China hack attacks on US continue despite commercial spying pact
If this surprises you, I’ve got a real-life, fully functional totally Back to the Future hoverboard to sell you…
Hackers Can Silently Control Siri From 16 Feet Away
Well this is concerning:
A pair of researchers at ANSSI, a French government agency devoted to information security, have shown that they can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled, if it also has a pair of headphones with a microphone plugged into its jack. Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone. Without speaking a word, a hacker could use that radio attack to tell Siri or Google Now to make calls and send texts, dial the hacker’s number to turn the phone into an eavesdropping device, send the phone’s browser to a malware site, or send spam and phishing messages via email, Facebook, or Twitter.
You can disable Siri whenever your iOS device is locked by going to Settings > Touch ID & Passcode > Allow Access When Locked and toggling the Siri switch to the “off” (as in not green) position. This doesn’t guarantee a hack like the one described above won’t work on your device, but it does guarantee you’ll see Siri doing something weird and can thus be alerted to the hackery.
Federal Court’s data breach decision shows new tilt toward victims, class-action lawsuits
John Fontana writes at ZDNet:
In an interesting twist, the Court said the fact Neiman Marcus offered free credit monitoring services was evidence that there was harm to these victims. The ruling turned on its head the way courts historically view such services as compensation for harm while negating a victim's right to file a lawsuit (re: standing).
This may get very interesting very fast: if companies are at risk of being held to have tacitly admitted liability by offering credit protection services to potential breach victims, they will stop offering that stuff.
The possibility of class actions instead of free credit monitoring may appeal to those whose data has been stolen, but it’s not really a great trade at all. Credit monitoring is expensive and the industry is still suffering growing pains, but class actions usually net plaintiffs an insignificant amount of money in damages while making lawyers very, very rich.
China-Tied Hackers That Hit U.S. Said to Breach United Airlines
This is starting to look like a concerted effort to gather a specific data set for some sort of coordinated use:
The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests -- which include information on flights’ passengers, origins and destinations -- according to one person familiar with the carrier’s investigation.
Michael Riley and Jordan Robertson, reporting a fascinating story at Bloomberg:
In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack. The act exempts intelligence and law-enforcement activities, allowing the government to respond more aggressively than private-sector firms. There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts.
Diplomacy and the courts are clearly inadequate channels for preventing, halting or discouraging foreign-based hacking.
The question, then, is whether the U.S. government will use its broader “revenge” authority under the CFA to defend not only itself but private U.S. companies. This method would be problematic from a funding perspective, and may cause diplomatic friction.
Alternatively, the CFA could be amended to allow “proportional responses” by private U.S. companies to foreign-based hacking. This method would be problematic from oversight and transparency perspectives, subjecting revenge hacking to market dynamics and the “black box” in which companies conduct so much of their business (especially when they’re privately held).
Yes, companies often have to deal with reporting requirements in the aftermath of a major data breach, but they don’t have to disclose any countermeasures under any current state or federal notification regime I can find.
Perhaps the best solution would involve some hybrid of these. For example, a department of government investigators and hackers could be assigned in small groups to companies facing imminent or ongoing foreign-based hacking.
They could embed into the companies like journalists sometimes embed into military units, assisting the company in its response and pulling the trigger on revenge hacks, insulating the company from CFA liability.
The hybrid method minimizes government expense, maximizes company involvement and allows for the use of transparency laws such as the Freedom of Information Act by journalists and policy analysts to peek inside the black box.
I’m obviously not going to come up with a perfect solution in a short blog post, but it’s worth thinking about.
Image by the author
Employees sue Sony over email leaks
Saba Hamedy and Meg James, at the LA Times:
Hackers began releasing sensitive data after the studio’s security breach became public on Nov. 24. The group, calling itself Guardians of Peace, has released data including thousands of pages of emails from studio chiefs, salaries of top executives, and Social Security numbers of 47,000 current and former employees.
Many are warning of the intellectual property fallout of hacks like this. And that could, indeed, lose companies much potential revenue. But the more serious liability here is failure to secure employee information. I anticipate we’ll see many similar class actions unless companies get serious about security.
Heartbleed: When no encryption is better than bad encryption
Alex Hern reports for The Guardian this disturbing fact about the recently disclosed OpenSSL bug, now two years old and pervasive:
servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all.
How? The bug allows access even to information the encryption wasn’t protecting.
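The reason a Heartbleed-vulnerable server is worse off than an unencrypted one is that the over-read returns whatever sits next to the request in process memory, which includes plaintext that TLS never touched. The following toy model is an added example, not OpenSSL’s code: it constructs a fake memory snapshot with a heartbeat-style request at the front and an unrelated session cookie further along, then runs a responder that trusts the peer-supplied length field beside one that checks it against the bytes actually received. All names, offsets and the sample secret are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the Heartbleed defect (added example, not OpenSSL's code).
 * A heartbeat request carries a payload plus a peer-supplied length field.
 * The vulnerable responder trusts that field and copies that many bytes back,
 * so anything lying beyond the real request in memory is echoed to the peer.
 * The fixed responder checks the field against the length actually received. */

#define MEM_SIZE 128
#define HDR_LEN 3                         /* 1 byte type + 2 byte big-endian length */
#define SECRET_OFFSET 64
#define SECRET "SESSION-COOKIE-abc123"    /* constructed neighbouring plaintext */

/* Build a constructed process-memory snapshot: a heartbeat request with a
 * 5-byte payload at offset 0, unrelated plaintext (never sent over the wire)
 * at offset 64. */
static void build_memory(uint8_t *mem, uint16_t declared_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = 1;                               /* heartbeat request type */
    mem[1] = (uint8_t)(declared_len >> 8);    /* length as claimed by the peer */
    mem[2] = (uint8_t)(declared_len & 0xff);
    memcpy(mem + HDR_LEN, "hello", 5);        /* the payload really present */
    memcpy(mem + SECRET_OFFSET, SECRET, sizeof(SECRET));
}

static uint16_t read_declared_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable: copies declared_len bytes and never consults record_len. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t record_len,
                            uint8_t *out, size_t out_cap)
{
    (void)record_len;                         /* ignored: this is the bug */
    uint16_t n = read_declared_len(rec);
    if (n > out_cap) n = (uint16_t)out_cap;   /* keeps the toy inside mem[] */
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Fixed: drop any request whose claimed length exceeds what arrived. */
size_t heartbeat_fixed(const uint8_t *rec, size_t record_len,
                       uint8_t *out, size_t out_cap)
{
    if (record_len < HDR_LEN) return 0;
    uint16_t n = read_declared_len(rec);
    if ((size_t)HDR_LEN + n > record_len) return 0;   /* silently discard */
    if (n > out_cap) return 0;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

typedef size_t (*responder_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Send a request that claims 100 bytes but really carries 5; return 1 if the
 * response contains the neighbouring secret, 0 otherwise. */
static int response_leaks_secret(responder_fn handler)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, 100);
    size_t n = handler(mem, HDR_LEN + 5, out, MEM_SIZE - HDR_LEN);
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int vulnerable_leaks_secret(void) { return response_leaks_secret(heartbeat_vulnerable); }
int fixed_leaks_secret(void)      { return response_leaks_secret(heartbeat_fixed); }

/* The fixed responder still answers an honest request: returns 1 if a
 * request declaring 5 bytes with 5 bytes present is echoed back intact. */
int fixed_echoes_valid_request(void)
{
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, 5);
    size_t n = heartbeat_fixed(mem, HDR_LEN + 5, out, MEM_SIZE - HDR_LEN);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void)
{
    printf("vulnerable responder leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed responder leaks secret:      %d\n", fixed_leaks_secret());
    printf("fixed responder echoes valid:      %d\n", fixed_echoes_valid_request());
    return 0;
}
```

The secret in the toy was never sent over the connection, so encryption on the wire was irrelevant to it; the only thing standing between it and the peer was the missing comparison of the claimed length against the received length.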
MIT wants pre-release review of Secret Service file on Aaron Swartz
Kevin Poulsen, at Wired's Threat Level blog:
MIT argues that those people might face threats and harassment if their names become public. But it’s worth noting that names of third parties are already redacted from documents produced under FOIA.
MIT has screwed up repeatedly throughout this ordeal, and this is not a sign of improvement. If anything, their interference itself might prompt anonymous hackers to launch new salvos against their networks or dox their personnel.
China is very serious about cyberespionage
Google apologists like myself often answer concerns that the search-and-advertising giant can scan your email with something like “yes, but they’re doing it with robots and scrubbing it clean of all identifying information.”
China, however, is not so concerned with your privacy or its own image. In fact, monitoring otherwise-harmless civilians probably proves valuable to the renegade nation by illustrating the best means of tricking US netizens into installing backdoor viruses on their systems.
The most important point this article makes, in my view, is that China is playing the long game on cyberespionage efforts. As David Feith reports in the Wall Street Journal piece linked to above:
The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”
They’re not going to take down any infrastructure any time soon, but if and when they want to, their current efforts will probably go a long way to helping them learn how to do it.
This stuff is not just a headline: it’s been happening for some time, is still happening, and is likely only to increase. Mr. Feith’s article at the Journal is well worth reading.
US suspects Iran behind DDoS attacks on banks
These look a lot like “feeler” operations, meant to gauge the reaction attackers can expect from victim institutions and nations. The United States (read: Congress) must act immediately to ensure that we’re ready when attackers stop slowing down or blocking bank websites and start trying to steal customer data en masse.
96.36 billion cyberattacks against the US Navy each year
The Next Web's Emil Protalinski, quoting HP's head of enterprise services Mike Nefkens:
“This means the attacks average out at about 1,833 per minute or 30 every second.” Those figures are simply astonishing. Extrapolating the other way, it means the US Navy is attacked some 96.36 billion times every year.
If you ever doubted the importance of cyber-preparedness, this should go a long way toward assuaging those doubts.
Wireless attack could fatally turn pacemakers against patients
Patrick Gray, writing at The Register:
Jack also warned of a worst-case scenario in which a worm could infect multiple devices, spreading from patient to patient, re-flashing the devices with malicious code as it goes. This code could be programmed to deliver fatal shocks to patients implanted with vulnerable implants at a scheduled time.
So many lives depend upon the safe operation of a device like a pacemaker, including some of my dearest family. The good news here is that the researcher who discovered the vulnerability is ready and willing to work with manufacturers to design around the security weaknesses in these devices.
But perhaps more importantly, what about devices that have already been implanted in patients? I hope the corrections can be made via a software update so that even current patients can receive the fixes.
As an aside, this technology could also be used in the cyberwarfare arena for exceptionally clandestine assassinations.