Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The Fire Department had to pay twice as much to lift throttling during wildfire response. https://arstechnica.com/tech-policy/2018/08/verizon-throttled-fire-departments-unlimited-data-during-calif-wildfire/ "Verizon representatives confirmed the throttling, but rather than restoring us to an essential data transfer speed, they indicated that County Fire would have to switch to a new data plan at more than twice the cost, and they would only remove throttling after we contacted the Department that handles billing and switched to the new data plan," Bowden wrote. "Regardless of the plan emergency responders choose, we have a practice to remove data speed restrictions when contacted in emergency situations," Verizon's statement said. "We have done that many times, including for emergency personnel responding to these tragic fires. In this situation, we should have lifted the speed restriction when our customer reached out to us. This was a customer support mistake. We are reviewing the situation and will fix any issues going forward." Well, a contract is a contract—maybe FD hadn't read fine print? But "unlimited" service that throttles to nearly nothing isn't a use of that word with which I'm familiar. OTOH, Verizon might have shown more sense during the incident, sorted it out later. Nice public spirit shown, plus clueless customer support in the moment. [Also noted by Richard Stein: If you don't ask, you won't get. Will emergency services wait until the next conflagration, earthquake or other natural disaster to request data throttle suspension? Rather than throttling their customer support, perhaps Verizon corporate sales policy should be revised to permanently waive or preclude data plan throttling for first responders.]
Given all the wildfires, as well as a messed up jet stream and a high pressure area that has been parked here for quite a while, it's smoky here in the northwest. A group in Spokane wants to blow the smoke into Canada. https://keprtv.com/news/offbeat/everyone-turn-your-fan-on-spokane-group-aims-to-blow-wildfire-smoke-back-to-canada or https://is.gd/xMSMWH https://www.facebook.com/events/2049472562029769/ (They say "back" to Canada, but there are some fires in Washington State as well, some of which have crossed into Canada ...) They want everyone to get five box fans (from where?), put them on the roof, and blow ... every fuse in town? Then there are the life safety issues of people falling off roofs, plus the fire safety issues of haywire extension cord setups ... cost-benefit, fire safety, forethought, life safety, planning, who did these calculations?
Zeynep Tufekci, MIT *Technology Review*, 14 Aug 2018 To understand how digital technologies went from instruments for spreading democracy to weapons for attacking it, you have to look beyond the technologies themselves. https://www.technologyreview.com/s/611806/how-social-media-took-us-from-tahrir-square-to-donald-trump/ BoingBoing had a piece on Zeynep's article: From Tahrir to Trump: How the Internet became the dictators' home turf http://boingboing.net/2018/08/23/we-didnt-start-the-fire.html Zeynep Tufekci (previously) leads Tech Review's politics issue with the best overview of the forces that have combined to make the Internet so hospitable to totalitarians and racist pigs. Tufekci describes how insurgent, democratic movements were early arrivals to the Internet, and how clumsy authoritarians' attempts to fight them by shutting the net down only energized their movements. But canny authoritarians mastered the platforms, figuring out how to game their automated algorithms to upvote their messages, and how to game their moderation policies to banish their adversaries.
Here's a wonderful opportunity for RISKS readers. The Swiss are developing an online voting system, which they hope will be ready for testing next year. More at swisspost.ch/pit
NNSquad http://www.wired.com/story/microsoft-facebook-tech-giants-defending-democracy/ On Tuesday, a trifecta of tech companies announced that they had thwarted what appear to be significant cyberattacks from Russia and Iran. First, Microsoft CEO Brad Smith announced that the company had caught another round of phishing attacks on political groups in the United States, which it attributed to the Russian hacking group Fancy Bear. Then it was Facebook's turn. On a call with reporters, CEO Mark Zuckerberg said his company had shut down 652 pages, accounts, and groups affiliated primarily with Iran, though some had ties to Russia. Twitter almost instantly followed suit, saying it too had taken 284 accounts offline, which appeared to have originated in Iran. In Washington, the news was met with a mixture of gratitude and anxiety.
As Facebook Use Goes Up in Germany, So Do Attacks on Refugees, Study Suggests A small German town exemplifies a phenomenon long suspected by researchers who study Facebook: that the platform makes communities more prone to racial violence. https://www.nytimes.com/2018/08/21/world/europe/facebook-refugee-attacks-germany.html
John Toon, Georgia Tech News Center, 9 Aug 2018, via ACM TechNews, 17 Aug 2018 Georgia Institute of Technology (Georgia Tech) researchers have helped patch a security flaw that could have enabled the theft of encryption keys from OpenSSL software by briefly eavesdropping on "side channel" signals from smartphones. The hack involved using intercepted electromagnetic signals from the phones that could be analyzed with a small and inexpensive portable device that listened in on a single decryption cycle. Georgia Tech's Milos Prvulovic and Alenka Zajic eavesdropped on two different Android phones using probes in close proximity to the devices without any physical contact. Their hack analyzed signals in a 40-MHz-wide band around the phones' processor clock frequencies, which are nearly 1 GHz. Prvulovic says, "Once we got the attack to work, we were able to suggest a fix for it fairly quickly. Programmers need to understand that portions of the code that are working on secret bits need to be written in a very particular way to avoid having them leak." http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1c5bdx216c58x070160%26
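Prvulovic's closing remark, that code working on secret bits has to be written "in a very particular way", is the point worth seeing in code. The following is an added illustration, not code from the Georgia Tech work or from OpenSSL: two ways of computing m^d mod n (the core of an RSA private-key operation). The first branches on each key bit, so the sequence of squarings and multiplications it performs, which is what an EM probe observes, changes with the key. The second performs the same operations for every bit and keeps the right value with an arithmetic select. The `trace` list, the key values and the tiny modulus are constructed for the demonstration; Python's big-integer arithmetic is not itself constant-time, so this shows the control-flow structure, not a production-grade implementation.

```python
def secret_bits(d):
    """Key bits, most significant first (constructed helper)."""
    return [int(b) for b in bin(d)[2:]]


def modexp_leaky(m, d, n, trace):
    """Square-and-multiply that branches on each key bit.

    `trace` records the operation sequence an observer would see:
    'S' then 'M' for a 1 bit, 'S' alone for a 0 bit. The trace is
    therefore a direct copy of the key.
    """
    r = 1
    for bit in secret_bits(d):
        r = (r * r) % n
        trace.append("S")
        if bit:  # data-dependent branch on a secret bit
            r = (r * m) % n
            trace.append("M")
    return r


def modexp_constant_ops(m, d, n, trace):
    """Same result, but square AND multiply on every iteration.

    The multiplied value is kept only when the bit is 1, selected with
    a mask rather than a branch, so the operation sequence no longer
    depends on the key.
    """
    r = 1
    for bit in secret_bits(d):
        r = (r * r) % n
        trace.append("S")
        t = (r * m) % n
        trace.append("M")
        # bit is 0 or 1: -bit is all-ones for 1, zero for 0
        r = (r & -(1 - bit)) | (t & -bit)
    return r


def trace_depends_on_key(func, m, n, d1, d2):
    """True if the observable operation sequence differs between two
    keys of the same bit length (constructed comparison helper)."""
    t1, t2 = [], []
    func(m, d1, n, t1)
    func(m, d2, n, t2)
    return t1 != t2


if __name__ == "__main__":
    # n = 61 * 53 is a toy RSA modulus; 11 and 13 are toy 4-bit keys.
    for f in (modexp_leaky, modexp_constant_ops):
        print(f.__name__, f(42, 11, 3233, []) == pow(42, 11, 3233),
              "trace leaks key:", trace_depends_on_key(f, 42, 3233, 11, 13))
```

Both functions return the same value, but only the leaky one produces a trace that changes with the key; the same reasoning applies to data-dependent memory accesses and early-exit comparisons, which is why cryptographic libraries keep a separate set of constant-time primitives for anything that touches key material.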
https://www.washingtonpost.com/technology/2018/08/23/this-firm-already-microchips-employees-could-your-ailing-relative-be-next/ Continuous physiological monitoring, location tracking, voice-activation, baseline medical history comparison capability, and communication capability. Fueled by harvesting human body heat—thermoelectric generator (TEG) implanted into the flesh. If the implant's medical history is enciphered, emergency room access to active prescriptions, pre-existing conditions, and allergic history is a no-go, unless the key is readily available. The ER would also require an implant reader and decoder application. If not enciphered, and an RFID protocol can read implant content, then confidentiality maintenance issues materialize.
A research paper presented at the Usenix security conference last week detailed a new technique for retrieving encryption keys from electronic devices, a method that is much faster than all previously known techniques. The approach relies on recording electromagnetic (EM) emanations coming off a device as it performs an encryption or decryption operation. ... Attack requires close proximity to the device The attack's only downside is that it still requires quite a close proximity to the "sniffed" device. http://www.bleepingcomputer.com/news/security/new-attack-recovers-rsa-encryption-keys-from-em-waves-within-seconds/
>From the blog of the Dutch railway infrastructure company ProRail http://www.prorail.nl/nieuws/oorzaak-computerstoring-treinverkeersleiding-gevonden (my translation with some [editorial comments]) ProRail has discovered the cause of the computer disruption of 21 August that caused many trains in the Amsterdam area to be canceled. Due to a unique set of circumstances a software fault occurred, with the result that the computer system that manages the trains and tracks could only be partially used. The problem began around 0630 when a thief being chased by the police at Schiphol Airport station tried to escape by running into the train tunnels [note: Schiphol Airport has an underground 6-track station with about 1.5 km of tunnel on either side]. Therefore one train that was planned in the system had to be canceled. The Dynamic Traffic Management System (DVM) which regulates train service through the Schiphol Airport station was automatically re-assigning platforms to trains, but at the same time an operator was entering a manual change in the platform assignments. This caused a conflict [race condition?] [that had never been tested] so that the automatic system was automatically disabled in favour of a partial system where all the very heavy traffic around Schiphol Airport and Amsterdam had to be managed by hand. This caused many trains to be canceled or delayed. The fault in the automatic system has now been repaired, so it will not happen again.
Yesterday afternoon a shoplifter at Schiphol airport in the Netherlands was on the run from the police and tried to get away by running into the train tunnel that runs underneath the airport. As a safety measure train traffic control ordered all trains around the tunnel to stop. One of these trains apparently stopped just when it had received both an automatic and a manual platform assignment. In the minutes that followed those conflicting orders triggered over 32,000 planning records to be generated in the system, effectively performing a denial of service attack. ProRail, the network operator, had no other choice than to shut down the entire computer system responsible for the train network around the Amsterdam area for hours. (The company says that the event caused a software bug to arise. LOL). Train traffic is still affected a day later because of scheduling problems as a result of the shutdown. ProRail stated that the error can no longer occur. No details were provided, but I hope they didn't just set a maximum to the number of records that can be generated. (in Dutch:) http://www.prorail.nl/nieuws/oorzaak-computerstoring-treinverkeersleiding-gevonden [Wow! Two ProRail items in the same issue. Dank U wel.]
Miranda Moore, *The Washington Post* Phone Line Connected To Computer Network Can Offer Access The fax machine is widely considered to be a dinosaur of inter-office communications, but it may also present a vulnerable point where hackers can infiltrate an organization's network, according to a new report from Israel-based software company Check Point. The company said that the vulnerability was identified as a result of research intended to discover potential security risks, and not as the result of any attack. Hackers can gain access to a network using the phone line connected to a fax machine, which is often connected to the rest of an organization's network. By sending an image file that contains malicious software over the phone line, hackers are able to take control of the device and access the rest of the network. The researchers were able to do this using only a fax number, which is often widely distributed by organizations on business cards and websites. The report estimates that there are more than 17 million fax machines in use in the United States alone. The legal and medical fields both continue to rely heavily on fax machines to conduct business, since they are widely considered to be a more secure form of transmitting sensitive information and signatures compared to email. Banking and real estate also frequently transfer documents containing signatures via fax. With the advent of all-in-one products that include fax functions as well as printing and scanning, fax machines may be more prevalent in homes and offices than people realize. This particular vulnerability only applies if such a machine is connected to a telephone line, however. The only machines tested were from HP's line of all-in-one printers, but according to the report, these vulnerabilities are likely to be found in machines from any manufacturer that use similar technology.
HP issued a patch for its products before the report was published, which is available for download from its support website. The report advises that if a fax machine is too old to support a software update, or if the manufacturer has yet to issue a patch to fix the vulnerability, fax capabilities should be used only on a segmented part of the network without access to critical data. The report also advises that the phone line connected to an all-in-one type machine should be disconnected if a user or organization does not use the fax functions.
Princeton researchers find army of high-wattage IoT devices could cripple electric grid. https://arstechnica.com/information-technology/2018/08/just-say-no-wi-fi-enabled-appliance-botnet-could-bring-power-grid-to-its-knees/
The Democratic National Committee had alerted the FBI to an apparent attempted hack of its voter database earlier this week. A security firm discovered that a fake DNC log-in page had been created to trick people into giving up their usernames and passwords, a Democratic official said. A person familiar with the incident said this. http://www.washingtonpost.com/news/politics/wp/2018/08/23/hack-attempt-on-dnc-voter-database-was-a-false-alarm-the-national-committee-says/ And here is the previous day's item in *The New York Times*: http://www.nytimes.com/2018/08/22/technology/democratic-party-says-it-has-thwarted-attempted-hack-of-voter-database.html
http://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/ Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out (or maybe all of the above). A security audit of the Western Australian government released by the state's auditor general this week found that 26 percent of its officials had weak, common passwords—including more than 5,000 including the word `password' out of 234,000 in 17 government agencies. Yikes. The legions of lazy passwords were exactly what you—or a thrilled hacker—would expect: 1,464 people went for `Password123' and 813 used `password1'. Nearly 200 individuals used `password'—maybe they never changed it to begin with? Almost 13,000 used variations of the date and season, and almost 7,000 included versions of `123'. [...]
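The audit's categories (contains `password', contains `123', built from a date or season) are exactly the kind of checks a password-setting policy or an offline audit of recovered plaintexts can apply before the passwords are ever in use. The following is an added example, not the auditor general's tool or its rules: the heuristics, the sample password list and the finding labels are constructed here for illustration, and a real deployment would pair them with a breached-password blocklist rather than rely on patterns alone.

```python
import re
from collections import Counter

# Constructed heuristics modelled on the audit's reported categories.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
YEAR_RE = re.compile(r"(19|20)\d{2}")          # e.g. 1999, 2018
DATE_RE = re.compile(r"\b\d{1,2}[/-]\d{1,2}")  # e.g. 12/25, 3-14


def weak_password_findings(pw):
    """Return the list of weak-pattern labels that apply to `pw`
    (empty list means none of these patterns matched)."""
    findings = []
    low = pw.lower()
    if low == "password":
        findings.append("unchanged default 'password'")
    elif "password" in low:
        findings.append("contains 'password'")
    if "123" in pw:
        findings.append("contains '123'")
    if any(s in low for s in SEASONS) or YEAR_RE.search(pw) or DATE_RE.search(pw):
        findings.append("date or season")
    return findings


def audit(passwords):
    """Audit a list of plaintext passwords (as an offline auditor would
    after a permitted recovery exercise) and return
    (weak_count, total, per-finding counts)."""
    counts = Counter()
    weak = 0
    for pw in passwords:
        findings = weak_password_findings(pw)
        if findings:
            weak += 1
        counts.update(findings)
    return weak, len(passwords), dict(counts)


# Constructed sample set, not data from the Western Australian audit.
SAMPLE = [
    "Password123", "password1", "password", "Summer2018",
    "abc123", "Tr0ub4dor&3", "correct horse battery staple", "Winter18",
]

if __name__ == "__main__":
    weak, total, counts = audit(SAMPLE)
    print(f"{weak} of {total} weak ({100 * weak // total}%)")
    for label, n in sorted(counts.items()):
        print(f"  {n:4d}  {label}")
```

Used as a policy filter, `weak_password_findings` should reject on any non-empty result; used for an audit, `audit` gives the same breakdown the report published (share of weak passwords and counts per pattern) without needing to store the plaintexts once the counts are taken.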
http://www.nytimes.com/2018/08/21/technology/facebook-political-influence-midterms.html The social network removed hundreds of fake accounts and pages targeting people in different countries and regions that originated in Iran and Russia.
Liam Tung, ZDNet, 21 Aug 2018 http://www.zdnet.com/article/google-sued-for-tracking-you-even-when-location-history-is-off/ Google sued for tracking you, even when 'location history' is off A lawsuit accuses Google of tracking a man against his wishes and disguising what 'location history off' means. opening text: Google now faces a potential class action lawsuit over the revelation that it continues to store users' location data even if they turn off Location History. The lawsuit was filed on Friday, the day Google updated its help page to clarify that with Location History off it still stores some location data in other services such as Google Search and Maps. Until then, Google's help page on Location History stated that "with Location History off, the places you go are no longer stored". However, a report by the Associated Press found this statement wasn't true. The lawsuit accuses Google of falsely representing what 'History Location off' means to its millions of iPhone and Android users and seeks a class action status consisting of an Android Class and an iPhone Class.
Cars need to get faster—not on the road, but on the inside. Speed has always been part of the mystique of the automotive business. But cars have been notoriously slow when it comes to handling information. It is a problem that has only become more pressing as the era of autonomous vehicles looms, with competing interests racing to be the first with a solution. Cars have long relied on a relatively simple network standard called the CAN or Controller Area Network bus. The CAN bus coordinates all the microprocessors and electronic control units, or E.C.U.s, that need to trade engine, powertrain, and diagnostic information, transmitting details like transmission status and fluid levels. As more electronics like window and seat controls were added to cars, the CAN bus was tweaked over the years with additional local interconnection networks, or LINs, to handle the swelling communications load. But the CAN bus, which was originally developed by Bosch more than 33 years ago, is showing its age. https://www.nytimes.com/2018/08/16/business/cars-internal-data-networks.html
http://www.npr.org/2018/08/21/639646651/watch-self-driving-cars-need-to-learn-how-humans-drive Hope these lessons include simulating drivers experiencing some or all these scenarios, preferably simultaneously: 1) A bee in the vehicle; 2) Cosmetic application, especially lipstick and eyeliner; 3) Cat escape from transport carrier; 4) Coffee or slurpee spill; 5) The all important chili cheeseburger drip mess;
The ISC2 "community" has had a bunch of queries about blockchain in recent months. One person started a fairly active thread asking for a kind of a cheat sheet for blockchain security. The real issue is that, however it started out, blockchain has now become kind of a marketing term: it means whatever the vendor selling it to you thinks it means. (Which is not necessarily what you need it to mean.) Essentially, by now it's pretty meaningless. At base, it is an amalgamation of two ideas. Digital signing of transactions, and a distributed database of those transactions and signatures. Beyond that, we have implementation details. And those, as always, are where the problems arise. Are you really serious about the signatures? Are you doing confidentiality, or just the authentication? How serious is your signature algorithm? What about key management? Have you got all the bits you need for a full PKI? Are you using a hierarchical model or web of trust? And these are only the beginning of the questions on the signature side. How are you going to distribute the transaction ledger? Is it going to be full everywhere? Is it going to be full *any*where? How can it be accessed and checked? Will a complete examination of the register identify an individual even if a single transaction doesn't? So, ultimately, the answer to your question is "no." There isn't any nugget. There isn't any cheat sheet. The hygiene depends upon what you build or buy. And that's why BLOCKCHAIN IS NOT THE ANSWER. (Blockchain isn't even the question. Even if the answer *is* "no.") (Sorry. As the dictionary guy I always get kind of bitter when a term that *might* have had a meaning or use gets abused to the point of being meaningless ...)
The value of ether has fallen 9 percent over the last 24 hours. http://arstechnica.com/tech-policy/2018/08/bitcoin-and-ether-are-both-down-more-than-two-thirds-from-their-peaks/ Earlier: The number of people who bought virtual currencies more than doubled last winter. For people who got in late, the bust has been disastrous. https://www.nytimes.com/2018/08/20/technology/cryptocurrency-investor-losses.html
*From Fortune magazine email:* *Game of telephones.* A man in California is suing AT&T https://click.email.fortune.com/%3Fqs%3D855aded26e1f3607aaf38868b35c5d2989f00592a9ea8c4d2cfd2d6d4ab82fbf45357d610f28a94006a2ccce70fd55e848a2569843531ce9 to the tune of $224 million for allegedly enabling a thief to steal $24 million worth of his cryptocurrency. (The other $200 million is for punitive damages.) The plaintiff, one Michael Terpin, says that AT&T gave the culprit access to his phone number without authorization, thus enabling the bandit to break into Terpin's digital accounts. AT&T said it disputes the allegations. https://www.cnbc.com/2018/08/15/cryptocurrency-investor-sues-att-for-224-million-over-loss-of-digita.html
Apple wants iPhone owners to be able to use their mobile devices as alternatives to a keyless entry system for their car, with a proposal that would let users unlock and start a vehicle simply by bringing their mobile device with them to the driving seat. ... Apple proposes the use of both magnetic antennas and radio frequency antennas to determine range, including analyzing the RF received signal strength indicator, time-of-flight value, and other signal properties. This would allow for an unlocking system to detect at a far longer range than available at present. https://appleinsider.com/articles/18/08/16/improved-keyless-entry-system-could-replace-car-key-fob-with-iphone Longer range—what could go wrong with that? Great comment on article: Awesome! iPhone thieves will now get a free car as a bonus! And if they ask Siri to navigate home they can have all my stuff too. It currently takes *three* different thieves to pull this off, but thanks to technological progress that will soon be accomplished by just one.
River O'Connor, Politico http://www.politico.com/magazine/story/2018/08/21/i-just-hacked-a-state-election-17-not-a-good-hacker-219374 It took me around 10 minutes to crash the upcoming midterm elections. Once I accessed the shockingly simple and vulnerable set of tables that make up the state election board's database, I was able to shut down the website that would tally the votes, bringing the election to a screeching halt. The data were lost completely. And just like that, tens of thousands of votes vanished into thin air, throwing an entire election, and potentially control of the House or Senate—not to mention our already shaky confidence in the democratic process itself—into even more confusion, doubt and finger-pointing. I'm 17. And I'm not even a very good hacker. I've attended the hacking convention DEF CON in Las Vegas for over five years now, since I was 11 years old. While I have a good conceptual understanding of how cyberspace and the Internet work, I've taken only a single Python programming class in middle school. When I found out that the DNC was hosting a security competition for kids and teens, however, my interest in politics fed into curiosity about how easy it might be to mess with a U.S. election. Despite that limited experience, I understood immediately when I got to Las Vegas this year why the professionals tend to refer to state election security as "child's play." The Voting Machine Village at DEF CON, where attendees tackled vulnerabilities in state voting machines and databases, raised plenty of eyebrows among election boards and voting machine manufacturers alike. It's a hard pill to swallow for the public, too: No one wants to believe that -- after waiting in a lengthy line, taking time off from work or finding a babysitter in order to vote—their ballot could be thrown away, or even worse, altered. 
Consequently, people started to take notice as reports came in from both the intelligence community and organizations like the DNC, a co-sponsor of the Voting Village, about the ease with which a foreign power could potentially do such a thing. Since electronic voting was introduced in the early 2000s, leaders in Washington and our state capitals have repeatedly failed to keep up with rapid advances in information technology and cybersecurity. The replica state election websites used in this year's competition were built on MySQL, a database management system that stores data in simple tables containing columns and rows. By inputting a command into the search bar to see all the website's tables, I could then see all its data, including vote tallies, candidate names and tables of basic website functions. Once someone has that kind of access, they can do plenty of damage. The organizers instructed us to double candidates' vote tallies, for starters. Then, with the assistance of volunteers, some of us easily changed the names of candidates or even their parties, or inflated the vote tallies to ridiculously high, Putin-esque numbers. The entirety of the hacking came down to entering no more than two lines of code: the first to display all columns and rows for the site and the second to alter the vote tally. Of the few dozen participants, most completed the very simple hack assigned by the instructors. About a quarter figured out how to rename or delete other candidates and their parties from the list. But even after doing something as relatively tame, from a computer science perspective, as messing around with a few numbers, I wanted to see how much damage I could do *without* the competition's instructions or staff assistance. First, I wrote down the IP address of the server hosting the competition, no different than the first step a foreign agent would take. Then, I accessed the DEF CON website from a secure Wi-Fi spot and Googled a list of common MySQL commands. 
The whole thing, from search to shutdown, took me less than five minutes. To take down the entire website, all I needed to do was enter a command to drop the table—to remove it from the database entirely, in other words. This caused the page to return an execution error, which took a reset of the website's host server to fix. Essentially, I had crashed the website, similar to the denial-of-service attacks more familiar to the public, but more direct and even more effective. This is where the staff got a little bit confused, as the competition's instructions had told us only how to change the number of votes. I had to crash the website again, right in front of them, before they believed I had anything to do with it. The fact that someone as untrained as myself could bring an election to a screeching halt with nothing but a quick Google search should be a wake-up call. While inflating Gary Johnson's vote tally to over 90 billion is good for a laugh, a more malicious agent—not to mention a team of well-funded and highly skilled hackers—could do real damage. A close congressional race could be flipped by the addition of a few hundred extra votes, the installation of malware, stolen security credentials or the shutdown of a website during the final tally, like my DEF CON escapade last week. The possibility, or even the likelihood, of such an event is precisely why the chief security officer of the DNC, Bob Lord, interviewed me and my fellow competition participants to see what kind of defense those without experience could potentially develop. I didn't quite know what to expect when I started the competition, but I know it shouldn't have been that easy. Someone with my skills wouldn't have stood a chance against a professionally protected website. Anyone with a Wi-Fi-enabled device could theoretically have done what I did to the mock election database. Unfortunately, the people who have the power to do something about this issue are in denial. 
But that doesn't change the facts on the ground. America is supposed to set a world standard for free and open elections -- the idea of "one person, one vote" is part of our identity. The failure to address such a widespread and well-documented effort by foreign powers to compromise that principle puts our democracy, and our position of leadership, at risk. I'm still not particularly interested in a tech career, but one day I hope to be in a position to prevent something like this from happening in real life. After the competition, both the staff and the competitors agreed—we need a tech-literate government with the resources and the will to secure our elections. Or at least one that can stop a 17-year-old with basic command line skills and 10 free minutes between classes from electing Gary Johnson president-for-life. *River O'Connor is a senior at the Ocean Research College Academy in Everett, Wash.*
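The two weaknesses the article turns on are that typed input reached the database as SQL text, and that the account behind the public tally page was allowed to drop tables. Both have standard fixes, shown here as an added example that is not part of the Politico piece or the DEF CON Voting Village materials. It uses Python's built-in sqlite3 rather than the competition's MySQL, a constructed `tallies` table, and the classic `' OR '1'='1` test string that any defender uses to check whether a lookup treats input as data; the public connection is opened read-only, so a `DROP TABLE` through it fails before it reaches the data.

```python
import os
import sqlite3
import tempfile

# --- constructed fixture: a tiny tally table in a temporary file --------
def build_db(path):
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE tallies(candidate TEXT PRIMARY KEY, votes INTEGER);
        INSERT INTO tallies VALUES ('Alice', 1200), ('Bob', 950);
    """)
    con.commit()
    con.close()


def open_public(path):
    """Connection for the public-facing tally page: read-only at the
    database layer, so no statement issued through it can modify or
    drop anything regardless of bugs higher up."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


# --- the 'before': user input is pasted into the SQL text ---------------
def votes_for_unsafe(con, name):
    sql = f"SELECT candidate, votes FROM tallies WHERE candidate = '{name}'"
    return con.execute(sql).fetchall()


# --- the 'after': input travels as a bound parameter, never as SQL ------
def votes_for(con, name):
    sql = "SELECT candidate, votes FROM tallies WHERE candidate = ?"
    return con.execute(sql, (name,)).fetchall()


def try_drop(con):
    """Return True if the connection refused a DROP TABLE."""
    try:
        con.execute("DROP TABLE tallies")
        return False
    except sqlite3.OperationalError:   # 'attempt to write a readonly database'
        return True


def demo():
    """Run both lookups with a test string and attempt a DROP through the
    read-only connection; return the observable outcomes."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_db(path)
        con = open_public(path)
        probe = "Alice' OR '1'='1"
        result = {
            "unsafe_rows": len(votes_for_unsafe(con, probe)),  # every row
            "safe_rows": len(votes_for(con, probe)),           # no such name
            "alice_rows": len(votes_for(con, "Alice")),
            "drop_blocked": try_drop(con),
        }
        con.close()
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The parameterised query returns nothing for the probe because the whole string is compared against the candidate column; the string-built query returns every row because the quote closed the literal and the rest became SQL. The read-only connection is the second layer: in MySQL the equivalent is a dedicated account granted only `SELECT` on the tally tables, so a successful injection still cannot change or drop them.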
Targeted in police action, ISIS's news agency "went down fast," but it came back again and again. https://www.washingtonpost.com/world/national-security/in-fight-against-isiss-propaganda-machine-raids-and-online-trench-warfare/2018/08/19/379d4da4-9f46-11e8-8e87-c869fe70a721_story.html
Nawaz Sharif was Pakistan's Prime Minister three times—from late 1990 until July 1993, then from February of 1997 into the fall of 1999, and finally again from June 2013 until his ouster in July of 2017. Currently, he's in prison—and Calibri is partially responsible for that. http://nowiknow.com/the-font-which-toppled-a-government/
Friday marked a major milestone for the more than $15-billion adult toy industry, with the expiration of a longstanding patent. The basic idea behind the expiring patent is almost as old as the Internet—that two users might sexually stimulate each other using devices controlled over the Internet. http://fortune.com/2018/08/18/cybersex-patent-expiration-teledildonics/ Let the good times roll... [Monty Solomon noted this in Ars Technica: Cybersex toy industry heats up as infamous "teledildonics" patent climaxes. EFF lawyer: "At least startups in the space won't immediately get sued." https://arstechnica.com/tech-policy/2018/08/cybersex-toy-industry-heats-up-as-infamous-teledildonics-patent-climaxes/ PGN]
Web Informant, Aug 20, 2018 (via Gabe Goldberg) This is a story about how hard it is for normal folks to keep their computers secure. It is a depressing but instructive one. Most of us take for granted that when we bring up our web browser and go to a particular site, we are safe and we know what we see is malware-free. However, that isn't always the case, and is getting harder. <http://blog.strom.com/wp/wp-content/uploads/2018/08/ext.png> Many of you make use of browser add-ons for various things: Right now I am running a bunch of them from Google, to view online documents and launch apps. One extension that I rely on is my password manager. I used to have a lot of other ones but found that after the initial excitement (or whatever you want to call it, I know I live a sheltered life) wears off, I don't really take advantage of them. So my story today is about an add-on called Web Security. It is oddly named, because it does anything but what it says. And this is the challenge for all of us: many add-ons or smartphone apps have misleading names, because their authors want you to think they are benign. Initially, Mozilla wrote a recommendation for this add-on earlier this month. Then they started getting complaints from users and security researchers. Turns out that they made a big mistake. Web Security tries to track what you are doing in your browsing around the Internet, and could compromise your computer. When Mozilla add-on analyst (that is his real job) Rob Wu looked into this further, he found some very nasty behavior that made it finally clear to him that the add-on was hiding malicious code. Mozilla basically turned off the extension for the hundreds of thousands of users that had installed it and would have been vulnerable. This story on Bleeping Computer provides more details. 
https://www.bleepingcomputer.com/news/security/mozilla-removes-23-firefox-add-ons-that-snooped-on-users/ In the process of researching this one add-on's behavior, Wu found 22 other add-ons that did something similar, and they were also disabled and removed from the add-on store. More than half a million Firefox users had at least one of these add-ons installed. So what can we learn from this tale of woe? One thing is the sobering thought that even security experts have trouble identifying badly behaving programs. Granted, this one was found and fixed quickly. But it does give me (and probably you too) pause. Here are some suggestions. First off, *take a look at your extensions*. Each browser does this slightly differently. Cisco has a great post here http://umbrella.cisco.com/blog/2016/06/16/finding-browser-extensions-find-evil/ to help you track them down in Chrome and IEv11. Make sure you don't have anything more than you really need to get your work done. Second, *keep your browser version updated*. Most of the modern browsers will warn you when it is time for an update, and don't tarry when you see that warning. Finally, *be aware of anything odd* when you bring up a web page: look closely at the URL and any popups that are displayed. Granted, this can get tedious, but you are ultimately safer.
SkimReaper, subject of a USENIX Security paper, detects most common card skimmers. https://arstechnica.com/information-technology/2018/08/researchers-develop-device-to-aid-in-hunt-for-stealthy-atm-card-skimmers/
How one woman discovered excessive and unauthorized trading in a fund meant to support her mother and father in their later years. Their money manager was ripping them off, making large numbers of small trades and pocketing the fee. [PGN-ed] https://www.nytimes.com/2018/08/24/business/brokers-excessive-trading-retirement.html
1. Traceability (Vint Cerf) In recent months in the UK there's been a campaign in some sections of the media for social networking sites to have a legally-mandated duty of care, mainly aimed at protecting children and young people (under-18s in this context), e.g.: https://www.telegraph.co.uk/duty-of-care-campaign/ (Some of it behind paywall.) Also, the EU is becoming involved: http://www.dailymail.co.uk/news/article-6079547/Web-giants-ordered-delete-extremist-material-hour-face-fines.html Many of the demands for age-related controls are quite specific, such as parental controls, hours-per-day limits (even a curfew) and barring of sexually-explicit material, and then there are the usual concerns about bullying, grooming, suicide, etc. and of course the "billions of $$$$s in profits made by the social media giants". More generally, there are suggestions that ISPs, search engines, and suchlike should have legal responsibilities as publishers ("they can't keep hiding behind the feeble excuse of just being communications channels"), and thus be required to prevent trolling, fake news, the transmission of undesirable material, such as terrorist information, attempting to influence countries' elections, and so forth. Reportedly, the UK government is putting together a new Data Communications Act with a view to making it law in late 2019. Other RISKS readers will know more than me here, but I'm not sure how practical all of this is. It appears that anybody offering Internet access will have to verify the identity and age of any under-18 users, *and* who is their legal parent or guardian who can set whatever access controls are needed (lots of data-protection issues), *and* ensure that they can't set up illicit duplicate accounts under different identities, *and* do this for all countries, unless we have Chinese-style firewalls, which is where Vint Cerf's traceability may come in.
For the 'publisher' issues, there must be billions of web sites out there and millions of them are added or changed every day, so much of the Internet could be unreachable if we're only allowed to look at sites which have been carefully editorially screened and fact-checked. Then there are the age-old debates about what actually is fake news and how one person's freedom of expression is another person's hate crime; who decides, and who pays the legal bills? Complying with all of these requirements must increase the operating costs of ISPs, search engines, social networking sites, and so forth, and may well reduce their traffic and advertising revenues, so how will they make up for this? (As I've posted here before, billing customers is quite a costly business.) As ever, it's a bit difficult to distinguish legitimate concerns which should be addressed and virtue-signalling with different groups of campaigners competing to see who can be toughest and most uncompromising, but I hope that we don't end up with North Korea looking like a beacon of freedom... 2. Re: The Ordinary License Plate's Days May Be Numbered (Shapir, RISKS-30.78) This is connected with another risk. When Internet access and e-mail at home were becoming popular 15-20 years ago, it seemed (at least in the UK) as if everybody and his dog was offering a service, not only tech companies but some other household names like supermarkets, presumably to be seen to be keeping up with the times (with the actual service provided on a white-label basis by regular ISPs). In recent years many of these have closed down, including long-established providers like Orange and O2 (cellphone companies), Freeserve, Wanadoo, and Tesco.net (a supermarket, due to close its Internet service in October this year), which means that their e-mail addresses no longer work. 
Of course notifying regular contacts with a change of e-mail address is a chore, but there's the risk of forgetting less-often used ones such as insurance companies who may only be contacted once a year or so, leading to the sort of problems mentioned above. Some people set up their own domains so they can transfer their e-mail address between ISPs—fine for businesses, but I'm not sure how practicable it is for individuals.
I have a partial solution. Wrap live electrical lines around the fiber-optic cables. That might help knock hacker squirrels out of the gene pool.
There is a follow-up story at https://www.theregister.co.uk/2018/08/09/connected_car_legal/ In the comments, they also add risks with the car media centre, especially for rental cars (why upload your phone contacts there, and why not delete them when selling or returning the car?), and with driving fees like highway fees (the Dartford Crossing charges as the specific example) when they are based on the unchanged license plate number.
Dan Jacobson pointed out the issues of closed APIs to co-ordinate systems by pointing to the criticism of what3words here: > http://wiki.openstreetmap.org/wiki/What3words But there is a more significant flaw, I believe, in that system. Their own *about* page says: https://what3words.com/about/ To avoid confusion, similar sounding addresses are also placed as far from each other as possible. It accompanies that with a map showing table.chair.lamps and table.chair.lamp being on different continents. But it didn't take long to find a simple transposition for which both spots are very close on a global scale. Consider this, which is in Singapore: https://map.what3words.com/slower.linen.live If you transpose the last two words of the first triplet, that's in Michigan, a respectable distance away: https://map.what3words.com/slower.live.linen But transpose the first two and you're less than 50km away, and still in Singapore: https://map.what3words.com/linen.slower.live I think that's far too close to pass a "similar sounding addresses are far apart" test. And how many other near misses lurk within this system? There's no easy way to find out.
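The "similar sounding addresses are far apart" property the item quotes is something a user of such a system can test for themselves, at least for the word-order confusion described: take an address, generate every other ordering of its three words, resolve each one, and measure the great-circle distance back to the original. The block below is an added example, not code from the RISKS contributor or from what3words, and it does not use the real service: the `LOOKUP` table is constructed for the demo, with rough coordinates for the three spots the item names (Singapore, Michigan, Singapore) and two filler entries, so the numbers it prints are illustrative only. A real audit would replace `LOOKUP` with a resolver that calls the service's API.

```python
"""Transposition near-miss check for three-word addresses (added example).

Not the contributor's or what3words' code. Assumes only a mapping from a
word triplet to (latitude, longitude); LOOKUP is constructed for the demo.
"""
from itertools import permutations
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed lookup, triplet -> (lat, lon). Approximate, not service data.
LOOKUP = {
    "slower.linen.live": (1.35, 103.82),   # Singapore (the item's first address)
    "slower.live.linen": (44.3, -85.6),    # Michigan (last two words swapped)
    "linen.slower.live": (1.30, 103.40),   # still Singapore (first two swapped)
    "table.chair.lamps": (51.5, -0.12),    # filler, constructed
    "table.chair.lamp": (-33.9, 151.2),    # filler, constructed
}


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def word_transpositions(address: str) -> list[str]:
    """Every other ordering of the same three words (five for distinct words)."""
    words = address.split(".")
    return [".".join(p) for p in permutations(words) if list(p) != words]


def near_misses(address: str, lookup: dict, threshold_km: float = 100.0) -> list[tuple[str, float]]:
    """Transpositions of `address` that resolve to within threshold_km of it."""
    origin = lookup[address]
    hits = []
    for alt in word_transpositions(address):
        if alt in lookup:  # a real resolver would query the service here
            d = haversine_km(origin, lookup[alt])
            if d < threshold_km:
                hits.append((alt, round(d, 1)))
    return sorted(hits, key=lambda t: t[1])


def scan_all(lookup: dict, threshold_km: float = 100.0) -> list[tuple[str, str, float]]:
    """Every near-miss pair in the lookup, each unordered pair reported once."""
    seen: set[frozenset] = set()
    result = []
    for addr in lookup:
        for alt, d in near_misses(addr, lookup, threshold_km):
            key = frozenset((addr, alt))
            if key not in seen:
                seen.add(key)
                result.append((addr, alt, d))
    return result


if __name__ == "__main__":
    for addr, alt, d in scan_all(LOOKUP):
        print(f"{addr} <-> {alt}: {d} km apart (under 100 km threshold)")
```

With the constructed coordinates the scan reports exactly the pair the item found (about 47 km apart) and nothing for the Michigan swap, which is roughly 15,000 km away; `table.chair.lamps` and `table.chair.lamp` are not transpositions of each other, so this check does not cover that kind of similarity.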
However, note that the article ends by saying that a related problem is that parents working two jobs no longer have time to take their kids to swimming lessons and as a result many fewer people in Germany know how to swim. Might this not be the more important cause?