Link

Turns Out You Can’t Trust Russian Hackers Anymore

Turns Out You Can’t Trust Russian Hackers Anymore :

Navalny denies receiving funding from Soros and says he has had no support from Yandex. Laura Silber, a spokesperson for Open Society, said the foundation has never supported Navalny and that the edited documents posted by Cyber Berkut amounted to a libelous claim.

The Kremlin, Navalny wrote in an email to Foreign Policy, “really likes that type of tactics: posting fake documents among real hacked documents.” The goal, he wrote, is to create a mess for the opposition.

“At the end of the day everyone will understand — documents are fake, but it will be a two-week-long discussion: ‘Is [the] opposition and Navalny in particular using Soros’ money?’,” Navalny wrote.

The Kremlin hates George Soros because Open Society, his marquee philanthropy, focuses on boosting democracy in the former Soviet bloc and elsewhere. Silber says Open Society “supports human rights, democratic practice, and the rule of law in more than 100 countries around the world.”

We can’t fully believe all the documents that are stolen, and then subsequently posted online by Russian-affiliated groups with an agenda of discrediting certain parties?

Shocking.

With Remote Hacking, the Government’s Particularity Problem Isn’t Going Away

Crocker’s article is a defining summary of the legal problems associated with the U.S. Government’s attempts to use malware to conduct lawful surveillance of persons suspected of breaking the law. He explores how even after the law is shifted to authorize magistrates to issue warrants pertaining to persons outside of their jurisdictions, broader precedent concerning wiretaps may prevent the FBI or other actors from using currently-drafted warrants to deploy malware en masse. Specifically, the current framework adopted might violate basic constitutional guarantees that have been defined in caselaw over the past century, to the effect of rendering mass issuance of malware an unlawful means of surveillance.

Link

Hackers Hijack a Big Rig Truck’s Accelerator and Brakes

Hackers Hijack a Big Rig Truck’s Accelerator and Brakes:

When WIRED reached out to trucking industry body the National Motor Freight Traffic Association about the Michigan research, the NMFTA’s chief technology officer Urban Jonson said the group is taking the researchers’ work seriously, and even funding future research from the same team. And Jonson acknowledged that the possibility of the nightmare scenario they present, of a remote attack on heavy vehicles, is real. “A lot of these systems were designed to be isolated,” says Jonson. “As automobile manufacturers are increasingly connecting vehicles with telematics systems, some of these issues need to be addressed.”

That the Association’s reaction is to work with researchers instead of trying to sue them is a very good sign.

Link

The Security of Our Election Systems

The Security of Our Election Systems:

Government interference with foreign elections isn’t new, and in fact, that’s something the United States itself has repeatedly donein recent history. Using cyberattacks to influence elections is newer but has been done before, too ­ most notably in Latin America. Hacking of voting machines isn’t new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.

Last April, the Obama administration issued an executive orderoutlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they’re a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.

Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.

The effects of a decade of focusing on attack capabilities at the expense of defence is now becoming apparent. And I’d bet that we’ll see democratic governments call for heightened national ‘defence’ capabilities that entail fully inspecting packets. Which will require laws that water down communicative privacy rights. Which will themselves damage the democratic characters of our political systems.

Link

Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison | Toronto Star

Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison:

Canada’s Digital Privacy Act, passed by Parliament in June, will require companies to report breaches once regulations are prepared. But experts say it is essentially toothless because it contains few financial penalties.

The Act will introduce fines up to $100,000 for deliberately not reporting a breach.

“There’s the obligation to report, which is, of course, positive,” said Christopher Parsons, managing director of the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.

“But without any sort of punitive consequences you run into the question of how useful is the notification itself.”

There is little data on how secure corporate Canada truly is partly because of a lack of breach notification laws, Parsons said.

Without a financial imperative to beef up security, companies are unlikely to shell out the millions of dollars required to identify and prevent them, Parsons said.

“For most companies, security is a drag,” Parsons said, adding that executives tend to reject investment in cybersecurity, where concerns tend to lead to IT professionals saying “no” to a lot of ideas, while also eating up company time, money and resources.

“All those no’s either inhibit fast fluid business, or they increase the cost and the friction of anything a company wants to do.”
Meanwhile, hackers are getting more sophisticated, but they don’t even need to because the defence systems are so weak, Parsons said.

“If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”

 

Link

So your name is in the Ashley Madison database … are you a cheater? | Metro News

So your name is in the Ashley Madison database … are you a cheater?:

“There was no requirement for verification prior to being added to their database,” said Christopher Parsons, a post-doctoral researcher and cyber-security expert at the University of Toronto’s Citizen Lab.

“It’s entirely possible that people’s email addresses were added by friends or co-workers as a prank.”

But, he said, the likelihood of that “is somewhat low.”

Just because someone’s email address can be found in the database doesn’t mean they were active users who committed adultery. They could have just been curious about the site, Parsons said.

While those who registered for the site using their official, government-issued email addresses may be naïve, Parsons said some of them may have done so intentionally.

“Perhaps they share a personal email account with their spouse or partner,” he said. “Using their government account might have been seen as safer.”

Although there have been larger data breaches in the past, Parsons said the Ashley Madison hack is worrying because government officials found using the site could become victims of blackmail.

It’s happened after data breaches in the U.S. and could happen just as easily in Canada, he said.

 

Link

FBI watched as hacker dumped Bell Canada passwords online

FBI watched as hacker dumped Bell Canada passwords online:

When Bell Canada’s website was hacked last year — and the accounts and passwords of more than 12,000 Canadians posted online — the Federal Bureau of Investigation was not only watching, but letting the hackers stage the attack from what was secretly an FBI server.

Christopher Parsons, a postdoctoral fellow who studies state access to telecommunication data at the Citizen Lab at the Munk School of Global Affairs in Toronto, said it made “good tactical sense” that the FBI used confidential informants and an undercover server to build their case.

It was the fact they did nothing to stop the crime before it occurred that makes this case unusual, Parsons said.

“In this case it sounds like the FBI had that ability, had that option to prevent these things from happening, perhaps with a weaker case, but instead they opted to endanger innocents in order to build a stronger case,” said Parsons. “The problem there is there is no indication Bell had been notified. This wasn’t dummy data that was released — this was live, real customer data.”

 

Link

Mississauga man pleads guilty in international Xbox hacking ring | Toronto Star

Mississauga man pleads guilty in international Xbox hacking ring:

Prosecutors said the small group of gaming enthusiasts called itself the Xbox Underground.

“These were extremely sophisticated hackers. Don’t be fooled by their ages,” Assistant U.S. Attorney Ed McAndrew said after Tuesday’s court hearing. McAndrew told reporters the other members of the group looked to Pokora as a leader.

Chris Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab and expert in Internet security, told the Star the technique used by the group, known as “SQL injection,” is one of the most common attacks used.

“I’m not saying that these individuals are more or less sophisticated, but you really do not have to be terribly clever to run SQL injections,” said Parsons, who has no involvement in the case.

The technique at its most simple involves tricking a database used by the organization into thinking that the hacker has the power to run administrator-level commands.

Parsons says the value of intellectual property and material like the group was after is difficult to gauge. He said they could sell it, or trade it online.

“Certainly some information would be more valuable than others. There might be a large variation for how much you might pay for a prototype Xbox One, versus information about how the U.S. military trains its apache helicopter pilots,” said Parsons. “It would vary substantially in terms of what the information is and the completeness of it.”

There’s no indication in the court documents that the group attempted to sell military information.

 

Link

Your TV as a Beachhead

The Internet of Things is moving apace and consumers are increasingly purchasing Internet-connected devices for their homes. In the case of SmartTVs it appears that manufacturers’ poor security design(s) could pose a direct threat to the network the TV is integrated with:

Since the well-known Javascript object XmlHttpRequest is available within the DAE, not only the TV is the target of possible attacks but also other networked devices in the user’s home network.

Using a timing-based approach, attackers are able to scan the user’s home network from the TV for other devices that are behind the user’s firewall and would not directly be visible from the internet. This could be used for user profiling and for finding further attack targets.

The next step for the attackers could be the reconfiguration of components in the local area network in order to facilitate further attacks via different vectors. For example the home router – which in many cases has no password protection when accessed from the LAN – could be reconfigured by the attacker to have no protection against attacks from the internet.

In order to gain personal information, attackers could access well-known services like UPnP or http in the user’s network via the connected TV. For example IP cameras or printers could be compromised using this technique.

Also using the XmlHttpRequest object, attackers can transfer all of the gained information to arbitrary Internet drop-zones, which would also expose the victim’s IP address.

As a lot of these attacks have been publicized in the context of browser hacking, there is a lot of available code on the Internet that might be used for also compromising Smart TVs.

While the researcher who’s done this work is presently posing SmartTVs as potential – rather than necessary, or actual – threats, now that the cat’s out of the bag it’s almost guaranteed that more people will be working on weaponizing your TV. Isn’t the pervasive connection of equipment to the Internet just great?

Aside

This promotional video of the FinFisher surveillance malware has some interesting components:

  1. they are talking about older Blackberry devices – I’m curious to know if they already have a ‘solution’ for more contemporary devices;
  2. the video speaks of infecting websites, which seems to suggest that an element of the FinFisher process is attacking unrelated website to then hunt targets. Crazy illegal in most jurisdictions I’m familiar with;
  3. the company focuses on TrueCrypt, which confirms the position the TC is a pretty awesome way of securing things you want to remain confidential….so long as you’re not infected with surveillance malware.