Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Sacramento, Calif. A glitch with CalPERS' (California Pension System) new half-billion-dollar computer system has delayed death benefit checks to widowed spouses and incorrectly triggered letters notifying some members that their health insurance has been canceled. http://www.mcclatchydc.com/2011/11/23/131256/computer-glitch-in-californias.html#storylink=misearch
Robot wardens are about to join the ranks of South Korea's prison service. http://www.bbc.co.uk/news/technology-15893772 A jail in the eastern city of Pohang plans to run a month-long trial with three of the automatons in March. The machines will monitor inmates for abnormal behaviour. Researchers say they will help reduce the workload for other guards. South Korea aims to be a world leaders in robotics. Business leaders believe the field has the potential to become a major export industry. It actually gets even better: "The South Korean defence company DoDAAM is also developing robotic gun turrets for export which can be programmed to open fire automatically." Oh yeah, you want those turrets on that robot in a prison. New, untried OS, vendor under competitive pressure, gun with real bullets and a high likelihood of this thing having some form of remote management. What could possible go wrong? PS: good luck recruiting service engineers...
(Nestor E. Arellano) I have submitted news of a number of Facebook security breaches. Now, it appears that they (whoever that is) have you coming and going. The title says it: Facebook bans at work linked to increased security breaches Companies that ban employees from using social media are 30 per cent more likely to suffer computer security breaches than firms that are more lenient on the issue of workers tweeting and checking Facebook posts in the office, according to recent survey. Nestor E. Arellano, *IT Business*, 24 Nov 2011 http://www.itbusiness.ca/it/client/en/home/News.asp?id=65068
(John P. Mello Jr.) http://www.itbusiness.ca/it/client/en/home/News.asp?id=65094 Hired posters degrading Web's information credibility A new study says paid posters are poisoning the Internet with their untrustworthy content. John P. Mello Jr., *IT Business*, 24 Nov 2011
can lead to prosecution (NNSquad) http://j.mp/vZ2fnM (TheNextWeb) The government of Thailand has contacted Facebook to request the removal of more than 10,000 of its pages that are deemed in breach of laws preventing the defamation of the country's royal family. - - - http://j.mp/v7FD57 (Bangkok Post) Local Facebook users risk violating the computer law unknowingly by pressing the "like" or "share" button included with posted comment on anti-monarchy messages on the most popular social networking site, Information and Communication Technology Minister Anudith Nakornthap said on Thursday. Anyone doing so could be arrested on charges of violating the Computer Crime Act and committing lese majeste because the law prohibits the dissemination of content deemed insulting to the monarchy, he said. Facebook users should not press the “like'' button or post comments on lese majeste-related content. - - - How about this for a way to prod these Neanderthals into the 21st century? Cut them off the Net totally until these practices cease. Be sure to read the part about the 61-year-old man just handed a 20 year prison sentence for sending SMS messages "insulting" to the royal family.
Telemarketers increasingly are disguising their real identities and phone numbers... Caller ID [properly, Calling Number ID] is becoming Fake ID. New FCC rules have been instituted to combat this practice, but are apparently very limited in their effectiveness... [Source: Matt Richtel, *The New York Times* front page, 23 Nov 2011; PGN-ed]
You might think that a program written by Donald Knuth and Leslie Lamport would be an ideal example of good programming, rather than the kind of encrusted monstrosity we expect from Microsoft. But perhaps it's the way of all things to end up like that, no matter who wrote it. http://vallettaventures.tumblr.com/post/13124883568/the-price-of-a-messy-codebase-no-latex-for-the-ipad
Mark, TEX is complicated. Don Knuth once told me he never used it, and just handed raw text (on paper?) to his secretaries to be TEXed. LaTeX was created by Les Lamport initially primarily for his own use (reminds you a little of Unix?). He gave it away for free, but his son's college education was funded from the book sales. But LaTeX significantly simplified many of the more challenging corners of TEX, and yet it deals with huge numbers of fonts, IEEE and ACM styles for formatting and bibliographies and whatever, automated indexing, and miraculously it usually works once you have figured out how to use it, with copious additional advice existing on the Web. But it is nontrivial to get it working seamlessly. Complex system are intrinsically complex. That's not a surprise. One question is whether the human interface can be usable. Another question is whether it is sufficiently well software engineered and modularly encapsulated to be easily extendable by others. For those reasons, I am still addicted to LaTeX and emacs. But I don't think I would want to use them for creating large documents on an iPad.
(Lemos, R 26 62) <http://www.pcmag.com/article2/0,2817,2396835,00.asp> The Department of Homeland Security and the FBI on Wednesday shot down reports that a cyber attack recently took down a pump at an Illinois public water utility. "After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois," a DHS spokesman said in a statement. [...] DHS, however, said the reports seen by Weiss "were based on raw, unconfirmed data and subsequently leaked to the media." After evaluating the situation, officials found "no evidence ... that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant." "In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported," DHS continued. "Analysis of the incident is ongoing and additional relevant information will be released as it becomes available." I guess most people excited by the original report will never see the rebuttal.
(Re: Lemos, RISKS-26.62) http://j.mp/vLku0D (Wired) "A report from an Illinois intelligence fusion center that a water utility was hacked cannot be substantiated, according to an announcement released late Tuesday by the Department of Homeland Security. Additionally, the department disputes assertions in the fusion center report that an infrastructure-control software vendor was hacked prior to the water utility intrusion in order to obtain user names and passwords to break into the utility company and destroy a water pump." - - - Some of you may recall I was skeptical of this report early on. While there's still confusion, I will say again that the "Quick! Blame the evil hackers and foreign governments testing our defenses!" excuse for local screw-ups should always be considered as a strong contender in these situations. Lauren Weinstein (email@example.com): http://www.vortex.com/lauren People For Internet Responsibility: http://www.pfir.org Network Neutrality Squad: http://www.nnsquad.org
"A British company called Gamma International marketed hacking software to governments that exploited the vulnerability via a bogus update to iTunes, Apple's media player, which is installed on more than 250 million machines worldwide. The hacking software, FinFisher, is used to spy on intelligence targets' computers. It is known to be used by British agencies and earlier this year records were discovered in abandoned offices of that showed it had been offered to Egypt's feared secret police." http://j.mp/tglKss (Telegraph) - - - I have no additional info about this report yet, one way or another.
Today's Internet is a work in progress. Indeed the current implementation lends itself to tracking because the current implementation depends on a central authority for names and addresses (DNS and IP) and because bits are tracked in order to support the current telecommunications business model. The real risk is confusing these artifacts with the larger idea of the Internet which shows what can done without a central authority or, for now, despite these central authorities. As I explain in http://rmf.vc/ThinkingOutsideThePipe networks are not fundamental. This means that the Internet is not easier to control once there is a funding model that doesn't require controlling the path. To put it another way—the reason that the Internet is easy to control is that we have stakeholders who embrace control and not because such control is necessary. -----Original Message----- From: Amos Shapir [mailto:firstname.lastname@example.org] Sent: Sunday, November 20, 2011 09:59 Subject: [risks 26.63] Re: The Coming Fascist Internet (Weinstein, RISKS-26.61) Comparing the Internet to other rather new technologies shows that prognosis is not good. Take driving as a case in point: about 20 years after the invention of the automobile, anyone could drive anything anywhere; now no one can drive anywhere unless both vehicle and driver are licensed and registered by some government. The Internet is even easier to control than roads, as all infrastructure is supplied by a few big companies, which usually comply with the government. China seems to be the future.
Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems (Richard Austin) EXCERPTED FROM: Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 105 November 22, 2011 Hilarie Orman, Editor Sven Dietrich, Assoc. Editor cipher-editor @ ieee-security.org cipher-assoc-editor @ ieee-security.org Richard Austin Yong Guan Book Review Editor Calendar Editor cipher-bookrev @ ieee-security.org cipher-cfp @ ieee-security.org Book Review By Richard Austin November 18, 2011 Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems Eric D. Knapp Syngress 2011. ISBN 978-1-59749-645-2 Amazon.com, U.S. $32.90 Table of Contents: http://www.elsevierdirect.com/toc.jsp?isbn=9781597496452 Whether based on the success of STUXNET, Richard Clarke's "Cyber War" or Joel Brenner's "America the Vulnerable", a convincing case has been made that we, as security professionals, should be concerned about the security measures (or lack thereof) being applied to the industrial control systems that manage power generation and distribution as well as many other critical infrastructure components. At the same time, many of us, like your humble correspondent, would be forced to admit that our knowledge in this area doesn't go much further than being able to spell out the acronym "SCADA". Knapp recognizes this lack and provides a quite readable introduction to industrial networks and how familiar security principles can be translated to apply in this complex area. The first third of the book provides an introduction to industrial networks, their protocols and how they operate. Peppered throughout the introduction are sidelights on security incidents and previews of how security measures may be applied. Acronyms multiply quickly and readers will likely want to maintain a cheat sheet to avoid having to flip back and forth to find their meanings (many, but not all, are in the glossary). The majority of the book is devoted to parsing out what "information security" really means in the context of industrial networks. Familiar topics such as "vulnerability and risk management" and "situational awareness" are placed in context and the unique considerations imposed by an industrial control network are identified. For example, many of us will have had the experience of crashing a piece of network equipment when scanning its management interface to assess its attack surface. What is an inconvenience in that context may have a much wider impact when the device is controlling a real-world process. As you might expect, compliance is a major concern and a very useful chapter reviews the relevant standards/regulations and provides recommendations for demonstrating compliance. Knapp also provides a "reverse mapping" that even identifies the relevant chapter of the book. The closing chapter's review of why-things-often-go-wrong includes many of the usual suspects ("Compliance vs. Security", "Misconfigurations", etc) and serves as a final reminder that though industrial networks present many unique features, they also have much in common with the more familiar areas of information security. Whether you are charged with defending an industrial network or curious about all the "buzz" over SCADA security, Knapp's book will provide a solid introduction to this fascinating area. Definitely a recommended read. [Before beginning life as a university instructor and independent cybersecurity consultant, Richard Austin (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry in positions ranging from software developer to security architect. He welcomes your thoughts and comments at raustin2 at spsu dot edu .]
Please report problems with the web pages to the maintainer