Link

Turns Out You Can’t Trust Russian Hackers Anymore

Turns Out You Can’t Trust Russian Hackers Anymore :

Navalny denies receiving funding from Soros and says he has had no support from Yandex. Laura Silber, a spokesperson for Open Society, said the foundation has never supported Navalny and that the edited documents posted by Cyber Berkut amounted to a libelous claim.

The Kremlin, Navalny wrote in an email to Foreign Policy, “really likes that type of tactics: posting fake documents among real hacked documents.” The goal, he wrote, is to create a mess for the opposition.

“At the end of the day everyone will understand — documents are fake, but it will be a two-week-long discussion: ‘Is [the] opposition and Navalny in particular using Soros’ money?’,” Navalny wrote.

The Kremlin hates George Soros because Open Society, his marquee philanthropy, focuses on boosting democracy in the former Soviet bloc and elsewhere. Silber says Open Society “supports human rights, democratic practice, and the rule of law in more than 100 countries around the world.”

We can’t fully believe all the documents that are stolen, and then subsequently posted online by Russian-affiliated groups with an agenda of discrediting certain parties?

Shocking.

With Remote Hacking, the Government’s Particularity Problem Isn’t Going Away

Crocker’s article is a defining summary of the legal problems associated with the U.S. Government’s attempts to use malware to conduct lawful surveillance of persons suspected of breaking the law. He explores how even after the law is shifted to authorize magistrates to issue warrants pertaining to persons outside of their jurisdictions, broader precedent concerning wiretaps may prevent the FBI or other actors from using currently-drafted warrants to deploy malware en masse. Specifically, the current framework adopted might violate basic constitutional guarantees that have been defined in caselaw over the past century, to the effect of rendering mass issuance of malware an unlawful means of surveillance.

Link

Hackers Hijack a Big Rig Truck’s Accelerator and Brakes

Hackers Hijack a Big Rig Truck’s Accelerator and Brakes:

When WIRED reached out to trucking industry body the National Motor Freight Traffic Association about the Michigan research, the NMFTA’s chief technology officer Urban Jonson said the group is taking the researchers’ work seriously, and even funding future research from the same team. And Jonson acknowledged that the possibility of the nightmare scenario they present, of a remote attack on heavy vehicles, is real. “A lot of these systems were designed to be isolated,” says Jonson. “As automobile manufacturers are increasingly connecting vehicles with telematics systems, some of these issues need to be addressed.”

That the Association’s reaction is to work with researchers instead of trying to sue them is a very good sign.

Link

The Security of Our Election Systems

The Security of Our Election Systems:

Government interference with foreign elections isn’t new, and in fact, that’s something the United States itself has repeatedly donein recent history. Using cyberattacks to influence elections is newer but has been done before, too ­ most notably in Latin America. Hacking of voting machines isn’t new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.

Last April, the Obama administration issued an executive orderoutlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they’re a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.

Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.

The effects of a decade of focusing on attack capabilities at the expense of defence is now becoming apparent. And I’d bet that we’ll see democratic governments call for heightened national ‘defence’ capabilities that entail fully inspecting packets. Which will require laws that water down communicative privacy rights. Which will themselves damage the democratic characters of our political systems.

Link

Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison | Toronto Star

Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison:

Canada’s Digital Privacy Act, passed by Parliament in June, will require companies to report breaches once regulations are prepared. But experts say it is essentially toothless because it contains few financial penalties.

The Act will introduce fines up to $100,000 for deliberately not reporting a breach.

“There’s the obligation to report, which is, of course, positive,” said Christopher Parsons, managing director of the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.

“But without any sort of punitive consequences you run into the question of how useful is the notification itself.”

There is little data on how secure corporate Canada truly is partly because of a lack of breach notification laws, Parsons said.

Without a financial imperative to beef up security, companies are unlikely to shell out the millions of dollars required to identify and prevent them, Parsons said.

“For most companies, security is a drag,” Parsons said, adding that executives tend to reject investment in cybersecurity, where concerns tend to lead to IT professionals saying “no” to a lot of ideas, while also eating up company time, money and resources.

“All those no’s either inhibit fast fluid business, or they increase the cost and the friction of anything a company wants to do.”
Meanwhile, hackers are getting more sophisticated, but they don’t even need to because the defence systems are so weak, Parsons said.

“If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”

 

Link

So your name is in the Ashley Madison database … are you a cheater? | Metro News

So your name is in the Ashley Madison database … are you a cheater?:

“There was no requirement for verification prior to being added to their database,” said Christopher Parsons, a post-doctoral researcher and cyber-security expert at the University of Toronto’s Citizen Lab.

“It’s entirely possible that people’s email addresses were added by friends or co-workers as a prank.”

But, he said, the likelihood of that “is somewhat low.”

Just because someone’s email address can be found in the database doesn’t mean they were active users who committed adultery. They could have just been curious about the site, Parsons said.

While those who registered for the site using their official, government-issued email addresses may be naïve, Parsons said some of them may have done so intentionally.

“Perhaps they share a personal email account with their spouse or partner,” he said. “Using their government account might have been seen as safer.”

Although there have been larger data breaches in the past, Parsons said the Ashley Madison hack is worrying because government officials found using the site could become victims of blackmail.

It’s happened after data breaches in the U.S. and could happen just as easily in Canada, he said.

 

Link

FBI watched as hacker dumped Bell Canada passwords online

FBI watched as hacker dumped Bell Canada passwords online:

When Bell Canada’s website was hacked last year — and the accounts and passwords of more than 12,000 Canadians posted online — the Federal Bureau of Investigation was not only watching, but letting the hackers stage the attack from what was secretly an FBI server.

Christopher Parsons, a postdoctoral fellow who studies state access to telecommunication data at the Citizen Lab at the Munk School of Global Affairs in Toronto, said it made “good tactical sense” that the FBI used confidential informants and an undercover server to build their case.

It was the fact they did nothing to stop the crime before it occurred that makes this case unusual, Parsons said.

“In this case it sounds like the FBI had that ability, had that option to prevent these things from happening, perhaps with a weaker case, but instead they opted to endanger innocents in order to build a stronger case,” said Parsons. “The problem there is there is no indication Bell had been notified. This wasn’t dummy data that was released — this was live, real customer data.”