IEEE Cipher --- Items from security-related news (E140)

  • BitCoins diverted? Or not
    Pennsylvania police, hunting for stolen laptops, say they stumbled on $40 million bitcoin scam
    The Washington Post
    By Kyle Swenson
    Jul 24, 2017

    Bitcoin, phishing, and AlphaBay: Theodore Price's story has all the elements for a good tech detective thriller. The Pennsylvania man is headed to trial, but will his confession to stealing Bitcoin wallets stand up in court? Initially investigated for stealing a few laptops and some jewelry, Price upped the ante by confessing to buying software on AlphaBay that used a phishing attack to replace his victims' Bitcoin wallets with his wallet, one of small value. Can you prove Bitcoin theft in court? We'll see.

  • Roomba the Spy
    Roomba maker may share maps of users' homes with Google, Amazon or Apple
    Technology | The Guardian
    By Alex Hern
    Jul 25, 2017

    It used to be that time was money, but now data is money. Any data. iRobot, the maker of the Roomba robotic vacuum, sees the device as enabling an ecosystem of smart home IoT components. The Roomba could, they say, create a detailed map of a home while going about its business of sucking up floor-level debris. The information would be provided to IoT home device manufacturers. Privacy advocates feel this is a dirty trick. Jim Killock, executive director of the Open Rights Group, called it "creepy" [Ed. in both senses, we presume].

  • Wifi worst case scenario
    Bug in top smartphones could lead to unstoppable malware, researcher says
    Technology | The Guardian
    By Alex Hern
    Jul 28, 2017

    The economy of scale can lead to a lack of diversity in electronic devices, and this hit home when a basic wifi vulnerability was revealed at Black Hat. Broadcom supplies the wifi chips that are used in iPhones, Samsung Galaxies, and Google Nexus devices, and unless those users upgrade to the July releases of their OS and security fixes, not only are they vulnerable to remote exploits, they can also become a vector for compromising any other device within wifi range. The exploit can launch itself against any device with the Broadcom chip, and it needs no other access point --- no compromised app, no evil router, etc. Just the chip, please.

  • Browser Extension for "Trust" Enables Privacy Breaches
    'Anonymous' browsing data can be easily exposed, researchers reveal
    Technology | The Guardian
    By Alex Hern
    Aug 1, 2017

    A journalist and a data scientist walked into a data broker and ordered the browsing history of 3 million German users. The data tender gave them 3 billion entries. The journalist and the data scientist unraveled the "anonymized" entries and exposed embarrassing information. That exploit was presented at DefCon. The two-person team said that most of the information came from a browser plug-in called "Web of Trust".

    Perhaps "Web of Trust" should have been named "We Will Embarrass You". Its business model depends on users giving up their browsing history in exchange for a website rating service. The provider makes money by selling the browsing histories to third parties, like the ones that sold German user data to the journalist and data scientist. This is actually old news: "'Web Of Trust' Browser Add-On Caught Selling Users' Data - Uninstall It Now" appeared in the Hacker News on November 7, 2016.

  • Voter Data and Amazon's Leaky Buckets
    1.8 million Chicago voter records exposed online
    CNN Money
    By Selena Larson
    Aug. 17, 2017

    Security researcher Jon Hendren of UpGuard devotes one day a week to a sort of treasure hunt. Instead of taking a metal detector for a walk on the beach, he looks for leaky buckets, particularly for misconfigured settings on Amazon Web Services storage containers. He hit a small jackpot when he found personal information for 1.8 million Illinois voters. The Election Systems & Software company said they had stored backup copies of voter information with AWS. Hendren notified the company and the leak was patched. If anyone else accessed the data, forensic experts hope to find them. Hendren says that the misconfiguration is all too common.

    Jim Allen, a spokesman for the Chicago Board of Elections, said the leak did not contain or affect anyone's voting ballots, which are handled by a different vendor. [Ed. And does the Chicago Board of Elections intend to check compliance by that vendor?]

  • Cyber Command moves up
    President Trump announces move to elevate Cyber Command
    The Washington Post
    By Thomas Gibbons-Neff and Ellen Nakashima
    Aug 18, 2017

    The US military is organized into several structures, including 4 "departments" and nine "combatant commands". A tenth command has been added by elevating Cyber Command from its position within NSA. However, it will still be led by the director of the NSA for at least the next year while the process of nominating and confirming a replacement runs its course. Defense Secretary Jim Mattis will choose the nominee.

    Cyber Command is described as the Pentagon's offensive cyber-force, yet its new importance is said to "bolster US defenses".

  • Elections and the Software They Rely On
    Software Glitch or Russian Hackers? Election Problems Draw Little Scrutiny
    The New York Times
    By Nicole Perlroth, Michael Wines and Matthew Rosenberg
    Sep 1, 2017

    This is a good article about the wider problems of hacking election software. It is not just the ballot casting and tabulating that is at risk; the infrastructure around registering and verifying voters is also a "juicy" target for hackers. Some people suspect that electronic pollbooks were hacked in the 2016 presidential elections; others feel that a few operational problems are par for the course. Was there hacking? Can we protect our systems before the next election? It is a question of national importance, but it is up to each state to find a solution.

  • Power to the hackers
    Hackers attacking US and European energy firms could sabotage power grids
    Technology | The Guardian
    By Alex Hern
    Sep 6, 2017

    The security firm Symantec warns that a hacker group called "Dragonfly" may have gathered a significant capability to infiltrate and disrupt energy grids in the US, Turkey, and Switzerland.

  • Yawn, YA Data Breach
    Equifax Says Cyberattack May Have Affected 143 Million Customers
    The New York Times
    By Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth and Ron Lieber
    Sep 7, 2017
    Summary:
    The personal identifying data for 143 million Americans was exposed by the consumer reporting service Equifax. This was no theoretical, unexploited vulnerability. Forensic evidence showed that the information was accessed from mid-May to July. The company discovered the activity on July 29. This was an identity thief's dream, and it is not known how the 143 million consumers might have been or will be affected.

    Equifax Officially Has No Excuse
    By Lily Hay Newman
    Sep 14, 2017

    The vulnerability that disclosed consumers' personal identifying data from the Equifax website was in Apache Struts, a framework for building websites. Apache found the problem in March, produced a patch, and provided information on how to remedy the situation. Equifax's failure to protect their data seems to indicate a lax attitude about security in general.

    Apache Struts Statement on Equifax Security Breach
    The Apache Software Foundation
    September 9, 2017

    The Apache Foundation issued a statement about the flaw in their product, Struts, that led to the Equifax data disclosure. Although the flaw had been present for nine years, Apache did not know about it until March of this year. At that point, they fixed the problem and issued a patch.

    How the Equifax data breach happened: What we know now
    by Jackie Wattles and Selena Larson
    September 16, 2017

    The Apache Struts security flaw was identified by "a cybersecurity arm of the US Department of Homeland Security". Equifax has said that they were aware of this in March and tried to patch their vulnerable systems. They apparently overlooked their "online dispute portal", and months later they discovered that 143 million consumers had had their personal information accessed by operators unknown.

  • Kaspersky too spooky for govmt use?
    Local governments keep using this software — but it might be a back door for Russia
    The Washington Post
    By Jack Gillum and Aaron C. Davis
    Jul 24, 2017

    The US General Services Administration removed Kaspersky Lab from its list of approved vendors. Although Kaspersky produces an effective anti-virus product, there are suspicions about the Moscow-based vendor and its possible collusion with the Russian government. Nonetheless, many state, county, and municipal governments continue to use the product, leaving questions about the security of their services, now and in the future.

    DHS says "nyet Kaspersky"
    U.S. moves to ban use of Kaspersky software in federal agencies amid concerns of Russian espionage
    The Washington Post
    By Ellen Nakashima and Jack Gillum
    Sep 13, 2017

    The acting director of the US Department of Homeland Security, Elaine Duke, has ordered the removal of Kaspersky software from federal civilian agency computers within 90 days. The US military does not use Kaspersky. Although the security firm denies any ties to the Russian government, the founder has ties to Russian military intelligence in his background.

    The DHS order does not apply to state and local governments, and many of these entities use Kaspersky and have said they will continue to do so.