China hack attacks on US continue despite commercial spying pact

If this surprises you, I’ve got a real-life, fully functional totally Back to the Future hoverboard to sell you…

Hackers Can Silently Control Siri From 16 Feet Away

Well this is concerning:

A pair of researchers at ANSSI, a French government agency devoted to information security, have shown that they can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled, if it also has a pair of headphones with a microphone plugged into its jack. Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone. Without speaking a word, a hacker could use that radio attack to tell Siri or Google Now to make calls and send texts, dial the hacker’s number to turn the phone into an eavesdropping device, send the phone’s browser to a malware site, or send spam and phishing messages via email, Facebook, or Twitter.

You can disable Siri whenever your iOS device is locked by going to Settings > Touch ID & Passcode > Allow Access When Locked and toggling the Siri switch to the “off” (as in not green) position. This doesn’t guarantee a hack like the one deascribed above won’t work on your device, but it does guarantee you’ll see Siri doing something weird and can thus be alerted to the hackery.

Federal Court’s data breach decision shows new tilt toward victims, class-action lawsuits

John Fontana writes at ZDNet:

In an interesting twist, the Court said the fact Neiman Marcus offered free credit monitoring services was evidence that there was harm to these victims. The ruling turned on its head the way courts historically view such services as compensation for harm while negating a victim's right to file a lawsuit (re: standing).

This may get very interesting very fast: if companies are at risk of being held ot have tacitly admitted liability by offering credit protection services to potential breach victims, they will stop offering that stuff.

The possibility of class actions instead of free credit monitoring may appeal to those whose data has been stolen, but it’s not really a great trade at all. Credit monitoring is expensive and the industry is still suffering growing pains, but class actions usually net plaintiffs an insignificant amount of money in damages while making lawyers very, very rich.

China-Tied Hackers That Hit U.S. Said to Breach United Airlines

This is starting to look like a concerted effort to gather a specific data set for some sort of coordinated use:

The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests -- which include information on flights’ passengers, origins and destinations -- according to one person familiar with the carrier’s investigation.

Michael Riley and Jordan Robertson, reporting a fascinating story at Bloomberg:

In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack.

The act exempts intelligence and law-enforcement activities, allowing the government to respond more aggressively than private-sector firms. There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts.

Diplomacy and the courts are clearly inadequate channels for preventing, halting or discouraging foreign-based hacking.

The question, then, is whether the U.S. government will use its broader “revenge” authority under the CFA to defend not only itself but private U.S. companies. This method would be problematic from a funding perspective, and may cause diplomatic friction.

Alternatively, the CFA could be amended to allow “proportional responses” by private U.S. companies to foreign-based hacking. This method would be problematic from oversight and transparency perspectives, subjecting revenge hacking to market dynamics and the “black box” in which companies conduct so much of their business (especially when they’re privately held).

Yes, companies often have to deal with reporting requirements in the aftermath of a major data breach, but they don’t have to disclose any countermeasures under any current state or federal notification regime I can find.

Perhaps the best solution would involve some hybrid of these. For example, a department of government investigators and hackers could be assigned in small groups to companies facing imminent or ongoing foreign-based hacking.

They could embed into the companies like journalists sometimes embed into military units, assisting the company in its response and pulling the trigger on revenge hacks, insulating the company from CFA immunity.

The hybrid method minimizes government expense, maximizes company involvement and allows for the use of transparency laws such as the Freedom of Information Act by journalists and policy analysts to peek inside the black box.

I’m obviously not going to come up with a perfect solution in a short blog post, but it’s worth thinking about.

Image by the author

Employees sue Sony over email leaks

Heartbleed: When no encryption is better than bad encryption

MIT wants pre-release review of Secret Service file on Aaron Swartz

China is very serious about cyberespionage

US suspects Iran behind DDoS attacks on banks

96.36 billion cyberattacks against the US Navy each year

Wireless attack could fatally turn pacemakers against patients