Nicole Perlroth and Katie Benner, *The New York Times*, 23 March 2016 Excerpts (lightly PGN-ed): Google, Microsoft, Facebook, Twitter, Mozilla and many other tech companies all pay outside hackers to turn over bugs in their products and systems. Uber began a new bug bounty program [yesterday]. Google has paid outside hackers more than $6M since it announced a bug bounty program in 2010, and last week doubled its top reward to $100,000 for anyone who can break into Chromebook. Yet Apple has yet to give hackers anything more than a gold star. When hackers turn over serious flaws in its products, they may see their name(s) listed on the company's website. ... Apple could now be doing more, especially in this day and age where the conventions of finding bugs and fixing them have changed. Just this week, researchers at JHU uncovered a flaw that would allow attackers to decrypt the contents of photos and videos attached in Apple's iMessage program. [Actually, they reported it to Apple back in December, but diligently withheld announcing it publicly until Apple had fixed it.] ... Jay Kaplan, former NSA analyst and co-founder of Synack: “Apple can embrace security researchers, or try to facilitate programs that will secure its operating system, but it's never going to be able to compete with what is going on behind the scenes in the black market. It's just not going to happen.”
An Israeli newspaper has reported that data forensics experts at Cellebrite are involved in the case. [PGN-ed] http://www.ynetnews.com/articles/0,7340,L-4782246,00.html http://www.bbc.com/news/technology-35883441 Cellebrite told the BBC that it works with the FBI but would not say more. However, its website states that one of its tools can extract and decode data from the iPhone 5C—the model in question—among other locked handsets. <http://www.cellebrite.com/Pages/ios-forensics-physical-extraction-decoding-and-analysis-from-ios-devices> “File system extractions, decoding and analysis can be performed on locked iOS devices with a simple or complex passcode,” Cellebrite's site states. “... Simple passcodes will be recovered during the physical extraction process and enable access to emails and keychain passwords. ... If a complex password is set on the device, physical extraction can be performed without access to emails and keychain.”
Andy Greenberg, *WiReD*, 21 Mar 2016 http://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/ For years, car owners with keyless entry systems have reported thieves approaching their vehicles with mysterious devices and effortlessly opening them in seconds. After having his Prius burgled repeatedly outside his Los Angeles home, the New York Times' former tech columnist Nick Bilton came to the conclusion that the thieves must be amplifying the signal from the key fob in the house to trick his car's keyless entry system into thinking the key was in the thieves' hand. He eventually resorted to keeping his keys in the freezer. Now a group of German vehicle security researchers has released new findings about the extent of that wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops. The Munich-based automobile club ADAC late last week made public a study it had performed on dozens of cars to test a radio *amplification attack* that silently extends the range of unwitting drivers' wireless key fobs to open cars and even start their ignitions, as first reported by the German business magazine WirtschaftsWoche. The ADAC researchers say that 24 different vehicles from 19 different manufacturers were all vulnerable, allowing them to not only reliably unlock the target vehicles but also immediately drive them away. “This clear vulnerability in [wireless] keys facilitates the work of thieves immensely,” reads a post in German about the researchers' findings on the ADAC website. “The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner.” That car key hack is far from new: Swiss researchers published a paper detailing a similar amplification attack as early as 2011.
But the ADAC researchers say they can perform the attack far more cheaply than those predecessors, spending just $225 on their attack device compared with the multi-thousand-dollar software-defined radios used in the Swiss researchers' study. They've also tested a larger array of vehicles and, unlike the earlier study, released the specific makes and models of which vehicles were susceptible to the attack; they believe that hundreds of thousands of vehicles in driveways and parking lots today remain open to the wireless theft method.

The Vulnerable Makes and Models

Here's the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW 730d, Citroen DS4 CrossBack, Ford Galaxy and Eco-Sport, Honda HR-V, Hyundai Santa Fe CRDi, KIA Optima, Lexus RX 450h, Mazda CX-5, MINI Clubman, Mitsubishi Outlander, Nissan Qashqai and Leaf, Opel Ampera, Range Rover Evoque, Renault Traffic, Ssangyong Tivoli XDi, Subaru Levorg, Toyota RAV4, and Volkswagen Golf GTD and Touran 5T. Only the BMW i3 resisted the researchers' attack, though they were still able to start its ignition. And the researchers posit—but admit they didn't prove—that the same technique likely would work on other vehicles, including those more common in the United States, with some simple changes to the frequency of the equipment's radio communications. The ADAC released a video that shows surveillance camera footage of a real-world theft that seemed to use the technique, as well as a demonstration by the group's own researchers. [...]
This is really fun but it is the result of not having the simple role of user intent. Simply adding a timer to the fob could result in the fob only responding for 5 min after any button is pushed. This concept is similar to how any malware on a PC can use the user's smart card because it is left plugged in and the operating system can easily steal the PIN and enable remote signing or encryption functions. User intent is a critical part of the formation of a modern transaction or instruction. Technologies like Trusted User Interface (TUI), which is part of the Trusted Execution Environment in Samsung handsets, provide a solid capability to assure the user participates.
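To make the timer suggestion concrete, here is an added example that is not from the post, from ADAC, or from any vehicle manufacturer. It models a passive keyless-entry fob as a simple HMAC challenge-response device (an assumption; real fob protocols differ) and a relay that merely forwards the exchange over a longer distance. The point it demonstrates is that the relay never touches the cryptography: an always-on fob answers any challenge it hears, while a fob gated on a recent physical button press stays silent, so the relayed exchange fails. The `Fob`, `Car` and `relay_unlock_attempt` names and the shared key are constructed for this illustration.

```python
"""Passive keyless-entry fob with and without a user-intent gate (constructed model).

The car sends a random challenge; the fob answers with an HMAC over it. A relay
(the amplification attack in the article) forwards both messages unchanged, so
the HMAC still verifies. What the gated fob changes is *when* it is willing to
answer at all: only within INTENT_WINDOW_S seconds of a physical button press.
"""
import hashlib
import hmac
import os

INTENT_WINDOW_S = 300  # the 5-minute window suggested in the post


class Fob:
    def __init__(self, key: bytes, require_intent: bool, window: int = INTENT_WINDOW_S):
        self.key = key
        self.require_intent = require_intent
        self.window = window
        self.last_press = None  # fob-local clock reading of the last button press

    def press_button(self, now: float) -> None:
        """The owner physically presses the fob: this is the intent signal."""
        self.last_press = now

    def armed(self, now: float) -> bool:
        """An always-on fob is always armed; a gated fob only inside the window."""
        if not self.require_intent:
            return True
        if self.last_press is None:
            return False
        return 0 <= now - self.last_press <= self.window

    def respond(self, challenge: bytes, now: float):
        """Answer the car's challenge, or stay silent if there is no recent intent."""
        if not self.armed(now):
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)  # fresh nonce for every unlock attempt
        return self.pending

    def verify(self, response) -> bool:
        """Unlock only if the response is the HMAC of the outstanding nonce."""
        if response is None or self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None
        return hmac.compare_digest(expected, response)


def relay_unlock_attempt(require_intent: bool, seconds_since_press=None,
                         now: float = 10_000.0) -> bool:
    """Simulate one relayed unlock attempt while the fob is far from the car.

    seconds_since_press: how long ago the owner last pressed the fob's button
    (None means never). Returns True if the relayed exchange unlocks the car.
    """
    key = b"constructed-shared-fob-key"  # constructed value, not a real key
    fob = Fob(key, require_intent=require_intent)
    car = Car(key)
    if seconds_since_press is not None:
        fob.press_button(now - seconds_since_press)
    # The relay extends radio range but forwards both messages byte-for-byte.
    relayed_challenge = car.challenge()
    relayed_response = fob.respond(relayed_challenge, now)
    return car.verify(relayed_response)


if __name__ == "__main__":
    print("always-on fob, owner idle at home:", relay_unlock_attempt(False))
    print("gated fob, owner idle at home:   ", relay_unlock_attempt(True))
    print("gated fob, 60 s after a press:   ", relay_unlock_attempt(True, 60))
    print("gated fob, 10 min after a press: ", relay_unlock_attempt(True, 600))
```

The window is the trade-off the post is pointing at: for five minutes after a press the gated fob behaves exactly like the always-on one, so the mitigation ties unlocking to a recent act by the owner rather than to the fob merely being within (relayed) radio range. The model deliberately leaves the challenge-response unchanged to show that stronger cryptography alone does not address a relay.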
> This is really fun but it is the result of not having the simple role of
> user intent.

...as exemplified by the same attack being used on NFC credit cards. The Apple (and I assume other NFC enabled smart devices) do capture intent so they are somewhat more secure.
I bought a nice leather wallet with a built in tinfoil hat: http://www.idstronghold.com/rfid-blocking-secure-wallet-10slots-idsh7005.asp It does seem to work—NFC apps on my phone can't read cards through the wallet, and tapping the wallet on a contactless credit card terminal never beeps. I originally got it to protect my NEXUS card (a passport card issued by the US and Canadian governments) but now I have several contactless credit and debit cards, too. Wallet also available on Amazon for $2 more.
I think it is useful to separate concerns with regard to the Ukrainian power outage in December 2015. One concern involves a cyber attack on the infrastructure related to electricity distribution ICT systems. Another involves electricity outages.

First: There was a cyber attack on electricity-distribution infrastructure in Ukraine on 2015-12-24, as well as a DoS attack on the voice-telephone systems of the targeted energy companies. These cyberattacks did not cause the electricity outages, according to the SANS Report.

Second: The electricity outages were caused by human control action, according to the SANS Report. These actions were apparently remotely executed. Here is the citation:

[begin quote SANS Report] Regardless of the impact of the SCADA network environment, neither [of the two pieces of malware identified] contained the required components to cause the outage. The outages were caused by the use of the control systems and their software through direct interaction by the adversary. All other tools and technology, such as [the identified malware], were used to enable the attack or delay restoration efforts. [end quote SANS Report]

The outages were apparently caused by human action using valid authentication for the control systems. There is apparently no public information, if any at all, on who the attackers were. I note that Ukraine is undergoing civil war which has lasted so far a couple of years. The attackers could have been employees with legitimate authentication credentials who wished to disrupt supply. They could also have been breakers-in who managed to obtain authentication credentials for the control systems through any of the well-known methods.

The SANS report, and the RISKS contributions by Alister Macintyre, focus on the first of these concerns, the mechanisms of the cyber attacks. It is not at all surprising either that hostile actors disrupt computer systems to which they have access or that there is malware available for them to do so. I am not sure how much we can learn from this. I am also not sure at this point what we can learn from the outage itself. It is obvious that hostile actors using valid authentication can disrupt the function of a control system. The issue of remote access facilities to control systems on industrial plant, and the vulnerabilities that go along with it, is well-known to security professionals. However, there is a considerable challenge in raising the awareness of engineering-plant personnel about the criticality of the computer systems they might be using. I address those in a blog post at http://www.abnormaldistribution.org/2016/03/23/power-plants-and-cyberawareness/

Six years after Stuxnet, it appears that some nuclear-plant operators still think that if a system is "air-gapped" (that is, not connected to external computer communication networks) it is not vulnerable to disruption via malware. This from an eye-opening recent report by Chatham House, the Royal Institute of International Affairs, on cybersecurity in civil nuclear facilities. I recommend the report highly to Risks readers. https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks

Peter Bernard Ladkin, University of Bielefeld and Causalis www.rvs.uni-bielefeld.de www.causalis.com
*WiReD* via NNSquad http://www.wired.com/2016/03/way-go-fcc-now-manufacturers-locking-routers/ HEY, REMEMBER WHEN the FCC reassured us last year that it wasn't going to lock down Wi-Fi routers? And everyone breathed a sigh of relief, because custom router firmware is actually a really good thing? Sure, it's fun to improve your router by extending the range or making your network friendlier for guests. But open firmware is important for other reasons: it enables critical infrastructure, from emergency communications for disaster relief and building free community access points to beefing up personal security. Well, there goes that. Because even though the FCC said its new requirements were not intended to lock down router software or block the installation of open source firmware, at least one large manufacturer has reacted by doing just that. And more could follow. Unfortunately, the folks rightly fighting against this have proven ineffective and refused suggestions for a campaign explaining the dangers of these lockdowns in terms of privacy and security. They seemed to feel that the FCC could be reasoned with on this. I disagreed. Oh well.
Kirsty Styles, The Next Web, 22 Mar 2016 http://thenextweb.com/us/2016/03/22/new-york-just-opened-massive-public-spying-network/ Free public Wi-Fi always sounds a little too good to be true and now American civil liberties campaigners have written to the Mayor of New York to tell him they are pretty creeped out about how much data the new LinkNYC booths will collect. The anticipated 10,000-strong network across New York will be paid for by advertising, which the team explains will represent a “rich, context-aware platform to reach New Yorkers and visitors.” Mayor de Blasio has so far only talked about this as a boon for the city as he expects it to generate $500 million in advertising sales but, of course, personalized ads require serious amounts of data. The Ts & Cs on signing up require you to turn over your email and then submit your future browsing data, as well as information about the specific content you read and what stuff you click on. As identified by the New York Civil Liberties Union, CityBridge says it'll only make *reasonable efforts* to clear out your data if it sees 12 months of inactivity on the network, so if you're a regular user, you're signing up to be stalked for life.

Security and surveillance concerns

The NYCLU explains that the network “retains a vast amount of information about users—often indefinitely—building a massive database that carries a risk of security breaches and unwarranted NYPD surveillance.” Donna Lieberman, executive director of the NYCLU, adds: “Free public Wi-Fi can be an invaluable resource for this city, but New Yorkers need to know there are too many strings attached.” The scheme already had to abandon part of its proposed advertising effort after a Buzzfeed investigation found that it planned on installing Bluetooth devices that would serve ads straight to people's phones as they walked by.
A similar attempt to do this in London, via smartphone tracking Bluetooth bins, was halted after concerns were raised by privacy campaigners. [...]
An Unprecedented Look into Utilization at Internet Interconnection Points
https://freedom-to-tinker.com/blog/feamster/the-interconnection-measurement-project-revealing-utilization-at-internet-interconnection-points/
Revealing Utilization at Internet Interconnection Points, Nick Feamster, Princeton University
http://arxiv.org/pdf/1603.03656v1.pdf