Items from security-related news (E126.May-2015)

US Will Sanction "Harmers" Outside Its Borders

Summary: The US now has a program to impose sanctions on individuals who are outside the country and harm it through cyberattacks. The "harms" are: attacking critical infrastructure such as a power grid; disrupting major computer networks; stealing intellectual property or trade secrets; or benefiting from the stolen secrets and property.

The Washington Post
By Ellen Nakashima
April 1, 2015
Full story: U.S. establishes sanctions program to combat cyberattacks, cyberspying
The executive order

Data Breach Laws: State vs. Federal

Summary: A proposed national standard for consumer protection after a data breach might result in weakening existing state provisions. Further, a transfer of enforcement responsibility from the Federal Communications Commission to the Federal Trade Commission might remove some communication companies from the protections.

The Washington Post
By Andrea Peterson
April 15, 2015
Full story: Why this national data breach notification bill has privacy advocates worried

New Targets

Summary: The security firm Symantec says that its incident response center has seen a shift from banks to health care systems as victims during 2014. The Privacy Rights Clearinghouse, however, says that universities are also becoming attractive targets for data breaches.

Associated Press
Apr 14, 2015
Full story: Hackers keep trying new targets in search of easy data

The Passenger Pilot

Summary: Modern aircraft rely on firewalls to separate the passenger wifi network from the flight operations network, but there may be vulnerabilities. There is a report of a bug that allows privileged access from the passenger network to satellite communications equipment, and there is also a claim of being able to issue flight control commands from the passenger compartment. [This makes the "PalmPilot" a rather prescient product].

Apr 15, 2015
Full story: GAO report warns hackers could bring down plane using passenger Wi-Fi

Fox News
Apr 17, 2015
Full story: Security expert pulled off flight by FBI after exposing airline tech vulnerabilities

Iran Moving Ahead on the Cyberattack Curve

Summary: A Norwegian cybersecurity firm says that the Las Vegas Sands casino had its gaming computers disabled by a cyberattack orchestrated by Iran. The incident may have been retaliation for remarks by the casino's owner.

New York Times
April 15, 2015
By David E. Sanger and Nicole Perlroth
Full story: Iran Is Raising Sophistication and Frequency of Cyberattacks, Study Says

Oracle Does Java Evil?

Summary: Oracle provides Java software that has installation options for third-party software. Unwary users lament the results of taking the default installation. The "" toolbar, for example, is reportedly very difficult to remove. This feature was reported for Windows in 2013, but as of this year it was added to the Java installation for the Apple MACOS.

Los Angeles Times
Apr 17, 2015
David Lazarus
Full story: can hijack your computer using Java updates

The Ed Bott Report
By Ed Bott
January 22, 2013
Full story: A close look at how Oracle installs deceptive software with Java updates

The Feds, Private Companies, Cyberthreats, and Privacy

Summary: Almost everyone wants to stop cyberattacks, and the federal government has for years sought access to information from private companies about how cyber criminals have attacked them. The feds may have their way if the House and Senate agree on a bill that "pushes" private companies to share data and receive liability protection if they have scrubbed the data to protect customer identities.
Apr 22, 2015
By Jennifer Steinhauer
Full story: Computer Attacks Spur Congress to Act on Cybersecurity Bill Years in the Making
Apr 22, 2015
By Jennifer Steinhauer
Full story: House Passes Cybersecurity Bill After Companies Fall Victim to Data Breaches

Watering Holes, ransomware, and the generally sad state of computer security

Summary: Symantec reports that 2014 was another banner year for malware. Overall, cyberattacks increased by 40%, according to their report center. This included 80% of all "large companies" in the US.

San Jose Mercury News
Pete Carey
April 23, 2015
Full story: Symantec: Hacker attacks up 40 percent in 2014

Poison Apple?

Summary: An Israeli company reports the ability to crash iOS devices by manipulating wifi network SSL certificates.

Bloomberg News
(reported in The Salt Lake Tribune)
Cornelius Rahn
April 23, 2015
Full story: Apple software bug lets hackers crash iPhones, researchers say

Your DHS Wants YOU!

Summary: At the annual RSA Conference, Homeland Security Secretary Jeh Johnson said the agency would be looking to recruit cybersecurity experts from Silicon Valley, even going so far as to open a local office.

The Washington Post
April 22, 2015
By Josh Hicks
Full story: Homeland Security is laying roots in Silicon Valley, and you might not like its reasons

Putin Checks Obama's Schedule

Summary: An investigation of an intrusion into the White House computer network last year has concluded that data and email on the unclassified network, including some of President Obama's, were accessed by Russian hackers. The article implies that the classified network was not involved in the breach.

The New York Times
By Michael S. Schmidt and David E. Sanger
April 25, 2015
Full story: Russian Hackers Read Obama's Unclassified Emails, Officials Say

Cyberthreat, cyberattack, cyberwar, a strategy

Summary: The editorial board of the New York Times concludes that a new report by the Pentagon about cybersecurity lays the groundwork for a policy about retaliation to cyberattacks. It contains conditions under which "if ordered by the president, the military could conduct operations to counter 'an imminent or ongoing attack against the U.S. homeland or U.S. interests in cyberspace.'" The editorial surmises that the Obama administration feels that the executive branch must take the lead because of Congressional inaction.

The New York Times
Editorial Board
April 28, 2015
Full story: Preparing for Warfare in Cyberspace

The end of "unfettered data collection"?

Summary: The Patriot Act gave the NSA the power to collect bulk information on phone calls. Congress is considering two bills, one to extend the act and another to curtail it.
By Beth Ethier
Apr 28, 2015
Full story: USA Freedom Act: Update to Patriot Act has bipartisan cosponsors, would end NSA bulk data collection

Congressman with CS degree calls FBI encryption plan "stupid"

Summary: Rep. Ted Lieu of California has a computer science degree from Stanford University. He thinks that encryption "back doors" are infeasible because they cannot be restricted to "good guys". The members of the House Government Oversight and Reform Committee's Information Technology subcommittee were "skeptical", but it is unclear if their opinions were founded on any understanding of cryptography.

The Washington Post
Apr 30, 2015
By Andrea Peterson
Full story: Congressman with computer science degree: Encryption back-doors are 'technologically stupid'

Now you can know, is B2 Multics secure?

Summary: Tom Van Vleck has caused the disinterment of a report on the landmark operating system, Multics.

Full story: The 1986 Final Evaluation Report for the B2 rating of Multics has been released by NSA and is available at

The next step, combining data breaches

Summary: Taxpayer information from an online IRS database was used to create false tax returns and claim refunds without the knowledge of the true account holders. This was possible because the hackers had previously obtained the taxpayers' personal identifying information from different data breaches. The combination of information defeated the authentication mechanisms used by the IRS. This has been done before on a small scale, but the technique now may be a potent weapon in fraud.

Full story: New York Times
By Patricia Cohen
May 27, 2015
I.R.S. Data Breach May Be Sign of More Personalized Schemes