Hospitals are patient zero for the Internet of Things infosec epidemic

As I have often noted, medical devices have terrifyingly poor security models, even when compared to the rest of the nascent Internet of Things, where security is, at best, an afterthought (at worst, it's the enemy!).

Did the FBI pay Carnegie Mellon $1 million to identify and attack Tor users?

Documents published by Vice News' Motherboard and further reporting by Wired suggest that a team of researchers from Carnegie Mellon University who canceled their scheduled 2015 Black Hat talk identified Tor hidden servers and their visitors, and turned that data over to the FBI.

Whoever the researchers and whichever the institution, it sounds like a serious ethical breach.

First, from VICE, a report which didn't name CMU but revealed that a U.S. university helped the FBI bust Silk Road 2 and suspects in child pornography cases:

An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

Here's a screenshot of the relevant portion of one of the court documents that Motherboard/Vice News published:

Later today, a follow-up from Wired points the finger directly at CMU:

The Tor Project on Wednesday afternoon sent WIRED a statement from its director Roger Dingledine directly accusing Carnegie Mellon of providing its Tor-breaking research in secret to the FBI in exchange for a payment of “at least $1 million.” And while Carnegie Mellon’s attack had been rumored to have been used in takedowns of dark web drug markets that used Tor’s “hidden service” features to obscure their servers and administrators, Dingledine writes that the researchers’ dragnet was larger, affecting innocent users, too.

UK Snooper's Charter "would put an invisible landmine under every security researcher"

Respected UK tech elder statesman and journalist Rupert Goodwins blasts the UK government's plan to impose secret gag-orders on researchers who discover government-inserted security flaws in widely used products, with prison sentences of up to a year for blowing the whistle or even mentioning the gag orders in a court of law.

The Economist's anti-ad-blocking tool was hacked and infected readers' computers

PageFair is an ad-blocking circumvention tool that publishers can use to track readers who've taken technological countermeasures to protect their privacy. The company has sold its service to many publishers -- including the Economist -- by deploying moral arguments about the evils of ad-blocking.

British government will (unsuccessfully) ban end-to-end encryption

Home Secretary Theresa May has introduced the long-awaited, frequently assayed Snoopers' Charter, and it is a complete disaster.

TSA screeners can't detect weapons and they never could

TSA screeners' ability to detect weapons in luggage is "pitiful," according to classified reports on the security administration's ongoing story of failure and fear.

We know about them because lawmakers are tiring of the charade and the complacency that comes with it. Ars Technica reports:

"In looking at the number of times people got through with guns or bombs in these covert testing exercises it really was pathetic. When I say that I mean pitiful," said Rep. Stephen Lynch (D-Mass.), speaking Tuesday during a House Oversight hearing concerning classified reports from federal watchdogs. "Just thinking about the breaches there, it's horrific," he added.

Auditors from the Inspector General's Office, posing as travelers, discovered enormous loopholes in the TSA's screening process. A leaked classified report this summer found that as much as 95 percent of contraband, like weapons and explosives, got through during clandestine testings. Lynch's comments were in response to the classified report's findings.

What will the future bring? We all love puppies, don't we?

Blackmail: Manila airport security's "bullet scam"

Filipino politicians have decried an alleged blackmail scheme by Manila airport security officers, who are said to drop bullets into passengers' luggage and then demand cash payouts to stay out of jail.

US Senate passes CISA, a very bad spying bill dressed up as a cybersecurity bill

CISA won't make you and me any more secure, and it threatens what's left of our online privacy. The very helpful-sounding “Cybersecurity Information Sharing Act” will definitely help the government, though: it'll make it a lot easier for technology companies to share your personal data with the government, and everyone knows that this data never ends up in the wrong hands, so you're fine.

The gaping privacy flaws in CISA didn't stop the Senate from passing it by a wide margin today: 74 to 21. CISA now goes to a conference committee between House and Senate.

Here's the EFF's take, by Mark Jaycox:

CISA passed the Senate today in a 74-21 vote. The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities. The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.

The conference committee between the House of Representatives and the Senate will determine the bill's final language. But no amount of changes in conference could fix the fact that CISA doesn't address the real cybersecurity problems that caused computer data breaches like Target and the U.S. Office of Personnel Management (OPM).

Sixth grader sells artisanal Diceware passwords

11-year-old Mira Modi, daughter of privacy journalist Julia Angwin, has a startup through which she hand-generates secure Diceware passwords for $2, which she mails in sealed letters through the USPS, "which cannot be opened by the government without a search warrant."

Botnets running on CCTVs and NASs

Researchers at Incapsula have discovered a botnet that runs on compromised CCTV cameras. There are hundreds of millions, if not billions, of these in the field, and like many Internet of Things devices, their security is an afterthought and not fit for purpose.

Putting your kettle on the Internet of Things makes your wifi passwords an open secret

The $150 Smarter iKettle lets you start your water boiling from anywhere in the world over the Internet -- and it also contains serious, long-standing security vulnerabilities that allow attackers to extract your wifi passwords from it.

Every email NSA says it got after asking Americans for tips on how to protect their privacy

At the Black Hat hacker convention in 2013, former NSA director Keith Alexander asked hackers to help the NSA come up with ways to protect Americans' privacy and civil liberties.

"How do we start this discussion on defending our nation and protecting our civil liberties and privacy?" Alexander asked the Las Vegas crowd. "The reason I'm here is because you may have some ideas of how we can do it better. We need to hear those ideas."

The new Nexus phones: beautiful, secure, and a shot across the bow

Dan Gillmor has been playing with Google's new Nexus phones, the humongous 6P phablet and the smaller 5X, and he's written a shrewd and thorough review of what these phones do -- and more importantly, what they mean.

How the market for zero-day vulnerabilities works

Zero-days -- bugs that are unknown to both vendors and users -- are often weaponized by governments, criminals, and private arms dealers who sell to the highest bidders. The market for zero-days means that newly discovered bugs are liable to go unpatched until they are used in a high-profile cyberattack or independently discovered by researchers who'd rather keep their neighbors safe than make a profit.

FBI investigating ‘teen stoner hack’ of CIA Director John Brennan

A pair of self-described teen stoner hackers say they breached an AOL account used by CIA Director John Brennan, the New York Post reported today.

Exploiting smartphone cables as antennae that receive silent, pwning voice commands

In IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones, French government infosec researchers José Lopes Esteves and Chaouki Kasmi demonstrated a clever attack on smartphones that sent silent voice commands to OK Google and Siri by converting them to radio waves and tricking headphone cables into acting as antennas.

GPS, Plan B: US Navy teaches celestial navigation as fallback for cyberattack

The Naval Academy is digging sextants out of storage and, with help from the Merchant Marine Academy (which never stopped teaching celestial navigation), training its students in celestial navigation so that ships will still be able to find their way after adversaries infect the GPS system with malware.
