Picture yourself hacking back in a hack attack


A password manager called LogMeOnce now gives you the option of taking a picture of the hacker trying to access accounts that you’ve registered with its service. It does this by hacking the hacker’s camera, whether it’s attached to a computer or mobile device, and secretly taking a photo. The feature, called Mugshot, also provides you with information on where your attacker is located, and what his or her IP address is. And it offers the option to grab a photo from the rear-facing camera of a mobile device, so you can get a look at the hacker’s surroundings. CEO Kevin Shahbazi calls it a digital burglar alarm. Source: The Washington Post

Health implications are frightening

Students at the University of South Alabama used wireless medical devices in iStan, a wireless patient simulator, to hack a pacemaker. “The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient,” said Mike Jacobs, professor and the director of the human simulation program at the university. “We could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.” While killing a simulated human via hacking is less dramatic than wirelessly murdering a real human via a keyboard, researchers said it can be done by “a student with basic information technology and computer science background.” The medical mannequin attackers had no penetration testing skills, but successfully launched brute force and denial of service attacks as well as attacks on security controls. “If medical training environments are breached, the long-term ripple effect on the medical profession potentially impacts thousands of lives due to incorrect analysis of life-threatening critical data by medical personnel,” researchers said. Source: Computer World

Over the border, out of reach? Maybe not

A U.S. appeals court on Wednesday will consider whether U.S. law enforcement can make American technology companies hand over customers’ emails held overseas, in a case closely watched by privacy advocates and business groups. Microsoft is challenging a U.S. search warrant seeking the emails of an individual stored on a server in Ireland as part of a drug investigation. The case is the first in which a U.S. corporation has fought a warrant seeking data held abroad. Last year, a federal judge said Microsoft must turn over the information. U.S. District Judge Loretta Preska said the issue was whether the company controlled access to the emails, rather than the location where they’re housed. In recent years, tech companies have begun building servers in foreign countries to speed up service for overseas customers. In friend-of-the-court briefs, companies such as Verizon and Cisco warned their business could be harmed if users fear their private data is subject to seizure by U.S. investigators regardless of where they live. Source: Reuters via Yahoo

This little light of mine, I’m gonna let it drive

The laser apparatus used by most self-driving cars can be hacked with a laser pointer that costs just $60. Most prototype self-driving cars use a kind of laser technology similar to radar to detect and evade objects in front of them, such as pedestrians or other vehicles. Jonathan Petit, a research fellow at the University College of Cork, Ireland, has discovered how to use a low-power laser and a pulse generator to trick an autonomous car into thinking it is surrounded by obstacles, thereby either forcing it to slow down or immobilizing it altogether. “I can take echoes of a fake car and put them at any location I want. And I can do the same with a pedestrian or a wall,” Petit said. “I can spoof thousands of objects and basically carry out a denial of service attack on the tracking system so it’s not able to track real objects.” Source: The Hill

Apple, Justice Department face off

The fight between law enforcement and tech companies about encryption and privacy is getting nastier. The Justice Department obtained a court order for real-time messages between suspects using iPhones to communicate, but Apple didn’t comply. Government officials had warned that this type of standoff was inevitable as technology companies such as Apple and Google embraced tougher encryption. The case, coming after several others in which similar requests were rebuffed, prompted some senior Justice Department and FBI officials to advocate taking Apple to court, several current and former law enforcement officials said. In some cases, Apple can’t comply even if it hires a team of law-enforcement superfans: Encryption on phones and tablets running Apple’s newer (iOS 8) software means that the company can’t access password-protected data, whether or not there’s a search warrant. Source: Gizmodo

Parents, opt out of that innocuous-sounding ‘directory’

Schools are allowed by federal law to share or sell “directory information” about their students with anyone—including data brokers and marketing companies—unless they have a parental opt-out form on file. That could subject parents and, in some cases, even young students to a torrent of advertising. “Directory information may sound innocuous, but it can include sensitive information about each student that is quite detailed,” said Pam Dixon, executive director of the World Privacy Forum. “After the school releases this data, it is considered to be public information and you’ve lost control of it.” Under the Family Educational Rights and Privacy Act, a student’s directory information includes home address, email address, telephone number, date and place of birth, height and weight, the clubs or sports teams they’ve joined—even a photograph. “A photo of a child, along with their email and home address, is a recipe for disaster in the wrong hands,” Dixon says. Source: NBC News

Google privacy settlement opposed, appealed

Google should not have been allowed to settle a privacy class-action lawsuit by agreeing to donate money to organizations it already supports, activist Theodore Frank argues in papers filed with a federal appellate court. Frank, founder of the Washington-based Center for Class Action Fairness, is urging the 9th U.S. Circuit Court of Appeals to vacate the $8.5 million settlement. The deal resolved a 2010 lawsuit alleging that Google “leaked” the names of search engine users to outside companies. The settlement requires Google to pay around $6 million to six nonprofits—Carnegie Mellon University, World Privacy Forum, Chicago-Kent College of Law, Stanford Law, Harvard’s Berkman Center and the AARP Foundation—and more than $2 million to the attorneys who brought the lawsuit. Frank argues that none of the money went to search engine users who were affected by Google’s practice. The court ruled last year that individual payouts weren’t necessary, given that more than 100 million people might have been affected by the alleged data leaks. Google declined to comment on Frank’s argument. Source: Media Post

Still just a bill, waiting on Capitol Hill

The Cybersecurity Information Sharing Act is coming up in the Senate’s crowded September calendar, though its outlook is still questionable. October action might still be an option, if lawmakers can work through amendments. There are 22 on the agenda, which could consume valuable floor time that Republican leaders might rather spend elsewhere, Pro Cybersecurity’s Tim Starks reports. An organization of nearly 50 business groups, the Protecting America’s Cyber Networks Coalition, has offered its support for the manager’s amendment, and New America’s Robyn Greene has supplied a pro/con list about amendments from the perspective of privacy advocacy groups. Source: Politico

Size doesn’t matter with chip-and-pin switch

The deadline for merchants to install credit card readers for chip-and-pin cards is Oct. 1, less than a month away. Many big box merchants already have made the shift; however, many small businesses haven’t. A study from SoftwareAdvice.com reported that 26 percent of small business retailers are not ready for the deadline, while 7 percent don’t even know about it. This same study found that 34 percent say they don’t have the time to research and implement it, while 33 percent say it’s too expensive to adopt, and 23 percent say it’s unnecessary. But small businesses need to be aware that they may be held responsible for in-store fraud if they have not adopted the necessary chip technology. Banks also will be held responsible if they have not made the adjustment. Mark Ranta, Senior Solution Consultant for Retail Banking, ACI, says, “the consequences could be potentially devastating” for small businesses that don’t make necessary changes. Once the liability shift occurs, if the proprietor accepts a fraudulent charge via swipe, they will be held liable for that charge if the terminal is not EMV compliant. The shift moves the liability from the issuing bank to the merchant. Source: Forbes