Most remarkable, however, is the IRS's account of tracking down Sterlingov using the very same sort of blockchain analysis that his own service was meant to defeat. The complaint outlines how Sterlingov allegedly paid for the server hosting of Bitcoin Fog at one point in 2011 using the now-defunct digital currency Liberty Reserve. It goes on to show the blockchain evidence that identifies Sterlingov's purchase of that Liberty Reserve currency with bitcoins: He first exchanged euros for the bitcoins on the early cryptocurrency exchange Mt. Gox, then moved those bitcoins through several subsequent addresses, and finally traded them on another currency exchange for the Liberty Reserve funds he'd use to set up Bitcoin Fog's domain.

Based on tracing those financial transactions, the IRS says, it then identified Mt. Gox accounts that used Sterlingov's home address and phone number, and even a Google account that included a Russian-language document on its Google Drive offering instructions for how to obscure Bitcoin payments. That document described exactly the steps Sterlingov allegedly took to buy the Liberty Reserve funds he'd used.

The case shows yet another example of how Bitcoin, once widely believed to be a powerful tool for making anonymous, untraceable transactions, has turned out to be in many cases the very opposite. The blockchain's ledger of all Bitcoin transactions since the cryptocurrency's creation has often instead served as a means for law enforcement to trace even years-old transactions.

https://www.wired.com/story/bitcoin-drug-deals-silk-road-blockchain/

The risk? Tracing the untraceable.
Dark web child abuse image site with 400,000 members taken down in global police sting

The three main suspects are accused of founding and maintaining the site, as well as giving members advice on how to avoid arrest, German police said.

https://www.nbcnews.com/news/world/dark-web-child-abuse-image-site-400-000-members-taken-n1266108
The Biden administration is reportedly considering teaming up with private companies to monitor American citizens' private online activity and digital communications. According to news source CNN, multiple sources have said that the Department of Homeland Security (DHS) is actively seeking a way to monitor citizens online without having to first secure a warrant or prove that such monitoring is an essential part of an ongoing investigation. The sources said that a plan is being formed for the DHS to circumvent these established checks to the government's power by working directly with private firms. Currently, only the unprotected information that Americans share on social media sites and public online platforms can be accessed by federal authorities. However, the alleged plan being formed by the DHS would allow authorities to see what Americans are writing and sharing online in access-restricted spaces such as private Facebook groups. The plan is reportedly not centered on the decryption of data belonging to Americans but is instead focused on getting outside entities with legal access to the information being shared online to report what is being said to the government. Limits are also in place at the Central Intelligence Agency (CIA) and National Security Administration (NSA) when it comes to domestic espionage. https://www.infosecurity-magazine.com/news/private-companies-may-spy-on/
A team of computer-science researchers has uncovered a line of attack that breaks all Spectre defenses, meaning that billions of computers and other devices across the globe are just as vulnerable today as they were when Spectre was first announced.

https://www.sciencedaily.com/releases/2021/04/210430165903.htm

[This appears to be somewhat misguided reporting. Spectre defenses generally require hardware changes, and cannot be adequately resolved with existing hardware. The new CHERI hardware is trying to provide real solutions. Maybe *Science Daily* meant Meltdown? PGN]
Heavyweight task force proposes framework to tackle a major cybersecurity problem. https://arstechnica.com/information-technology/2021/05/an-ambitious-plan-to-tackle-ransomware-faces-long-odds/
OK, I have, elsewhere, expressed my opinion that paying the ransom for ransomware is a bad idea.

https://community.isc2.org/t5/I/P/m-p/18736

First off, you are funding crime. Secondly, you are encouraging crime. (If nobody paid the ransoms, they'd stop doing ransomware, wouldn't they?)

Then there are the various reasons why paying the ransomware isn't a good idea in simply practical terms. Some of the ransomware was never intended to allow you to recover. Some is badly coded, and doesn't work when decrypting. Some of the ransomware families are simply based on symmetric encryption, and one key decrypts all. (You can find lists of those, and the ways to recover, at various places on the net.) Some of the ransomware groups are just disorganized, and lose their keys.

(Then there are those who confuse ransomware with breachstortion, and are talking about people who actually do steal your data, and then threaten to publish it unless you pay up. Most of the same reasons why paying ransom to them is a bad idea hold, with the addition of the fact that, if you pay the ransom, you are relying on the promises and integrity of a bunch of thieves, liars, and extortionists.)

(Oh, and that argument about the "business model" of ransomware and breachstortion being based on them doing what they promise? That business model only works if you are talking about return or repeat business. Are you telling me that you are going to go through ransom or extortion with the same group all over again? How stupid *are* you?)

Now some research from Sophos backs that up. If you pay, you've got a less than 10% chance of getting all your data back.

https://www.forbes.com/sites/daveywinder/2021/05/02/ransomware-reality-shock-92-who-pay-dont-get-their-data-back

[Speaking of "backs that up", can you spell "backup"—which allows one to recover without paying. Yes, that does not help with breachstortion, but once again, the real answer seems to be better security in hardware and software, and more-aware users and admins. PGN]
Some states put templates online, spurring pro-Trump and anti-vaccination forums to start spreading tips for how to create fake cards. https://www.nbcnews.com/tech/tech-news/covid-vaccination-card-fraud-prompts-cdc-action-rcna802
Let's say you are an extra big company, with an extra small single point of contact: the Feedback Form. But what if it breaks? Every other form of contact just plays a recording: "Please use the Feedback Form." How to give Feedback about the Feedback Form?

1) Determine the headquarters of aforementioned extra big company is merely a couple miles from the headquarters of RISKS moderator PGN.

2) Send PGN on a mission to give a certain Mr. Zuckerberg feedback.

PGN says "Having walked all the way from SRI, I'll be dead soon." Alas, the secretary says "He's with a client. I don't know what to do."

https://www.youtube.com/watch?v=Tp8XcAKYsKo
"Travelers should be aware that those seemingly safe animal souvenirs they purchase overseas may accidentally introduce animal diseases that could devastate our livestock industries, sicken our citizens, and impact our nation's economy," said Keith Fleming, acting director of Field Operations for CBP's Baltimore Field Office, in a release. "Customs and Border Protection remains on our nation's frontline as protectors of our agricultural resources, and we will continue to work with our partners to intercept all potential threats at our nation's ports of entry." https://patch.com/virginia/herndon/100-prohibited-porcupine-quills-seized-dulles-airport
> "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
> 2018, all four of the aircraft's flight control computers stopped
> working."

That description is misleading to the point of being incorrect. The incident began on the runway during a touch and go after several hours of training flights the same day. During that time there had been almost a dozen alerts that something was wrong with the pitch-control system. All alerts had been reset and then ignored. At some point one alert was not reset, causing a loss of redundancy.

Indeed, one of the causal factors determined by the accident investigation was the training instructor's decision to continue the training flights despite the multiple fault messages. So arguably this was not a case of automation surprising pilots, but rather of poor decision-making.

Accident investigation report: https://www.ojk.ee/et/system/files/fail/manus/ee0180_es_san_investigation_report.pdf
> "Shortly after a Smartlynx Estonian Airbus 320 took off on February 28,
> 2018, all four of the aircraft's flight control computers stopped
> working. ... Only the skill of the instructor pilot on board prevented a
> fatal crash."

This, of course, is nonsense.

1. The A320 has two elevator aileron computers (ELAC), three spoiler elevator computers (SEC), and two flight augmentation computers (FAC), for a total of seven. The aerodynamic control surface actuators are commanded by combinations of these.

2. There is no way to control the aircraft aerodynamically if all FCCs fail.
James Rundle wrote: "At an April 22 virtual event hosted by Cyber Education Institute LLC's Billington Cybersecurity unit, U.S. Department of Defense's John Sherman said the public and private sectors should adopt zero-trust models that constantly verify whether a device, user, or program should be able to do what it is asking to do."

The "Zero Trust Architecture" from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Deployment of ZTA strategies appears to advocate a centralized policy decision point (PDP) and policy enforcement point (PEP) that oversees and continuously monitors identity, credential, access, and authorization to legitimate an organization's resources (devices, services, and users). A complex, multi-dimensional privilege matrix is likely monitored and characterized for resource operation based on access, authorization, feature/capability/purpose, role, etc.

On paper, ZTA enhances infosec defense-in-depth and is proactive. A significant change from the reactive infosec practices widely deployed today that invite data breach/malware infection.

Risk: Legitimized resource access through a control gateway. Compromise the PDP/PEP and/or the policy administrator who operates it, and the resource is compromised.
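The PDP/PEP split described in the item above, as an added Python sketch that is not part of the original post or of NIST SP 800-207: the PDP re-evaluates every request against policy and device state, and the PEP admits only requests that carry a fresh PDP-signed decision. The class names, the policy table, the HMAC-signed decision format and the 30-second lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed policy: (subject, resource) -> permitted actions. Default is deny.
POLICY = {("alice", "payroll-db"): {"read"}}

def sign(key, claims):
    """Serialize a decision and authenticate it with the PDP's key."""
    body = json.dumps(claims, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class PDP:
    """Hypothetical policy decision point: evaluates every request afresh."""
    def __init__(self, key, compliant_devices):
        self.key, self.compliant = key, set(compliant_devices)

    def decide(self, subject, device, resource, action, now, ttl=30):
        allowed = (device in self.compliant
                   and action in POLICY.get((subject, resource), set()))
        if not allowed:
            return None  # default deny: no decision token is issued
        claims = {"sub": subject, "dev": device, "res": resource,
                  "act": action, "exp": now + ttl}
        return sign(self.key, claims)

class PEP:
    """Hypothetical enforcement point: trusts only what the PDP key signed."""
    def __init__(self, key):
        self.key = key

    def enforce(self, token, subject, device, resource, action, now):
        if token is None:
            return False
        body, tag = token
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False  # decision was altered or signed with another key
        c = json.loads(body)
        request = (subject, device, resource, action)
        # The decision must match this exact request and still be fresh.
        return (c["sub"], c["dev"], c["res"], c["act"]) == request and now < c["exp"]

def access(pdp, pep, subject, device, resource, action, now):
    """One request: ask the PDP, then let the PEP enforce the answer."""
    token = pdp.decide(subject, device, resource, action, now)
    return pep.enforce(token, subject, device, resource, action, now)
```

The PEP's only check on the PDP is the signature, so any decision signed with the PDP's key is enforced whether or not the policy table supports it. That concentration of trust is the risk the item names.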
Me too. The source of the leaked (or rather publicized) email addresses is none other than the RISKS list itself, and its archives. These addresses are gathered in bunches which are sold over and over; a new wave of junk appears each time a bunch is bought by a new operator. (Your address may appear several times in each bunch).
[Michael was really surprised that I ESCHEWED the opportunity to make a pun. How about "Beaver damns the Internet"? PGN]