hacking

    China hack attacks on US continue despite commercial spying pact

    If this surprises you, I’ve got a real-life, fully functional totally Back to the Future hoverboard to sell you…

    Hackers Can Silently Control Siri From 16 Feet Away

    Well this is concerning:

    A pair of researchers at ANSSI, a French government agency devoted to information security, have shown that they can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled, if it also has a pair of headphones with a microphone plugged into its jack. Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone. Without speaking a word, a hacker could use that radio attack to tell Siri or Google Now to make calls and send texts, dial the hacker’s number to turn the phone into an eavesdropping device, send the phone’s browser to a malware site, or send spam and phishing messages via email, Facebook, or Twitter.

    You can disable Siri whenever your iOS device is locked by going to Settings > Touch ID & Passcode > Allow Access When Locked and toggling the Siri switch to the “off” (as in not green) position. This doesn’t guarantee a hack like the one described above won’t work on your device, but it does guarantee you’ll see Siri doing something weird and can thus be alerted to the hackery.

    Federal Court's data breach decision shows new tilt toward victims, class-action lawsuits

    John Fontana writes at ZDNet:

    In an interesting twist, the Court said the fact Neiman Marcus offered free credit monitoring services was evidence that there was harm to these victims. The ruling turned on its head the way courts historically view such services as compensation for harm while negating a victim's right to file a lawsuit (re: standing).

    This may get very interesting very fast: if companies are at risk of being held to have tacitly admitted liability by offering credit protection services to potential breach victims, they will stop offering that stuff.

    The possibility of class actions instead of free credit monitoring may appeal to those whose data has been stolen, but it’s not really a great trade at all. Credit monitoring is expensive and the industry is still suffering growing pains, but class actions usually net plaintiffs an insignificant amount of money in damages while making lawyers very, very rich.

    China-Tied Hackers That Hit U.S. Said to Breach United Airlines

    This is starting to look like a concerted effort to gather a specific data set for some sort of coordinated use:

    The previously unreported United breach raises the possibility that the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that have been compromised. Among the cache of data stolen from United are manifests -- which include information on flights’ passengers, origins and destinations -- according to one person familiar with the carrier’s investigation.

    Some policy thoughts on corporate "revenge hacking"

    Michael Riley and Jordan Robertson, reporting a fascinating story at Bloomberg:

    In the U.S., companies are prohibited by the 30-year-old Computer Fraud and Abuse Act from gaining unauthorized access to computers or overloading them with digital demands, even to stop an ongoing attack.

    The act exempts intelligence and law-enforcement activities, allowing the government to respond more aggressively than private-sector firms. There’s little indication, though, that military and intelligence agencies have used their most powerful tools to shut down attacks on businesses, as the U.S. has attempted to address foreign-based hacking through diplomacy and the courts.

    Diplomacy and the courts are clearly inadequate channels for preventing, halting or discouraging foreign-based hacking.

    The question, then, is whether the U.S. government will use its broader “revenge” authority under the CFAA to defend not only itself but private U.S. companies. This method would be problematic from a funding perspective, and may cause diplomatic friction.

    Alternatively, the CFAA could be amended to allow “proportional responses” by private U.S. companies to foreign-based hacking. This method would be problematic from oversight and transparency perspectives, subjecting revenge hacking to market dynamics and the “black box” in which companies conduct so much of their business (especially when they’re privately held).

    Yes, companies often have to deal with reporting requirements in the aftermath of a major data breach, but they don’t have to disclose any countermeasures under any current state or federal notification regime I can find.

    Perhaps the best solution would involve some hybrid of these. For example, a department of government investigators and hackers could be assigned in small groups to companies facing imminent or ongoing foreign-based hacking.

    They could embed into the companies like journalists sometimes embed into military units, assisting the company in its response and pulling the trigger on revenge hacks, insulating the company from CFAA liability.

    The hybrid method minimizes government expense, maximizes company involvement and allows for the use of transparency laws such as the Freedom of Information Act by journalists and policy analysts to peek inside the black box.

    I’m obviously not going to come up with a perfect solution in a short blog post, but it’s worth thinking about.

    Image by the author

    Employees sue Sony over email leaks

    Heartbleed: When no encryption is better than bad encryption

    MIT wants pre-release review of Secret Service file on Aaron Swartz

    China is very serious about cyberespionage

    US suspects Iran behind DDoS attacks on banks

    96.36 billion cyberattacks against the US Navy each year

    Wireless attack could fatally turn pacemakers against patients