Story

Gang has cunning way of hiding itself by using multiple names Suspected hackers based in India have compromised thousands of computers, going about their business as far back as 2013.…

Kepler Communications has raised $5 million in seed funding to create a network of small, easily replaced satellites to create a real-time network through with internet of things (IoT) devices can communicate, essentially building a cellular network in space through which machinery and equipment can talk to one another and to its handlers. “You can think of it as a cell phone tower… Read More

Kashmir Hill is asking an interesting question over at Fusion: in the wake of Democratic National Committee email hacking, will political leaders start scaling back their war on encryption?

Privacy rights organization Privacy International has filed another legal challenge to the UK government’s use of bulk hacking against foreigners. The filing, with the European Court of Human Rights, follows Privacy International’s attempt earlier this year to challenge the use of bulk hacking against foreigners via the local oversight court for the UK’s intelligence… Read More

Auch Privacy International und andere Organisationen haben jetzt in Straßburg Beschwerde eingelegt gegen die Internet- und Computerspionage des britischen Geheimdiensts GCHQ. In London waren sie zunächst nicht erfolgreich.

Uber-nerd Tarah Wheeler aims to build bridges DEF CON Hardcore hackers and the corporate security industry have never really got on that well. Symantec is looking to change that after hiring Tarah Wheeler to act as its cybersecurity czar.…

Brit overseers not interested, so groups ask ECHR instead Having failed in its bid to block GCHQ's hacking activities at the UK's Investigatory Powers Tribunal, advocacy group Privacy International says it will now take its fight with the UK government to the European Court of Human Rights.…

Various degrees of hand-wringing (and hasty resignations) have greeted the news that our old Cold War foe -- the Russkies -- were behind the hacking of the Democratic National Committee's computers. (And the eventual embarrassment of those caught on unofficial record jumping on the Hillary Clinton bandwagon well before it became clear Bernie Sanders wasn't going to land the nomination.)Certainly, Vladimir Putin gives absolutely no indication that he cares at all what the rest of the world thinks of him, much less the United States. And if the US government feels the Russian government can't be trusted, a) it's probably right and b) Putin will remain unperturbed. There are indications this was done to assist Trump in his presidential run, but I imagine it makes little difference to those handing down hacking orders -- just as long as it embarrassed US government officials and political leaders.But if there's a high road to be had, the US government can't really claim it. As James Bamford explains in his commentary piece for Reuters, US spy agencies haven't exactly stayed out of world affairs, including local elections.

Malware Learnings Make Hideous Detriment People of Kazakhstan Black Hat The Electronic Frontier Foundation (EFF) has accused the Kazakhstan Government of sending malware-laced phishing emails to two investigative journalists in the country, along with activists, and family members to help spy, locate and extradite targets.…

Published at LXer: In a talk at the Embedded Linux Conference, Mike Anderson, CTO of The PTR Group, explored the unique security challenges that face Linux-based IoT devices. Read More......

During what was likely the first presidential campaign fundraiser held at the Black Hat security conference in Las Vegas, campaigners made their case for Hillary Clinton as the cyber candidate.Last night, Jeff Moss, the founder of Black Hat, and Jake Braun, a former Obama campaign staffer and security consultant to the Department of Homeland Security, pitched Clinton to the security pros… Read More

Published at LXer: myDevices announced Arduino support for its web- and mobile-based, Raspberry Pi compatible “Cayenne” drag-and-drop IoT development and management platform. Cayenne, with which...

Mr. Robot is a show built on hacks. The mother of all hacks serves as the big cliffhanger at the end of the show's first season, and nearly every plot development leading up to it was nudged along by some kind of exploit. It’s rare to get through an episode without at least one digital intrusion, often drawn from real life. Each week, we'll be running through Mr. Robot's C Y B E R activities — who got hacked, why, and how much magic would be required to make them actually work.* * * S P O I L E R S F O L L O W * * * Continue reading…

The EFF has put a lot of thought into how we should deal with the issue of government hacking and how it impacts digital security, and so we're reposting Andrew Crocker's excellent article here.In our society, the rule of law sets limits on what government can and cannot do, no matter how important its goals. To give a simple example, even when chasing a fleeing murder suspect, the police have a duty not to endanger bystanders. The government should pay the same care to our safety in pursuing threats online, but right now we don't have clear, enforceable rules for government activities like hacking and "digital sabotage." And this is no abstract question—these actions increasingly endanger everyone's security.The problem became especially clear this year during the San Bernardino case, involving the FBI's demand that Apple rewrite its iOS operating system to defeat security features on a locked iPhone. Ultimately the FBI exploited an existing vulnerability in iOS and accessed the contents of the phone with the help of an "outside party." Then, with no public process or discussion of the tradeoffs involved, the government refused to tell Apple about the flaw. Despite the obvious fact that the security of the computers and networks we all use is both collective and interwoven—other iPhones used by millions of innocent people presumably have the same vulnerability—the government chose to withhold information Apple could have used to improve the security of its phones.Other examples include intelligence activities like Stuxnet and Bullrun, and law enforcement investigations like the FBI's mass use of malware against Tor users engaged in criminal behavior. These activities are often disproportionate to stopping legitimate threats, resulting in unpatched software for millions of innocent users, overbroad surveillance, and other collateral effects.That's why we're working on a positive agenda to confront governmental threats to digital security. Put more directly, we're calling on lawyers, advocates, technologists, and the public to demand a public discussion of whether, when, and how governments can be empowered to break into our computers, phones, and other devices; sabotage and subvert basic security protocols; and stockpile and exploit software flaws and vulnerabilities.Smart people in academia and elsewhere have been thinking and writing about these issues for years. But it's time to take the next step and make clear, public rules that carry the force of law to ensure that the government weighs the tradeoffs and reaches the right decisions.This long post outlines some of the things that can be done. It frames the issue, then describes some of the key areas where EFF is already pursuing this agenda—in particular formalizing the rules for disclosing vulnerabilities and setting out narrow limits for the use of government malware. Finally it lays out where we think the debate should go from here.Recognizing That Government Intrusion and Subversion of Digital Security Is a Single IssueThe first step is to understand a wide range of government activities as part of one larger threat to security. We see the U.S. government attempt to justify and compartmentalize its efforts with terms like "lawful hacking" and "computer network attack." It is easy for the government to argue that the FBI's attempts to subvert the security of Apple iOS in the San Bernardino case are entirely unrelated to the NSA's apparent sabotage of the Dual_EC_DRBG algorithm. Likewise, the intelligence community's development of the Stuxnet worm to target the Iranian nuclear program was governed by a set of rules entirely separate from the FBI's use of malware to target criminals using Tor hidden services.These activities are carried out by different agencies with different missions. But viewing them as separate—or allowing government to present it that way—misses the forest for the trees. When a government takes a step to create, acquire, stockpile or exploit weaknesses in digital security, it risks making us all less safe by failing to bolster that security.Each of these techniques should involve consideration of the tradeoffs involved, and none of them should be viewed as risk-free to the public. They require oversight and clear rules for usage, including consideration of the safety of innocent users of affected technologies.There is hope, albeit indirectly. In the United States, high-ranking government officials have acknowledged that "cyber threats" are the highest priority, and that we should be strengthening our digital security rather weakening it to facilitate government access. In some cases, this is apparently reflected in government policy. For instance, in explaining the government's policy on software vulnerabilities, the cybersecurity coordinator for the White House and the Office of the Director of National Intelligence have both stated in blog posts that the there is a "strong presumption" in favor of disclosing these vulnerabilities to the public so they can be fixed.But the government shouldn't engage in "policy by blog post." Government action that actively sabotages or even collaterally undermines digital security is too important to be left open to executive whim.Finding Models for Transparency and Limits on When Government Can Harm Digital SecurityWhile government hacking and other activities that have security implications for the rest of us are not new, they are usually secret. We should demand more transparency and real, enforceable rules.Fortunately, this isn't the first time that new techniques have required balancing public safety along with other values. Traditional surveillance law gives us models to draw from. The Supreme Court's 1967 decision in Berger v. New Yorkis alandmark recognition that electronic wiretapping presents a significant danger to civil liberties. The Court held that because wiretapping is both invasive and surreptitious, the Fourth Amendment required "precise and discriminate" limits on its use.Congress added considerable structure to the Berger Court's pronouncements with the Wiretap Act, first passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968. First, Title III places a high bar for applications to engage in wiretapping, so that it is more of an exception than a rule, to be used only in serious cases. Second, it imposes strict limits on using the fruits of surveillance, and third, it requires that the public be informed on a yearly basis about the number and type of government wiretaps.Other statutes concerned with classified information also find ways of informing the public while maintaining basic secrecy. For example, the USA Freedom Act, passed in 2015 to reform the intelligence community, requires that significant decisions of the FISA Court either be published in redacted form or be summarized in enough detail to be understood by the public.These principles provide a roadmap that can be used to prevent government from unnecessarily undermining our digital security. Here are a few areas where EFF is working to craft these new rules:Item 1: Rules for When Government Stockpiles VulnerabilitiesIt's no secret that governments look for vulnerabilities in computers and software that they can exploit for a range of intelligence and surveillance purposes. The Stuxnet worm, which was notable for causing physical or "kinetic" damage to its targets, relied on several previously unknown vulnerabilities, or "zero days," in Windows. Similarly, the FBI relied on a third party's knowledge of a vulnerability in iOS to access the contents of the iPhone in the San Bernardino case.News reports suggest that many governments—including the U.S.—collect these vulnerabilities for future use. The problem is that if a vulnerability has been discovered, it is likely that other actors will also find out about it, meaning the same vulnerability may be exploited by malicious third parties, ranging from nation-state adversaries to simple thieves. This is only exacerbated by the practice of selling vulnerabilities to multiple buyers, sometimes even multiple agencies within a single government.Thanks to a FOIA suit by EFF, we have seen the U.S. government's internal policy on how to decide whether to retain or disclose a zero day, the Vulnerabilities Equities Process (VEP). Unfortunately, the VEP is not a model of clarity, setting out a bureaucratic process without any substantive guidelines in favor of disclosure, More concerning, we've seen no evidence of how the VEP actually functions. As a result, we have no confidence that the government discloses vulnerabilities as often as claimed. The lack of transparency fuels an ongoing divide between technologists and the government.A report published in June by two ex-government officials—relying heavily on the document from EFF's lawsuit—offers a number of helpful recommendations for improving the government's credibility and fueling transparency.These proposals serve as an excellent starting point for legislation that would create a Vulnerabilities Equities Process with the force of law, formalizing and enforcing a presumption in favor of disclosure. VEP legislation should also:

ConnectedYard is the kind of company that could only have been cooked up at a backyard barbecue in Silicon Valley

Withdrawal limits mysteriously evaporated as someone lifted the loot One of the world's most popular Bitcoin exchanges Bitfinex has been torn apart with hackers making off with around US$65 million (£49 million, A$87 million) in the cryptocurrency.…

This Thursday, seven teams of researchers will face off in a live hacking challenge at Defcon, competing for a grand prize of $2 million. It’s a common sight at the conference, but this challenge comes with a twist — instead of human teams, Thursday’s challenge will be entirely automated, with experimental software programs hacking, patching, and defending networks with no human intervention.It’s the end of a three-year project by DARPA, the experimental military research group that brought us stealth motorcycles, high-speed self-piloting drones, and the internet. This particular contest is one of DARPA’s Grand Challenges, which have tasked researchers with building robots that can navigate obstacle courses and cars that can drive... Continue reading…

As the Internet of Things evolves into the Internet of Everything and expands its reach into virtually every domain, high-speed data processing, analytics and shorter response times are becoming more necessary than ever. Meeting these requirements is somewhat problematic through the current centralized, cloud-based model powering IoT systems, but can be made possible through fog computing. Read More

Speaking today in Ohio, Donald Trump moved from questioning the integrity of primary elections to questioning the integrity of the upcoming general election, which is not the most shocking thing he's done, but perhaps one of the most dangerous. "I'm afraid the election is going to be rigged," Trump said. Forget conspiracy theories about rigged voting machines and stolen elections — what Trump just said is the real danger.Trump has alarmed people of all political stripes for his ignorant and careless comments, so his latest throwaway remark is not surprising — but it is remarkably threatening nonetheless. US elections aren't plagued by fraud, but they are plagued by routine attempts by state and local governments to blockade minority... Continue reading…

After sparking a 1.4 million vehicle Chrysler recall, the security researchers offer a new lesson: It could have been---and could still be---much worse. The post The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse appeared first on WIRED.

Controlling human nerve cells with electricity could treat a range of disease including type-2 diabetes, a new company says.

The FBI is already having problems here at home with the hacking tool it deployed during its dark web child porn investigation. A few judges have ruled that the warrant used to deploy the Network Investigative Technique (NIT) was invalid because the FBI's "search" of computers around the United States violated Rule 41(b)'s jurisdictional limits.Now, we'll get to see how this stacks up against international law. It's already common knowledge that the FBI obtained user information from computers around the world during its two weeks operating as the site administrator for the seized Playpen server. More information is now coming to light, thanks (inadvertently) to a foreign government's inquiries into domestic anti-child porn efforts. Joseph Cox of Motherboard has the details:

Comments

Published at LXer: Well, it's about time. People are finally realizing how easy it would be to hack an election - assuming it hasn't happened already. Read More......

We've been writing about the lack of security (and accountability) in electronic voting machines almost since Techdirt began. Our very first post on the subject, way back in 2000, declared that e-voting is not safe. Of course, over the years, we've seen more and more examples of this, from the Diebold debacle to Sequoia's security disaster. Basically e-voting is a complete clusterfuck. The machines have long been easily hackable, and the companies behind them don't really seem to care much. They frequently don't do common security practices, such as allowing for outside testing of their machines (or, even better, open sourcing their code for security testing). Instead, it's a big "trust us" and any time security researchers have gotten their hands on these things, they've discovered that the trust is totally and completely misplaced. The machines are a disaster.

The contest next week will be a true test of how well software can protect software. If the bots succeed, they could transform the way cybersecurity works. The post Security Bots Will Battle in Vegas for Darpa's Hacking Crown appeared first on WIRED.

Donald Trump held a news conference in Miami in which he called on Russia to find Hillary Clinton's missing emails. So what does the former US ambassador to Russia think of Trump's comments?

Published at LXer: RTL has published a tutorial about creating a secure IoT platform based on its free “SharkSSL-lite” software, plus ARM mbed-enabled SBCs and a low cost VPS. Real Time Logic...

The new PC game "Quadrilateral Cowboy" is a love letter to '80s cyberpunk and collaborative creation. The post Hacking Game Quadrilateral Cowboy Is a Bit Messy, But You Won’t Forget It appeared first on WIRED.

Published at LXer: The ArchStrike developers have announced today that their Arch Linux-based operating system designed for ethical hackers now has official installation mediums as ISO images. ...

US officials want Love to face charges of hacking NASA, the FBI, and the US Army.

Bruce Schneier warns us that the Internet of Things security dumpster-fire isn't just bad laptop security for thermostats: rather, that "software control" (of an ever-widening pool of technologies); interconnections; and autonomy (systems designed to act without human intervention, often responding faster than humans possibly could) creates an urgency over security questions that presents an urgent threat the like of which we've never seen. (more…)

Comments

In Silicon Valley the term “hacker” has evolved to connote high praise for someone particularly creative, ingenious and adept at finding clever new ways to accomplish a difficult task. And it’s with that framework in mind, rather than some of the other meanings that “hack” has represented over time, that I suggested during my recent TEDx talk that Pope Francis and… Read More

I’ve ranted before about lacking security on Internet of Things devices. General consumers are often left to decipher the black box of security on their own or just resign themselves to having faith that companies make it a priority. The internet itself can be pretty insecure, too, which is why some people turn to Tor to help mask their identity. (Although Tor’s been attacked as well.) Now, a non-profit called Guardian Project is taking Tor’s technique for obscuring and encrypting users’ identities and applying it to smart home devices.Guardian Project took a Raspberry Pi and turned it into a smart hub that runs its new HomeAssistant software. The software acts like a Tor hidden service, which keeps server IP addresses hidden.... Continue reading…

Sentencing set for September Five men working at UK-based IT security reseller Quadsys confessed today to hacking into a rival's database.…

When he was seventeen, George “geohot” Hotz became the first person to jailbreak an iPhone, back when Apple really didn’t take too kindly to such things. Three years later, he moved his unlocking efforts over to the PlayStation 3. Again, Sony wasn’t feeling it. The young hacker has since joined forces with a number of high-profile tech corporations, first at… Read More

Published at LXer: Onion launched an [he]#8220[/he]Omega2[he]#8221[/he] module on Kickstarter, featuring a faster CPU, options for double the RAM and flash, and lower pricing than last...

Published at LXer: In this interesting ELC video, Grant Likely, a Linux kernel engineer and maintainer of the Linux Device Tree, describes his journey into embedded hardware. Sometimes the best...

UK watchdog barks at careless consumers Lessons have not been learned from an incident where a Russian website provided links to access baby monitor cameras, according to the UK’s data protection watchdog.…

HOUSTON (AP) A federal judge sentenced the former scouting director of the St. Louis Cardinals to nearly four years in prison Monday for hacking the Houston Astros' player personnel database and email system in an unusual case of high-tech cheating involving two Major League Baseball clubs.

Comments