Jeanne Shaheen (U.S. Senator from New Hampshire (Dem)) Kaspersky Lab is too close to the Kremlin to trust its software Op-Ed in today's issue of *The New York Times* https://www.nytimes.com/2017/09/04/opinion/kapersky-russia-cybersecurity.html Kaspersky Lab, the cybersecurity company, is close to Putin's government. So why is the U.S. government using its software? [This op-ed is a rather comprehensive warning. See previous related items in RISKS-30.10, 30.34, 30.37. PGN]
Nicole Perlroth, Michael Wines, and Matthew Rosenberg *The New York Times*, 1 Sep 2017 https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html “The more places we looked, the worse things looked. In fact, we discovered that VR Systems was not the only back-end supplier of election services that was hacked by Russians ahead of Election Day. Two more vendors that provide critical election services were also hacked.” See also https://www.nytimes.com/2017/09/01/insider/in-election-interference-its-what-reporters-didnt-find-that-matters.html?_r=0
#Antifa and #Berkeley were hot topics last weekend in America and in Russia. Caroline O., Medium, 1 Sep 2017 https://medium.com/@RVAwonk/how-russian-alt-right-twitter-accounts-worked-together-to-skew-the-narrative-about-berkeley-f03a3d04ac5d Social media [sic] has an important role in shaping perceptions of current events, as well as influencing mainstream news coverage of those events. Platforms like Twitter provide real-time access to events going on around the world, allowing anyone to get a front-row seat for breaking news. But as much as it has opened up new channels of information, social media has also opened up new avenues for manipulating perceptions of reality. Misinformation and disinformation often spread faster than the truth, and by the time the narrative is corrected, social media has already moved on to the next big thing. The narrative surrounding last weekend's protests in Berkeley took shape on social media and was picked up, at least in part, by mainstream news outlets. The result was a skewed presentation of events that was almost entirely devoid of the context in which they took place. Even more troubling: that narrative was influenced by pro-Russian social media networks, including state-sponsored propaganda outlets, botnets, cyborgs, and individual users. In the case study below, I describe how the narrative surrounding Berkeley was picked up and shaped by Russian-linked influence networks, which saw a chance to drive a wedge in American society and ran with it. Next, I look at the individual accounts and users that were identified as top influencers on Twitter, and explore what they were posting, how they worked together to craft a narrative, and the methods they used to amplify their message. Finally, I look at how news coverage of the events in Berkeley was shaped by the skewed narrative that emerged on social media.
This is just a single case study in a larger story, but it serves as an important reminder that Russia is still exploiting social media to harm U.S. interests—and that plenty of Americans are willing to join in on the effort. The Russian Connection Russian-linked influence networks and propaganda arms quickly took interest in the Berkeley protests last weekend. On Sunday afternoon, the top story on the front page of Russian propaganda outlet RT was about the events in Berkeley. (Note that this was the main landing page, not the America section). RT tweeted stories about the protests throughout the day Sunday (and some on Saturday), posting dramatic images and using trending hashtags to maximize their reach. Many of these tweets were retweeted by the semi-automated pro-Kremlin account @TeamTrumpRussia [...,] which spent much of the day amplifying the hashtags #Berkeley and #Antifa. On Twitter, the hashtag #Berkeley was amplified by Russian-linked influence networks, as evidenced by the output of the Hamilton 68 dashboard, a project of the Alliance for Securing Democracy, which tracks the activity of 600 Twitter accounts linked to Russian influence operations. These include state-sponsored propaganda outlets like Sputnik and RT, as well as individual users, automated accounts (bots), and cyborgs (accounts that produce automated content some of the time, but are human-controlled at other times) that actively and frequently amplify Kremlin propaganda (knowingly, and in some cases, potentially unknowingly).
Dominic Fracassa, San Francisco considers open-source voting system San Francisco Chronicle, 4 Sep 2017 http://www.sfchronicle.com/politics/article/San-Francisco-could-become-first-local-government-12170869.php&cmpid=twitter-premium [Open-source voting systems could be a major step forward compared with outsourced proprietary systems with no accountability. However, please remember that everything else in the election process is still a potential source of risks. PGN]
via NNSquad http://gizmodo.com/millions-of-time-warner-customer-records-exposed-in-thi-1798701579 The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC. The 4 million TWC records are not all tied to unique customers, meaning 4 million individual people were not exposed by the breach. Due to the sheer size of the cache, it was not immediately clear precisely how subscribers were affected. The leaked data included usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information--though it does not appear that any Social Security numbers or credit card information was exposed. Time Warner Cable was purchased by Charter Communications last year and is now called Spectrum, though the leaked records date back from this year to at least 2010. [TWC could be an abbreviation for TrustWorthy Computing or Time Warner Cable, but not both at the same time! PGN]
NNSquad https://www.eff.org/deeplinks/2017/08/internet-censorship-bill-would-spell-disaster-speech-and-innovation There's a new bill in Congress that would threaten your right to free expression online. If that weren't enough, it could also put small Internet businesses in danger of catastrophic litigation.
In November of 2015, Will Caput worked for a security firm assigned to a penetration test of a major Mexican restaurant chain, scouring its websites for hackable vulnerabilities. So when 40-year-old Caput took a lunch break, he had beans and guacamole on his mind. He decided to drive to the local branch of the restaurant in Chico, California. While there, still in the mindset of testing the restaurant's security, he noticed a tray of unactivated gift cards sitting on the counter. So he grabbed them all—the cashier didn't mind, since customers can load them with a credit card from home via the web—and sat down at a table, examining the stack as he ate his vegetarian burrito. As he flipped through the gift cards, he noticed a pattern. While the final four digits of the cards seemed to vary randomly, the rest remained constant except one digit that appeared to increase by one with every card he examined, neatly ticking up like a poker straight. By the time he finished his burrito, he had a plan to defraud the system. https://www.wired.com/story/gift-card-hacks
http://www.nbcnews.com/id/32675980/ns/us_news-weird_news/t/banks-thumbprint-rule-irks-man-no-arms/ John Utteridge, Software Engineer - Wireless Solutions Ltd., Station House, 50 North St., Havant, Hants. PO9 1QU http://www.wireless-solutions.ltd.uk [There also seem to be older people with sufficiently worn-down fingers that are not recognizable on some fingerprinting devices. PGN]
It looks to me as if fingerprint scanners would be just as convenient to use as waving an embedded chip, offer better affordance (you can see what to put where), and are a *lot* cheaper than embedded chips. Near as I can make out from the IT Professionals NZ code of ethics, this is unethical. As for the security claims, try these cartoons: http://www.gocomics.com/brewsterrockit/2017/08/29 http://www.gocomics.com/brewsterrockit/2017/08/30 http://www.gocomics.com/brewsterrockit/2017/08/31 [Groan. See the previous item from John Utteridge. PGN]
> ... It will be trivial to design a microchip that not only reports the
> current id, but can be reprogrammed to a new id from a simple
> device. Secondly, it will be fairly easy to build a scanner that picks up
> the ids of anyone nearby. Quick scan and reprogram and I am a new person
> with your credit limit.

While I agree that chipping yourself is a bad idea, this is not why. Chips used for financial transactions don't just broadcast an account number, they sign transactions. Hence a spy can replay a transaction but it can't create new ones. Contact and contactless EMV chips have worked this way for 20 years. Banks can certainly be stupid but they're not quite *that* stupid.
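As an added illustration of the distinction the reply draws (this is constructed example code, not from the post or from any EMV implementation; the key handling and message format are a deliberately simplified model), the two designs are modelled side by side: a chip that answers with a bare id, and a chip whose secret key never leaves it and which returns a keyed MAC over the transaction fields.

```python
import hashlib
import hmac
import secrets

# Constructed model: the issuer shares one secret per card with the chip;
# the real EMV cryptogram (session keys, ATC, unpredictable number) differs.

class StaticIdChip:
    """The 'broadcast an id' design the quoted post worries about."""
    def __init__(self, card_id):
        self.card_id = card_id

    def respond(self):
        # Whoever reads this reply has everything the chip can ever say.
        return self.card_id

class SigningChip:
    """Returns a cryptogram bound to the transaction, not just an id."""
    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key  # never leaves the chip

    def authorize(self, amount_cents, merchant):
        msg = f"{self.card_id}|{amount_cents}|{merchant}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"card_id": self.card_id, "amount": amount_cents,
                "merchant": merchant, "cryptogram": tag}

class Issuer:
    def __init__(self):
        self._keys = {}

    def issue(self, card_id):
        key = secrets.token_bytes(16)
        self._keys[card_id] = key
        return SigningChip(card_id, key)

    def verify(self, txn):
        key = self._keys.get(txn["card_id"])
        if key is None:
            return False
        msg = f"{txn['card_id']}|{txn['amount']}|{txn['merchant']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, txn["cryptogram"])

def demo():
    """Returns (cloned static id matches, replay accepted, altered txn accepted)."""
    cloned_ok = StaticIdChip(StaticIdChip("ID-42").respond()).respond() == "ID-42"
    issuer = Issuer()
    card = issuer.issue("4111-0000-0000-0001")
    captured = card.authorize(1999, "cafe")          # what an eavesdropper sees
    replay_ok = issuer.verify(captured)              # same fields, same tag
    altered_ok = issuer.verify(dict(captured, amount=999_999))  # tag no longer matches
    return cloned_ok, replay_ok, altered_ok
```

The bare id is copied into a new chip with nothing more than the value that was read, while the captured cryptogram only verifies against the exact transaction it was computed for.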
> People with cracked touch screens or similar smartphone maladies have a new
> headache to consider: the possibility the replacement parts installed by
> repair shops contain secret hardware that completely hijacks the security of
> the device. [...]
> On the other hand, these stories play right into the hands of those trying
> to kill "the right to repair" supported by the EFF.

On the contrary. If you have the right to repair your device on your own initiative, you can always choose to go to a repair shop *you* trust, or even do it yourself. If you do not have that right, you *must* go to the official dealer—who may not be trustworthy. Right To Repair is not only important to cheapskates, researchers, hobbyists and mafiosi in the Western world, but also to "terrorists" (read: non-conformists) in more dictatorial countries. Those may not be right to assume that an official Apple repair shop in *cough*Insert Undemocratic Country Apple Has Close Ties With Here*cough* will supply the same, spyware-free* replacement part that we get in Europe. And that may happen with or without Apple's support, or even knowledge.

* I was about to insert a question mark here, but let's not be that cynical - yet.
I am afraid that Amos Shapir is in error when he refers to the wording on British one pound banknotes, or indeed any British banknote issued by the Bank of England since 1853. The wording was just: "I promise to pay the bearer on demand the sum of ...". There was no mention of the means by which that would be achieved. It is possible that wording which included the means of payment might have appeared on bank notes issued by other than the "Old Lady of Threadneedle Street", but the last notes issued by a private bank in England and Wales were by Fox, Fowler and Co in 1921, and their notes did not carry such wording. Further, since 1694 although with some breaks, and until 1931 when Britain left the "Gold Standard" and the notes became backed by securities, the means of settlement was gold, not silver; in the form of a gold sovereign. The gold sovereign began circulation in 1489 as the "English gold sovereign", but which was last minted in 1604. The 'modern' gold sovereign was minted from 1817 until withdrawal in 1932. Guinea coins were also issued - a "guinea" being one pound and one shilling (one pound and five pence in decimal coinage) - but not guinea notes. The guinea was last minted in 1816, but the reference value is still used in horse racing (the "Two Thousand Guineas Stakes" run at Newmarket in April/May) and in the market sale of sheep. I would add for RISKS readers' further information, that "sterling" derives from the silver pennies introduced after 1066 by the Norman invaders (from one of whom, Grimbaldus, I am descended). Then, 240 sterlings weighed one pound, hence 240 (later, copper) pennies to the "pound". The shilling, of which there were 20 in a pound (and therefore 12 pennies to the shilling) was also introduced by William the Conqueror. There's logic behind our old currency.
Of course, gold and silver coins would wear away with handling, and since their value was based on weight, they were not really practical as a coinage in common and frequent use, and so were replaced by cupronickel and other alloy facsimiles.
password: hint: birthday: 4/17/1992 04/17/1992 1992/4/17 1992/04/17 4/17 birthday 0417 April 17 April 17, 1992 04.17 Error: Too many attempts. Locked out. [1992.04.17? or 17.04.1992? Maybe even just "Friday", since all it wants is a birth *day*, not a birth date! Then you would need a max of seven tries. PGN]