Security News This Week: US Admits It Uses Predictions, Not Data, to Blacklist Flyers

DefCon may be in the books, but the hacks keep coming. Here’s the news this week that we didn’t cover.

DefCon may be in the books, but the hacks keep coming. Make sure to keep an eye on your Corvette’s brakes, lest you find yourself at a dead stop on the road. It looks like even gas pumps aren’t safe from attackers. Oh, and that GM OnStar hack can also affect internet-connected vehicle services, including BMW’s Remote, Mercedes-Benz mbrace, Chrysler Uconnect, and the alarm system Viper’s Smartstart.

What else happened this week? Hillary Clinton agreed to hand over her private email server to the FBI, so maybe we’ll find out whether it contained classified information after all. Hackers were busted in an insider trading scheme. Oracle’s CSO had some not-so-kind words for security researchers in a (now-deleted) company blog post, but the company immediately started backpedaling. And that’s just the start of it!

Here’s the rest of the news that happened this week that we didn’t cover in WIRED. As always, click on the headlines to read the full story in each link posted. And be safe out there!

From the “how to restrict freedoms while not necessarily preventing much of anything” files: No-fly lists don’t actually rely on hard evidence of violent crimes, but rather on ‘predictive assessments,’ and the US Justice Department and FBI admitted as much in a court filing in May, Guardian journalist (and former WIRED Security writer) Spencer Ackerman reports. In fact, there’s no real evidence that the government’s guesswork (er, prediction model) about who might be a threat to aviation and national security has any scientific validity. There’s no research on how often it results in errors, either. One would hope that a history of violent crimes is what would lead to being on the blacklist, but previous reports indicate that things like social media postings, or even being Muslim and refusing to become an FBI informant, could be all it takes. And since the Obama administration is secretive about how predictions are made, people who wind up on the No Fly list for reasons unknown to them may have a hard time meaningfully challenging the government’s predictions of future misconduct. The ACLU first filed a legal challenge on behalf of people on the No Fly list back in June 2010, and argued against blacklisting based on “predictive assessment” in court on August 7th. The case is ongoing.

Volkswagen apparently spent two years trying to suppress this car hacking vulnerability in court: the cryptography and authentication protocol used in Megamos Crypto transponders can be targeted by attackers looking to get their paws on a fancy new Audi or Lamborghini. (Other models are affected as well—police warn that tech-savvy criminals can steal BMWs and Range Rovers within 60 seconds.) A paper describing the vulnerability, presented at the USENIX security conference this week, was originally disclosed to Volkswagen in May 2013, but VW filed a lawsuit to block the publication of the paper. Now, the research—except for one redacted sentence—is out to the public. The researchers listened to communications between the key and transponder and brute-forced the transponder’s 96-bit crypto system open. It took less than 30 minutes to run through fewer than 200,000 secret key options until the right one was found. The attack is advanced and requires some level of skill (and access to the key signal, according to VW), but it has no easy fix—the actual RFID chips in the keys and transponders in the cars must be replaced.

Nice Android app you’ve got there. It’d be a shame if anything were to happen to it. Unfortunately, a series of vulnerabilities revealed by security researchers at IBM and presented at USENIX show that attackers can exploit and take over Android apps, siphon information off of ‘em, and even replace them with decoy apps designed to steal sensitive information. After being contacted by researchers in late May, Google issued patches for the bugs, but the patch has yet to be pushed out by manufacturers and carriers. Time to update to the latest version of Android, if you haven’t already.

According to a top secret NSA briefing paper obtained by NBC News, spies in China have been accessing emails belonging to top Obama administration officials since at least April 2010. And according to an anonymous senior US intelligence official, not only were private emails of “all top national security and trade officials” targeted, but the intrusion is still ongoing. The government has come up with two fancy code names for the intrusion—“Dancing Panda” and “Legion Amethyst”—but, it seems, has yet to find a way to stop it. Although official government email addresses were not compromised, the Chinese spies did send malware to targeted officials’ social media contacts.

Twitter’s biannual transparency report showed that information requests have increased by 52 percent over the past six months, the largest increase between reporting periods thus far. Requests from the US government rose 50.2 percent, from 1,622 to 2,436. (That’s 56 percent of total requests Twitter received internationally. In contrast, Japan—the second largest requester—only made 425 requests.) There is one silver lining: Twitter typically notifies users of requests for account information prior to disclosure unless legally prohibited from doing so.

Looks like Lenovo really wants users of its laptops to use its software—so much so that the company is using a new Windows anti-theft feature to inject it—even if the computer operating system is cleanly installed from a DVD. The software is sneakily installed on both desktop and laptop computers. For desktop computers, it simply sends basic information to a Lenovo server just one time, but laptops are continually “optimized” in a way that’s unnecessary at best and not secure at worst. There’s a way to opt out by updating firmware and running a removal tool to get the files off of your disks, but it has to be executed manually.

Reza Moaiandin is the latest in a long line of people who have pointed out privacy issues with Facebook. The Leeds-based software engineer was able to take advantage of a default privacy setting allowing people to find Facebook users by their mobile number, even if the user’s number is posted but not displayed publicly on their Facebook profile. By guessing phone numbers using a simple algorithm, Moaiandin was able to harvest data—including names, locations, and images—for thousands of users. Facebook does have rate limits to prevent API abuse, which could mitigate some of the damage. Otherwise, switching your privacy settings to “friends only” under “who can find me?” can help stop your data from being harvested—though, of course, it’ll make you a bit harder to find.

It’s unclear how attackers have gained access to valid administrative credentials, but they’ve been using them to hijack critical networking gear from Cisco, replacing ROM Monitor firmware with maliciously altered firmware images. (The ROM Monitor, or ROMMON, is how Cisco’s IOS operating system is booted.) They’ll need either valid admin credentials or physical access to successfully complete the attack. (Incidentally, NSA files released with Glenn Greenwald’s book, No Place to Hide, and previously reported on in Ars Technica, include photographs of an NSA ‘upgrade’ factory where ‘load stations’ implanted beacons in Cisco hardware.)