On 5th December, 2015, the River Lune in the city of Lancaster in northwest England overflowed its banks. The flood took out an electricity substation on Caton Road, on the banks of the river, which blacked out the entire city centre. The distinguished engineer Roger Kemp lives in the affected area and wrote a fascinating short account. Roger kindly agreed to let my RVS group publish it on our WWW pages. "Power cuts - a view from the affected area" is the item from 24 January 2016 under http://www.rvs.uni-bielefeld.de/publications/#WhatsNew I think it is one of the most important notes on engineered-systems resilience which I have ever read. Fifty years ago in the UK, during a power cut you would lose the lights, and the TV if you had one. Heating wasn't affected (except for the affluent few), neither was cooking or telephone communications or your transistor radio for information and entertainment, and young people did what they always did, which apart from playing table tennis was mostly without lights. Your local pub could still pull a pint and it was more fun by candlelight. (A decade earlier, though, you'd have lost the radio as well. Thank you Messrs. Bardeen, Brattain and Shockley.) Nowadays, .... well, read about it! Is it progress to replace critical independent systems with interdependent systems subject to single points of failure? Almost every standard for critical systems warns you not to do it, but that's what we've done. Prof. Peter Bernard Ladkin, University of Bielefeld, 33594 Bielefeld, Germany
Kate Knibbs, Gizmodo, 8 Jan 2016 A Gizmodo reader told us that his Nest had a software bug that caused his battery to drain—which caused Nest to shut off and leave him with a frigid home. This is, of course, exactly the opposite of what you want a smart thermostat to do. Nest has admitted that people are having problems with its batteries. A Nest spokesperson told Gizmodo: “We are aware of a low-battery issue impacting some Nest Thermostat owners. In some cases, this may cause the device to respond slowly or become unresponsive. We are actively investigating the issue and working on a solution. In the meantime, performing a manual restart of the thermostat will help until a fix is put in place.'' http://gizmodo.com/nest-thermostats-are-having-battery-problems-and-theres-1751800309
The U.S. Transportation Department and 17 automakers have reached agreement on efforts to enhance safety, including sharing information to thwart cyber-attacks on their increasingly wired vehicles, according to Bloomberg. "Automakers including General Motors Co., Ford Motor Co. and Toyota Motor Corp. also agreed to reform the way they report fatalities, injuries and warranty claims to the government," Jeff Plugis writes. "The companies agreed to keep meeting regularly to exchange information and identify emerging safety issues."
Trustwave disputes some of the following story, from Affinity. https://www.trustwave.com/home/ Different news media have different dates for some events. We may need to use data from the law suit to clarify. Here is the law suit: http://668781195408a83df63a-e48385e382d2e5d17821a5e1d8e4c86b.r51.cf1.rackcdn.com/external/trustwave-complaint_24dec2015.pdf https://cdn.arstechnica.net/wp-content/uploads/2016/01/trustwave-complaint.pdf Casino company Affinity Gaming learned about an Oct 2013 data breach and card malware outbreak from customers and local law enforcement. Affinity, HQ in Las Vegas NV, operates 11 casinos in 4 US states, also runs hotels and restaurants. Affinity immediately informed card issuers, and their Cyber Security Insurance company = ACE. Card companies had to re-issue cards for the approx 300,000 customers impacted. ACE told Affinity that they should hire a digital forensic investigation firm, of which Trustwave (based in Chicago IL) was one ACE recommended. [Truncated for RISKS. Lots more... PGN]
This message is addressed to the RISKS group as a whole, though the primary target is the group of security researchers who often post here. I read only the digests—and those, grouped together, at intervals, when I want to catch up on recent events and developments. Folks with substantive responses are encouraged to email me personally, as well as the newsgroup. Just yesterday I received my letter from OPM regarding the records compromise, and directing me to their website to avail myself of the identity protection services they're offering under contract through "ID Experts". This prompted me to pose a question that has vexed me for some time. In the late seventies researchers working on or associated with Multics came to the conclusion that truly secure computing was possible only with direct hardware support. In the following decade, I saw at least two proposed commercial ventures to build SW/HW architectures with at least the beginnings of such hardware support. Oddly enough, neither venture found sufficient interest. Of course, at the time such added hardware would have been prohibitively expensive for all but the largest organizations with extremely sensitive information. Still, it seemed to me that at least some government agencies and defense contractors would have been eager customers. Of course, with today's miniaturization, boutique silicon architecture shops, and foundries, implementing basic features, or even a full secure kernel, would be straightforward, though establishing user-friendly configuration mechanisms, or suitable default configurations for different markets, would still be somewhat of a challenge. Equally obviously, the formal design, proof, and testing would be expensive.
Presumably some consortium of government and corporate organizations could fund the initial work on the premise that as volume rose on marketing these relatively secure systems at commodity scale, the revenues and security benefits would reward their efforts handsomely. It's possible that at some point researchers determined that security through software alone was at least possible, if, perhaps, really difficult, but I never encountered reports of such a discovery. If this has happened, I would appreciate one or more pointers to the relevant literature. If not, perhaps some among you who have had greater insight into related design and marketing decisions could share what rationale has prevented relatively secure architectures from appearing in commodity systems. It's my perception that such HW/SW architectures, reasonably configured and deployed, would increase the difficulty - in resource costs - of what, for want of a better phrase, I will call 'routine hacking' by at least an order of magnitude. For systems configured for intensive use of security hardware features, or a security kernel, the increase might be two or three orders of magnitude. Of course, we'd still need much more attention to security-aware software engineering for systems handling life-critical and mission-critical systems, but there's already some awareness of that, and it seems to be increasing, albeit with agonizing slowness. Nonetheless, unless someone has shown that security is achievable on commodity architectures in software alone, it seems extremely wasteful to push more security-aware software engineering, anti-malware software, and security appliances out into an architectural environment that is severely handicapped at its lowest levels. Perceptual corrections welcome. Nicky L. Sizemore (retired), bolshev (at) theriver (dot) com Agent, 2nd Class, The Turing Authority ;)
http://blogs.wsj.com/washwire/2016/01/22/pentagon-to-protect-encrypt-federal-security-clearance-data/ The White House Friday announced an overhaul of the government's security clearance system, creating a new division to handle screenings and directing the Pentagon to protect the data. The creation of the National Background Investigations Bureau—and its close partnership with the Department of Defense—is the latest change to come after the sweeping cyber attack that hit the Office of Personnel Management last year. In that breach, which U.S. officials have said likely emanated from Chinese hackers, more than 20 million background check records and millions of fingerprint reports were stolen. Many lawmakers were astonished after the breach to find that none of the background check records were encrypted, making it much easier for thieves to potentially use the information. The NBIB will be a division of OPM, but the responsibility for protecting the information will shift to the Pentagon. The NBIB will incorporate an existing agency—the Federal Investigative Service—which already conducts background checks for more than 100 federal agencies. The NBIB's chief will be appointed by the president and [is] expected to have a higher profile than its predecessor. Richard Hale, the Pentagon's deputy chief information officer for cyber security, said Friday that “we will use encryption everywhere [*] that [is] appropriate'' and will look closely at what information should remain online and what records will be essentially disconnected from this network. “We intend to apply the best practices that we've been able to apply at the Pentagon,'' said Marcel Lettre, the Defense Department's under secretary for intelligence. The U.S. government conducts more than 600,000 security clearance checks each year for a wide range of agencies, including posts within the military and law enforcement. [* Encryption everywhere, with backdoors so that it can easily be exploited by everyone else?
By the way, if you received a letter from OPM offering free security/privacy services as compensation for your having been included in the purloined data, you might find that if you subscribe to the offered services, you will be asked many of the questions the answers to which were already in the compromised OPM data source! PGN]
http://www.theregister.co.uk/2016/01/15/france_backdoor_law/ [Thanks to Steven M. Bellovin. PGN]
“Patient safety has always been our highest priority and has been maintained ... Elective surgeries and outpatient appointments are continuing as normal.'' http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-damaging-computer-virus-20160118-gm8m3v.html
[Thanks to Richard I Cook MD] http://www.dailytribune.net/news/virus-hits-trmc-computers/article_ec2e44bc-bf83-11e5-97be-7fdbf276996d.html
http://www.nytimes.com/2016/01/19/technology/upstarts-are-leading-the-fintech-movement-and-banks-take-heed.html A millennial-led shift to digital financial services could upend the consumer banking industry.
WSJ via NNSquad http://www.wsj.com/articles/rarely-patched-software-bugs-in-home-routers-cripple-security-1453136285 The reason: A component maker had included the 2002 version of Allegro's software with its chipset and hadn't updated it. Router makers used those chips in more than 10 million devices. The router makers said they didn't know a later version of Allegro's software fixed the bug. The router flaw highlights an enduring problem in computer security: Fixing bugs once they have been released into the world is sometimes difficult and often overlooked. The flaw's creator must develop a fix, or "patch." Then it often must alert millions of technically unsophisticated users, who have to install the patch. The chain can break at many points: Patches aren't distributed. Users aren't alerted or neglect to apply the patch. Hackers exploit any weak link.
Nice bug in linux/android: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ The question is, how would you detect something like this?
Kaleigh Rogers, Cheetahs are Hard, Motherboard, 11 Jan 2016 http://motherboard.vice.com/read/cheetahs-are-hard Adam Roberts, the CEO of Born Free USA, posits that the biggest threat right now is the capture of wild cheetahs as exotic pets. From the article: Around the world, but in particular the Middle East, pet cheetahs have become a status symbol and getting your hands on exotic pets in some areas is “as easy as acquiring a cupcake.'' With Instagram making it convenient to flaunt cheetahs-as-accessories, the market for big cats is growing.
Facebook is facing an unusually stiff resistance from Indian regulators in offering its Free Basics service. India's Internet regulator just called Facebook's Free Basics campaign 'crude' and 'dangerous'; Rohan Venkataramakrishnan, Scroll.in, 19 Jan 2016 http://scroll.in/article/802128/indias-internet-regulator-just-called-facebooks-free-basics-campaign-crude-and-dangerous Anuj Srivas, Net Neutrality Standoff Escalates As TRAI Hauls Facebook Over the Coals in New Letter, The Wire, 19 Jan 2016 http://thewire.in/2016/01/19/free-basics-standoff-scales-new-height-as-trai-hauls-facebook-over-the-coals-in-new-letter-19658/ Although reports in the US press (e.g., below) implied the battle was over, it continues. Vindu Goel, Indian Regulators Suspend Facebook's Free Basic Services, *The New York Times*, 23 Dec 2015, http://bits.blogs.nytimes.com/2015/12/23/indian-regulators-suspend-facebooks-free-basic-services/
[subject to government censorship] (via NNSquad) http://www.reuters.com/article/us-pakistan-youtube-idUSKCN0UW1ER "On the recommendation of PTA, Government of Pakistan has allowed access to recently launched country version of YouTube for Internet users in Pakistan," the ministry said. "Google has provided an online web process through which requests for blocking access of the offending material can be made by PTA to Google directly and Google/YouTube will accordingly restrict access to the said offending material for users within Pakistan." Blasphemy is a highly sensitive subject in Pakistan, where angry mobs have killed many people accused of insulting Islam. The crime of blasphemy can carry the death penalty, although a death sentence has never been carried out. Pakistan has blocked thousands of web pages it deems undesirable in the last few years as Internet access spreads, but activists say the government sometimes blocks sites to muzzle liberal or critical voices. Government-censorship-enabled YouTube. Not the first time, but an extremely notable case and potentially the current example with the broadest implications for creating a slippery slope of ever expanding government censorship demands made of Google by governments around the planet. Google must obey national laws where they choose to operate—but voluntary participation in such politically-oriented censorship regimes as the price of doing business in such countries—even with the benefits to users there that limited access to YouTube or other Google services can bring—still remains highly problematic to say the least.
Understandable but Very Wrong: Google Enables Government YouTube Censorship in Pakistan http://lauren.vortex.com/archive/001146.html Literally within hours of the horrifying and sickening news of a 15-year-old boy in Pakistan who cut off his own right hand after he was the target of hysterical false accusations of blasphemy, comes word that Google—in a successful bid to get a three year YouTube ban in Pakistan lifted—will be permitting government officials in that country—apparently all the way down to the local level—essentially unfettered rights to censor and block individual YouTube videos from view in Pakistan. This is an enormously troubling development for free speech advocates around the world, particularly because it's impossible to overlook the relationship between the boy's actions and the upcoming Pakistan/YouTube censorship system. [...] The powers being ceded to the government there to censor Google at the individual YouTube video level—arguably even worse than the EU's awful "Right To Be Forgotten" (RTBF) scheme—continues our acceleration down the slippery slope of permitting governments to demand rights to micromanage information for their own political benefit and the personal enrichment (politically and in some cases financially) of their leaders and other politicians. I like to think of myself as a "responsible" free speech advocate. That is, I strongly assert the importance of free speech, but acknowledge that sometimes, in carefully delineated circumstances that must be minimized as completely as possible, some restrictions are necessary. So, for example, I generally strongly support Google/YouTube's global Terms of Service that prohibit videos that are directly violent—such as videos that show physical abuse of people or other animals. And I have nothing but respect for the Google policy and legal teams that must deal with these complex multinational situations. 
Similarly, the work done by Google engineers on politically neutral abuse detection systems and that of the human teams that help apply YouTube anti-abuse rules are also all exemplary. I've explicitly noted the exceptional circumstances of videos that incite terrorism, e.g., recently in my discussion of "A Proposal for Dealing with Terrorist Videos on the Internet" ( http://lauren.vortex.com/archive/001139.html ). But in Pakistan the concepts of (for example) blasphemy and government control are intertwined—accusations of the former are frequently used for purposes of the latter—and any discussions that the government there feels are blasphemous (by their own broad and self-serving definitions) -- or speaking out against the government in any manner—are key targets for abusive censorship. With Google now explicitly buying into this censorship regime as the price of removing an overall Pakistan block on YouTube—and note that the Pakistani government apparently will be setting the standards under which YT videos will be judged in violation—the situation in my view becomes much worse for the population there than would be the case without access to YT at all (yes, we know that some relatively small number of people have always gotten through with VPNs and proxies, but that's largely irrelevant to the overall population). The Pakistan version of Google-enabled national censorship isn't as straightforward as say, a relatively "simple" ban against Nazi memorabilia-related materials in France. In Pakistan, Google has become much more of a direct partner in the government's very broad, politically-motivated and personally suppressing censorship actions. The kind of YT censorship that will be enabled in Pakistan is much more akin to how China censors its population—where what will or will not be allowed to be seen in any media is carefully chosen and restricted to promote the government line and muzzle dissenting points of view. 
I absolutely understand the pragmatic realities of having to obey laws in those countries in which Google chooses—voluntarily—to operate, but I find the newly announced and apparently Google-endorsed government controls over YouTube content in Pakistan to be extremely disturbing, and a horrific precedent for other countries going forward.
Ars Technica via NNSquad http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-millions-of-pcs-servers-and-android-phones/ For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years. The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can't be accessed by other apps. According to a blog post published Tuesday, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that's executed by the kernel.
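The root cause of CVE-2016-0728 (the keyring bug described above and in the Perception Point post cited earlier) is a leaked reference: a code path takes a reference to the session keyring and never drops it, so a plain 32-bit usage counter wraps to zero after enough calls and the kernel frees an object that is still in use. The C below is an added example, not code from the kernel or from Perception Point; it contrasts that wrapping counter with a saturating one (the approach the kernel later adopted with refcount_t; the ceiling value and the saturation_events hook are assumptions of the example), which also answers the detection question raised above: a refused reference becomes a loud, countable event instead of a silent free.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ceiling for the saturating counter (assumed value): once reached it never
 * moves again, so the object may leak but can never be freed while in use. */
#define REF_SATURATED 0xC0000000u

typedef struct { atomic_uint cnt; } refcount_t;

/* Hypothetical detection hook: a kernel would WARN_ONCE here; we just count. */
static unsigned long saturation_events;

static void ref_init(refcount_t *r) { atomic_store(&r->cnt, 1); }
static unsigned ref_read(refcount_t *r) { return atomic_load(&r->cnt); }

/* Saturating take-a-reference. Returns false when the reference is refused:
 * the object is already freed (count 0) or the counter is pinned at the ceiling. */
static bool ref_inc(refcount_t *r) {
    unsigned old = atomic_load(&r->cnt);
    for (;;) {
        if (old == 0) return false;             /* use-after-free attempt: refuse */
        if (old >= REF_SATURATED) {             /* too many leaked refs: pin, never wrap */
            saturation_events++;
            return false;
        }
        if (atomic_compare_exchange_weak(&r->cnt, &old, old + 1)) return true;
        /* CAS lost a race; `old` has been refreshed, retry */
    }
}

/* Saturating drop-a-reference. Returns true exactly once, when the last
 * reference goes away and the caller must free the object. */
static bool ref_dec_and_test(refcount_t *r) {
    unsigned old = atomic_load(&r->cnt);
    for (;;) {
        if (old == 0) return false;             /* already freed: no double free */
        if (old >= REF_SATURATED) return false; /* pinned: never free */
        if (atomic_compare_exchange_weak(&r->cnt, &old, old - 1)) return old == 1;
    }
}

/* The vulnerable pattern: a code path takes a reference and never drops it,
 * `leaks` times, on a plain 32-bit counter starting at `start`.  Returns the
 * final value; 0 means the object is freed while every caller still holds it.
 * The real bug needed about 2^32 calls; callers fast-forward via `start`. */
static uint32_t naive_leak_run(uint32_t start, uint32_t leaks) {
    uint32_t cnt = start;
    for (uint32_t i = 0; i < leaks; i++)
        cnt++;                                  /* wraps silently past UINT32_MAX */
    return cnt;
}

/* Same leak against the saturating counter: the count sticks at the ceiling
 * and every refused reference bumps saturation_events. */
static unsigned safe_leak_run(unsigned start, uint32_t leaks) {
    refcount_t r;
    atomic_store(&r.cnt, start);
    for (uint32_t i = 0; i < leaks; i++)
        (void)ref_inc(&r);                      /* caller "forgets" the matching drop */
    return ref_read(&r);
}

/* Normal lifecycle: create (1), share (2), drop (1), drop (0 -> free),
 * then two stray calls on the freed object that must both be refused. */
static bool lifecycle_check(void) {
    refcount_t r;
    ref_init(&r);
    if (!ref_inc(&r))          return false;    /* second holder */
    if (ref_dec_and_test(&r))  return false;    /* one holder left: must not free */
    if (!ref_dec_and_test(&r)) return false;    /* last holder: free now */
    if (ref_inc(&r))           return false;    /* resurrection attempt refused */
    if (ref_dec_and_test(&r))  return false;    /* double free refused */
    return ref_read(&r) == 0;
}

int main(void) {
    printf("naive counter after wrap:  %u\n", naive_leak_run(UINT32_MAX - 2, 3));
    printf("saturating counter:        0x%x\n", safe_leak_run(REF_SATURATED - 2, 5));
    printf("refused references:        %lu\n", saturation_events);
    printf("lifecycle ok:              %s\n", lifecycle_check() ? "yes" : "no");
    return 0;
}
```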
The opening of a National Cyber Intelligence Center in Colorado Springs is expected to accelerate efforts to make the city a national hub for cybersecurity that will help the thriving local industry grow more quickly, officials say. Source: *Colorado Springs Gazette*, 17 Jan 2016 http://gazette.com/national-cybersecurity-center-could-become-huge-economic-driver-for-colorado-springs/article/1567957 W. Warren Pearce, email@example.com, Colorado Springs, Col. 1-719-548-1748
January 21, 2016 5:00 a.m. "It started the first month that Christina Lee and Michael Saba started living together. An angry family came knocking at their door demanding the return of a stolen phone. Two months later, a group of friends came with the same request. One month, it happened four times. The visitors, who show up in the morning, afternoon, and in the middle of the night, sometimes accompanied by police officers, always say the same thing: their phone-tracking apps are telling them that their smartphones are in this house in a suburb of Atlanta." "The most frustrating thing for Saba and Lee is that there's no definite answer for why it's happening, no government agency willing to take ownership over the issue, and so no way to get it to stop. Since Lee's parents own the house, moving isn't an option, said Saba." http://fusion.net/story/214995/find-my-phone-apps-lead-to-wrong-home/
There is almost never a good reason to hit *reply all*. Especially not when *all* includes a listserv that goes out to thousands of employees at Time Inc., the country's largest magazine publisher. http://deadspin.com/time-inc-is-in-the-midst-of-a-replyallpocalypse-1754078898
I was co-editor of two RFCs regarding HTTP Cookies, RFC 2109 and RFC 2965. I also wrote a paper about the evolution of the cookie RFCs. I don't usually go ego surfing, but I was drawn to the Wikipedia article on HTTP Cookies by a remark and reference in an IETF mailing list email. I proceeded to read the article's History section and learned to my surprise that "... the group, headed by Kristol himself and Aron Afatsuom, soon decided to use the Netscape specification...". I have never heard of Aron Afatsuom (Lou Montulli was my collaborator), but his name has proliferated around the web as people have more or less copied the (erroneous) text from the Wikipedia article. I have an edit pending to correct the error on Wikipedia, at least. The most obvious risk is that people believe what they read on the Internet. Another is that this person might use the search results for personal puffery. I'd love to know when, how, and why that name got into the Wikipedia article. <http://arxiv.org/abs/cs.SE/0105018> <https://en.wikipedia.org/wiki/HTTP_cookie> [Aron Afatsuom = Nora Moustafa reversed? PGN]
via NNSquad https://medium.com/@octskyward/the-resolution-of-the-bitcoin-experiment-dabb30201f7#.443qscsws Mike Hearn writes: "I've spent more than 5 years being a Bitcoin developer. The software I've written has been used by millions of users, hundreds of developers, and the talks I've given have led directly to the creation of several startups. I've talked about Bitcoin on Sky TV and BBC News. I have been repeatedly cited by the Economist as a Bitcoin expert and prominent developer. I have explained Bitcoin to the SEC, to bankers and to ordinary people I met at cafes. From the start, I've always said the same thing: Bitcoin is an experiment and like all experiments, it can fail. So don't invest what you can't afford to lose. I've said this in interviews, on stage at conferences, and over email. So have other well known developers like Gavin Andresen and Jeff Garzik. But despite knowing that Bitcoin could fail all along, the now inescapable conclusion that it has failed still saddens me greatly. The fundamentals are broken and whatever happens to the price in the short term, the long term trend should probably be downwards. I will no longer be taking part in Bitcoin development and have sold all my coins."
We read: "London's City Airport also recently won \243800,000 of funding"

Hmmm,

$ unicode pound
U+00A3 POUND SIGN
UTF-8: c2 a3
UTF-16BE: 00a3
Decimal: £
Octal: \0243

$ unicode dollar
U+0024 DOLLAR SIGN
UTF-8: 24
UTF-16BE: 0024
Decimal: $
Octal: \044

So a pound is worth 243/44 times as much as a dollar. Actually more, as a dollar is ASCII and thus safe from getting mangled...
Luthor Weeks wrote: "There is no easy solution. It would likely require a Constitutional Amendment." After several years as an election integrity researcher and activist, I came to a similar but more far reaching conclusion. I think election integrity in the US would require not just a Constitutional Amendment, but an entirely new Constitution, one that vested supreme power over government in the hands of the people rather than in the hands of an unelected supreme court or any other government officials, branches, or agencies. Such a Constitution would require that all votes be counted, that the electoral process be transparent and verifiable, and that disputes be resolved only by recourse to the voters themselves--since they alone would have the supreme power to resolve such disputes. It would also establish that all elected officials could quickly and directly be held accountable by the voters who elected them if said officials failed to represent their constituents, and that all ultimate policy decisions be put to a public vote rather than being decided by elected officials without regard to the wishes of the people who elected them. Coincidentally, the vesting of supreme power over government in the hands of the people happens to be a primary dictionary definition of a democratic form of government. In other words, the problem is not what author Edward B. Foley called, "...a failure of American government to operate as a well-functioning democracy," but the failure of the Constitution to have established a democratic form of government in the first place. In a democratic form of government, voters do not delegate their power to those they elect, in the form of a blank check or a full power of attorney, but merely delegate to elected officials the duties of carrying out the wishes of the people. As long as we do not have a democratic form of government, our elections are not likely to be democratic in nature either.
> The State of Michigan had an IT audit, with poor results.

Whether cybersecurity is real or a bubble about to burst, it has at least a few bubbly features: it's where the jobs are so it's where "teach yourself IT security in 14 days" professionals get employed. It's also where investors invest—and expect an ROI back. I've seen a couple of audits and met an auditor or two. Comments based on that very limited experience:

> Critical state operations are on 30 unsupported (obsolete) versions of UNIX.

I'm having a hard time naming 30 versions of UNIX. A typical security audit reports a version of a software as "obsolete bright red security hole" because the assessment is: check reported version string against a list of—typically "known good"—version strings. It does not take into account, for example, the vendor's patches.

> 90 % of the servers are not kept current with patches. If they get hacked,
> they don't have the controls to detect that. (very unhealthy)

If they're all obsolete and unsupported, how come 10% of them are still receiving patches? In real life turnkey systems don't get patched because it'll void your warranty. Ditto for installing "un-vetted" software like said controls. So you defend them at the perimeter instead—far from ideal, but that's the best you can do. I've never seen an audit take that into account.

> 84% of the servers had not had passwords changed in a timely fashion, with
> one had not been changed in nine years. (I have seen worse.)

There's been plenty said in this forum and elsewhere about how forced password changes make passwords worse. Sadly, useless metrics are a very common feature of IT security audits.

> 47% of the tested servers had had no vulnerability scans in over a month.

Well, if you have a system that hasn't been updated in 10 years, the only new vulnerabilities are if the hackers got in and installed backdoors. In that scenario periodic vulnerability scans are only useful as part of an intrusion detection system. Out of context that metric is of questionable value. In other words,

> $2.9 million had been spent on a security tool, not installed on all
> servers, for which this tool was paid for.

I'm having difficulties with that idea. I mean, if there is a security tool capable of running on 30 different obsolete versions of unix, $2.9M would be a fair price tag. I strongly suspect that in reality the tool was for "80% untested Windows servers" and had nothing to do with the rest of the bullet points.
I wonder how many students answer truthfully. From what I can see of the sample screens, you'll get through the online course a lot faster if you answer all the questions zero, never, and none.
Springer [Berlin-Heidelberg] takes great pleasure in announcing that its peer-reviewed Health & Technology Journal intends to publish a Special Issue on a subject of vital significance; the topic of Privacy, especially as it pertains to Healthcare. This issue will be published during the latter half of 2016. The Journal Special Issue aims to produce a volume that will be prodigious in its scope of inquiry, and contents; beginning with one's understanding of, and a clarity into the subject of Privacy, and a noticeable command of its many working components. Please accept a Letter of Invitation. [https://www.hawaii.edu/csati/SI-LoI.pdf] Dr. Robert Mathews, D.Phil., Office of Scientific Inquiry & Applications University of Hawai'i, 1 703 655 7124