Senator wants cybersecurity answers from automakers (Tom’s Guide, 5 Dec 2013) – A U.S. senator has asked 20 automobile manufacturers how each plans to stave off wireless hacking attempts on vehicle computer systems, as well as prevent violations of driver privacy. “I write to request information regarding your company’s protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of wireless, navigation and other technologies into and with automobiles,” wrote Sen. Ed Markey, D-Mass., in a letter to Daniel Akerson, CEO of General Motors, on Monday (Dec. 2). Markey’s questions imply that he wants carmakers to apply computer-industry security processes, including implementation of anti-virus software, incident logging, incident-response planning, software vulnerability patching and third-party penetration testing – the last of which would stage real hacker attacks on mass-production vehicles. Markey, one of the half-dozen lawmakers on Capitol Hill who has demonstrated a clear understanding of computer technology, cited research done earlier this year by two Pentagon-funded “white hat” hackers. “In a recent study that was funded by the Defense Advanced Research Projects Agency (DARPA),” Markey wrote, “Charlie Miller and Chris Valasek demonstrated their ability to directly connect to a vehicle’s computer systems, send commands to different ECUs through the CAN and thereby control the engine, brakes, steering and other critical vehicle components.”

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/stockimages.

How the Bitcoin protocol actually works (by Michael Nielsen and recommended by Bruce Schneier, 6 Dec 2013) – Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We’ll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction. Understanding the protocol in this detailed way is hard work. It is tempting instead to take Bitcoin as given, and to engage in speculation about how to get rich with Bitcoin, whether Bitcoin is a bubble, whether Bitcoin might one day mean the end of taxation, and so on. That’s fun, but severely limits your understanding. Understanding the details of the Bitcoin protocol opens up otherwise inaccessible vistas.

Provided by MIRLN.

Image courtesy of techinasia.com/bitcoin-illegal-thailand/cdn.btcpedia.com.

FBI surveillance malware in bomb threat case tests constitutional limits (ArsTechnica, 6 Dec 2013) – The FBI has an elite hacker team that creates customized malware to identify or monitor high-value suspects who are adept at covering their tracks online, according to a published report. The growing sophistication of the spyware—which can report users’ geographic locations and remotely activate a computer’s camera without triggering the light that lets users know it’s recording—is pushing the boundaries of constitutional limits on searches and seizures, The Washington Post reported in an article published Friday. Critics compare it to a physical search that indiscriminately seizes the entire contents of a home, rather than just those items linked to a suspected crime. Former US officials said the FBI uses the technique sparingly, in part to prevent it from being widely known. The 2,000-word article recounts an FBI hunt for “Mo,” a man who made a series of threats by e-mail, video chat, and an Internet voice service to detonate bombs at universities, airports, and hotels across a wide swath of the US last year. After tracing phone numbers and checking IP addresses used to access accounts, investigators were no closer to knowing who the man was or even where in the world he was located. Then, officials tried something new. “The FBI’s elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed onto his Yahoo e-mail account, from any computer anywhere in the world, according to the documents,” reporters Craig Timberg and Ellen Nakashima wrote. “The goal of the software was to gather a range of information—Web sites he had visited and indicators of the location of the computer—that would allow investigators to find Mo and tie him to the bomb threats.” “We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Washington Post, speaking of the case against Mo. “Judges are having to make up these powers as they go along.”

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/renjith krishnan.

Firms will need cyber “badge” to win some British govt business (Reuters, 12 Dec 2013) – Britain will announce on Thursday that firms wishing to bid for certain areas of government procurement will have to meet a new standard demonstrating basic levels of cyber security. The scheme forms part of the latest plank of Britain’s attempt to counter a growth in hostile cyber assaults, which has been earmarked as a top national security issue but whose progress has come in for severe criticism from lawmakers. The plans will include creation of a government-backed cyber standard for businesses which would be adopted for future procurement, while also designed to give insurers, investors and auditors something “they can bite on” when they weigh how good companies are at managing risks.

Is this a necessary precaution, a protectionist measure, an innovation killer, or all of the above?

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Victor Habbick.

New documents show how the NSA infers relationships based on mobile location data (Washington Post, 10 Dec 2013) – Everyone who carries a cellphone generates a trail of electronic breadcrumbs that records everywhere they go. Those breadcrumbs reveal a wealth of information about who we are, where we live, who our friends are and much more. And as we reported last week, the National Security Agency is collecting location information in bulk — 5 billion records per day worldwide — and using sophisticated algorithms to assist with U.S. intelligence-gathering operations. How do they do it? And what can they learn from location data? The latest documents show the extent of the location-tracking program we first reported last week. Read on to learn more about what the documents show. The NSA doesn’t just have the technical capabilities to collect location-based data in bulk. A 24-page NSA white paper shows that the agency has a powerful suite of algorithms, or data sorting tools, that allow it to learn a great deal about how people live their lives. Those tools allow the agency to perform analytics on a global scale, examining data collected about potentially everyone’s movements in order to flag new surveillance targets. For example, one NSA program, code-named Fast Follower, was developed to allow the NSA to identify who might have been assigned to tail American case officers at stations overseas. By correlating an officer’s cellphone signals to those of foreign nationals in the same city, the NSA is able to figure out whether anyone is moving in tandem with the U.S. officer.

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Arvind Balaraman.

Google catches French govt spoofing its domain certificates (ZDnet, 9 Dec 2013) – France’s cyberdefence division, Agence nationale de la sécurité des systèmes d’information (ANSSI), has been detected creating unauthorised digital certificates for several Google domains. Google states on its own security blog that an intermediate certificate authority (CA) issued the certificate, which links back to ANSSI. “Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate,” Google wrote. In a statement by ANSSI, the cyberdefence organisation revealed that this intermediate CA is actually its own infrastructure management trust administration, or “L’infrastructure de gestion de la confiance de l’administration” (IGC/A). ANSSI itself is the cyber response and detection division of the French republic. ANSSI states that the fraudulent certificates were a result of “human error, which was made during a process aimed at strengthening overall IT security”. Google states that the certificate was used in a commercial device, on a private network, to inspect encrypted traffic. According to the web giant, users on that network were aware that this was occurring, but the practice was in violation of ANSSI’s procedures. Google used the incident to highlight the need for its Certificate Transparency project, aimed at fixing flaws in the SSL certificate system that could result in man-in-the-middle attacks and website spoofing. Google’s answer to these flaws is for CAs to adopt a framework that monitors and audits these certificates, thus outing rogue CAs or when certificates are illegitimately issued. This is not the first time that the flaws of SSL certificates have been exposed. The US National Security Agency is alleged to have used man-in-the-middle attacks through unauthorised certificates against Google in the past. Additionally, in August 2011, a breach at DigiNotar, another CA, found that an Iranian hacker had created rogue certificates for Google domains, intercepting user passwords for Gmail.
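The Certificate Transparency idea mentioned in the item above rests on two mechanisms: an append-only, publicly verifiable log of issued certificates, and monitors that read the log and flag certificates for a domain issued by a CA the domain owner does not expect. The following is an added illustration, written for this digest and not code from Google, ANSSI or the ZDNet article. It models a CT log as an RFC 6962-style Merkle tree (leaf and node hashing, root computation, inclusion proofs and the auditor-side verification procedure from RFC 9162) and adds a simple monitor. The log entries, CA names and the expected-issuer policy are constructed sample data, and real CT entries carry full certificates rather than the (domain, issuer) pairs used here.

```python
import hashlib

# Constructed sample log entries as (subject domain, issuing CA). Made-up
# records for illustration only, not data from any real CT log.
SAMPLE_ENTRIES = [
    ("www.example.com", "Example Root CA"),
    ("mail.example.com", "Example Root CA"),
    ("www.example.com", "Unexpected Intermediate CA"),  # not on the owner's allowlist
    ("shop.example.org", "Other CA"),                   # not a watched domain
]

# Hypothetical monitor policy: the issuers the owner of example.com expects.
EXPECTED_ISSUERS = {"example.com": {"Example Root CA"}}


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def serialize(entry) -> bytes:
    domain, issuer = entry
    return f"{domain}|{issuer}".encode()


def leaf_hash(entry) -> bytes:
    # RFC 6962 domain separation: leaves are hashed with a 0x00 prefix ...
    return _sha256(b"\x00" + serialize(entry))


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never be passed off as a node.
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    # Largest power of two strictly less than n: the RFC 6962 subtree split point.
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(entries) -> bytes:
    # Merkle tree hash (MTH) over the ordered entry list.
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries, index: int) -> list:
    # Sibling hashes, leaf-to-root, proving entries[index] is in the tree.
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry, index: int, tree_size: int, proof: list, root: bytes) -> bool:
    # Auditor-side check that a log really contains the entry (RFC 9162 procedure).
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def find_misissued(entries, expected_issuers) -> list:
    # Monitor: flag certificates for watched domains from unexpected issuers.
    flagged = []
    for i, (domain, issuer) in enumerate(entries):
        for watched, allowed in expected_issuers.items():
            if domain == watched or domain.endswith("." + watched):
                if issuer not in allowed:
                    flagged.append((i, domain, issuer))
    return flagged


if __name__ == "__main__":
    root = merkle_root(SAMPLE_ENTRIES)
    for i, entry in enumerate(SAMPLE_ENTRIES):
        proof = inclusion_proof(SAMPLE_ENTRIES, i)
        print(i, entry, "included:", verify_inclusion(entry, i, len(SAMPLE_ENTRIES), proof, root))
    print("flagged by monitor:", find_misissued(SAMPLE_ENTRIES, EXPECTED_ISSUERS))
```

The monitor is the piece that "outs" mis-issuance: the log itself accepts any syntactically valid certificate, and the append-only Merkle structure only guarantees that, once logged, an entry cannot be quietly removed or altered without the root hash changing. Whether an entry is legitimate is a policy decision made by the domain owner watching the log.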

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Vichaya.