[United Airlines' SHARES passenger reservation system had a two-hour system-wide outage on 28 Aug 2012 that affected United's website, flight check-in, and boarding, and also caused ground-stops at UAL hubs in Houston, Newark, and SFO. SHARES (the former Continental system) has had various troubles since it was adopted by UAL after the merger. PGN] Among other interesting tidbits, United was handing out hand-written boarding passes today (dozens of pictures of these posted on Twitter). More details on the outage here plus picture of boarding pass: *United Airlines Network Outage Snarls Air Traffic* http://www.frequentbusinesstraveler.com/2012/08/united-airlines-network-outage-snarls-air-traffic/ [An earlier item noted by Dave Farber: United reservation system crashes, FAA issues ground stop. PGN] http://travel.usatoday.com/flights/post/2012/08/united-reservation-system-crashes-faa-issues-ground-stop/833343/1
What could go wrong? I mean, aside from flocks of birds and schools of fish having had millions of years to evolve compatibly, and there being Windows/iOS/Android cars trying to collaborate seamlessly in real time. Plus people having rooted their cars... [See the article by Adam Rogers:] http://www.wired.com/autopia/2012/08/observation-deck-what-happens-when-cars-start-talking-to-each-other/ Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 http://www.linkedin.com/in/gabegold
... What replaces many of those buttons is Cadillac's intuitive new CUE system, which uses a large touch screen at the center of the dashboard; think of it as an embedded iPad. Using Apple-style gestures and swipes, the driver can scroll through various apps until finding the right one for a particular task. Those tasks include navigation, sound system and Bluetooth phone controls. Throw in some voice controls and the CUE interface sets a new standard for ease of use. Also replacing some switches are touch-sensitive strips that control the ventilation system while continuing the design theme. This effectively and elegantly extends the use of gesture-based controls beyond the touch screen. ... [Source: John Pearley Huffman, *The New York Times*, 26 Aug 2012] http://www.nytimes.com/2012/08/26/automobiles/autoreviews/the-cadillac-your-livery-driver-has-been-dreaming-of.html
Hiawatha Bray, *The Boston Globe*, 27 Aug 2012, Cellphones' role in crashes doubted Don't blame the technology. For those who argue that a ban on cellphone use while driving will make highways safer, there's bad news: People who chat behind the wheel often drive more aggressively even after they hang up, according to a study from the Massachusetts Institute of Technology. "The people who are more willing to frequently engage in cellphone use are higher-risk drivers, independent of the phone," said Bryan Reimer, associate director of MIT's New England University Transportation Center. "It's not just a subtle difference with those willing to pick up the phone. This is a big difference." Reimer and a team of MIT researchers studied the behavior of 108 Greater Boston drivers. About half acknowledged frequent phone use when driving; the rest said they rarely used their phones behind the wheel. ... http://bostonglobe.com/business/2012/08/26/not-cellphone-but-driver-that-high-risk-not-cellphone-but-driver-that-high-risk/nVKDgqQTnn91287ZZ30v7N/story.html?s_campaign=8315
Great. Just when you thought you were safe running a VM: The Windows version of a piece of malware discovered in July, called Crisis, has been found to be capable of infecting VMware virtual machines as well as Windows Mobile devices and removable USB drives. When originally discovered, Crisis was thought to target just Windows and Mac OS users. It has the capability to record Skype conversations, capture traffic from instant messaging programs, and track websites visited in Firefox or Safari. According to Symantec, Crisis "searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool. This may be the first malware that attempts to spread on to a virtual machine." [ZDnet, 22 Aug 2012] http://www.v3.co.uk/v3-uk/news/2200412/crisis-malware-infects-vmware-virtual-machines http://www.zdnet.com/crisis-malware-targets-virtual-machines-7000002986/ Bob DeSilets, Information Security Officer, Perelman School of Medicine University of Pennsylvania desilets@mail.med.upenn.edu (215)746-5578
http://j.mp/O6UCpX (Digital Bond via NNSquad) "Justin Clarke and ICS-CERT unveiled another vulnerability in RuggedCom devices yesterday. This time, Justin took a different track with the device firmware and showed that all products use the same SSL private key, hard-coded in the firmware. This is fairly typical in cheap consumer-grade embedded products, and has the unfortunate effect that easy Man-In-The-Middle attacks can be performed against products. For example, any compromised host on the switch management network can be used to spoof affected RuggedCom switches, meaning that the bad guy or gal could capture legitimate usernames and passwords for the switch." [This item is all over the Web, including slashdot. But check out the DigitalBond.com website, with Dale Peterson and others. It is loaded with RISKS-related goodies. PGN]
A double-hitter here. (Two Risks in One!) http://www.cio.com/article/713753/How_to_Secure_Data_by_Addressing_the_Human_Element Thor Olavsrud, CIO.com, 15 Aug 2012 Your sensitive data is only as secure as the weakest link in your organization, and in many cases the weak link is your employees. A properly established security awareness and training program can pay huge dividends. 1. The article reports on a DEFCON 18 contest to do human engineering. Standard RISKS stuff. 2. At one point is this interesting paragraph: "We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution," Bonneau writes. "Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific lists."
Cyrus Farivar, Ars Technica, Aug 15 2012 Largely unregulated, cameras now collect millions of travel records every day. Tiburon, a small but wealthy town just northeast of the Golden Gate Bridge, has an unusual distinction: it was one of the first towns in the country to mount automated license plate readers (LPRs) at its city borders, the only two roads going in and out of town. Effectively, that means the cops are keeping an eye on every car coming and going. A contentious plan? Not in Tiburon, where the city council approved the cameras unanimously back in November 2009. The scanners can read 60 license plates per second, then match observed plates against a "hot list" of wanted vehicles, stolen cars, or criminal suspects. LPRs have increasingly become a mainstay of law enforcement nationwide; many agencies tout them as a highly effective "force multiplier" for catching bad guys, most notably burglars, car thieves, child molesters, kidnappers, terrorists, and, potentially, undocumented immigrants. Today, tens of thousands of LPRs are being used by law enforcement agencies all over the country; practically every week, local media around the country report on some LPR expansion. But the system's unchecked and largely unmonitored use raises significant privacy concerns. License plates, dates, times, and locations of all cars seen are kept in law enforcement databases for months or even years at a time. In the worst case, the New York State Police keeps all of its LPR data indefinitely. No universal standard governs how long data can or should be retained. Not surprisingly, the expanded use of LPRs has drawn the ire of privacy watchdogs. In late July 2012, the American Civil Liberties Union and its affiliates sent requests to local police departments and state agencies across 38 states to request information on how LPRs are used. ... http://arstechnica.com/tech-policy/2012/08/your-car-tracked-the-rapid-rise-of-license-plate-readers/
Victorinox is allowing its security program's VeriSign certificate to lapse on September 15th. Without this certificate the contents of the secure partition can't be decrypted. "Swiss army knife maker Victorinox has decided to take the sting out of ditching support for the security software in its range of USB-knife drives by offering customers a full refund. "In a message posted to Facebook but not apparently anywhere else, the company said customers unhappy with the ending of the security features on the company's combined penknife/flash memory drives could send them back for a refund. "The company announced the end of support for the security features a few days ago in an ambiguous Facebook post that failed to clarify that all of the drive's security features - including an encrypted partition, biometric authentication and secure password management - would cease functioning. "However, the seriousness of the issues was underlined by the company setting 15 September as the date by which customers must back up all data on the encrypted section of the drives." http://news.techworld.com/security/3377751/victorinox-offers-refunds-after-usb-swiss-army-drives-lose-security/ http://www.engadget.com/2012/08/21/victorinox-stops-software-updates-secure-usb-drives/
Your devices are eager to make all your content line up nicely. Sometimes the results are not so nice. Craig Forman, *Wall Street Journal*, 26 Aug 2012 http://online.wsj.com/article/SB10000872396390443324404577594873646163262.html The trouble started when I innocently downloaded a free IKEA catalog app to my iPad. The trouble nearly ended with a $1,200 charge from AT&T. I was traveling in Europe for a short family trip. Before leaving the U.S., I downloaded the image-heavy catalog using a standard broadband connection. Aware of the costs of digital Internet access while abroad, my wife, son and I thought we had taken all the correct precautions. Were location-based services off? Check. Notifications off? Check. All three iPhones switched to Wi-Fi only? Check, check and check. So the midnight e-mail from AT&T came as a surprise: "Unusually high volumes of data. 750 megabytes downloaded. Please check your phone." I checked my phone, but all potential digital gotchas had been put to rest. We were jet lagged and exhausted. Surely a couple hours' sleep couldn't put us in digital harm's way? But in these modern days of anytime, anywhere, cloud-based synchronization, those few hours of shut-eye were plenty costly. I awoke to a buzzing of my phone, an SMS and an e-mail from AT&T: The data download had nearly doubled while I was sleeping. My account was in imminent danger of being shut off unless I called them. ...
http://youtu.be/YB5WsZjtses (Watch in HD full-screen to see text) This is a video of how to change the text and headers of an e-mail in your own Hotmail account. It is perfectly legal and is acknowledged by Microsoft as a design feature of their Windows Live Hotmail client. Up until this was described by myself, Richard Boddington, and Grant Boxall, it was assumed that Hotmail e-mails could not be altered. As such they have been used as evidence in court cases. Our paper is available to subscribers of the Journal of Digital Forensics, Security and Law http://www.jdfsl.org/ The technique we show can tracelessly alter any part of an e-mail including all headers. It is possible for instance to create a fictitious e-mail sent at some date in the past and with wording as desired. Examples of this could be forging an e-mail admitting liability or offering to pay money. The list is endless. The 'hack' works because Microsoft introduced a new protocol called DeltaSync that enables Windows Live clients to synchronize e-mails across machines via Hotmail. Altering a local copy of an e-mail on a client and then syncing will cause that copy to overwrite the Hotmail copy and as well overwrite copies on other clients. Using this technique you can also add payloads to an e-mail - e.g. some malware and have it automatically delivered to a target machine. As an example, an ingenious felon could break into someone's house and insert malware into an e-mail and, by syncing, the package could then get onto a synced work computer, bypassing any mail scanning system. We are looking at similar schemes with e-mail syncing via web server, e.g., IMAP.
John Leyden, *The Register*, 20 Aug 2012 Romney mobile application even requests permission to record audio ... Security researchers have uncovered privacy shortcomings in the mobile applications offered by both the Barack Obama and Mitt Romney presidential campaigns. The campaign teams of the incumbent US President and his Republican challenger have each released apps for both iOS and Android, in good time for the election on November 6. Experts at GFI Software looked at the Android versions of both apps, discovering both to be surprisingly invasive. Obama for America and Mitt's VP request permissions, access to services and data, and capabilities beyond their core mandate. For example, each of the apps features the ability to cross-post on users' behalf and report back to base. One app even has a tool to encourage users to go canvassing on behalf of the candidate, which in GFI's test directed Obama supporters to an unsafe part of a US town - just north of downtown Clearwater, Florida. Both Android apps slurp the details of users' contacts and log location data, as a rundown by GFI on both apps and the permissions they seek explains. The Romney app even requests permission to record audio for unspecified (and so-far unactivated) purposes. ... http://www.theregister.co.uk/2012/08/20/us_pres_campaign_mobile_app_privacy/
Source: Austin Considine, *The New York Times*, 23 Aug 2012, via NNSquad http://j.mp/O7snpe "It may be the worst-kept secret in the Twittersphere. That friend who brags about having 1,000, even 100,000 Twitter followers may not have earned them through hard work and social networking; he may have simply bought them on the black market. And it's not just ego-driven blogger types. Celebrities, politicians, start-ups, aspiring rock stars, reality show hopefuls - anyone who might benefit from having a larger social media footprint - are known to have bought large blocks of Twitter followers."
Bill Snyder, *InfoWorld*, 30 Aug 2012 From Lady Gaga to Obama, paid tweets and inflated followings game online reputations and call the whole system into question http://www.infoworld.com/d/the-industry-standard/twitters-fake-followers-influence-sale-201295 selected text: Organizations are in fact buying fake followers, including both major candidates for the White House, numerous other politicians, and scads of celebrities. Republican presidential nominee Mitt Romney, for example, had 673,002 followers on July 20. One day later, that number soared by 17 percent, or 117,000 new followers. On the other side of the partisan divide, President Barack Obama's campaign boasts that he has nearly 19 million followers. However, an analysis by StatusPeople, a social media management company based in London, shows that only 30 percent of them actually exist or have active accounts. To be fair, it's possible that spam bots are creating at least some of the fake accounts. The implications are serious: Twitter has changed how politics is reported in the United States and has been a weapon used by pro-democracy advocates in countries like Egypt and Iran. It's also a tool used by businesses to stay in touch with customers. To its credit, Twitter has tried to stop the spread of fake accounts and the like, but cheaters and petty profiteers are still eroding its value as a communications tool.
http://j.mp/PKSimw (Techcrunch via NNSquad) "In fact, Facebook keeps "improving" their design so that more of us will add apps on Facebook without realizing we're granting those apps (and their creators) access to our personal information."
Doug Jones, a long-time observer of elections, has written an excellent guest editorial in the Iowa Press-Citizen on risks of using databases to disqualify voters. As this is a problem that is increasingly prevalent, it seems worth noting here. PGN http://www.press-citizen.com/article/20120823/OPINION02/308230009
You thought that the Elections Ontario submission was a winner? I got this from a reader:
> Woah! The staff thought that encryption meant zipping it up. LOL. Utterly
> amazing. No wonder there is very little effort needed to crash e-mail
> accounts and FTP server accounts. :) Most people don't understand even
> the basics. Amazing.
Unfortunately, winning means losing here.
[Via Dave Farber's IP distribution. PGN] http://www.bloomberg.com/news/2012-08-29/spyware-matching-finfisher-can-take-over-iphone-and-blackberry.html FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc.'s iPhone and Research in Motion Ltd. (RIM)'s BlackBerry, an analysis of presumed samples of the software shows. Systems that can be targeted include Microsoft Corp.'s Windows Mobile, the Apple iPhone's iOS, BlackBerry and Google Inc.'s Android, according to the company's literature. The program can secretly turn on a device's microphone, track its location and monitor e-mails, text messages and voice calls, according to the findings, being published today by the University of Toronto Munk School of Global Affairs' Citizen Lab. Researchers used newly discovered malicious software samples to further pull back the curtain on the elusive cyberweapon. ...
[Re: via Dave Farber's IP] Interesting but wrong when it comes to iOS and the iPhone and iPad. "A mobile device's user can become infected by being tricked into going to a Web link and downloading the malware, which can be disguised as something other than FinSpy. As Gamma's promotional video illustrates, the process can be as simple as sending someone a text message with a link that looks like it comes from the phone maker, and asking the user to 'please install this system update,' Marquis-Boire says." It's impossible to install software on iOS in this manner. The May 2012 white paper from Apple ( http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf) explains why (see Execute Never).
This gives new meaning to the term "Fly by Knight"... Seriously, as others had already pointed out, the problem is not a software bug, but the fact that the trading system had accepted the bad data as genuine. The problem is, the system has no sanity checks; but as long as money can be made by insane actions (whether intended or not), I'm afraid that insanity will stay as an inherent part of the system.
Am I the only one who sees the RISKS attendant on this partnership and an off-the-shelf crime prevention and investigation system? [UNLIKELY! PGN] Off the top of my head (and based on the minimal information available in the article):
* Expectation of sales will certainly dilute the quality and effectiveness of the product for the original client. Instead of being made purely on the merits of functionality and usefulness for NYPD, decisions on features and fixes will instead be vetted through a commercial viability test. The product is likely to end up as bloatware, losing all contact with the needs of the force on the ground in the process.
* Presumably this product is not Free/Open Source Software. Unless there's an existing understanding that clients (other than NYPD) will have access to the source code, with permission to modify for their own requirements, popularity of the product would result in straitjacketing of procedures at other police forces. What suits NYPD may not be right for New Delhi or Rome. Heck, it may not even be right for Des Moines. Easy availability of such a package would promote processes and documentation that works for the NYPD, at the cost of local innovation and locally appropriate processes. Unless the original design and development has been done with full customisability as one of the primary criteria (an expensive, time-consuming and ultimately still limited process), we are more likely to see police forces adapting to the system rather than the other way around.
* If the product becomes even reasonably popular, vulnerabilities and exploits will eventually be available in the wild to permit criminals to game—or worse, misuse—the system.
* [Rant] Is there any reason at all for a police force to become a commercially viable entity? In my opinion, crime prevention and law enforcement on the one hand and economic viability on the other are completely separate objectives, and mixing the two is unlikely to result in any benefit to the first.
Raj Mathur http://otheronepercent.blogspot.com raju@kandalaya.org http://kandalaya.org http://schizoid.in
The Science Time idea is good, but I have a much simpler suggestion. Keep UTC exactly as it is for civil timekeeping. And the people who don't like leap seconds or find them hard to deal with can switch to TAI, which already exists. Need a cheap local source of TAI? Get a GPS. And start setting up an NTP network of TAI timeservers—anyone doing this yet? The people who don't want leap seconds in their timescale can stop having them today. There's nothing much standing in their way, except perhaps lack of a good way to indicate TAI in Internet timestamps. But instead, the proposal is to abolish UTC. I use the word 'abolish' because the whole point of UTC is that it's kept in sync with astronomical time via leap second adjustments; if you get rid of the leap seconds, you just have TAI with a fixed offset. So the calls to abolish UTC are really about tricking people into switching to TAI for civil timekeeping without knowing they're doing it. That way we don't have to get governments involved and have a democratic discussion, right? If the proposal was to switch to TAI for system clocks and then apply appropriate translation to civil time for display, I'd support it. http://www.pobox.com/~meta/
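The relationship the post above relies on (UTC is TAI minus the accumulated leap seconds; GPS time is TAI minus a fixed 19 s; a system that ignores leap seconds mis-measures intervals that span one) can be made concrete in code. The following Python is an added example, not part of the post or of any timekeeping software it mentions. Its leap-second table is built from the published leap seconds from 1972 through the 30 June 2012 insertion, i.e. up to the date of this digest; the function names (`tai_minus_utc`, `utc_to_tai`, `utc_to_gps`, `elapsed_seconds`) are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Leap-second table: the UTC instant at which each new TAI-UTC offset takes
# effect, and that offset in whole seconds. The table starts with the 10 s
# offset of 1 Jan 1972 (start of the current UTC system) and ends with the
# 35 s offset that took effect after the 30 June 2012 leap second. Leap
# seconds announced after this digest must be appended to keep it current.
LEAP_TABLE = [
    (datetime(1972, 1, 1, tzinfo=timezone.utc), 10),
    (datetime(1972, 7, 1, tzinfo=timezone.utc), 11),
    (datetime(1973, 1, 1, tzinfo=timezone.utc), 12),
    (datetime(1974, 1, 1, tzinfo=timezone.utc), 13),
    (datetime(1975, 1, 1, tzinfo=timezone.utc), 14),
    (datetime(1976, 1, 1, tzinfo=timezone.utc), 15),
    (datetime(1977, 1, 1, tzinfo=timezone.utc), 16),
    (datetime(1978, 1, 1, tzinfo=timezone.utc), 17),
    (datetime(1979, 1, 1, tzinfo=timezone.utc), 18),
    (datetime(1980, 1, 1, tzinfo=timezone.utc), 19),
    (datetime(1981, 7, 1, tzinfo=timezone.utc), 20),
    (datetime(1982, 7, 1, tzinfo=timezone.utc), 21),
    (datetime(1983, 7, 1, tzinfo=timezone.utc), 22),
    (datetime(1985, 7, 1, tzinfo=timezone.utc), 23),
    (datetime(1988, 1, 1, tzinfo=timezone.utc), 24),
    (datetime(1990, 1, 1, tzinfo=timezone.utc), 25),
    (datetime(1991, 1, 1, tzinfo=timezone.utc), 26),
    (datetime(1992, 7, 1, tzinfo=timezone.utc), 27),
    (datetime(1993, 7, 1, tzinfo=timezone.utc), 28),
    (datetime(1994, 7, 1, tzinfo=timezone.utc), 29),
    (datetime(1996, 1, 1, tzinfo=timezone.utc), 30),
    (datetime(1997, 7, 1, tzinfo=timezone.utc), 31),
    (datetime(1999, 1, 1, tzinfo=timezone.utc), 32),
    (datetime(2006, 1, 1, tzinfo=timezone.utc), 33),
    (datetime(2009, 1, 1, tzinfo=timezone.utc), 34),
    (datetime(2012, 7, 1, tzinfo=timezone.utc), 35),
]

# GPS time was set equal to UTC at the GPS epoch (6 Jan 1980), when TAI-UTC
# was 19 s, and has run uniformly since, so GPS = TAI - 19 s at all times.
TAI_MINUS_GPS = 19


def utc(iso_string):
    """Parse 'YYYY-MM-DDTHH:MM:SS' as a timezone-aware UTC instant.

    Python's datetime cannot represent the leap second itself (23:59:60), so
    callers must stay on ordinary UTC seconds."""
    return datetime.fromisoformat(iso_string).replace(tzinfo=timezone.utc)


def tai_minus_utc(utc_dt):
    """Return TAI-UTC in whole seconds at the given UTC instant.

    Returns None before 1 Jan 1972, when the offset was not an integer."""
    offset = None
    for effective, value in LEAP_TABLE:  # table is in ascending order
        if utc_dt >= effective:
            offset = value
        else:
            break
    return offset


def utc_to_tai(utc_dt):
    """Relabel a UTC instant on the TAI scale (the tzinfo is kept only so
    arithmetic with other aware datetimes keeps working)."""
    offset = tai_minus_utc(utc_dt)
    if offset is None:
        raise ValueError("TAI-UTC is only tabulated from 1972 onward")
    return utc_dt + timedelta(seconds=offset)


def utc_to_gps(utc_dt):
    """Relabel a UTC instant on the GPS scale: TAI minus the fixed 19 s."""
    return utc_to_tai(utc_dt) - timedelta(seconds=TAI_MINUS_GPS)


def gps_minus_utc(utc_dt):
    """Return GPS-UTC in whole seconds (0 at the GPS epoch, 16 s in 2012)."""
    return tai_minus_utc(utc_dt) - TAI_MINUS_GPS


def elapsed_seconds(utc_a, utc_b):
    """Return (naive, true) seconds between two UTC instants.

    'naive' is what plain datetime subtraction gives and silently drops any
    leap second in the interval; 'true' is the TAI difference, which counts
    every SI second that actually elapsed."""
    naive = (utc_b - utc_a).total_seconds()
    true = naive + (tai_minus_utc(utc_b) - tai_minus_utc(utc_a))
    return naive, true


if __name__ == "__main__":
    now = utc("2012-08-30T12:00:00")
    print("TAI-UTC:", tai_minus_utc(now), "s; GPS-UTC:", gps_minus_utc(now), "s")
    print("TAI label:", utc_to_tai(now).isoformat())
    # One UTC second before and after the 30 June 2012 leap second:
    print(elapsed_seconds(utc("2012-06-30T23:59:59"), utc("2012-07-01T00:00:00")))
```

A log correlator or a certificate-validity check that subtracts UTC timestamps gets `naive`; the same data converted to TAI first, as the post suggests doing for system clocks, gets `true`, and the two disagree by exactly the number of leap seconds inside the interval.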