RISKS Forum mailing list archives
Risks Digest 31.37
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 19 Aug 2019 17:38:51 PDT
RISKS-LIST: Risks-Forum Digest  Monday 19 August 2019  Volume 31 : Issue 37

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/31.37>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Russian nuclear-powered cruise missile blows up, creating `mini-Chernobyl'
  (Ars Technica)
Facial recognition software mistook 1 in 5 California lawmakers for
  criminals, says ACLU (LATimes)
Major breach found in biometrics system (The Guardian)
Security Database leak reveals: Biometric data, plaintext passwords and
  much more... (VPN Mentor)
"Researchers Use Blockchain to Drive Electric Vehicle Infrastructure"
  (U.Waterloo)
"Why blockchain-based voting could threaten democracy" (Lucas Mearian)
Steam vulnerability reportedly exposes Windows gamers to system hijacking
  (Charlie Osborne)
Critical Windows 10 Warning: Millions Of Users At Risk (Forbes via Gabe Goldberg)
Null is Not Nothing (WiReD)
Trend Micro fixes privilege escalation security flaw in Password Manager
  (Charlie Osborne)
Ransomware Attack Hits 20 Local Governments In Texas (Kut)
Computer Outage Delays International Travelers Arriving at Dulles
  (NBC4 Washington)
London Exchange Is Delayed by Technical Problem (NYTimes)
Cascading Effect of putting your data in a single cloud basket (Telus)
Electric car charging stations may be portals for power grid cyber-attacks
  (Tech Xplore)
How Flat Earthers Nearly Derailed a Space Photo Book (NYTimes)
Hack in the box: Hacking into companies with "warshipping" (Ars Technica)
Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
  (Chiaki Ishikawa)
Re: Password policy recommendations: Here's what you need to know
  (R A Lichtensteiger, Gabe Goldberg)
Re: Climate change: how the jet stream is changing your weather
  (R. G. Newbury)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 13 Aug 2019 11:29:00 +0900
From: Dave Farber <farber () gmail com>
Subject: Russian nuclear-powered cruise missile blows up, creating
  `mini-Chernobyl' (Ars Technica)

Atomic research agency acknowledges "isotope power source" of "rocket
engine" exploded.

Ars Technica: https://apple.news/ACGIU3viPQvmd1MPkMUV_uQ

------------------------------

Date: August 14, 2019 at 9:45:24 AM GMT+9
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Facial recognition software mistook 1 in 5 California lawmakers
  for criminals, says ACLU (LATimes)

https://www.latimes.com/california/story/2019-08-12/facial-recognition-software-mistook-1-in-5-california-lawmakers-for-criminals-says-aclu

------------------------------

Date: Wed, 14 Aug 2019 17:59:51 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Major breach found in biometrics system (The Guardian)

Israeli security researchers have found that a database belonging to the
web-based Biostar 2 biometrics lock system was unprotected and mostly
unencrypted. It exposed fingerprints of over 1 million people, as well as
facial recognition information, unencrypted usernames and passwords, and
personal information of employees.

https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms

  [Also noted by John Utteridge. PGN]

------------------------------

Date: Wed, 14 Aug 2019 14:16:39 +0200
From: Anthony Thorn <anthony.thorn () atss ch>
Subject: Security Database leak reveals: Biometric data, plaintext passwords
  and much more... (VPN Mentor)

"A huge data breach in security platform BioStar 2":
https://www.vpnmentor.com/blog/report-biostar2-leak/

If this leak -- discovered by Vpnmentor researchers -- has been exploited by
criminals, the results would be disastrous.
According to the Vpnmentor blog, the database contains plaintext -- *not*
hashed -- passwords and biometric data for millions of users. These users
are employees of firms using the Biostar 2 access control application
(including administrators).

You can change a compromised password, but your fingerprint is not only
fixed, but shared across all applications which use fingerprint
recognition.

What is your contingency plan?

------------------------------

Date: Mon, 19 Aug 2019 11:51:25 -0400
From: ACM TechNews <technews-editor () acm org>
Subject: "Researchers Use Blockchain to Drive Electric Vehicle
  Infrastructure" (U.Waterloo)

University of Waterloo News (14 Aug 2019) via ACM TechNews, 19 Aug 2019

Researchers in the Cheriton School of Computer Science and the Department of
Management Science of Canada's University of Waterloo have incorporated
blockchain into energy systems, which could expand charging infrastructure
for electric vehicles (EVs). An open blockchain platform will give EV
owners, property owners, and charging service operators access to charging
data, and alert them to tampering; EV owners will be able to see whether
they are being overcharged for charging their vehicles, and property owners
will be alerted to instances of underpayment. Said Waterloo's Christian
Gorenflo, "Mitigating trust issues in EV charging could result in people
who have charging stations and even those who just have an outdoor outlet
being much more willing to team up with an EV charging service provider,
resulting in much better coverage of charging stations."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-21235x21d3e7x069144&

------------------------------

Date: Tue, 13 Aug 2019 11:34:28 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: "Why blockchain-based voting could threaten democracy" (Lucas Mearian)

Lucas Mearian, Computerworld

As the desire to increase voter turnout remains strong and the number of
online voting pilot projects rises in the U.S. and abroad, some security
experts warn any Internet-based election system is wide open to attack,
regardless of the underlying infrastructure.

https://www.computerworld.com/article/3430697/why-blockchain-could-be-a-threat-to-democracy.html

selected text:

Even as there's been an uptick in pilot projects, security experts warn that
blockchain-based mobile voting technology is innately insecure and
potentially a danger to democracy through "wholesale fraud" or
"manipulation tactics."

Thirty-two states permit various kinds of online voting -- such as via
email -- for some subset of voters. In the 2016 general election, more than
100,000 ballots were cast online, according to data collected by the U.S.
Election Assistance Commission. The actual number is likely much higher,
according to some experts.

"Tampering with mailed paper ballots is a one-at-a-time attack. Infecting
voters' computers with malware or infecting the computers in the elections
office that handle and count ballots are both effective methods for
large-scale corruption," Epstein said.

------------------------------

Date: Tue, 13 Aug 2019 12:03:23 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: Steam vulnerability reportedly exposes Windows gamers to system
  hijacking (Charlie Osborne)

Charlie Osborne for Zero Day | 13 Aug 2019
The researcher was asked not to disclose the bug but did so anyway.
https://www.zdnet.com/article/steam-vulnerability-reportedly-exposes-windows-gamers-to-system-hijacking/

The Steam gaming platform reportedly contained a severe vulnerability which
could subject users to privilege escalation attacks but was not considered
in scope for Valve to fix.

"So, two weeks after my message, which was sent on July 20, a person
appears, who tells me that my report was marked as not applicable, they
closed the discussion and wouldn't offer any explanation to me," Kravets
said. "Moreover, they didn't want me to disclose the vulnerability.
At the same time, there was not even a single word from Valve."

------------------------------

Date: Tue, 13 Aug 2019 15:13:36 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Critical Windows 10 Warning: Millions Of Users At Risk (Forbes)

As the Black Hat security conference comes to an end in Las Vegas, so the
DEF CON hacker convention begins. It didn't take long for the first critical
warnings for Windows users to emerge as a result. This one is particularly
worrying as, according to the Eclypsium researchers who gave the
presentation, the issue applies "to all modern versions of Microsoft
Windows," which leaves millions of Windows 10 users at risk of system
compromise.

What did the researchers reveal?

In a nutshell, the researcher found a common design flaw within the
hardware device drivers from multiple vendors including Huawei, Intel,
NVIDIA, Realtek Semiconductor, SuperMicro and Toshiba. In total, the number
of hardware vendors affected runs to 20 and includes every major BIOS
vendor. The nature of the vulnerability has the potential for the widespread
compromise of Windows 10 machines.

https://www.forbes.com/sites/daveywinder/2019/08/11/critical-windows-10-warning-confirmed-millions-of-users-are-at-risk/#521532402b51

  [Gabe later added this on 18 Aug 2019:]

Microsoft Confirms Update Warning For Windows 10, Windows 8.1 And Windows 7
Users

The latest Patch Tuesday update from Microsoft included several critical
security fixes. Unfortunately, as Microsoft has now confirmed, it also
borked some things. If you haven't applied that August 13 update and are
running on Windows 10, Windows 8.1 or Windows 7, you may want to read this
before you do.

What's the problem with the latest Patch Tuesday Windows update?

Microsoft has confirmed a bunch of "known issues" with the August 13 Windows
update. Some, such as the "black screen during first logon after installing
updates" issue, have hit users after previous updates. That can be filed in
the annoying but ultimately not much to worry about folder: it only impacts
a "small number" of users and only the first time they logon after the
update.

Anything that impacts millions of users is a far more serious thing. And so
it is that Microsoft has confirmed that this Patch Tuesday update does just
that. "After installing this update, applications that were made using
Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and
scripts or apps using Visual Basic Scripting Edition (VBScript) may stop
responding and you may receive an 'invalid procedure call error,'" Microsoft
has stated.

https://www.forbes.com/sites/daveywinder/2019/08/17/microsoft-confirms-update-warning-for-windows-10-windows-81-and-windows-7-users/#281fcef23063

  [The risk? Automatic updates? GG]

------------------------------

Date: Wed, 14 Aug 2019 10:58:59 -0400
From: David Lesher <wb8foz () panix com>
Subject: Null is Not Nothing (WiReD)

"Security researcher Joseph Tartaro thought NULL would make a fun license
plate. He's never been more wrong."

<https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell>

An old risk comes back to life (RISKS-6.40) and many other cases. Little
Johnny Tables <https://xkcd.com/327/> comes to mind, too.

  [David, Thanks. You have a good memory back to 9 Mar 1988. PGN]

  [Also noted by Gabe Goldberg, who remarked, "Nice to see the old
  standards are still playing..." PGN]

------------------------------

Date: Thu, 15 Aug 2019 10:14:06 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: Trend Micro fixes privilege escalation security flaw in Password
  Manager (Charlie Osborne)

Charlie Osborne for Zero Day | 15 Aug 2019
The vulnerability could be used for privilege escalation and code execution
attacks.
https://www.zdnet.com/article/trend-micro-fixes-hijack-security-flaw-in-password-manager/

------------------------------

Date: Sat, 17 Aug 2019 10:27:16 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Ransomware Attack Hits 20 Local Governments In Texas (Kut)

A coordinated ransomware attack has affected at least 20 local government
entities in Texas, the Texas Department of Information Resources said. It
would not release information about which local governments have been
affected.

The department said the Texas Division of Emergency Management is
coordinating support from other state agencies through the Texas State
Operations Center at DPS headquarters in Austin. DIR said the Texas Military
Department and the Texas A&M University Systems' Cyber-response and Security
Operations Center teams are deploying resources to "the most critically
impacted jurisdictions."...

https://www.kut.org/post/ransomware-attack-hits-local-governments-texas

------------------------------

Date: Fri, 16 Aug 2019 17:28:16 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Computer Outage Delays International Travelers Arriving at Dulles
  (NBC4 Washington)

Customs and Border Protection computers are down nationwide, and
international arrivals at Dulles International Airport are being delayed,
according to the Metropolitan Washington Airports Authority.

CBP officers are processing passengers manually. Some passengers say they
have been waiting for two hours at passport control.

"CBP is experiencing a temporary outage with its processing systems at
various air ports of entry & is taking immediate action to address the
technology disruption," the agency tweeted. "CBP officers continue to
process international travelers using alternative procedures until systems
are back online."

  [Reportedly, at least 5,000 passengers stuck in line. PGN]

  [Monty Solomon noted Officials said service was restored after about two
  hours but travelers then faced long waits to be processed.
  https://www.nytimes.com/2019/08/16/us/customs-computer-shutdown.html
  PGN]

------------------------------

Date: Fri, 16 Aug 2019 13:13:02 -0400
From: Monty Solomon <monty () roscom com>
Subject: London Exchange Is Delayed by Technical Problem (NYTimes)

https://www.nytimes.com/2019/08/16/business/lse-delay-stocks.html

Opening of trading was pushed back one hour and 40 minutes as the stock
exchange tried to determine the cause.

------------------------------

Date: Mon, 19 Aug 2019 15:45:16 -0400
From: Kelly Bert Manning <bo774 () freenet carleton ca>
Subject: Cascading Effect of putting your data in a single cloud basket (Telus)

Most business and home TELUS e-mail customers have been impacted to a large
degree by a telus.net e-mail outage that began Aug 15 and is still
affecting some customers across Alberta and BC, as well as customers trying
to connect from elsewhere.

The outage was aggravated by the lack of information. TELUS kept saying that
the Root Cause was unknown until Aug 19, when reports began to surface
attributing the outage to a failed Dell EMC Cloud server repair:
https://www.telus.com/en/internet/email-outage

"This issue occurred during an overnight update to our servers in the early
hours of Thursday, August 15, in partnership with our vendor Dell EMC, when
a flawed repair procedure took the TELUS.net email system offline."

My experience was that pop connection attempts fared better than web mail
or imap. There is apparently some risk of at least temporary e-mail loss
for customers who kept their e-mail on TELUS servers, rather than
downloading it.

Generally TELUS has a well earned reputation for Continuous Availability and
ability to roll back failed updates promptly. Businesses that have come to
rely on e-mail for orders and other functions have been heavily impacted.
My personal view, using e-mail for work since the 1980s, is that it is not
yet a reliable or secure form of business communication.

This reminded me of Dr. Nancy Leveson's analogy of Software and the early
days of high pressure steam. The economic incentive to push ahead with
unreliable, potentially unsafe, methods overwhelmed the voices of caution.
If you pushed ahead you made money faster, until the boiler blew up on your
workers.

Cloud seems to have been motivated by the idea of simplifying the addition
and management of servers and storage. Looks like there is some work to be
done to balance that saving against the risk of you and your customers
being impacted for days at a time if something in the cloud goes wrong.

------------------------------

Date: Sat, 17 Aug 2019 10:33:59 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Electric car charging stations may be portals for power grid
  cyber-attacks (Tech Xplore)

Electric cars are an essential component of a lower-carbon future, but a
new report from researchers at the New York University Tandon School of
Engineering raises the specter that plug-in electric vehicles -- and the
charging stations that supply them -- could be prime vectors for
cyber-attacks on urban power grids.

"In simulations using publicly available information about charging station
usage in Manhattan and the structure of the island's power grid, our
research team found that a fleet of just roughly 1,000 simultaneously
charging electric vehicles would be adequate for mounting an attack whose
effects could rival the blackout that affected the city's West Side last
month," said Yury Dvorkin, assistant professor in NYU Tandon's Department
of Electrical and Computer Engineering.

NYU Tandon doctoral candidate Samrat Acharya led the research in
collaboration with Dvorkin and Professor Ramesh Karri, also from the
Department of Electrical and Computer Engineering.

"This simulation is a wake-up call to the public and policymakers, and an
encouragement to take steps to protect the data generated between electric
cars and charging stations -- most of which could be co-opted by a hacker
with college-level skills," Dvorkin said...

https://m.techxplore.com/news/2019-08-electric-car-stations-portals-power.html

------------------------------

Date: Fri, 16 Aug 2019 16:55:30 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: How Flat Earthers Nearly Derailed a Space Photo Book (NYTimes)

What a photographer's struggle to raise money for his book of images tells
us about Facebook and conspiracy theorists.

About 24 hours after the ads were approved, he got a notification telling
him the ad had been removed. He resubmitted it. It was accepted -- and then
removed again -- 15 or 20 times, he said. The explanation given: He had run
misleading ads that resulted in high negative feedback. He understood that
it was Facebook's algorithm that rejected the ads, not a person.

Getting additional answers proved difficult, a common complaint with
advertising on Facebook. The best clues he could find came in the comments
under the ads, which he and his colleagues captured in screenshots before
they were removed and in responses to other posts about the project: There
were phrases such as "The original moon landing technology." Some comments
were hard to gauge, with users insisting that the earth was flat but that
they'd buy the book anyway.
<https://digiday.com/marketing/underlining-arrogance-media-buyers-frustrated-google-facebook-ad-reps/>

------------------------------

Date: Sat, 17 Aug 2019 10:46:06 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Hack in the box: Hacking into companies with "warshipping"
  (Ars Technica)

  (More on Warshipping in RISKS-31.36)

*For under $100, compact hardware can turn a shipped package into a Trojan
horse for attacks.* (Ars Technica)
https://arstechnica.com/information-technology/2019/08/hack-in-the-box-hacking-into-companies-with-warshipping/

Penetration testers have long gone to great lengths to demonstrate the
potential chinks in their clients' networks before less friendly attackers
exploit them. But in recent tests by IBM's X-Force Red, the penetration
testers never had to leave home to get in the door at targeted sites, and
the targets weren't aware they were exposed until they got the bad news in
report form. That's because the people at X-Force Red put a new spin on
sneaking in -- something they've dubbed "warshipping."

  [Long item truncated for RISKS. PGN]

------------------------------

Date: Thu, 15 Aug 2019 10:08:17 +0900
From: "ISHIKAWA,chiaki" <ishikawa () yk rim or jp>
Subject: Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your
  Computer (VICE)

So this cable allows an attacker to access the connected computer. The
implant must have a Wi-Fi component as well, since it accesses the
computer via Wi-Fi using the cable as an antenna.

Silent or passive monitoring of data that flows and sending it out via a
low-power radio signal seems to have been favored by spy agencies until
Snowden released such a trick in one of his documents in Wikileaks. I
recall the USB cable for this purpose.

Around the 1996-2000 time frame, I noticed a USB cable with a mysterious
embedded chip inside (inside the plug portion). I found it in a photo blog
of a second-hand parts shop in Akihabara. Initially, I thought this could
be similar to APC's UPS control cable that has some components inside (for
a proprietary connection, I guess.) But it did not make sense, and the
cable did act as an ordinary USB cable.

Years later, when I read the Wikileaks document, I realized that the cables
could have been used as a spying tool.

My scenario was like this: A large company bought a ton of PCs from
Lenovo/Dell/HP/Fujitsu/NEC/etc., you name it. The agent that delivered the
PCs first assembled them in a warehouse before shipping them to the customer
site (big trading agency/banks or even a Japanese government office?).
Then the warehouse was "attacked" and all the USB cables inside the PC
delivery boxes were replaced with this spying cable.

However, back then, rack computers were expensive and scarce. Many startup
e-Commerce companies used ordinary PCs sans PCs and keyboards to act as
rack computers. Thus most, if not all, of the delivered keyboard and USB
cables were dumped to the second hand market. Thus they were sold at an
outlet in Akihabara and noticed by the store clerk who accidentally broke
the plug and found the strange implant, and opened a few others and found
the implants there, too. And since he posted the strange USB cable that
works in a shop blog with the photo, I noticed it.

Nobody knows how that cable was used for spying and where. An intriguing
mind wants to know.

The cable was so strange, and this is why I remembered it until I read the
Wikileaks document.

------------------------------

Date: Tue, 13 Aug 2019 16:31:34 -0400
From: R A Lichtensteiger <rali () tifosi com>
Subject: Re: Password policy recommendations: Here's what you need to know
  (Goldberg, RISKS-31.36)

I think the true RISK here is an article like this that propagates the
myth that the password complexity rules from NIST's 1980s era document are
STILL a good idea.
I find it especially egregious that the author of this article chose to
reference NIST SP-800-63b while espousing overly complex password rules.
Permit me to quote from the appendix to that document:

  Highly complex memorized secrets introduce a new potential vulnerability:
  they are less likely to be memorable, and it is more likely that they
  will be written down or stored electronically in an unsafe manner

Worse, because it was touted on a large computer company website, this
article might give weight to their inanity.

------------------------------

Date: Thu, 15 Aug 2019 16:31:19 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Password policy recommendations: Here's what you need to know
  (Lichtensteiger, RISKS-31.37)

Second part of the sentence you quote: "but new recommendations have led to
changes around password policies". After recapping password history, the
article notes new defaults, changes, resources:

The default levels are changing

But in May 2019, Microsoft announced changes in the Security Baselines for
Windows 10 and Windows Server build 1903
<https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/>:
The minimum and maximum password ages will no longer be set in the
baselines and therefore will not be enforced. Microsoft cites research (see
"An Administrator's Guide to Internet Password Research
<https://cormac.herley.org/docs/WhatsaSysadminToDo.pdf>" and "The Security
of Modern Password Expiration
<https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf>") to claim that
password expiration policies are no longer considered to have great value.
Other measures, such as checking lists of banned passwords, are more
effective. As they note, Windows Group Policies don't provide for checking
such lists, so neither can the Security Baselines, which is a good example
of why you should not rely only on the baselines. Microsoft offers some of
the more advanced capabilities in Azure AD Password Protection
<https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-and-Smart-Lockout-are-now-in-Public/ba-p/245423>.

Password complexity: The ground rules

What is the default Windows password complexity policy
<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements>?

* The password may not contain the account name or variations on the
  account name.
* It must contain characters from three of the following five groups
  (quoted from the Microsoft document):
  o Uppercase letters of European languages (A through Z, with diacritical
    marks, Greek and Cyrillic characters)
  o Lowercase letters of European languages (A through Z, sharp S, with
    diacritical marks, Greek and Cyrillic characters)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters (special characters):
    (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
    Currency symbols such as the euro or British pound are not counted as
    special characters for this policy setting.
  o Any Unicode character that is categorized as an alphabetic character
    but is not uppercase or lowercase. This includes Unicode characters
    from Asian languages.

Everyone who has had to deal with these policies, which are enabled in the
Security Baselines, knows what a pain they can be. As the Microsoft
document says, enabling the policies "may cause some additional help desk
calls for locked-out accounts because users might not be used to having
passwords that contain characters other than those found in the alphabet.
However, this policy setting is liberal enough that all users should be able
to abide by the requirements with a minor learning curve."
The default password length requirement
<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length>
is seven characters, but elsewhere Microsoft recommends eight characters, as
do the NIST requirements. In the Security Baselines, the minimum password
length is 14 characters.

The NIST policies specifically reject (though they do not ban) complexity
requirements. Microsoft has not removed the default imposition of these
requirements from Windows or the Security Baselines, but it may be a change
you want to make yourself.

If you want finer control of password filtering but want to stick with
Active Directory
<https://www.hpe.com/us/en/insights/articles/5-ways-to-see-whats-going-on-in-your-windows-server-system-right-now-1812.html>,
you can replace Microsoft's standard Passfilt.dll
<https://docs.microsoft.com/en-us/windows/desktop/secmgmt/password-filters>
with a commercial one or write one yourself, as Yelp did, based on an open
source implementation
<https://engineeringblog.yelp.com/2018/04/ad-password-blacklisting.html>.
Examples of commercial replacements are those from nFront Security
<https://nfrontsecurity.com/products/nfront-password-filter/>, ManageEngine
<https://www.manageengine.com/products/self-service-password/password-policy-enforcer.html>,
and Anixis <https://anixis.com/products/ppe/faq.htm>. Using one of these
replacements, you can implement current best practices within your
otherwise standard Active Directory infrastructure.

SecLists keeps a collection of many large common password lists.
<https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials>

Beyond banned passwords

Banned password lists are useful, but another way may be better. Have I
Been Pwned <https://haveibeenpwned.com/> is a site that keeps records of
major user ID and password breaches and allows you to check whether any of
your logins have been compromised. The site was built and is maintained by
Troy Hunt, a Microsoft regional director <https://rd.microsoft.com/en-us/>
and well-known security expert. It has data on 369 breached sites and
7,860,402,548 breached accounts. The site also has an API that allows you
to check whether a particular account has been breached or just if a
particular password exists in the breach database.
<https://haveibeenpwned.com/API/v2#PwnedPasswords>

Hunt thinks that, once a list is as large as his, it is ``exceptionally
unlikely to have anything outside that collection which is both terrible
and actively used.'' The answer is to check against the separate Pwned
Passwords database <https://haveibeenpwned.com/Passwords>, which contains
551 million passwords that have been in one or more of the breaches, using
its API. Hunt says he would set a minimum of six characters and then block
anything that shows up in Pwned Passwords. One more tip from Hunt: ``I'd
block every variation of the company name; nobody on the Acme Corp. website
can use AcmeCorp, AcmeCorp1, AcmeC0rp, etc.''

If you want to use the Pwned Passwords API, you can build on one of the
many projects already doing so <https://haveibeenpwned.com/API/Consumers>.
Typically, they create an environment-native interface to the API, such as
with the many PHP libraries, Python and Perl scripts, WordPress plugins, and
Java clients, as well as an IFTTT recipe.

In addition to many weak passwords, Pwned Passwords has a large number of
passwords that would satisfy any set of complexity rules, so it might seem
to be overkill. But compared with the range of possible passwords, 551
million isn't as big a number as it seems. Nearly all of my own passwords
are randomly generated by my password manager, but I tested several
passwords I made up on my own in recent years, and none appear in the Pwned
Passwords database. So maybe relying on Hunt's API and a minimum length and
blocking organization name variants is the easiest route to strong
protection.

I wrote a program to check the contents of one of the SecLists lists of
`common credentials' against the Pwned Passwords database. All but 3,663 of
262,000 passwords tested were in Pwned Passwords, and more than half of
those that weren't had fewer than eight characters. Perhaps this means that
Hunt is right that checking banned password lists is largely redundant,
though if you're going to check one or the other, it's easy enough to check
both.

But all of this is about usernames and passwords, a technology that we
should all hope will someday be deprecated. At the same time you make sure
your passwords are strong, move forward with multifactor authentication
<https://www.hpe.com/us/en/insights/articles/with-webauthn-web-authentication-is-finally-getting-smart-1808.html>
and biometrics
<https://www.hpe.com/us/en/insights/articles/biometric-authentication-from-speeding-travel-to-providing-id-for-the-marginalized-1903.html>
that bypass the inherent problems with passwords.

Password policy best practices: Lessons for leaders

* Stay up to date with recommendations for creating and maintaining secure
  passwords.
* Minimize opportunities for user password failures.
* Make use of public databases of password failures and account breaches.

------------------------------

Date: Tue, 13 Aug 2019 00:39:25 -0400
From: "R. G. Newbury" <newbury () mandamus org>
Subject: Re: Climate change: how the jet stream is changing your weather
  (RISKS-31.36)
  As temperatures rose across the massive ice sheet, which blankets an area
  five times the size of Germany, around 60 per cent of the surface started
  to melt, one of the largest ever recorded.

Except it didn't: And the last sentence is basically a lie. Even if that
one station had recorded an above zero temperature, it would not mean that
60% of the surface was also melting.

https://wattsupwiththat.com/2019/08/12/greenlands-record-temperature-denied-the-data-was-wrong/

Now from the Danish Meteorological Institute (DMI), via the news website
The Local, the cooler reality:

  Danish climate body wrongly reported Greenland heat record

  The Danish Meteorological Institute, which has a key role in monitoring
  Greenland's climate, last week reported a shocking August temperature of
  between 2.7C and 4.7C at the Summit weather station, which is located
  3,202m above sea level at the centre of the Greenland ice sheet,
  generating a spate of global headlines. But on Wednesday it posted a tweet
  saying that a closer look had shown that monitoring equipment had been
  giving erroneous results. ``Was there record-level warmth on the inland
  ice on Friday? No! A quality check has confirmed our suspicion that the
  measurement was too high.''

Shoot out the headlines first, ask questions later.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.37
************************
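Editor's added example (not part of the digest, and not code from the HPE article, Microsoft, Troy Hunt or any of the contributors): the password-policy recommendations quoted in Gabe Goldberg's reply above, combined into one runnable checker. It applies a minimum length, the "no account name" rule, Hunt's "block every variation of the company name" tip, Microsoft's three-of-five character-group complexity rule, a banned-list lookup, and a Pwned Passwords check done the k-anonymity way (only the first five hex characters of the SHA-1 leave the host; the suffix is matched locally against the "SUFFIX:COUNT" lines the range endpoint returns). The banned list and breach corpus here are small constructed stand-ins so the example runs offline; the leet-speak normalization and the "words of four or more letters" rule for company-name variants are simplifications of my own, not anything the article specifies.

```python
import hashlib
import unicodedata
import urllib.request

# Microsoft's "special characters" group as quoted in the article above;
# currency symbols are deliberately not in it.
SPECIALS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')

# Constructed stand-ins (not real data) for a SecLists common-credentials
# file and for the Pwned Passwords corpus, so the example runs offline.
BANNED_LIST = {"password", "123456", "qwerty", "letmein"}
CONSTRUCTED_BREACHED = BANNED_LIST | {"Summer2019!", "P@ssw0rd"}

# Leet-speak undo table for the company-name check (my own simplification).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def char_groups(password):
    """Which of the five Windows complexity groups the password draws from."""
    groups = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            groups.add("upper")
        elif cat == "Ll":
            groups.add("lower")
        elif cat == "Nd":
            groups.add("digit")
        elif ch in SPECIALS:
            groups.add("special")
        elif cat.startswith("L"):      # Lo/Lm/Lt: alphabetic but caseless
            groups.add("other_alpha")
    return groups


def normalize_for_name_check(text):
    """Lower-case, undo leet substitutions, keep letters only, so that
    AcmeCorp1, AcmeC0rp and Acme-Corp all contain 'acmecorp'."""
    return "".join(c for c in text.lower().translate(LEET) if c.isalpha())


def company_variants(company_name):
    """Collapsed full name plus each word of four or more letters."""
    words = {normalize_for_name_check(w) for w in company_name.split()}
    full = normalize_for_name_check(company_name)
    return {v for v in ({full} | {w for w in words if len(w) >= 4}) if v}


def pwned_count(password, range_lookup):
    """k-anonymity lookup in the Pwned Passwords range format: send the
    5-char SHA-1 prefix, match the 35-char suffix locally; returns the
    breach count (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def live_range_lookup(prefix):
    """Real query against Hunt's range endpoint (not used by the offline demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def _fake_ranges(passwords):
    ranges = {}
    for n, pw in enumerate(sorted(passwords), start=1):  # n: made-up counts
        d = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        ranges.setdefault(d[:5], []).append(d[5:] + ":" + str(n))
    return ranges


FAKE_RANGES = _fake_ranges(CONSTRUCTED_BREACHED)


def fake_range_lookup(prefix):
    """Offline stand-in for live_range_lookup, built from the constructed corpus."""
    return "\r\n".join(FAKE_RANGES.get(prefix.upper(), []))


def evaluate(password, account_name, company_name, min_length=8,
             range_lookup=fake_range_lookup):
    """Return the policy rules the password fails, in check order (empty = accepted)."""
    failures = []
    if len(password) < min_length:
        failures.append("too_short")
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        failures.append("contains_account_name")
    norm_pw = normalize_for_name_check(password)
    if any(v in norm_pw for v in company_variants(company_name)):
        failures.append("company_name_variant")
    if len(char_groups(password)) < 3:
        failures.append("complexity")
    if password.lower() in BANNED_LIST:
        failures.append("banned_list")
    if pwned_count(password, range_lookup) > 0:
        failures.append("pwned")
    return failures


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "AcmeC0rp!", "jdoe2019", "password", "Summer2019!"):
        print(f"{pw:14} -> {evaluate(pw, 'jdoe', 'Acme Corp') or 'accepted'}")
```

To run it against the real corpus, pass range_lookup=live_range_lookup to evaluate; the k-anonymity design means the full password hash is never sent, which is the property that makes it acceptable to call an external service from a password filter at all. The ordering of checks is deliberate: the cheap local rules run first and the network lookup last, so a password that already fails locally never triggers a query.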