News Bits

NewsBits, IEEE Cipher E136, E136.Jan-2017

  • What Did the Russians Do to the US Presidential Election?
    Obama orders review of Russian election-related hacking
    By Tal Kopan, Kevin Liptak and Jim Sciutto
    Fri December 9, 2016

    Questions about the effect of cyberhacking by the Russians during the US presidential campaign have dogged the aftermath of Donald Trump's electoral college victory. In December, President Obama ordered a review of what the intelligence community knew about the activity. This has resulted in a great deal of discussion about motivations and results.

  • One-Two Punch, Yahoo Account Hacks Move from .5 Million to 1 Billion
    Yahoo Says 1 Billion User Accounts Were Hacked
    The New York Times
    By Vindu Goel and Nicole Perlroth
    December 14, 2016

    As if the disclosure of a half million accounts hacked in 2012 were not sufficiently disturbing, Yahoo up the numbers considerably when it revealed that in 2013 one billion accounts were throroughly hacked. The result was disclosure of all information associated with the accounts: name, telephone number, password, etc. According to their chief information officer, the hackers stole source code that enabled them to forge web cookies. With that, they were able to get unfettered access to the accounts.

  • Fake Ad Views Divert Revenue to Hackers
    Russian Cyberforgers Steal Millions a Day With Fake Sites
    The New York Times
    Dec. 20, 2016
    by Vindu Goeldec

    When you view an online video ad, money changes hands. The owner of website that delivered the content to you will be paid for attracting the click that leads to the delivery. The advertiser will be billed for that service. A Russian cyberforgery ring has managed to infiltrate and automate that market, and the result is that advertisers are paying up to $5M per day for views that are inititated not by humans but by software impersonations.

  • NIST Releases New Hash Modes Document

    NIST SP 800-185, "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash". The document is available at . Received public comments will be posted at

  • For Confirming Stuxnet, a General Will Be Sentenced
    US Seeks 2-year Prison Term for Former Vice Chair of Joint Chiefs of Staff in Leak Case
    The Washington Post
    Jan 10, 2017
    By Spencer S. Hsu

    General James Cartwright pled guilty to lying to investigators about his role in confirming US involvement in the Stuxnet malware that crippled Iran's nuclear enrichment program.

    Related story:
  • Two Saved by the Obama Bell
    Obama commutes sentence of Chelsea Manning, U.S. soldier convicted for leaking classified information
    The Washington Post
    Jan 17, 2017
    By Ellen Nakashima and Sari Horwitz

    General James Cartwright and Chelsea Manning had their sentences commuted by outgoing US President Obama. Manning had leaked a trove of classified information to Wikileaks and served 7 years of a 35-year sentence.

  • Could We Survive Without GPS?
    Op-Ed: GPS, The looming national security threat everyone keeps ignoring
    The Washington Post By Dana Goward
    President of the Resilient Navigation and Timing Foundation
    Jan 12, 2017

    The Global Positioning System has been deemed a "single point of failure for critical infrastructure" by the Department of Homeland Security. The location service depends on satellite signals that can be easily jammed, either deliberately or by physical obstructions, solar storms, and innocent but faulty TV antennae. Since 2004 there have been recommendations to defuse the single-point failure vulnerability with a backup system of some kind, but this has never been a priority for the US administration.

  • Cardiac Rootkits: The Hackable Heart
    FDA confirms that St. Jude's cardiac devices can be hacked
    CNN Tech
    Jan. 9, 2017
    by Selena Larson

    The FDA stepped into an argument that had been brewing since last August. The agency confirmed that an implantable cardiac device could be accessed by hackers. The potential damage includes shocks, incorrect heart pacing, and battery depletion. The developer of the device promised to "continue to actively address cybersecurity risks." The device is designed to allow remote monitoring, but apparently hackers could use the transmitter access to get control of the device. The implants have a "universal code" that allows access.

  • Whats That MITM?
    WhatsApp 'backdoor' turns out to be known design feature
    Naked Security
    by John E Dunn
    Jan 19, 2017

    The WhatsApp messaging system is based on a widely respected encryption protocol, Signal. However, as in all things security, it is the totality of the application that determines its security. WhatsApp simplified the Signal system when dealing with users who need to move their account to a new device. At issue is whether or not the servers could be tricked into going through the key change protocol without the user's knowledge. If so, a man-in-the-middle attack might be feasible. However, neither WhatsApp nor Signal developers think that the trick is possible; other layers of security prevent it.

  • Film Frolic Phutzed
    Cyberattack causes outages at Sundance Film Festival
    The Salt Lake Tribune
    By Mariah Noble
    First Published Jan 21 2017, Updated Jan 22 2017

    Proving that nothing beneath the attention of cyberattackers, hackers apparently targeted the online box office site for the Sundance Film Festival, a major event for independent films held annually in Utah. No screenings were affected and a team went to work to alleviate the damage from the attack.