Andy Greenberg, Security. *WiReD*, 21 Jul 2015 [noted by quite a few of you] I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn't touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car's digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought. "The Jeep's strange behavior wasn't entirely unexpected. I'd come to St. Louis to be Miller and Valasek's digital crash-test dummy, a willing subject on whom they could test the car-hacking research they'd been doing over the past year. The result of their work was ... a zero-day exploit ... that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker's nightmare: software that lets hackers send commands through the Jeep's entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country." http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Watch out for details of hacking via the Internet, obtaining control of: brakes, accelerator, door-locking, air conditioning, wipers, steering (only in reverse gear,-) and location. Black Hat presentation by Charlie Miller & Chris Valasek: Remote Exploitation of an Unaltered Passenger Vehicle ...In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle's hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ [Lots of submissions on this topic. See also http://bits.blogs.nytimes.com/2015/07/21/security-researchers-find-a-way-to-hack-cars/ PGN]
> Engineering a self-driving car is difficult enough. Now the public has
> to be convinced that the technology works.

In a recent speech I asked a question you might like this: "What Does the Future Hold for Cyber Security?", 19 June 2015 I leave to any policy discussion the question of whether the speeds at which cyber security automation must run will even allow occasional interruption to ask some human operator for permissions to act, or must cyber kill decisions be automated on the argument that only when so automated can they respond in time? If the latter holds, and I am certain that it will, science will be under the gun to encode human ethics into algorithms that will thereafter free run. Put differently, I predict that it is in cyber security, per se, where the argument over artificial intelligence will find its foremost concretization. Frankly, I very much side with Hawking, Gates, and Musk on such matters. As an example of an unevalu(at)able vignette, the self-driving car will choose between killing its solo passenger or fifteen people on the sidewalk. Many are the examples of airplane pilots sacrificing themselves to avoid crash landing in populated zones. Will you willingly ride in an altruistic vehicle? ...
Sens. Blumenthal, Markey Introduce Legislation to Protect Drivers from Auto Security, Privacy Risks with Standards & "Cyber Dashboard" Rating System, 21 Jul 2014 http://www.blumenthal.senate.gov/newsroom/press/release/sens-blumenthal-markey-introduce-legislation-to-protect-drivers-from-auto-security-privacy-risks ... “Drivers shouldn't have to choose between being connected and being protected," said Senator Markey. "We need clear rules of the road that protect cars from hackers and American families from data trackers. This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles. I look forward to working with Senator Blumenthal to ensure auto safety and security in the 21st century." "We feel that as cars become more connected, software security becomes more important," said Chris Valasek, Director of Vehicle Security Research at IOActive and Charlie Miller, security researcher. "In addition to robust, well-tested software, technology for monitoring, logging, detecting, and possibly stopping attacks should also be implemented. [...] [Dan Geer wrote about auto autosecurity, where this is just auto security. PGN]
FYI—More "recursion, noun. See recursion". I got the following error from Firefox while trying to access proposed legislation on cybersecurity. Perhaps Senator Markey will learn something about encryption & certificates while he's at it. http://www.markey.senate.gov/news/press-releases/sens-markey-blumenthal-introduce-legislation-to-protect-drivers-from-auto-security-privacy-risks-with-standards-and-cyber-dashboard-rating-system P.S.: You *can* download Markey's "SPY" proposed legislation here: http://www.markey.senate.gov/imo/media/doc/SPY%20Car%20legislation.pdf
A Lufthansa plane with 108 passengers on board nearly collided with a drone as it approached Warsaw's main airport on Monday afternoon, the airline said on Tuesday. The drone came within 100 metres (330 feet) of the Embraer plane when the Munich to Warsaw flight was at a height of about 760 metres, the airline and the Polish Air Navigation Services Agency (PANSA) said. Police are investigating, a PANSA spokesman said. The plane landed safely at 1409 GMT, a Lufthansa spokeswoman said. PANSA changed landing directions for other planes until the area was clear. However, police and military helicopters sent to the area did not spot the drone. The incident was first reported by the Aviation Herald. It cited the pilots as telling air traffic controllers they "should take care of your airspace" and "it is really quite dangerous". With the use of commercial drones for applications from filming to sports events and agriculture booming, the European Union is currently working on new regulations for drones to protect the safety and privacy of its citizens. The regulations are due to be presented in the autumn as part of the European Commission's new aviation package. Among the few member states with specific regulations, Germany in June introduced new rules that prevent the use of drones within 1.5 km of airport perimeter fences. Anyone wishing to fly a drone beyond that exclusion zone and in controlled airspace must request permission from air traffic authorities and fly no higher than 50 metres, depending on the size of the aircraft. Drones caused alarm in France earlier this year when several flights were spotted operating over sensitive sites in Paris. Lufthansa CEO Carsten Spohr sees opportunities for the group in the field of commercial drones, saying last month Lufthansa's maintenance and pilot training units could provide expertise.
(Reporting by Victoria Bryan in Berlin and Wiktor Szary in Warsaw; Editing by Mark Potter)
*Slashdot* items [Droning On?] <http://tech.slashdot.org/story/15/07/16/1455223/gun-firing-drone-raises-some-eyebrows> Police Not Issuing Charges For Handgun-Firing Drone—Feds Undecided <http://tech.slashdot.org/story/15/07/22/0441233/police-not-issuing-charges-for-handgun-firing-drone----feds-undecided>
A Virginia man attempted suicide after being accused of child rape, getting death threats and having his home broken into. http://www.washingtonpost.com/local/crime/reign-of-terror-online-trolls-destroy-a-virginia-familys-offline-life/2015/07/20/a467f9bc-19ba-11e5-93b7-5eddc056ad8a_story.html
Eddie Tipton, a man who worked for the Multi-State Lottery Association, has been convicted of rigging a computerized lottery game so he could win the $14 million jackpot. Tipton wrote a computer program that would ensure certain numbers were picked in the lottery game, and ran it on lottery system machines. He then deleted it and bought a ticket from a convenience store. Lottery employees are forbidden to play, so he tried to get acquaintances to cash the winning ticket for him. Unfortunately for him, Iowa law requires the original ticket buyer's name to be divulged before any money can be paid out. <http://yro.slashdot.org/story/15/07/22/1256226/ex-lottery-worker-convicted-of-programming-system-to-win-14m> <http://news.yahoo.com/ex-lottery-worker-convicted-rigging-system-win-14m-161505240.html> <http://yro.slashdot.org/story/15/04/14/1336201/allegation-lottery-official-hacked-rng-to-score-winning-ticket>
[FYI—Once again, how's that deterrence thingy workin' out fer ya, Cyber Command? Stupid question: BTW, is there any US govt agency whose responsibility it is to protect *ordinary citizens* from hackers, foreign and domestic? NSA is supposed to protect the govt itself, but who protects us voters?] U.S. decides against publicly blaming China for data hack Ellen Nakashima, *The Washington Post*, 21 Jul 2015 https://www.washingtonpost.com/world/national-security/us-avoids-blaming-china-in-data-theft-seen-as-fair-game-in-espionage/2015/07/21/03779096-2eee-11e5-8353-1215475949f4_story.html Months after the discovery of a massive breach of U.S. government personnel records, the Obama administration has decided against publicly blaming China for the intrusion in part out of reluctance to reveal the evidence that American investigators have assembled, U.S. officials said. The administration also appears to have refrained from any direct retaliation against China or attempt to use cyber-measures to corrupt or destroy the stockpile of sensitive data stolen from the Office of Personnel Management. “We have chosen not to make any official assertions about attribution at this point,” said a senior administration official, despite the widely held conviction that Beijing was responsible. The official cited factors including concern that making a public case against China could require exposing details of the United States' own espionage and cyberspace capabilities. The official was among several who spoke on the condition of anonymity to describe internal deliberations. As a result, China has so far escaped any major consequence for what U.S. officials have described as one of the most damaging cyberthefts in U.S. government history—an outcome that also appears to reflect an emerging divide in how the United States responds to commercial vs. traditional espionage. [...] Ellen Nakashima is a national security reporter for *The Washington Post*. She focuses on issues relating to intelligence, technology and civil liberties.
[More really bad ideas for James Comey & Theresa May to ape. But why stop with watermarking? North Korea has so many more "recommendations" on "communications reform" that Comey & May will find appealing. What the Norks lack in strategy, they make up in execution.] Florian Grunow, RedStar OS Watermarking http://www.insinuator.net/2015/07/redstar-os-watermarking/ During the last few months information about one of North Korea's operating systems was leaked. It is a Linux based OS that tries to simulate the look and feel of a Mac. Some of its features have already been discussed on various blog posts and news articles. We thought we would take a short look at the OS. This blog post contains some of the results. As you can imagine, most interesting for us was to investigate features that impact the privacy of the users. There are some publications concerning the security of the OS; this is an aspect that we will not cover in this post. We will stick to a privacy issue that we identified in this post. As ERNW has a long history of Making the World a Safer Place, we consider this topic an important one. The privacy of potential users (especially from North Korea) may be impacted and therefore we think that the results must be made available for the public. So, here we go! When analyzing the OS the first thing that came to our attention is that they have built their own kernel module named rtscan. There is a binary running that is named opprc and a few more binaries, one that seems to simulate/pretend to be some kind of virus scanner (scnprc) and seems to share some code base with opprc. We will concentrate on opprc in this blog post, as it is one of the most interesting binaries at first glance. The first thing that came to our attention when looking at the functions in the binary was this: gpsWatermarkingInformation. And there are even more functions like this that sound interesting. You can see a short extract in the picture below.
So it seems that there is some watermarking functionality included. If we look at the available functions there seems to be additional AES crypto involved. From the available functions we can also see that there is watermarking available for documents, images and even audio. By looking at the binary we were able to see that classic Word documents are in the list of documents to be fingerprinted. So we thought we would give it a shot and created a simple DOCX file that we copied on a USB drive and attached the drive to the RedStar OS. Guess what: The MD5sum of the file changed. We did not open the file with the included “Sogwang Office” or touch it in any way; it just changed simply by making it available to the OS. Now a DOCX file is basically a ZIP with multiple files included. If you look at a DOCX in a hex editor you will see that there are larger areas that are filled with null bytes at the beginning of the file. By looking at the same area again in a file that has once been transferred to RedStar we see some garbage inserted into the file. [...]
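The integrity check implied by the post, written out as an added example (this is not code from the ERNW write-up, nor anything from RedStar OS): a DOCX is a ZIP, and the null-filled regions near the start of the file are the extra fields of the ZIP local file headers. The script below builds a minimal DOCX-like archive with zero-padded extra fields (a constructed sample, not a real Word file), simulates the observed effect by overwriting part of that padding with opaque bytes (a stand-in for the "garbage", not the real watermark format), and then shows what a defender can do without any knowledge of the watermark: compare the digest before and after, and walk the local headers to report any padding that is no longer all zeros. The archive still lists and reads normally afterwards, which is why the change is invisible to anyone who just opens the document.

```python
import hashlib
import io
import struct
import zipfile

# ZIP local file header: signature, version, flags, method, mod time, mod date,
# CRC-32, compressed size, uncompressed size, file name length, extra length.
LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes


def build_docx_like(padding: int = 32) -> bytes:
    """Construct a minimal DOCX-style ZIP (constructed sample, not a real Word
    file) whose local headers carry null-filled extra fields, the kind of
    zero-byte region the blog post describes near the start of a DOCX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in (
            ("[Content_Types].xml", b"<Types/>"),
            ("word/document.xml", b"<w:document/>"),
        ):
            info = zipfile.ZipInfo(name, date_time=(2015, 7, 21, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            info.extra = b"\x00" * padding  # zero padding in the extra field
            zf.writestr(info, body)
    return buf.getvalue()


def local_headers(data: bytes):
    """Yield (name, extra_offset, extra_bytes) for each local file header,
    walking the file front to back using the recorded compressed sizes."""
    pos = 0
    while data.startswith(LOCAL_SIG, pos):
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, pos)
        if flags & 0x08:
            # Sizes live in a trailing data descriptor (streamed archive);
            # this walker does not handle that case, so stop rather than guess.
            break
        name_start = pos + LOCAL_LEN
        extra_start = name_start + name_len
        name = data[name_start:extra_start].decode("utf-8", "replace")
        yield name, extra_start, data[extra_start:extra_start + extra_len]
        pos = extra_start + extra_len + csize


def find_tampered_padding(data: bytes):
    """Return [(name, offset, extra_bytes)] for every extra field that is no
    longer all zeros, i.e. padding that something has written into."""
    return [(n, off, ex) for n, off, ex in local_headers(data) if ex and any(ex)]


def simulate_watermark(data: bytes, marker: bytes) -> bytes:
    """Stand-in for what the blog observed: overwrite the start of the first
    null-padded extra field with opaque bytes. Constructed, not RedStar's code."""
    for _name, off, extra in local_headers(data):
        if extra and not any(extra):
            if len(marker) > len(extra):
                raise ValueError("marker does not fit in the padding")
            return data[:off] + marker + data[off + len(marker):]
    raise ValueError("no null-padded extra field found")


def md5_hex(data: bytes) -> str:
    """MD5, because that is the digest the blog compared; any digest works."""
    return hashlib.md5(data).hexdigest()


def archive_names(data: bytes):
    """The archive still parses: the central directory is untouched."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


if __name__ == "__main__":
    clean = build_docx_like()
    # Constructed 8-byte stand-in for the inserted "garbage".
    stamped = simulate_watermark(clean, b"\x9a\x41\x02\xf7\x00\x1c\xe3\x55")
    print("md5 before:", md5_hex(clean))
    print("md5 after: ", md5_hex(stamped))
    for name, off, extra in find_tampered_padding(stamped):
        print(f"non-zero padding in {name!r} at offset {off}: {extra[:8].hex()}")
    print("still opens:", archive_names(stamped))
```

The walker stops at archives that use data descriptors (flag bit 3), since their local headers carry no sizes; Word-produced DOCX files do not use them. A practical check is therefore: keep a digest of the document before it leaves your control, and on return compare the digest and run `find_tampered_padding`, which points at the exact offset to inspect in a hex editor.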
[FYI—James Comey & Theresa May will absolutely *love* this device, except they would invert the shocking condition.] Web Training Collar https://jaspervanloenen.com/web-training-collar/ Many websites still only offer an unencrypted (HTTP) connection to their visitors. The communication between the visitor's computer and the server hosting the website is open, and can easily be intercepted by others. Possible attackers can see anything the user is seeing: text, images, links clicked, etc. Especially on open or public Wi-Fi networks there is always the chance of someone looking at your Internet usage. The Web Training Collar is aimed at Internet users who want to change this. If the owners of the websites don't offer a more secure connection, you can use the tested Pavlov-effect to condition yourself into not visiting these websites anymore. This is done using a dog collar that is able to apply a small electrostatic shock to its wearer. A small piece of software running in the background on the user's computer monitors the Internet traffic and applies a corrective shock when needed. The intensity of the shock increases with each consecutive visit to an unprotected website. All necessary code to use the Web Training Collar can be found in the GitHub repository. https://github.com/javl/web-training-collar The Web Training Collar was built during medialab Setup's Controlegroep (control group) project. The 25 participants of the Controlegroep have set up experiments to see if and how their behavior can be monitored or altered with the help of apps and gadgets. The Web Training Collar uses a browser plugin combined with a local Flask webserver. To control the collar from the computer, an Arduino Nano was used in combination with a 433 MHz RF transmitter to replace the original remote control.
Pavithra Mohan, Microsoft Will Remove Revenge Porn From Search Results The tech firm is the latest to advocate for victims of revenge porn <https://www.fastcompany.com/3048933/fast-feed/microsoft-will-remove-revenge-porn-from-search-results>
In the wake of the Ashley Madison hack, we're continuing to learn that there's no such thing as 100% security on the Internet. <https://www.fastcompany.com/3048871/why-deleting-personal-information-on-the-internet-is-a-fools-errand>
Digital media companies are struggling with a tough transition—from underfunded start-ups to mature businesses. http://www.nytimes.com/2015/07/22/business/media/limits-at-gawker-rules-at-reddit-wild-west-web-turns-a-page.html
FYI—Yes, this article is "Sponsor-Generated Content", aka advertising. "The day is coming when missiles can be printed." But what Raytheon can do, so can a high school student with his 3D printer, or as parts ordered online from materials like stainless steel. http://www.shapeways.com/materials/steel Sponsor-Generated Content: To Print a Missile Raytheon, 19 Jul 2015 The day is coming when missiles can be printed. http://thehill.com/sponsored/content/248294-to-print-a-missile [Weed it and reap! PGN]
FYI—The author of this paper is both a lawyer & PhD Computer Science. Excellent paper on Fourth Amendment issues, but does not evaluate First, Second, Third, and Fifth Amendment issues wrt govt malware. Furthermore, the author focuses solely on domestic criminal procedure, and doesn't evaluate national security issues. Finally, he doesn't address at any length the types of SW and/or HW hacks necessary to install the malware; in particular, his paper sheds no light on the recent Comey "HackDoor" controversy. "I normatively argue that the super-warrant standard should apply to government hacking" https://papers.ssrn.com/sol3/papers.cfm?abstract_id&33247 Jonathan Mayer, J.D., Stanford Law School, 2013; Ph.D., Stanford University Department of Computer Science, Expected 2015. Constitutional Malware, 20 Jul 2015 Abstract: The United States government hacks computer systems, for law enforcement purposes. According to public disclosures, both the Federal Bureau of Investigation and Drug Enforcement Administration are increasingly resorting to computer intrusions as an investigative technique. This article provides the first comprehensive examination of how the Constitution should regulate government malware. When applied to computer systems, the Fourth Amendment safeguards two independent values: the *integrity of a device* as against government breach, and the *privacy properties of data* contained in a device. Courts have not yet conceptualized how these theories of privacy should be reconciled. Government malware forces a constitutional privacy reckoning. Investigators can algorithmically constrain the information that they retrieve from a hacked device, ensuring they receive only data that is in isolation constitutionally unprotected. According to declassified documents, FBI officials have theorized that the Fourth Amendment does not apply in this scenario.
A substantially better view of the law, I conclude, is that *the Fourth Amendment's dual protections are cumulative*, not mutually exclusive. Applying this two-stage framework, I find that the Fourth Amendment imposes a warrant requirement on almost all law enforcement malware. The warrant must be valid throughout the duration of the malware's operation, and *must provide reasonable ex post notice to a computer's owner*. In certain technical configurations, the Constitution goes even further, requiring law enforcement to satisfy an exacting super-warrant standard. Reviewing public disclosures, I find that the government has a spotty record of compliance with these foundational privacy safeguards. Moving beyond established doctrine and current practice, *I normatively argue that the super-warrant standard should apply to government hacking*. The same considerations that prompted heightened judicial review of wiretapping in the 1960s should prompt close scrutiny of law enforcement malware today.