IEEE Cipher --- Items from security-related news (E140)
Summary:
Bitcoin, phishing, and AlphaBay: Theodore Price's story has all the elements
for a good tech detective thriller. The Pennsylvania man is headed to
trial, but will his confession to stealing Bitcoin wallets stand up in court?
Initially investigated for stealing a few laptops and some jewelry, Price upped
the ante by confessing to buying software on AlphaBay that used a phishing
attack to replace his victims' Bitcoin wallets with his own wallet, one of
small value. Can you prove Bitcoin theft in court? We'll see.
Summary:
It used to be that time was money, but now data is money. Any data.
iRobot, the maker of the Roomba robotic vacuum, sees the device as
enabling an ecosystem of smart home IoT components. The Roomba
could, they say, create a detailed map of a home while going about its
business of sucking up floor-level debris. The information would be
provided to IoT home device manufacturers. Privacy advocates feel
this is a dirty trick. Jim Killock, executive director of the Open
Rights Group, called it "creepy" [Ed. in both senses, we presume].
Summary:
The economy of scale can lead to a lack of diversity in electronic
devices, and this hit home when a basic wifi vulnerability was
revealed at Black Hat. Broadcom supplies the wifi chips that are used in
iPhones, Samsung Galaxies, and Google Nexus devices, and unless those
users upgrade to the July releases of their OS and security fixes, not
only are they vulnerable to remote exploits, they can also become a
vector for compromising any other device within wifi range. The
exploit can launch itself against any device with the Broadcom chip,
and it needs no other access point --- no compromised app, no evil
router, etc. Just the chip, please.
Summary:
A journalist and a data scientist walked into a data broker and
ordered the browsing history of 3 million German users. The data
tender gave them 3 billion entries. The journalist and the data
scientist unraveled the "anonymized" entries and exposed embarrassing
information. That exploit was presented at DefCon. The two person
team said that most of the information came from a browser plug-in
called "Web of Trust".
Perhaps "Web of Trust" should have been named "We Will Embarrass You". Its business model depends on users giving up their browsing history in exchange for a website rating service. The provider makes money by selling the browsing histories to third parties, like the ones that sold German user data to the journalist and data scientist. This is actually old news: "'Web Of Trust' Browser Add-On Caught Selling Users' Data - Uninstall It Now" in The Hacker News from November 7, 2016.
Summary:
Security researcher Jon Hendren of Upguard devotes one day a week to a
sort of treasure hunt. Instead of taking a metal detector for a walk
on the beach, he looks for leaky buckets, particularly for
misconfigured settings on Amazon Web Services storage containers. He
hit a small jackpot when he found personal information for 1.8 million
Illinois voters. The Election Systems & Software company said they
had stored backup copies of voter information with AWS. Hendren notified
the company and the leak was patched. If anyone else accessed the data,
forensic experts hope to find them. Hendren says that the misconfiguration
is all too common.
Jim Allen, a spokesman for the Chicago Board of Elections, said the leak did not contain or affect anyone's voting ballots, which are handled by a different vendor. [Ed. And does the Chicago Board of Elections intend to check compliance by that vendor?]
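The misconfiguration Hendren hunts for is usually a storage bucket whose policy or ACL grants access to everyone. The following is an added example, not code from the Cipher digest or from Upguard, of an offline checker that reads an S3-style bucket policy and ACL and reports grants to anonymous or all-authenticated users. The sample policy, ACL, account id, bucket name and role name are constructed for illustration; the group URIs are the ones AWS uses for its AllUsers and AuthenticatedUsers groups.

```python
"""Flag public-exposure settings in an S3 bucket policy and ACL (added example)."""
import json

# Group URIs AWS uses for "anyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def _is_wildcard_principal(principal):
    """True if a policy statement's Principal grants to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_findings(policy):
    """Return Allow statements whose Principal is a wildcard.

    A statement with a Condition block (e.g. aws:SourceIp) is still reported,
    but marked 'conditional' because the condition may narrow the wildcard.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({"sid": st.get("Sid", "<no Sid>"),
                         "actions": sorted(actions),
                         "conditional": bool(st.get("Condition"))})
    return findings


def public_acl_grants(acl):
    """Return (group_name, permission) pairs granted to the public groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            out.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def is_bucket_public(policy, acl):
    """Public if any unconditional wildcard Allow or any public ACL grant exists."""
    unconditional = [f for f in public_policy_findings(policy) if not f["conditional"]]
    return bool(unconditional) or bool(public_acl_grants(acl))


# Constructed sample: a backup bucket whose policy lets anyone list and read it.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-voter-backups",
                  "arn:aws:s3:::example-voter-backups/*"]},
    {"Sid": "OpsRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-voter-backups/*"}
  ]
}
""")

# Constructed sample ACL: owner has full control, and AllUsers may READ.
SAMPLE_ACL = {
    "Owner": {"ID": "ownercanonicalid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Hardened versions: only the ops role in the policy, only the owner in the ACL.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [SAMPLE_POLICY["Statement"][1]]}
HARDENED_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": [SAMPLE_ACL["Grants"][0]]}

if __name__ == "__main__":
    for name, pol, acl in (("sample", SAMPLE_POLICY, SAMPLE_ACL),
                           ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(name, "public:", is_bucket_public(pol, acl))
        for f in public_policy_findings(pol):
            print("  policy:", f)
        for g in public_acl_grants(acl):
            print("  acl:", g)
```

Run against the live policy and ACL documents fetched with the AWS CLI (get-bucket-policy and get-bucket-acl), the same two functions give a quick per-bucket verdict; conditional wildcard statements still deserve a human look, which is why they are reported rather than silently accepted.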
Summary:
The US military is organized into several structures, including 4 "departments", and nine "combatant commands". A tenth command has been added by elevating Cyber Command from its position within NSA. However, it will still be led by the director of the NSA for at least the next year while the process of nominating and confirming a replacement runs its course. Defense Secretary Jim Mattis will choose the nominee.
Cyber Command is described as the Pentagon's offensive cyber-force, yet its new importance is said to "bolster US defenses".
Summary:
This is a good article about the wider problems of hacking election
software. It is not just the ballot casting and tabulating that is at
risk, but the infrastructure around registering and verifying voters
is also a "juicy" target for hackers. Some people suspect that
electronic pollbooks were hacked in the 2016 presidential elections;
others feel that a few operational problems are par for the course.
Was there hacking? Can we protect our systems before the next
election? It is a question of national importance, but it is up to
each state to find a solution.
Summary:
The security firm Symantec warns that a hacker group called "Dragonfly"
may have gathered a significant capability to infiltrate and disrupt
energy grids in the US, Turkey, and Switzerland.
Summary:
The personal identifying data for 143 million Americans was exposed by
the consumer reporting service Equifax. This was no theoretical,
unexploited vulnerability. Forensic evidence showed that the
information was accessed from mid-May to July. The company discovered
the activity on July 29. This was an identity thief's dream, and
it is not known how the 143 million consumers might have been or will
be affected.
Summary:
The vulnerability that disclosed consumers' personal identifying data from
the Equifax website was in Apache Struts, a framework for building websites.
Apache found the problem in March, produced a patch, and provided information
on how to remedy the situation. Equifax's failure to protect their data
seems to indicate a lax attitude about security in general.
Summary:
The Apache Foundation issued a statement about the flaw in their product,
Struts, that led to the Equifax data disclosure. Although the flaw
had been present for nine years, Apache did not know about it until March
of this year. At that point, they fixed the problem and issued a patch.
Summary:
The Apache Struts security flaw was identified by "a cybersecurity arm
of the US Department of Homeland Security". Equifax has said that they
were aware of this in March and tried to patch their vulnerable systems.
They apparently overlooked their "online dispute portal", and months
later they discovered that 143 million consumers had had their personal
information accessed by operators unknown.
Summary:
The US General Services Administration removed Kaspersky Lab from its
list of approved vendors. Although Kaspersky produces an effective
anti-virus product, there are suspicions about the Moscow-based vendor
and its possible collusion with the Russian government. Nonetheless,
many state, county, and municipal governments continue to use the
product, leaving questions about the security of their services, now
and in the future.
Summary:
The acting director of the US Department of Homeland Security, Elaine Duke,
has ordered the removal of Kaspersky software from federal civilian
agency computers within 90 days. The US military does not use Kaspersky.
Although the security firm denies any ties to the Russian government,
the founder has ties to Russian military intelligence in his background.
The DHS order does not apply to state and local governments, and many of these entities use Kaspersky and have said they will continue to do so.