Tuesday 31 March 2015
Bank names BigLaw firms threatened by hackers
Citigroup has been apologising to law firms after Fried Frank and Covington & Burling were named as being subject to the attentions of hackers – even though there were no breaches of the firms’ networks or client data in the instances cited.
In 2012, the Fried Frank website was subject to a ‘watering hole’ attack – through which malware is placed on the site and can then infect visitors. But Fried Frank information systems head Steve Lewis has said that the practice’s data had ‘never been breached and client information has never been compromised’. The site was hosted by an outisde consultancy and it contained no confidential information, he added.
Malicious actors
Citigroup included the information in a report which has been written up in the media. The report suggests that there is frustration on the part of banks about the reluctance of law firms to be more open on cyber attacks they experience. The report says: ‘Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise.’ But the authors of the report expect law firms to remain as targets. It said they would ‘continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications’.
Covington
Covington & Burling was also mentioned for a 2012 incident when the firm’s name was used on fake emails – apparently by a group of Chinese hackers. Two other smaller law firms were also named.
Apology
However, Citigroup appears to regret finalising all the contents of the report. A spokeswoman said: ‘The analysis relied on and cited previously published reports. We have apologized to several of the parties mentioned for not giving them an opportunity to respond prior to its publication in light of the sensitive nature of the events described.’
Source:http://ift.tt/1IevbvC
from hacker samurai http://ift.tt/1Mv4DN7
via IFTTT
Monday 30 March 2015
On the cutting edge: Hackers experiment with technology during Penn State event
UNIVERSITY PARK — Hundreds of college hackers descended upon the Penn State campus this weekend, but they weren’t involved in any illegal activities.
Instead, these hackers looked to network, experiment with technology and learn.
“Hacking in this sense is finding a creative solution to a problem,” said Jon Gottfried, of Major League Hacking.
His organization sanctions about 150 events worldwide like the one Saturday and Sunday at Penn State, he said. Called Hackathons, Gottfried described them as “invention marathons” where teams of participants have 24 hours to work on a project that would solve a problem, create something or improve existing products using technology.
The event, held in the IST Building, drew students from as far away as MIT, Rutgers and the University of Pennsylvania. Some select high school students also compete in hacking events, Gottfried said.
The organization works with students at each university to set up events, Gottfried said. Sophomore Albert Guo was one of the organizers of this year’s event and said more than 400 participants took part this year, an increase of about 200 from last year.
Seniors Joshua Lee, Dylan Nguyen and Sujeet Bhandari, computer science students at Penn State, had competed in Hackathons on campus before, and this year, the trio constructed goggles that enabled the wearer to make 3-D drawings with their hands.
Although it looked like something from “Tron” or another science fiction movie, the device could be used in 3-D modeling in a field like engineering, Lee said. Current 3-D modeling programs are complicated to use, Lee said. The goggles could simplify that to the point anyone could use them merely by pointing, he said.
“You need a lot of technical knowledge with the current technology,” Lee said. “This would eliminate that cliff.”
A few tables down from the goggles stood a reading lamp and a coffee maker wired to a computer. Doctoral student Ken Hutchison operated the appliances using commands on the screen.
Sipping a cup of the remotely brewed coffee, Hutchison explained the program to event judges and interested spectators. Unlike most home automation systems, which run using Wi-Fi, the one on display Sunday used radio frequencies. Hutchison said the current systems available commercially use a lot of circuitry, are expensive to buy and install, and require a lot of energy to use. Special appliances equipped with Wi-Fi receivers are also needed, he said.
The radio equipment used by his team can be used with less expensive, standard analog or digital appliances, and the entire cost of the circuitry to install the radio receivers and transmitters is about $17, Hutchison said. By changing the model from Wi-Fi-based to one using radio, or a hybrid of the two, the technology could be made more widely available, he said.
“We want to bring it to more people,” Hutchison said. “Right now, it’s only available to the super wealthy.”
For others, the project was a matter of fun and games. Penn State juniors William Bittner, Paul Jang, Nick Denaro and Drew Lopreiato designed a website where users can log on to play the classic video game Pong. The first-time Hackathon participants then synced the game to a piece of poster board wired with dozens of LED lights. The lights on the board reflected the actions of the players competing on their cellphones.
The site and board took about 17 hours to create, they said, and any old arcade game could be used.
“Any classic kind of game, like Snake, you could do with this kind of resolution,” Denaro said.
Projects are judged at each event and prizes are awarded to winners, Gottfried said, but the primary motivation he has heard from most participants is the chance to work with like-minded people and also network with tech industry representatives. Local startups as well as companies like Microsoft were present this weekend.
Technology companies, like Dell, sponsor the events and provide tools and equipment that might be available in class or for personal use, Gottfried said. That’s something else welcomed by participants. The gear that went into the 3-D drawing goggles was supplied through the event and new to the hackers that used the supplies.
“It’s the first time we’ve worked with this technology,” Lee said. “It’s exciting to work with new things.”
from hacker samurai http://ift.tt/1ErB4aW
via IFTTT
SEBASTIAN SHAKESPEARE: Queen calls in cyber expert after hackers target young royals who are told to change email addresses and cut back on social media
The Queen has summoned one of Britain’s leading computer security experts to Buckingham Palace amid fears that the Royal Family could be targeted by foreign spies and hackers.
Sadie Creese, professor of cyber security at Oxford University, held private talks with the Queen last week. She was invited to a palace luncheon, where she was also able to speak to Prince Philip.
‘Her Majesty likes to keep abreast of the latest developments in technology and the problems they can also bring,’ a courtier tells me.
Professor Creese is eminent in her field and was able to share some of her knowledge with the Queen and the Duke of Edinburgh.’
Young royals were reportedly advised earlier this month to change their email addresses and cut back on social media use over fears they could be targeted by hackers.
Prince William later made a top-secret visit to GCHQ, the maximum security ‘listening station’ in Cheltenham, which tracks electronic traffic of terrorists and spy agencies around the world.
‘Most people understand the need to lock their car or front door, but don’t know how to relate that to cyberspace,’ Prof Creese has said. ‘Can your smart car get hacked? What about banking, social networking, TV watching? Are you safe?’
The Queen’s granddaughter Princess Beatrice left her role as a paid intern at Sony Pictures in January after her salary, address and other confidential information were among a vast amount of data stolen by hackers.
The attack is thought to have been carried out by North Korea in revenge for a Sony comedy that imagined the assassination of Kim Jong-un, the country’s leader.
Beatrice, her sister Princess Eugenie and their cousins Princes William and Harry were said to have been told to make urgent changes to their accounts after security officials detected a threat of corporate and government snooping — most probably from Russia.
The order came after GCHQ issued warnings about ‘chatter’ on the airwaves that prompted suspicion the Royal Family has been targeted. The younger royals are seen as particularly vulnerable because of their use of social media.
A Buckingham Palace spokesman confirmed that Prof Creese visited, but added: ‘We don’t make any comment on security for the Royal Family.’
Source: http://ift.tt/19pTs6F
from hacker samurai http://ift.tt/1abhuTH
via IFTTT
Sunday 29 March 2015
Saturday 28 March 2015
Anonymous message to the Republic of Ireland - Truth behind IrishWater charges
from Hacker Samurai http://ift.tt/1EOjrgs
via IFTTT
Friday 27 March 2015
Hotel Wi-Fi Routers Can Make Guest Vulnerable To Hackers
Travelers should be careful of connecting to free hotel Wi-Fi spots as a router commonly used in most hotels has a large flaw that allows hackers to compromise connected devices.
The research team from security vendor Cylance found the vulnerability in the InnGate Wi-Fi router in hotels. More than 270 of the ANTLabs-made routers in 29 different countries are affected by the exploit.
Cylance refuses to name the hotels which were using the vulnerable Wi-Fi router, according to Network World.
The research team named as SPEAR (Sophisticated Penetration Exploitation and Research) believes that revealing the affected hotels could result in the abuse of the said exploit.
SPEAR said that all kinds of hotels used the Inngate Wi-Fi router, ranging from cheap ones up to five-star hotels.
Customers were not the only ones at risk of being compromised by hackers. Justine Clarke from SPEAR said that the Wi-Fi router’s vulnerability can lead hackers to restricted hotel networks, where they can gather private information such as guests’ billing information, according to Wired.
Such attacks could also be used to gain access to a guest room with a key lock system. Hackers can enter the compromised hotel Wi-Fi network and gain access to its mainframe to open a door.
One famous example of a compromised hotel network is the high-profile assassination of a Hamas official who stayed in Dubai hotel in 2011. The authorities believe that the assassins were able to reprogram the electronic lock on the official’s hotel room.
“Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do,” said the SPEAR team.
Source: http://ift.tt/1EbIPlm
from hacker samurai http://ift.tt/1yjk8MB
via IFTTT
Hackers not involved in new Taiwan Internet safety department: Chief
TAIPEI, Taiwan – National Security Bureau (NSB) Director-General Lee Shying-jow yesterday said that the bureau is hiring Internet safety experts and not hackers for its soon-to-be established Internet safety department, which is currently designated as the 7th Internet Operations Department.
Lee made the statement while conducting a question-and-answer session during a routine operations report to the Legislative Yuan’s Foreign and National Defence Committee.
During the session, Lee predominantly answered questions from Kuomintang (KMT) Legislator Lin Yu-fang and Democratic Progressive Party Legislator Hsiao Bi-khim, who both formulated their questions around the idea that the employee candidates are regular civilian hackers who are not military personnel.
Lin said that that he was concerned about the detail of the establishment of the department.
The NSB faced 46,000 incidents of Internet attacks last year, Lin said, and that the nation definitely has an idea as to where the said attacks came from.
The KMT lawmaker said that the attacks are why legislators support the establishment of the department, but the lawmakers were also concerned with the listed civilian employees that are to be recruited.
Lin asked Lee to explain the legal status of such individuals: whether they would be full-time of just part-time employees, and what would be their military rank.
Lin also asked if a “Hacker Unit” were to conduct actions that violate the law, what would be the NSB’s response to the crimes?
The legislators also said that the reason such individuals are expert hackers has a lot to do with their creativity, and said such people do not enjoy being confined.
As such, though the Legislative Yuan supports the idea, the NSB must have a detailed plan about the management of such individuals.
In response, Lee said that the NSB will not have hackers but only Internet safety experts.
Lee also said that such individuals would be hired as full-time staff following proper orientation and training, and that a detailed draft of the hiring process is currently being formulated, so that the employment of such individuals would be in accordance with the law.
Lee also said that he has seen two NSB officers conducting Internet safety operations. Although he did not understand the logic or the technical terms the two used, Lee said that he was impressed at how successful the operation was carried out.
What needs to be taught, Lee said, is the method to use such individuals to their full potential, and to the benefit of the nation.
Source: http://ift.tt/1HWF3Kr
from hacker samurai http://ift.tt/1EbdD5D
via IFTTT
Thursday 26 March 2015
Hackers attempt to shut down TN.gov
NASHVILLE, TN (WSMV) -
An Internet hacker who has already successfully shut down several government websites has now made an attempt on Tennessee.
It’s unclear if it’s a person or group, but whoever is using the Twitter handle Vikingdom2015 has been lurking online and shutting down government websites.
“Usually when they attack a website, they’ll do what’s called a distributed denial of services, which means they’re just bombarding the website with traffic coming from all directions and just overloading it, essentially taking it down,” said Eric Near, with Dynamic Edge IT Consulting.
The hacker took down several government websites in Maine and a news station’s website, presumably for reporting the problem.
The hacker then went online to brag about it, essentially taunting the victims.
“Bragging rights are a big part of it,” Near said. “A lot of it is just getting your name out there and getting publicity. Even if it doesn’t mean anything, it’s just an ego boost.”
The attempt on TN.gov was made early Wednesday morning. Vikingdom2015 tweeted, “RIP Tennessee.” Apparently the state had the necessary tools in place to block the attack.
Tennessee officials turned down an interview, saying they don’t want to encourage a second attempt.
“There are services that that site provides,” Near said. “For example, Tennessee has a number of different sites for the different departments, like registering your license plates online, things like that.”
IT specialists said whether it’s a personal computer or an entire business, people should take preventative measures.
“What we recommend here is just be careful with what’s coming into your email,” Near said. “If you see a specific attachment, don’t open it. It could cause an infection to get to your computer.”
Near said there are many others out there like Vikingdom2015.
“I would recommend checking with your IT department of your IT vendor on what sort of security devices you have in place to make sure this doesn’t happen to you,” he said.
Wednesday afternoon, Twitter shut down the Vikingdom2015 Twitter account.
Source: http://ift.tt/1BtYRRE
from hacker samurai http://ift.tt/1BOw1Kq
via IFTTT
Official: Hackers breach Fairbanks city website; records OK
FAIRBANKS, ALASKA
The city of Fairbanks website was targeted by hackers outside Alaska, but no internal information was breached, officials said.
The hacker group replaced the website at http://ift.tt/1CLurvI with a message Tuesday, the Fairbanks Daily News-Miner newspaper (http://is.gd/clgzzt) reported.
City spokeswoman Amber Courtney declined to discuss details of the message or to identify the group. The hackers appear to have been motivated by a desire to show off their hacking abilities, she said.
“They didn’t really seem to have much of a message, if anything,” she said.
The website was down for about four hours before it was brought back online, according to Courtney, who said city internal records were not breached by the hacker group.
“There was no security breach, no breach of any information, no breach in our payment process,” Courtney said.
City technicians have determined how the site was hacked, she said. The City Hall server does not host the affected website.
from hacker samurai http://ift.tt/1NcLRr1
via IFTTT
Wednesday 25 March 2015
Mini Documentary - Million Mask March - Washington DC 2013
from Hacker Samurai http://ift.tt/1M02mcO
via IFTTT
Mentor CEO says chips can be protected against hackers
Silicon-based hacking problems are not yet seen as a threat to security on the internet.
But this may be because any breaches of security at the silicon level are not reported.
It could also be because there are easier ways to penetrate computer networks. Most of the security problems which the internet is seeing are because people are hacking intro user level software and apps.
This may be annoying, but it is not seen as a major problem. Hacks can be stopped and blocked relatively easily with software fixes and firewalls.
But Wally Rhines, CEO, Mentor Graphics believes there will be a different scale of problem if systems are hacked at the operating system or silicon level.
“It will be a much bigger problem affecting many more people,” says Rhines.
However, he believes there a number of design options available which chip designers can use to protect ICs from the hackers.
Hacking the silicon could involve unlocking an existing IC or introducing counterfeit chips into the supply chain, but a much bigger problem could be when the hackers have the ability to embed malicious logic elements inside the chip.
“Today design tools verify that a chip does what it is designed to do, in future we will have the tools to verify that a chip does not do what it shouldn’t,” says Rhines.
Unlocking a chip to discover how it operates so it can be tampered with is typically carried out in one of two ways. Either through analysis of the power profile of the device or through an analysis of its electromagnetic footprint.
“Both of these techniques make it possible to identify the activity of the chip and then faults can be injected,” says Rhines.
To tackle this form of silicon hacking you can harden the chip’s intellectual property (IP) and make it less prone to attacks.
Another countermeasure, says Rhines, is to make the chip harder to ‘read’ by spreading the signals around the chip and so make them more difficult to trace by the hacker.
“It is possible to include this in the design simulation and emulation before committing to silicon,” says Rhines.
“This can never be perfect, but if a company can do it better than its competitors then it has differentiation,” says Rhines
There is a growing threat from counterfeit parts entering the supply chain which also raises the threat of tampering. This is made easier because ICs travel widely in their life cycle; from design to fab to the OEM customer.
And the potential for introducing counterfeit parts is made greater because of the excess inventory and re-cycled ICs in the supply chain.
This is being tackled by adding greater traceability in the supply chain. The US authorities have been particularly active in this area with the AS6081 Counterfeit Avoidance Standard to ensure component traceability amongst independent component suppliers and distributors.
Rhines says it is also possible to design locks into the chip to provide better traceability.
Each IC could be given its own unique authentication code, or fingerprint, but this likely to add unacceptable cost to chip.
For example, an on-chip ‘odometer’ could track its movement. Or the chip could have an activation code which can only be unlocked with an encrypted key supplied by the manufacturer.
But even these countermeasures are no guarantee against hacking, says Rhines.
The biggest threat will come from a so-called Trojan attack where rogue hardware IP is introduced into the chip at the design stage.
“I believe a Trojan attack on the silicon will become a big problem,” says Rhines. “The complexity of the supply chain for chip design and production makes it vulnerable.”
The Trojan could be rogue IP designed into the chip, which is triggered by a specific event or time.
Use of third party IP or IP code re-use will make the introduction of Trojan IP easier, says Rhines.
To tackle this deep level of attack, Rhines believes it will become necessary for the chip to protect itself by monitoring its own activity.
“I believe it will become standard in the future to embed a co-processor in an IC design to monitor the activity within the chip,” says Rhines.
Rhines said work in this area has already started in the US and the government is supporting the semiconductor industry in the development of technologies to make silicon more secure.
But this is only in its early stages and government funding of $1m for the initiative looks surprisingly modest.
Rhines says he is starting to see customers asking for some level of silicon authentication, but there can be a cost associated with greater security.
Rhines believes it will take a major silicon security issue to convince companies of the need for greater silicon authentication.
“This is usually needed to trigger a big market reaction,” says Rhines, “but I am seeing a demand for silicon authentication from customers.”
“Until the customers of the chip companies say they will not buy ICs until the suppliers do something little is likely to happen,” says Rhines.
“But I do believe that an on-chip security monitoring requirement will happen at some time,” says Rhines.
Rhines believes the EDA industry must provide the necessary design and verification tools to support the various forms of on-chip authentication and activity monitoring.
This starts with secure software hypervisors. It includes partitioning the processor operation to keep critical software apart from more easily hacked applications software.
At the silicon level formal verification tools will be used to identity Trojan IP and to isolate it.
“I believe this will become an important new area of activity for EDA companies and the necessary research has already started, in companies and universities,” says Rhines.
Source: http://ift.tt/1EFY0xZ
from hacker samurai http://ift.tt/1xyEM0n
via IFTTT
Tuesday 24 March 2015
Flaw in Cisco VoIP phones allows hackers to intercept conversations
Cisco has issued a security alert warning users of several of its voice over Internet Protocol (VoIP) phones that a flaw in the products could allow hackers to listen in on users’ conversations.
The company said the products at risk are the Cisco Small Business SPA series 300 and series 500 IP phones.
A vulnerability in the machines “could allow an unauthenticated remote attacker to listen to the audio stream” of the phones, according to Cisco. Software updates are not available at this time.
“The vulnerability is due to improper authentication settings in the default configuration,” a warning from the company said. “An attacker could exploit this vulnerability by sending a crafted XML request to the affected device. An exploit could allow the attacker to listen to a remote audio stream of make phone calls remotely.”
Source: http://ift.tt/19NemNF
from hacker samurai http://ift.tt/19Nem0m
via IFTTT
Monday 23 March 2015
The Spook of Cambridge: Wills makes secret visit to GCHQ spy base after Royals warned over computer hacking
Prince William has made a top secret visit to Britain’s most secretive building, The Mail on Sunday can reveal.
The Duke of Cambridge made the unannounced ‘private visit’ on Thursday to Government Communications Headquarters (GCHQ) – the maximum security ‘listening station’ which tracks electronic traffic of terrorists and spy agencies around the world.
The Duke’s first ever trip to GCHQ, housed in a doughnut-shaped building in Cheltenham, Gloucestershire, comes after The Mail on Sunday revealed that he and other young Royals were being advised to change their email addresses and cut back on social media activities over fears they could be targeted by foreign spies and hackers.
But questions were asked last night about the Duke’s use of a publicly funded Royal helicopter to make the trip, as it was not an official public engagement and was not announced in the Palace’s Court Circular.
The Duke was flown from London’s Kensington Palace to Gloucestershire airport on the Queen’s helicopter Flight, funded by the taxpayer, and which is supposed to be only used for official engagements by the Royals.
Source: http://ift.tt/1DNzCPX
from hacker samurai http://ift.tt/1EIAtz4
via IFTTT
Sunday 22 March 2015
Chairman McCaul Discusses Latest on Terror Threat on ABC’s “This Week"
from Hacker Samurai http://ift.tt/1N47kjN
via IFTTT
Saturday 21 March 2015
Anonymous - Operation Shock Drop #OpFerguson #OpHandsUp #OpCopWatch
from Hacker Samurai http://ift.tt/1LG6uOT
via IFTTT
Friday 20 March 2015
Thanks to Facebook bug, hackers could have your personal pics
Facebook users’ personal photos could be in the hands of hackers, a security expert claims.
A bug in Facebook Photo Sync allows third-party apps to access photos originally stored on your smartphone, according to Laxman Muthiyah, a bounty hunter who discovered the bug.
The social network’s photo sync feature, introduced in 2012, will upload all your iOS and Android smartphone snaps to your Facebook account if you’ve opted in.
Ordinarily, those pictures will go to a private album that’s not visible to friends or other users of the social network.
But Muthiyah found a huge vulnerability in the Photo Sync API that grants third-party apps access to those personal pictures.
He discovered that an endpoint granting access to sync requests was vulnerable.
Explaining the bug on his blog, he wrote: “The vulnerable part is, it just checks the owner of the access token and not the application which is making the request.
“So it allows any application with user_photos permission to read your mobile photos.”
A large number of Facebook apps use the user_photos permission to read users’ public photos, he warned, adding: “A malicious app which you are using can read all of your private photos in few seconds.”
Facebook has no patched the bug, rewarding Muthiyah with a $10,000 cheque, but the bug researcher suggested users opt out of Photo Sync just in case.
Muthiyah’s no stranger to Facebook rewards, though, after bagging $12,500 last month when he discovered he could send a “delete” function to a Facebook for Mobile application via an API that gave him the power to delete any photo album on the site.
Source: http://ift.tt/1OdwbFn
from hacker samurai http://ift.tt/1OdwcZM
via IFTTT
Hackers expose private information of 50,000 VNPT clients
VietNamNet Bridge – DIE Group, a group of hackers, has posted personal information about 50,000 clients of VNPT, the largest telecom group in Vietnam, on the internet.
DIE Group said it had sent a warning about vulnerabilities to the website administrator but there has been no reply, while the security hole has not been fixed.
The information has been exposed on mega.co.nz, a site to share files online, according to Tran Quang Chien, the manager of Security Daily.
Though the information about 10,000 clients can be found on only this site, Chien said the figure would actually be 50,000. The information includes customers’ codes, names, addresses, mobile phone numbers, user accounts and passwords.
With the database, anyone could log on to the users’ accounts on VNPT’s website soctrang.vnpt.vn. However, some sources said hackers have erased important details to prevent people from exploiting the data.
SecurityDaily said on March 14 evening that the exposed information was still “alive”, which means that the information was still useful for criminals to penetrate the system through the vulnerabilities.
Analysts commented that the information exposure shows that dangerous security holes exist on VNPT’s website, which allow hackers to control and steal the database.
They said that it is highly possible that the admin account has also been hacked. The hole is likely to be SQL Injection, a dangerous hole which hackers like exploiting.
On March 16, Bui Quoc Viet, the spokesman of VNPT, confirmed that VNPT’s data was hacked and the information about 50,000 clients of VNPT Soc Trang branch was posted on the internet.
Viet said the hackers exploited a software module used to look up customers’ information at VNPT’s Soc Trang branch.
Viet said this is an old server system which is being gradually replaced by VNPT. Prior to that, hackers posted on the internet information about tens of thousands of VNPT’s accounts.
Sensational news appeared in some local newspapers on March 16 morning that SecurityDaily, which gave a warning about the attack, may “have relations” with the hackers.
A local newspaper reported that VNPT’s representative had a meeting with SecurityDaily on March 15 afternoon to discuss the problem.
It also quoted Tran Quang Chien of SecurityDaily as denying the “relations with hackers”. Chien said SecurityDaily had received the image from a member of the group of hackers.
In the latest news, VNPT has said that it had taken necessary measures and settled the problem to ensure safety for the data and 50,000 client accounts.
Source :
from hacker samurai http://ift.tt/1BaJI6E
via IFTTT
Anonymous - YOU CAN'T BREAK MY SOUL
from Hacker Samurai http://ift.tt/1I3VMfw
via IFTTT
Thursday 19 March 2015
(ISC)² Security Congress 2014: Day 2 Highlights
from Hacker Samurai http://ift.tt/1DE9as6
via IFTTT
McSally Questions Witnesses at Hearing on the Threat of Chemical Terrorism
from Hacker Samurai http://ift.tt/1H7TApw
via IFTTT
Wednesday 18 March 2015
Anonymous - WHAT WE ARE CAPABLE OF
from Hacker Samurai http://ift.tt/1BWYHWq
via IFTTT
Is Car Hacking Much Ado About Nothing?
First, it was phone tapping, then computer hacking and identity theft. Now, the electronic fear du jour is car hacking. As our cars are powered by ever-increasing numbers of computers and software programs, and as automakers promote connectivity (from traffic-monitoring apps to mobile phone synchronization and collision avoidance systems), alarms have been raised about the possibility of hackers obtaining access to a car’s computers. One particularly bleak scenario involves hackers wreaking havoc on self-driving cars, whose hapless passengers won’t even have time to grab the steering wheel before their four-wheeled mobile devices engage rampage mode.
While nothing like this has happened in real life, researchers (including two individuals funded by DARPA for a 2013 study) have been able to access a vehicle’s computer systems using a laptop and, reportedly, obtain control of the vehicle’s steering, brakes, engine, and other components. While conducted in a controlled environment, these experiments caught the attention of Washington, D.C. and the media. A report released last month by U.S. Senator Ed Markey’s office, “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” mentions those experiments and concludes that no major auto manufacturer is properly prepared to handle the hacking and data privacy risks posed by existing and forthcoming automotive technology. Yet the report also noted that none of the automakers questioned by Markey had received any indications of hacking or attempted hacking in the real world. Is car hacking the next great security threat, or much ado about nothing?
Dallas attorney Marc Stanley takes the position that car hacking is a threat. On March 10, Stanley’s law firm filed a putative class action lawsuit in the U.S. District Court for the Northern District of California against Toyota, Ford, and General Motors, alleging that those automakers’ vehicles are susceptible to hacking, thus breaching the manufacturers’ warranties and various state and federal consumer protection laws. The 343-page complaint requests injunctive relief (in the form of a recall or free replacement program), disgorgement, and other damages. As of this writing, the automakers had not responded to the complaint.
This lawsuit raises interesting questions. Since a real-world car hacking incident has never been reported, are the plaintiffs’ claims ripe? The complaint argues that the alleged ability of hackers to access vehicle computers renders false the manufacturers’ representations of their vehicles’ safety. Further, say the plaintiffs, since Toyota, Ford, and GM have refused to either repair the vehicles or replace them at no cost, the manufacturers have breached both express and implied warranties.
The argument that the vehicles at issue are not safe because they could be hacked is a creative attempt to circumvent the ripeness issue. But it seems likely that ripeness will present a large initial hurdle for the plaintiffs in this case. That a few researchers were able to access a vehicle’s computer system in a controlled setting is not necessarily evidence that the vehicles could be compromised by a malevolent third party, nor that such a hypothetical situation renders the vehicles unsafe to drive.
The plaintiffs have requested their money back from the manufacturers, yet they admit in the complaint that they are still driving their vehicles and make no assertions that the vehicles are otherwise unfit for their intended purpose. At this point in time, the plaintiffs’ allegations appear speculative at best.
This is not to say that automakers should not take the hacking threat seriously. The Markey report raises important questions about consumer safety that automakers would be well advised to attempt to answer. As cars increasingly become mobility devices, in which occupants can surf the Internet, download music and apps, monitor traffic and road conditions and the like, the proliferation of computer systems creates added risks, including hacking. That a vehicle has not been maliciously hacked does not mean that it could not happen or that it would not in the future. Should that happen, immediate media, political, and legal scrutiny will descend on the automaker at issue, who will be asked what it knew, what it should have known, and what safeguards it should have developed. All automakers have a common interest in preventing that day from ever happening.
To what extent will automakers remain responsible for the computer systems in their vehicles? Will those systems someday come with a separate warranty that is longer (or shorter) than existing bumper-to-bumper warranties? Will the consumer become responsible for updating firewalls, virus protection, etc.? If a vehicle is hacked and it is discovered that the owner had not brought the car in for service to have a software update performed, should the owner share the liability? Right now, these questions are being asked in the abstract. Sooner than we think, the answers will have real-world impact.
One issue raised by the Markey report but not included in Stanley’s class action is that of privacy. Vehicles record copious amounts of data, such as vehicle performance and geographic location. As drivers increasingly use their vehicles as an extension of their mobile devices, the proliferation of data stored in or transmitted through the computer systems will no doubt prove tempting to hackers. Indeed, it seems plausible that, in the future, a hacker might be more likely to attempt to steal your identity through your car’s computer than to try to disable your brakes or steering.
Interestingly, the Markey report expresses more concern with automakers’ use of vehicle data than with hackers. Given Washington’s interest in demonizing manufacturers since the General Motors ignition switch debacle, this is not surprising. Yet, it seems to paint only half the picture—the less concerning, though no doubt more politically convenient, half. Yes, automakers do record and store vehicle data, and may share some of that data with third parties. But Google and Facebook do the same thing, on a mind-boggling scale. To the extent vehicles record and store personal information, should Washington be protecting drivers from the automakers or from hackers? The hacking risk may be speculative at this point, while automakers’ collection of data is actually happening, yet the potential harm from hacking would likely be greater than any harm caused by automakers doing what all the major technology companies do.
In this brave new world of speculative but plausible threats, the best approach may be to stay calm and carry on and not let the premature panic or political pontificating obscure the fact that these issues are real and they do need to be addressed. But vehicles are not, and are not likely to become, mobile time bombs. Anyone interested in improving vehicle safety should start with the American public’s lack of driving skills. We have done an awfully good job of endangering ourselves on the roads already, with or without hackers.
Source: http://ift.tt/1x0E2AG
from hacker samurai http://ift.tt/1GXhEYT
via IFTTT