast propaganda and plot their acts of violence, while at the same time people can send and receive objectionable 'adult' material, Fake News, financial scams and other swindles, and the problem of illegal file-sharing of copyrighted material has never gone away. (And the companies make money from this, as if it was somehow OK if they were government departments or not-for-profit organisations.) While I'm no expert, it looks like there's the obvious problem of the huge resources needed to vet the vast amount of information available, which would in turn require funding not likely to be available with current business models. In the case of social networking sites, much of their appeal (so they tell me) is the spontaneity of being able to post a message visible around the world in seconds, which would be lost if posts had to be submitted to an editorial panel for consideration, after payment of a fee... Of course the USA tends to have a more-robust approach to freedom of speech than Europe so there's the additional problem of material that's acceptable in one part of the world but not elsewhere, hence the possibility of separate walled gardens in different territories. Getting back to the original post: > So far, the story of the Internet has followed the same tragic narrative > that's befallen other information technologies over the past 160 years: > > * Inventors discovered the technology. > * Hobbyists pioneered the applications of that technology, and > popularized it. > * Corporations took notice. They commercialized the technology, > refined it, and scaled it. > * Once the corporations were powerful enough, they tricked the government > into helping them lock the technology down. They installed themselves > as natural monopolies. Having worked in telecomms, I can't see that, say, the telephone could have developed into a worldwide mass speech communications system without the resources of large companies or governments to invest in the expensive hardware required, and standards are needed so that individual countries' and companies' systems can interconnect.
Please report problems with the web pages to the maintainer