If you need something else to worry about…

The “Special Inquiry into Counterfeit, Fraudulent, and Suspect Items in Operating Nuclear Power Plants,” by NRC Inspector General Robert Feitel, concluded that “counterfeit, fraudulent, and suspect items” (CFSI) believed to be present in U.S. reactors “present nuclear safety and security concerns that could have serious consequences for nuclear power plant equipment required to perform a safety function.” An inquiry report accompanied the IG’s audit.

The investigation was unable to pinpoint specific safety hazards because of insufficient information reported by reactor operators and collected by the NRC.

Interesting read. Doesn’t inspire confidence in normal government operations. Might help you pick out a new place to live, though.

There are alternatives. Just ask your Congress-critter.

Meta/Facebook bans cyber-mercenaries


Dado Ruvic/Reuters

Meta, Facebook’s parent company, has banned several “cyber-mercenary” groups thought to have been offering surveillance services aimed at activists, dissidents and journalists worldwide.

The social media giant said on Thursday it had begun warning about 50,000 people it believed may have come under scrutiny across more than 100 nations…

In a report, Meta called out seven private surveillance companies for hacking and other abuses, suspending roughly 1,500 mostly fake accounts across Facebook, Instagram and WhatsApp.

The Facebook parent said it deleted accounts tied to Cobwebs Technologies, Cognyte, Black Cube and Bluehawk CI – all of which were based or founded in Israel, a leading player in the cyber-surveillance business… India-based BellTroX, North Macedonian firm Cytrox and an unidentified entity in China also saw accounts linked to them removed from Meta platforms.

I’ve spent most of my adult life spied upon by one or another government agency. Most of them belonging to good old freedom-loving Uncle Sam. If you’ve ever been a civil rights activist, worked as hard as you could for peace and an end to wars designed for profit and power…any number of affronts to the powers-that-be in the GOUSA…you’re on “the list” budgeted by one or another agency in Washington, DC.

That’s not a solo act. Many nations have visible and hidden line items in their annual budget for spying on folks who speak up and speak out. It’s usually called something about national defense. Just understand. It’s a badge of honor whenever the few genuine history books are written.

Attaboy, Facebook!

Your coffeemaker been hacked [yet]?

With the name Smarter, you might expect a network-connected kitchen appliance maker to be, well, smarter than companies selling conventional appliances. But in the case of Smarter’s Internet-of-things coffee maker, you’d be wrong…

Security problems with Smarter products first came to light in 2015, when researchers at London-based security firm Pen Test Partners found that they could recover a Wi-Fi encryption key used in the first version of the Smarter iKettle. The same researchers found that version 2 of the iKettle and the then-current version of the Smarter coffee maker had additional problems, including no firmware signing and no trusted enclave inside the ESP8266, the chipset that formed the brains of the devices. The result: the researchers showed a hacker could probably replace the factory firmware with a malicious one. The researcher EvilSocket also performed a complete reverse engineering of the device protocol, allowing remote control of the device.

As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord…
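What “no firmware signing” buys an attacker is worth seeing in code. The following is an added example written for this page, not Smarter’s firmware or the researchers’ tooling: the image layout (a “FWIM” magic, a version field, the payload, a trailing Ed25519 signature), the Go Ed25519 key pair and the version counter are all assumptions chosen for illustration. It places the reported behaviour (accept anything that looks like an image) beside a verifying bootloader that checks the vendor signature with a public key baked into the device and refuses version rollback, then shows a tampered image passing the first and failing the second.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not Smarter's format):
//   "FWIM" | uint32 big-endian version | payload | 64-byte Ed25519 signature
// The signature covers everything that precedes it.
const (
	magic  = "FWIM"
	hdrLen = 4 + 4
	sigLen = ed25519.SignatureSize
)

var ErrRejected = errors.New("firmware rejected")

// BuildImage is the factory side: it signs header+payload with the vendor key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, hdrLen+len(payload)+sigLen)
	img = append(img, magic...)
	var vb [4]byte
	binary.BigEndian.PutUint32(vb[:], version)
	img = append(img, vb[:]...)
	img = append(img, payload...)
	sig := ed25519.Sign(priv, img)
	return append(img, sig...)
}

// InstallUnsigned models the reported device behaviour: no signature check at all.
// Anything with the right magic is flashed; it returns the version it would boot.
func InstallUnsigned(img []byte) (uint32, error) {
	if len(img) < hdrLen || string(img[:4]) != magic {
		return 0, ErrRejected
	}
	return binary.BigEndian.Uint32(img[4:8]), nil
}

// InstallVerified is the hardened bootloader: the public key is fixed in the device,
// the signature must verify over header+payload, and a version lower than the one
// currently running is refused so a known-vulnerable signed image cannot be replayed.
func InstallVerified(pub ed25519.PublicKey, curVersion uint32, img []byte) (uint32, error) {
	if len(img) < hdrLen+sigLen || string(img[:4]) != magic {
		return 0, ErrRejected
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, fmt.Errorf("%w: bad signature", ErrRejected)
	}
	v := binary.BigEndian.Uint32(img[4:8])
	if v < curVersion {
		return 0, fmt.Errorf("%w: rollback to v%d refused", ErrRejected, v)
	}
	return v, nil
}

// Tamper flips the first payload byte, as an attacker editing a captured update would.
func Tamper(img []byte) []byte {
	out := append([]byte(nil), img...)
	out[hdrLen] ^= 0xff
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := BuildImage(priv, 2, []byte("brew(); grind();"))
	evil := Tamper(good)
	_, errUnsigned := InstallUnsigned(evil)
	_, errVerified := InstallVerified(pub, 1, evil)
	fmt.Println("unsigned device:", errUnsigned, "| verifying device:", errVerified)
}
```

The point of the rollback check is that signing alone is not enough once an old, signed image with a known bug is in circulation; the bootloader has to remember what it is already running. On a part like the ESP8266 the public key and the current version would need to live somewhere an attacker with flash access cannot rewrite, which is the “trusted enclave” the researchers noted was missing.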

The cautionary tale moves on and offers humor, corrective suggestions…and not a boatload of hope for up-to-date standards. Generally, firmware updates stop in a few years…even though beaucoup electronic products work for many more. As they should.

Trump resolves his ignorance of security, intelligence, by firing folks trying to educate him

❝ United States Secret Service director Randolph “Tex” Alles is being removed from his position, multiple administration officials tell CNN.

President Donald Trump instructed his acting chief of staff, Mick Mulvaney, to fire Alles. Alles remains in his position as of now but has been asked to leave…

❝ Secret Service officials have been caught by surprise with the news and are only finding out through CNN…

❝ United States Citizenship and Immigration Services director Francis Cissna and Office of the General Counsel’s John Mitnick are expected to be gone soon, and the White House is eyeing others to be removed.

If American voters recover enough common sense to toss this dolt out onto the scrap heap of stupid in 2020 – at least there will be lots of job openings for folks interested in rebuilding a somewhat modern administration. Best time for fixing stuff is after a disaster and the Fake President surely has made that point.

Keeping Sources Secure


Birgit Püve for The New York Times

How do you keep communications with sources secure?

❝ Before moving to Europe this summer, I spent about a decade covering national security and intelligence in cities like Washington, so I’m pretty security conscious. Before I left, a friend who works in intelligence offered a gentle reminder that most countries would probably consider me fair game for intelligence collection.

So I use a cheap Chromebook when traveling to places where curious eyes might be tempted to sneak a peek. I set it up with a burner account, and I never connect it to any personal or business accounts.

And all those note-taking apps? If I’m working on something particularly sensitive or talking to someone who is sticking his neck out by meeting with me, those notes often don’t get saved digitally. When the story is done, the notebook gets tossed and that’s the end of it.

RTFA and check out what Matt uses/does when he’s not in Total Invasive Security Fear Mode.

Facebook PR Campaign says “Your info is safe, now” — WRONG!!

The Cambridge Analytica scandal exposed what wasn’t really a secret, that Facebook is harvesting a lot of user data and that the data is shared with others. The privacy breach revealed that Facebook wasn’t doing enough to protect your privacy and that developers like Cambridge Analytica could take your data and your Facebook friends’ data and use it for whatever they wanted.

Since these revelations, Facebook has been trying to convince everyone that it can be trusted, that it will take measures to stop these practices, that your privacy matters to the company. But while it was performing this massive PR campaign, a different quiz app that had as many as 120 million users left their data exposed for others to see. Facebook was warned about it and needed many weeks to address and fix it properly.

Depending on what quizzes you took, the JavaScript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends.

RTFA originally published by the hacker who revealed the privacy breach.

For $1,000, anyone can track your location and app use


Begin and end a morning commute. Red dots = standing still over 4 minutes.

❝ Privacy concerns have long swirled around how much information online advertising networks collect about people’s browsing, buying and social media habits — typically to sell you something.

But could someone use mobile advertising to learn where you go for coffee? Could a burglar establish a sham company and send ads to your phone to learn when you leave the house? Could a suspicious employer see if you’re using shopping apps on work time?

❝ The answer is yes, at least in theory. New University of Washington research, which will be presented Oct. 30 at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society, suggests that for roughly $1,000, someone with devious intent can purchase and target online advertising in ways that allow them to track the location of other individuals and learn what apps they are using…

❝ “Because it was so easy to do what we did, we believe this is an issue that the online advertising industry needs to be thinking about,” said co-author Franzi Roesner, co-director of the UW Security and Privacy Research Lab… “We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them.”

Mail me a penny postcard when the advertising industry and our plastic, fantastic lawmakers take this seriously.

IRS Hands Equifax $7.25 Million No-Bid Contract to Help “Verify Taxpayer Identities”

❝ With no apparent sense of irony, the nation’s tax collectors have awarded embattled credit-reporting agency Equifax a contract to assist the IRS in verifying “taxpayer identities” as well as assist in “ongoing identity verification and validations,” according to contract award posted to the Federal Business Opportunities database.

The no-bid contract, which pays $7.25 million, is listed as a “sole source” acquisition, meaning the IRS has determined Equifax is the only business capable of providing this service — despite its involvement in potentially one of the most damaging data breaches in recent memory…

❝ Equifax, of course, is facing intense criticism over a cybersecurity incident which reportedly compromised the personal information of roughly 145 million Americans. The company’s former CEO, Richard Smith, was taken to task on Tuesday while testifying before the House Energy and Commerce subcommittee. Smith resigned last week amid backlash over the company’s handling of the breach.

Republicans and Democrats alike lambasted the former chief executive over Equifax’s response. Representative Greg Walden was perhaps the harshest in his criticism: “I don’t think we can pass a law that fixes stupid…”

Not a case I would say of “The blind leading the blind” — more like “Stupid leading the incompetent”.

Ad industry whines Apple Safari update is against tracking

❝ Six ad industry organizations have crafted an open letter complaining about changes coming to Apple’s Safari browser, claiming that a new feature — “Intelligent Tracking Prevention” — will hurt both them — and the public.

Har!

❝ The technology’s restrictions on cookies blah, blah, blah!…Some of the groups behind the statement include the Interactive Advertising Bureau, the American Advertising Federation, and the Data and Marketing Association…

❝ Intelligent Tracking Prevention will be present in both iOS 11 and macOS High Sierra, launching Sept. 19 and 25, respectively. Apple has argued for the technology as an essential privacy measure, since people may not want their data captured for purposes they don’t consent to.

NSS. Mail me a penny postcard when someone discovers an honest and legitimate concern for public interests somewhere hidden in the bowels of ad agencies.

U.S. Military Marches Toward Energy Independence

Hill AFB. Official White House Photo by Lawrence Jackson

The U.S. is at a transformative moment in electricity. And the military is helping us move toward a new era of independence.

❝ The U.S. electrical grid was ranked by the National Academy of Engineering as the greatest achievement of the 20th century, and it was this vast infrastructure that helped to power our economy, enhance our communities and light up our lives. But the centralized power grid is not perfect, and it faces an array of risks from natural disasters to human and cyber attacks.

As electricity becomes more and more critical in our lives, wide-ranging blackouts won’t just be a personal annoyance — they could cripple our economy. A diversified energy portfolio that includes renewable generation creates a more resilient grid. A recent draft of a report from the Department of Energy also concluded that wind and solar energy create a more reliable grid.

❝ The added security provided by renewables is why everyone — from the military to Fortune 100 companies — is finding ways to use clean reliable distributed power systems to support their operations.

RTFA to learn how this understanding makes sense. Moving forward.