The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

TAG | hacking

The BBC has a report on Chinese imports to Russia of small appliances being found with Wi-Fi chips inside. These chips are set up to access open Wi-Fi and broadcast spam.

Obviously they could also be used to capture personal or financial information, and gain access to poorly secured networks.

·

Play

Welcome to Episode 10 of The Privacy Blog Podcast, brought to you by Anonymizer.

In July’s episode, I’ll be talking about the storage capacity of the NSA’s data center in Utah and whether the US really is the most surveilled country in the world. Next, I’ll explain why the new royal baby is trying to hack you and how your own phone’s SIM card could be putting your privacy at risk.

Lastly, I’ll discuss the current legal status of law enforcement geolocation, Yahoo!’s decision to reuse account names, and  some exciting Anonymizer Universal news.

As always, feel free to leave any questions in the comments section. Thanks for listening!

· · · · · · · ·

Play

Welcome to The Privacy Blog Podcast for May 2013.

In this month’s episode, I’ll discuss how shared hosting is increasingly becoming a target and platform for mass phishing attacks. Also, I’ll speak about the growing threat of Chinese hackers and some of the reasons behind the increase in online criminal activity.

Towards the end of the episode, we’ll address the hot topic of Google Glass and why there’s so much chatter regarding the privacy and security implications of this technology. In related Google news, I’ll provide my take on the recent announcement that Google is upgrading the security of their public keys and certificates.

Leave any comments or questions below. Thanks for listening!

· · · · · · ·

Thanks to the Financial Times for their article on this.

When we hear that a company has been hacked by China what is usually meant is that the company has been hacked from a computer with a Chinese IP address. The immediate implication is that it is Chinese government sponsored.

Of course, there are many ways in which the attacks might not be from anyone in China at all. Using proxies or compromised computers as relays, would allow the attacker to be anywhere in the world while appearing to be in China. The fact that there is so much hype about Chinese government hacking right now, makes China the perfect false flag for any attacker. It sends investigators down the wrong path immediately. However, there is growing evidence that many of the attacks are actually being perpetrated by independent Chinese civilian criminal hackers out to make a buck. They are intent on stealing and selling intellectual property. The huge supply, and under employment, of computer trained people in China may be to blame. They have the skills, the time, and a need for money.

The Chinese government has also been very lax about trying to track down these individuals and generally suppress this kind of activity. The hacking activity is certainly beneficial to the Chinese economy, as the IP is generally stolen from outside China and sold to give advantage to Chinese companies. That gives a kind of covert and subtle support to the hacking activity without any actual material help or direction.

So, it is not quite government sponsored, and it IS actually Chinese. The bottom line is that it is a real problem, and a threat that is actually harder to track down and prevent because it is so amorphous.

· ·

Another from the “if the data exists, it will get compromised” file.

This article from the Washington Post talks about an interesting case of counter surveillance hacking.

In 2010, Google disclosed that Chinese hackers breached Google’s servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.

Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.

I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.

Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.

· · · ·

It is often debated if, and how often, hackers are going after critical infrastructure like water plants, generators, and such.

MIT Technology Review reports on a security researcher Kyle Wilhoit’s exploration of this question. He set up two fake control systems and one real one (just not connected to an actual plant), which he then connected to the Internet.

Over the course of the one month experiment he detected 39 sophisticated attacks against his “honeypot” systems. The attackers did not just penetrate the systems, but also manipulated their settings, which would have had real world impacts had these been real systems.

One must assume that the same is happening to any real Internet accessible industrial control systems.

· ·

Play

Welcome to episode 7 of The Privacy Blog Podcast.

In April’s episode, we’ll be looking at the blacklisting of SSL certificate authorities by Mozilla Firefox – Specifically, what this complex issue means and why Mozilla chose to start doing this.

In more breaking online privacy news, I will be discussing the security implications of relying on social media following the hacking of the Associated Press Twitter account earlier this week.

Next, I’ll chat about the “right to be forgotten” on the Internet, which hinges on the struggle between online privacy and free speech rights. In a closely related topic and following Google’s release of the new “Inactive Account Manager,” I will discuss what happens to our social media presence and cloud data when we die. It’s a topic none of us likes to dwell on, but it’s worth taking the time to think about our digital afterlife.

· · · · · · · · · ·

Last week the Twitter account of the Associated Press was hacked, and a message posted saying that bombs had gone off in the white house, and the president was injured.

 

Obviously this was false. The Syrian Electronic army a pro regime hacker group has claimed responsibility, which does not prove that they did it.

There is talk about Twitter moving to two factor authentication to reduce similar hacking in the future. While this is all well and good, it will not eliminate the problem.

The bigger issue is that these poorly secured social media sites are used by people around the world as reliable sources of news.

Apparently much of the crash came from automated trading systems parsing the tweet, and generating immediate trades without any human intervention at all.

The DOW dropped 140 points in 5 minutes.

The creators of these trading algorithms feel that news from twitter is reliable enough to be the basis of equity trades without any confirmation, or time for reflection.

Certainly very large amounts of money were made and lost in that short period.

Why make the effort to hack into what we hope is a well defended nuclear power plant or other critical infrastructure, when you can get similar amounts of financial damage from subverting a nearly undefended twitter account.

Because individual twitter accounts are not considered critical infrastructure, they are hardly protected at all, and are not designed to be easy to protect.

Nevertheless we give it, and other social media, substantial power to influence us and our decisions, financial and otherwise.

Take for example the crowd sourced search for the Boston bombers on reddit. Despite the best of intentions, many false accusations were made that had major impact on the accused, and one can imagine scenarios which could have turned out much worse. What if the accused at committed suicide, been injured in a confrontation with authorities, or been the vicim of vigilante action? Now, what if there had been malicious players in that crowd intentionally subverting the process. Planting false information, introducing chaos and causing more damage.

 

This is an interesting problem. There are no technical or legislative solutions. It is a social problem with only social solutions. Those are often the hardest to address.

· · ·

The BBC has an article that powerfully reinforces what I have been saying for years about spear phishing. It is worth a read if just for the specific examples.

The short version is, if an attacker is going for you specifically, they can do enough research to craft an email and attachment that you are almost certain to open. The success rate against even very paranoid and sophisticated users is shockingly high.

In Bruce Schneier’s blog post about this he quotes Brian Snow, former NSA Information Assurance Director. “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

Sobering….

· ·

The latest Java exploit has given another view into the workings of the cybercrime economy. Although I should not be, I am always startled at just how open and robustly capitalistic the whole enterprise has become. The business is conducted more or less in the open.

Krebs on Security has a nice piece on an auction selling source code to the Java exploit. You can see that there is a high level of service provided, and some warnings about now to ensure that the exploit you paid for stays valuable.

· ·

<< Latest posts

Older posts >>