A man learned his wife was pregnant from her Fitbit data.
The details of the story are weird. The man posted the data to Reddit and asked for analysis help. But the point is that the data can reveal pregnancy, and this might not be something a person wants to tell a company who can sell that information for profit.
And remember, retailers want to know if one of their customers is pregnant.
HOORAY FOR NOT LEAVING THE HOUSE!!
My only quibble is that Dating Divas labels all of these valentines "Man-Approved." Hey guys, how about "Geek-Approved" instead? And if you're feeling SUPER generous, some lady superhero - or supervillain - cards for next year would be extra-mega-duper-awesome.
A few of my favorite submissions this week:
You and me both, Tiffany:
You and me both.
Her baby's name is Izzy, but apparently the bakery thought Bonnie was a fan of Japanese cars?
Meanwhile, Laura asked for a "big monogrammed P" on her cake:
I'll be honest, I was kinda hoping that would go a different way.
There is absolutely nothing wrong with this next cake, you guys:
It is glorious and should inspire all your future birthday cakes.
ALL OF THEM.
The History Of This Next Cake, Which Is Also My Favorite This Week:
Baker: "Oh wow, these icing roses turned out GORGEOUS!"
"...I should add a bunch of sh*t around them."
Thanks to Tiffany H., Bonnie F., Laura C., Dawna Z., & Mindy H. for helping me give John the best Valentines present: my man LOVES him some poop jokes. YOU'RE WELCOME, BABE.
Interesting research: "CPV: Delay-based Location Verification for the Internet":
Abstract: The number of location-aware services over the Internet continues growing. Some of these require the client's geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g., by faking GPS coordinates or employing a non-local IP address through proxy and virtual private networks. We devise Client Presence Verification (CPV), a delay-based verification technique designed to verify an assertion about a device's presence inside a prescribed geographic region. CPV does not identify devices by their IP addresses. Rather, the device's location is corroborated in a novel way by leveraging geometric properties of triangles, which prevents an adversary from manipulating measured delays. To achieve high accuracy, CPV mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client's participating device, and mines these delays for evidence supporting/refuting the asserted location. We evaluate CPV through detailed experiments on PlanetLab, exploring various factors that affect its efficacy, including the granularity of the verified location, and the verification time. Results highlight the potential of CPV for practical adoption.
Today I released my worldwide survey of encryption products.
The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the US, calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access. It also showed that anyone who wants to avoid US surveillance has over 567 competing products to choose from. These foreign products offer a wide variety of secure applications -- voice encryption, text message encryption, file encryption, network-traffic encryption, anonymous currency -- providing the same levels of security as US products do today.
- There are at least 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total.
- The most common non-US country for encryption products is Germany, with 112 products. This is followed by the United Kingdom, Canada, France, and Sweden, in that order.
- The five most common countries for encryption products -- including the US -- account for two-thirds of the total. But smaller countries like Algeria, Argentina, Belize, the British Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, St. Kitts and Nevis, Tanzania, and Thailand each produce at least one encryption product.
- Of the 546 foreign encryption products we found, 56% are available for sale and 44% are free. 66% are proprietary, and 34% are open source. Some for-sale products also have a free version.
- At least 587 entities -- primarily companies -- either sell or give away encryption products. Of those, 374, or about two-thirds, are outside the US.
- Of the 546 foreign encryption products, 47 are file encryption products, 68 e-mail encryption products, 104 message encryption products, 35 voice encryption products, and 61 virtual private networking products.
I know the database is incomplete, and I know there are errors. I welcome both additions and corrections, and will be releasing a 1.1 version of this survey in a few weeks.
Scam artists have been using hacked accounts from retailer Kohls.com to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards.
KrebsOnSecurity reader Suzanne Perry, a self-professed “shopaholic” from Gilbert, Penn., said she recently received an email from Kohls.com stating that the email address on her account had been changed. Recognizing this as a common indicator of a compromised account, Perry said she immediately went to Kohls.com — which confirmed her fears that her password had been changed.
On a whim, Perry said she attempted to log in with the “updated” email address (the one the thief used) along with her existing password. Happily, the thieves had been too lazy to change the password.
“Once I was logged in, I checked my order history to determine if any fraudulent orders were placed in the 20 minutes since I received the notification,” she said. “I wasn’t that surprised to see two online orders, totaling almost $700 each, but I was very surprised to see they were being shipped to my house and not some address I never heard of.”
Perry said she then contacted Kohl’s and gave them the two order numbers and the fraudulent email address.
“I explained what happened, and they were very helpful in canceling the orders, updating my email address, and resetting my password,” she said. “I told them I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address. I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”
Turns out, the criminal wasn’t after the merchandise at all. Rather, the purpose of changing her email address was to drain the account’s stored Kohl’s cash, a form of rebate that Kohl’s offers customers — currently $10 for every $50 spent at the store. The two fraudulent orders yielded $220 in Kohl’s cash total, which is emailed once the order is confirmed (hence the need to change the victim’s email address).
“Since the orders were being shipped to me, even though they were above the threshold for what my typical online spending behavior is, no red flags were raised on their end,” Perry said.
More interestingly, virtually all of the merchandise the thieves ordered to build up the account’s Kohl’s cash balance was bulky: three baby cribs, a stroller system and car seat, and a baby bath tub, among other items. Perry said Kohl’s told her that the thieves do this because they know bulky items usually take longer to return, and since Kohl’s revokes Kohl’s cash credits earned on items that are later returned, the thieves can spend the stolen Kohl’s credits as long as the owner of the hijacked account doesn’t return the fraudulently ordered items.
“The representative told me when these types of fraudulent transactions occur, the victim usually is unaware of it until the items arrive at their house,” Perry said of her conversation with the Kohl’s representative. “Since the items ordered tend to be large, it generally takes longer for a customer to be able to bring them back for a refund. Had I not questioned the email address change, the items would have shipped to me and the $220 in Kohl’s cash would have been long spent by the criminal before I had the opportunity to take the items back and rectify the situation.”
Perry said she was shocked by the scam’s complexity and sheer gumption.
“The people behind this are clearly making every effort to not only defraud an account, but also to inconvenience the affected customer as much as possible,” she said. “I think Kohl’s handled the situation well over all; the email notification of an account change is more than I get from some other online shopping sites, and they were able to cancel the Kohl’s cash. Still, I’m a bit surprised they aren’t doing anything to promote awareness among their customer base.”
Reached for comment about the apparent fraud trend, Kohl’s spokesperson Jen Johnson said the company “is aware of a limited number of cases where fraudsters have obtained login information from outside sources to make purchases to earn Kohl’s Cash.”
“We are always working to protect our customer shopping experience and will continue to look at ways to make it more difficult for fraudsters in the future,” Johnson wrote in an emailed statement. “Customer service is a top priority for Kohl’s and, as always, we will work with any customer who has had a less than optimal experience. As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”
This type of fraud usually stems from customers picking weak passwords, or re-using the same password at multiple sites. However, Perry said she’s still mystified how the thieves were able to get hold of her password, which she said was an 11-character, three-word phrase that she didn’t use on any other site.
It’s unclear how much is lost annually to points and rewards fraud, but the industry is ripe for the picking: Loyalty program experts at Colloquy.com estimated in 2011 that some 2.6 billion loyalty memberships generated $48 billion in rewarded points and miles.
Have you experienced similar fraud at merchants that offer rewards points or cash? Sound off in the comments below.
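The pattern described above (an account e-mail change followed within minutes by unusually large orders shipped to the account holder's own address, each earning reward cash) is the kind of thing a merchant's fraud team can flag before the reward credit is issued. The following detection heuristic is an added example, not Kohl's code; the event log format, the 24-hour window and the 3x spending-spike threshold are assumptions, and the log lines are constructed.

```python
"""Flag orders that match the reward-cash fraud pattern: e-mail change on the
account, then a spending spike shipped to the account's own address.
Added example with constructed data; thresholds are assumptions."""
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO
from statistics import mean

WINDOW = timedelta(hours=24)   # assumed: e-mail change must precede the order by <= 24h
SPIKE_FACTOR = 3.0             # assumed: order is >= 3x the account's pre-change average
REWARD_PER_50 = 10.0           # from the article: $10 of reward cash per $50 spent

# Constructed log: ts,account,kind,order_id,amount,ship_to
# ship_to "home" means the address stored on the account.
SAMPLE_LOG = """\
2016-01-05T14:02:00,acct42,order,ORD-1001,85.00,home
2016-01-19T09:30:00,acct42,order,ORD-1002,120.00,home
2016-02-09T10:00:00,acct42,email_change,,,
2016-02-09T10:12:00,acct42,order,ORD-1003,698.50,home
2016-02-09T10:15:00,acct42,order,ORD-1004,689.00,home
2016-02-09T11:00:00,acct77,order,ORD-1005,60.00,home
"""


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str            # "email_change" or "order"
    order_id: str = ""
    amount: float = 0.0
    ship_to: str = ""


def parse_log(text):
    """Parse the constructed CSV event log into Events sorted by time."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, account, kind, order_id, amount, ship_to = row
        events.append(Event(datetime.fromisoformat(ts), account, kind,
                            order_id, float(amount or 0), ship_to))
    return sorted(events, key=lambda e: e.ts)


def reward_for(amount):
    """Reward cash an order earns: $10 per full $50 spent."""
    return (amount // 50) * REWARD_PER_50


def detect(events):
    """Return one alert per order matching the fraud pattern.

    An order is flagged when (1) the same account changed its e-mail address
    within WINDOW before the order, (2) the amount is a spike relative to the
    account's orders placed before that change, and (3) it ships to the
    account's own address (the thief wants the reward, not the goods).
    """
    alerts = []
    for ev in events:
        if ev.kind != "order":
            continue
        changes = [c for c in events
                   if c.account == ev.account and c.kind == "email_change"
                   and timedelta(0) <= ev.ts - c.ts <= WINDOW]
        if not changes:
            continue
        change = max(changes, key=lambda c: c.ts)
        prior = [o.amount for o in events
                 if o.account == ev.account and o.kind == "order" and o.ts < change.ts]
        baseline = mean(prior) if prior else 0.0
        spike = baseline == 0.0 or ev.amount >= SPIKE_FACTOR * baseline
        if spike and ev.ship_to == "home":
            alerts.append({
                "order_id": ev.order_id,
                "account": ev.account,
                "minutes_since_email_change": (ev.ts - change.ts).total_seconds() / 60,
                "baseline": baseline,
                "amount": ev.amount,
                "reward_at_risk": reward_for(ev.amount),
                "action": "hold reward issuance; confirm change via old e-mail address",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Holding the reward credit (rather than cancelling the order outright) keeps a false positive cheap for a genuine customer while removing the thief's payoff.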
Wonky hearts and cupid bows are so predictable.
Why not spice up this Valentines Day with something a little... you know... [eyebrow waggle]
Of course you want to leave some things to the imagination:
As big as WHAT can be, you ask?
Well, now, [WINK] that's up to YOU to... ok, a rainbow. They meant the rainbow. Happy?
There's also the direct approach:
("Bloody L, I can't tell if I should censor this or not!")
But try not to confuse your baker:
For once I'm siding with the seller - 'cuz that shiz is hilarious.
And finally, the best/worst Valentines cake for anyone who loves cake, Tom Selleck, edible chest hair, and, of course, the word "moist."
Thanks to Anony M., Chris T., Linda H., Kim W., & Carley C. for the classic Cake Wrecks throwback.
Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.
One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws in Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.
Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).
If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. 126.96.36.1996. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).
Patch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.
Finally, Oracle this week pushed out an emergency security update (Java SE 8, Update 73) for the Java JRE, the second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes and avoid having to rely on convincing users double-clicking and executing the malicious file.
This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).
If you have a specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.
Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.
I went to the first ever local ACM-W celebration held in Ontario way back in 2010. At the time, it was the Ontario Celebration of Women in Computing. I was doing the student thing full-force at that event, with two posters and one talk that covered both research and our Women in Science and Engineering group. Since then, other local celebrations cropped up around Canada until this year, when they amalgamated into CAN-CWIC.
AT&T's CEO believes that the company should not offer robust security to its customers:
But tech company leaders aren't all joining the fight against the deliberate weakening of encryption. AT&T CEO Randall Stephenson said this week that AT&T, Apple, and other tech companies shouldn't have any say in the debate.
"I don't think it is Silicon Valley's decision to make about whether encryption is the right thing to do," Stephenson said in an interview with The Wall Street Journal. "I understand [Apple CEO] Tim Cook's decision, but I don't think it's his decision to make."
His position is extreme in its disregard for the privacy of his customers. If he doesn't believe that companies should have any say in what levels of privacy they offer their customers, you can be sure that AT&T won't offer any robust privacy or security to you.
Does he have any clue what an anti-market position this is? He says that it is not the business of Silicon Valley companies to offer product features that might annoy the government. The "debate" about what features commercial products should have should happen elsewhere -- presumably within the government. I thought we all agreed that state-controlled economies just don't work.
My guess is that he doesn't realize what an extreme position he's taking by saying that product design isn't the decision of companies to make. My guess is that AT&T is so deep in bed with the NSA and FBI that he's just saying things he believes justify his position.
Here's the original, behind a paywall.
And now, as a service to our readers' dieting endeavors:
7 MORE Things That Should Never Be On Cake
7. Anything that looks like a spleen
Also, why is the spleen the go-to organ for icky descriptions? You never hear someone say, "Hey, that organesque thing sure looks like a gallbladder!" Which begs the question: is "organesque" a word? 'Cuz if not, it totally should be.
Hey, don't get me wrong; nipples are great. Heck, I even have one myself. But cake should not have nipples. It just shouldn't. And the fact that I had to bring that sentence into the world makes me seriously question the direction this country is going.
Because anything I spend time and money trying to kill should not be something I have to pick off my cake.
3. Actual Feathers Plucked From Actual Birds
Let me get this straight: you jammed real feathers into the icing you expect me to eat?
So how about I fetch a beaver pelt and throw that sucker on there, too? Because if there's one thing we've learned about cake decorating, it's that animal outsides are both appetizing and completely sanitary!
BAKERS WHY DO I EVEN HAVE TO EXPLAIN THIS WHAT IS WRONG WITH YOU PEOPLE.
1. Back hair
Actually, this is kind of hilarious.
Assuming those are chocolate shavings, of course.
SOMEONE PLEASE TELL ME THOSE ARE CHOCOLATE SHAVINGS.
Thanks to wreckporters Kathryn B., Kerrigan W., Ashlee, Kelly G., Rocky J., Tami F., & Anony M. for the inspiration to just have a salad today.
- the problem of language | b. binaohan on Medium (February 8): “All of this, at the end, has me thinking about instruction, leaky pipelines, and diversity in tech. In a lot of ways, I represent a perfect example of the convergence of socio-economic factors that make pipes leaky. Based on my age and interests, I *could’ve* been one of those “I taught myself how to code as a teen and spent two years in college then dropped out to make lots of money” types. But I was poor, trans, gay, not-white-enough, and life got in the way”
- Meet Marvel’s Newest Comic Series About a Badass Superhero You Already Love | PopSugar (February 8): “‘I have an 11-year-old daughter. She is a huge comics nerd,’ said Cain. ‘There are a ton of girls her age who read comics. But the industry loses a lot of them in middle school. Maybe because they’re generally mortified. Or maybe they catch on that there’s not as much for them as they thought there was.’ Hopefully Mockingbird is just what they need to retain their love of comics.”
- FilterScout | Civic Workbench: “FilterScout is a browser extension that allows users to set rules for content display, muting unwanted content on the Web, including social media websites. Twitter, Facebook, Reddit, newspapers, blogs can be filtered.”… “We’re mitigating one vector for abuse so that people can continue to engage with communities and (we hope) build communities where abuse isn’t normal.”
- Library publishing and diversity values | College and Research Libraries News (February): “What are the consequences of this lack of diversity in publishing, librarianship, and faculty? We know already that privilege can bias access to material, which is part of why the open access movement exists, to alleviate the barriers that cost can create for researchers. However, one possible consequence is a feedback loop in scholarship that privileges and publishes the majority voice, which is often white and male.”
- An R update | Adventures in Data (February 2): “what I need is the confidence that the system will work not just for me, who knows some of the R Foundation and Core folks in a passing way, but for people who don’t. That we actually have a way of handling these kinds of problems in the future, that is scalable and generalisable and not based on who you know.”
- When life gives you lemons, make science | Adventures in Data (February 5): “If you’re going to harass people for science bear in mind that they may science your harassment. Happy browsing to all. And remember, kids: nobody likes total strangers offering their very important opinion about how you are totally wrong. So, please: don’t be that stranger.”
We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.
You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).
Thanks to everyone who suggested links.
It's National Threat Assessment Day. Published annually by the Director of National Intelligence, the "Worldwide Threat Assessment of the US Intelligence Community" is the US intelligence community's one time to publicly talk about the threats in general. The document is the result of weeks of work and input from lots of people. For Clapper, it's his chance to shape the dialog, set up priorities, and prepare Congress for budget requests. The document is an unclassified summary of a much longer classified document. And the day also includes Clapper testifying before the Senate Armed Service Committee. (You'll remember his now-famous lie to the committee in 2013.)
The document covers a wide variety of threats, from terrorism to organized crime, from energy politics to climate change. Although the document clearly says "The order of the topics presented in this statement does not necessarily indicate the relative importance or magnitude of the threat in the view of the Intelligence Community," it does. And like 2015 and 2014, cyber threats are #1 -- although this year it's called "Cyber and Technology."
The consequences of innovation and increased reliance on information technology in the next few years on both our society's way of life in general and how we in the Intelligence Community specifically perform our mission will probably be far greater in scope and impact than ever. Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US Government systems. These developments will pose challenges to our cyber defenses and operational tradecraft but also create new opportunities for our own intelligence collectors.
The document then calls out a few specifics like the Internet of Things and Artificial Intelligence -- no surprise, considering other recent statements from government officials. This is the "...and Technology" part of the category.
Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decisionmaking, reduce trust in systems, or cause adverse physical effects. Broader adoption of IoT devices and AI -- in settings such as public utilities and health care -- will only exacerbate these potential effects. Russian cyber actors, who post disinformation on commercial websites, might seek to alter online media as a means to influence public discourse and create confusion. Chinese military doctrine outlines the use of cyber deception operations to conceal intentions, modify stored data, transmit false data, manipulate the flow of information, or influence public sentiments - all to induce errors and miscalculation in decisionmaking.
Russia is the number one threat, followed by China, Iran, North Korea, and non-state actors:
Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems and conduct espionage operations even when detected and under increased public scrutiny. Russian cyber operations are likely to target US interests to support several strategic objectives: intelligence gathering to support Russian decisionmaking in the Ukraine and Syrian crises, influence operations to support military and political objectives, and continuing preparation of the cyber environment for future contingencies.
China continues to have success in cyber espionage against the US Government, our allies, and US companies. Beijing also selectively uses cyberattacks against targets it believes threaten Chinese domestic stability or regime legitimacy. We will monitor compliance with China's September 2015 commitment to refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property with the intent of providing competitive advantage to companies or commercial sectors. Private-sector security experts have identified limited ongoing cyber activity from China but have not verified state sponsorship or the use of exfiltrated data for commercial gain.
Also interesting are the comments on non-state actors, which discuss propaganda campaigns from ISIL, criminal ransomware, and hacker tools.
If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.
In an alert sent to customers Feb. 8, NCR said it received reliable reports of NCR and Diebold ATMs being attacked through the use of external skimming devices that hijack the cash machine’s phone or Internet jack.
“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” NCR warned. “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”
The ATM maker believes these attacks represent a continuation of the trend where criminals are finding alternative methods to skim magnetic strip cards. Such alternative methods avoid placing the skimmer on the ATM card entry bezel, which is where most anti-skimming technology is located.
NCR said cash machine operators must consider all points where card data may be accessible — in addition to the traditional point of vulnerability at the card entry bezel — and that having ATM network communications cables and connections exposed in publicly accessible locations only invites trouble.
If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.
Now that we've all had a day to recover, let's review:
played the Bronchos:
(Dangit, now I want brownie nachos.)
in the annual:
That, or maybe the Bronco's
played the Phanters:
At the Super Bwol:
Which makes me want to play the Princess Bride "Mawwaige" speech again.
There were some... interesting... predictions:
And plenty of questionable advice:
(Pfft. Everyone knows you dribble at Football, bakers. I mean, COME ON.)
And though the [INSERT WINNING TEAM] prevailed in the end, the important thing is that both sides had terrible, terrible cakes.
And also that puppymonkeybaby has scarred us all for life. [shudder]
Now, let's get back to celebrating some real milestones, mmkay?
There's the spirit.
Thanks to Stephanie H., Jodi A., Howard G., Anna F., Beverly M., Brew C., Beth P., Chas C., Elizabeth L., & Amy K. for the home runs.
As part of a child pornography investigation, the FBI hacked into over 1,300 computers.
But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been "shuttered" by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency's term for a hacking tool.
While Playpen was being run out of a server in Virginia, and the hacking tool was infecting targets, "approximately 1300 true internet protocol (IP) addresses were identified during this time," according to the same complaint.
The FBI seems to have obtained a single warrant, but it's hard to believe that a legal warrant could allow the police to hack 1,300 different computers. We do know that the FBI is very vague about the extent of its operations in warrant applications. And surely we need actual public debate about this sort of technique.
Also, "Playpen" is a super-creepy name for a child porn site. I feel icky just typing it.
Today, Data and Goliath is being published in paperback.
Everyone tells me that the paperback version sells better than the hardcover, even though it's a year later. I can't really imagine that there are tens of thousands of people who wouldn't spend $28 on a hardcover but are happy to spend $18 on the paperback, but we'll see. (Amazon has the hardcover for $19, the paperback for $11.70, and the Kindle edition for $14.60, plus shipping, if any. I am still selling signed hardcovers for $28 including domestic shipping -- more for international.)
I got a box of paperbacks from my publisher last week. They look good. Not as good as the hardcover, but good for a trade paperback.
Before purchasing an “Internet of things” (IoT) device — a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet — consider whether you can realistically care for and feed the security needs of yet another IoT thing. After all, there is a good chance your newly adopted IoT puppy will be:
- chewing holes in your network defenses;
- gnawing open new critical security weaknesses;
- bred by a vendor that seldom and belatedly patches;
- tough to wrangle down and patch.
In April 2014, researchers at Cisco alerted HVAC vendor Trane about three separate critical vulnerabilities in their ComfortLink II line of Internet-connected thermostats. These thermostats feature large color LCD screens and a Busybox-based computer that connects directly to your wireless network, allowing the device to display not just the temperature in your home but also personal photo collections, the local weather forecast, and live weather radar maps, among other things.
Cisco researchers found that the ComfortLink devices allow attackers to gain remote access and also use these devices as a jumping-off point to access the rest of a user’s network. Trane has not yet responded to requests for comment.
One big problem is that the ComfortLink thermostats come with credentials that have hardcoded passwords, Cisco found. By default, the accounts can be used to remotely log in to the system over “SSH,” an encrypted communications tunnel that many users allow through their firewall.
The two other bugs Cisco reported to Trane would allow attackers to install their own malicious software on vulnerable Trane devices, and use those systems to maintain a persistent presence on the victim’s local network.
On January 26, 2016, Trane patched the more serious of the flaws (the hardcoded credentials). According to Cisco, Trane patched the other two bugs as part of a standard update released back in May 2015, but apparently without providing customers any indication that the update was critical to their protection efforts.
What does this mean for the average user?
“Compromising IoT devices allow unfettered access through the network to any other devices on the network,” said Craig Williams, security outreach manager at Cisco. “To make matters worse almost no one has access to their thermostat at an [operating system] layer to notice that it has been compromised. No one wakes up and thinks, ‘Hey, it’s time to update my thermostat’s firmware.’ Typically once someone compromises these devices they will stay compromised until replaced. Basically it gives an attacker a perfect foothold to move laterally through a network.”
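The foothold-and-lateral-movement pattern Williams describes is something a defender can watch for at the network layer even without any access to the thermostat's operating system: a thermostat has a small, predictable set of things it should talk to, so connections from it to other LAN hosts are the signal. The following is an added example, not code from the article, Cisco or Trane. It assumes a router or firewall that logs each new connection in the one-line format shown; the thermostat address 192.168.1.50, the allow-list and the log lines are all constructed for the example.

```python
"""Flag a thermostat (or any IoT device) reaching LAN hosts it should never talk to.

Added example, not code from the article, Cisco or Trane. The log format,
the device address 192.168.1.50 and the policy are assumptions; the log
lines are constructed.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")

# Per-device policy: an IoT device normally needs the Internet (vendor cloud,
# NTP) plus the local resolver, and nothing else on the LAN.
IOT_POLICY = {
    "192.168.1.50": {"allowed_local": {("192.168.1.1", 53)}},
}

# Constructed sample log: the thermostat first behaves normally (vendor cloud
# over HTTPS, local DNS), then starts contacting other internal hosts on SSH
# and SMB, the "jumping off point" pattern. The last line is a different host
# that is not under policy and is ignored.
SAMPLE_LOG = """\
2016-02-01T08:00:01 conn src=192.168.1.50 dst=203.0.113.10 dport=443 proto=tcp
2016-02-01T08:00:05 conn src=192.168.1.50 dst=192.168.1.1 dport=53 proto=udp
2016-02-01T08:01:12 conn src=192.168.1.50 dst=192.168.1.20 dport=22 proto=tcp
2016-02-01T08:01:13 conn src=192.168.1.50 dst=192.168.1.21 dport=445 proto=tcp
2016-02-01T08:01:14 conn src=192.168.1.50 dst=192.168.1.22 dport=445 proto=tcp
2016-02-01T08:02:00 conn src=192.168.1.99 dst=192.168.1.20 dport=22 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_lateral_movement(log_text, policy=IOT_POLICY):
    """Return records where a policed IoT device contacts a LAN host that is
    not on its allow-list. Internet destinations are ignored on purpose: the
    device is expected to talk to its vendor, and that is not the signal here."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in policy:
            continue
        try:
            dst_ip = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue
        if dst_ip not in LAN:
            continue
        if (rec["dst"], rec["dport"]) in policy[rec["src"]]["allowed_local"]:
            continue
        alerts.append(rec)
    return alerts


def internal_fanout(alerts):
    """Count distinct internal destinations per offending device: one IoT box
    fanning out to several hosts is the strongest indicator in this data."""
    seen = {(a["src"], a["dst"]) for a in alerts}
    return dict(Counter(src for src, _ in seen))


if __name__ == "__main__":
    hits = find_lateral_movement(SAMPLE_LOG)
    for a in hits:
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}:{a["dport"]}/{a["proto"]}')
    print(internal_fanout(hits))
```

The allow-list is the important design choice: rather than trying to enumerate bad destinations, the check starts from the small set of things a thermostat legitimately needs and treats every other LAN connection as worth a look. That is also the argument for putting such devices on their own VLAN, where the same rule can be enforced rather than merely logged.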
Hidden accounts and insecure defaults are not unusual for IoT devices. What’s more, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. Trane’s instructions for applying the latest update are here.
“For organizations that maintain large amounts of IoT devices on their network, there may not be a way to update a device that scales, creating a nightmare scenario,” Williams wrote in an email explaining the research. “I suspect as we start seeing more IoT devices that require security updates this is going to become a common problem as the lifetime of IoT devices greatly exceeds what would be thought of as the typical software lifetime (2 years vs 10 years).”
If these IoT vulnerabilities sound like something straight out of a Hollywood hacker movie script, that’s not far from the truth. In the first season of the outstanding television series Mr. Robot, the main character [SPOILER ALERT] plots to destroy data on backup tapes stored at an Iron Mountain facility by exploiting a vulnerability in an HVAC system to raise the ambient temperature at the targeted facility.
Cisco’s writeup on its findings is here; it includes a link to a new Metasploit module the researchers developed to help system administrators find and secure exploitable systems on a network. It also can be used by bad guys to exploit vulnerable systems, so if you use one of these ComfortLink systems, consider updating soon before this turns into a Trane wreck (sorry, couldn’t help it).
Since I started this blog I've seen my share of cakes crammed onto real live ladies. Here's a croquembouche dress:
Here's a cupcake skirt:
(I'd eat that.)
And here's an edible wedding dress guaranteed to make you never want an edible wedding dress:
[slowly backing away in horror]
But all of that pales in comparison to whatever the heck is happening in this photo:
Now, I know there's a lot of crazy to take in up there, but keep your eyes on the bananas.
Now you can scroll down:
Ok, so, a few things:
1) There are now bananas artfully draped on the women's shoulders. I bet you never thought someone could artfully drape a banana. Or that someone would consider a conjoined torso cake with real live ladies sticking out of either end an appetizing idea. BUT THERE THEY BOTH ARE.
2) The candles. Why? Is this a birthday party?
3) WAIT. Is it Beetlejuice's birthday? THAT WOULD EXPLAIN... well, at least the stripey parts.
4) Now I want shrimp cocktail.
5) You Beetlejuice fans got that one. You're welcome.
Thanks to Amy, Evelyn D., Jessica S., & Jemma S. for sending in those pics with absolutely no explanation. I mean, it's just more fun to imagine all the many, MANY reasons why this is a thing that happened.
I'll, uh, come up with one eventually, I'm sure.
The New York Times has a long article on fraudulent locksmiths. The scam is a basic one: quote a low price on the phone, but charge much more once you show up and do the work. But the method by which the scammers get victims is new. They exploit Google's crowdsourced system for identifying businesses on their maps. The scammers convince Google that they have a local address, which Google displays to its users who are searching for local businesses.
But they involve chicanery with two platforms: Google My Business, essentially the company's version of the Yellow Pages, and Map Maker, which is Google's crowdsourced online map of the world. The latter allows people around the planet to log in to the system and input data about streets, companies and points of interest.
Both Google My Business and Map Maker are a bit like Wikipedia, insofar as they are largely built and maintained by millions of contributors. Keeping the system open, with verification, gives countless businesses an invaluable online presence. Google officials say that the system is so good that many local companies do not bother building their own websites. Anyone who has ever navigated using Google Maps knows the service is a technological wonder.
But the very quality that makes Google's systems accessible to companies that want to be listed makes them vulnerable to pernicious meddling.
"This is what you get when you rely on crowdsourcing for all your 'up to date' and 'relevant' local business content," Mr. Seely said. "You get people who contribute meaningful content, and you get people who abuse the system."
The scam is growing:
Lead gens have their deepest roots in locksmithing, but the model has migrated to an array of services, including garage door repair, carpet cleaning, moving and home security. Basically, they surface in any business where consumers need someone in the vicinity to swing by and clean, fix, relocate or install something.
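The lead-gen pattern described above leaves a detectable footprint in the directory itself: one operation behind many differently named "local" businesses tends to reuse a phone number across names and cities, even when each listing gets its own website. The following is an added example of that check, not code from the article, Google or the New York Times. It assumes a directory export with a name, city, phone and website per listing; the listings are constructed and the business names are invented.

```python
"""Find lead-gen style clusters in a local-business directory.

Added example, not code from the article, Google or the New York Times.
Assumes a directory export with name, city, phone and website per listing;
the records below are constructed and the names are invented.
"""
import re
from collections import defaultdict

# Constructed sample: four "different" locksmiths in four cities that share
# one phone number, plus one genuine business listed twice (a plain duplicate).
LISTINGS = [
    {"name": "Phoenix Lock Pros", "city": "Phoenix",
     "phone": "(602) 555-0101", "site": "http://phoenix-lock-pros.example"},
    {"name": "24/7 Phoenix Lock & Key", "city": "Phoenix",
     "phone": "602-555-0101", "site": "http://phx-lock-key.example"},
    {"name": "Mesa Emergency Locksmith", "city": "Mesa",
     "phone": "602.555.0101", "site": "http://mesa-emergency-locksmith.example"},
    {"name": "Tempe Fast Locksmith", "city": "Tempe",
     "phone": "+1 602 555 0101", "site": "http://tempe-fast-locksmith.example"},
    {"name": "Old Town Locks", "city": "Scottsdale",
     "phone": "(480) 555-0199", "site": "http://oldtownlocks.example"},
    {"name": "Old Town Locks", "city": "Scottsdale",
     "phone": "480-555-0199", "site": "http://oldtownlocks.example"},
]


def normalize_phone(raw):
    """Reduce a phone number to digits and drop a leading US country code,
    so that the formatting tricks lead gens use do not split one number
    into several keys."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def find_listing_clusters(listings, min_names=3):
    """Group listings by normalized phone and return the groups whose distinct
    business names reach min_names. A single business listed twice under the
    same name is deliberately not flagged; that is a duplicate, not a scam."""
    by_phone = defaultdict(list)
    for item in listings:
        by_phone[normalize_phone(item["phone"])].append(item)
    clusters = []
    for phone, items in sorted(by_phone.items()):
        names = sorted({i["name"] for i in items})
        if len(names) < min_names:
            continue
        clusters.append({
            "phone": phone,
            "names": names,
            "cities": sorted({i["city"] for i in items}),
            "sites": sorted({i["site"] for i in items}),
        })
    return clusters


if __name__ == "__main__":
    for c in find_listing_clusters(LISTINGS):
        print(f'{c["phone"]}: {len(c["names"])} names across {c["cities"]}')
```

The threshold is what keeps this useful as a review queue rather than a ban list: a real business with a second trade name shares a phone number too, so flagged clusters are candidates for the verification step the article's critics ask for, not automatic removals.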
What's interesting to me are the economic incentives involved:
Only Google, it seems, can fix Google. The company is trying, its representatives say, by, among other things, removing fake information quickly and providing a "Report a Problem" tool on the maps. After looking over the fake Locksmith Force building, a bunch of other lead-gen advertisers in Phoenix and that Mountain View operation with more than 800 websites, Google took action.
Not only has the fake Locksmith Force building vanished from Google Maps, but the company no longer turns up in a "locksmith Phoenix" search. At least not in the first 20 pages. Nearly all the other spammy locksmiths pointed out to Google have disappeared from results, too.
"We're in a constant arms race with local business spammers who, unfortunately, use all sorts of tricks to try to game our system and who've been a thorn in the Internet's side for over a decade," a Google spokesman wrote in an email. "As spammers change their techniques, we're continually working on new, better ways to keep them off Google Search and Maps. There's work to do, and we want to keep doing better."
There was no mention of a stronger verification system or a beefed-up spam team at Google. Without such systemic solutions, Google's critics say, the change to local results will not rise even to the level of superficial.
And that's Google's best option, really. It's not the one losing money from these scammers, so it's not motivated to fix the problem. Unless the problem rises to the level of affecting user trust in the entire system, it's just going to do superficial things.
This is exactly the sort of market failure that government regulation needs to fix.