Picture yourself hacking back in a hack attack


A password manager called LogMeOnce now gives you the option of taking a picture of the hacker trying to access accounts that you’ve registered with its service. It does this by hacking the hacker’s camera, whether it’s attached to a computer or mobile device, and secretly taking a photo. The feature, called Mugshot, also provides you with information on where your attacker is located, and what his or her IP address is. And it offers the option to grab a photo from the rear-facing camera of a mobile device, so you can get a look at the hacker’s surroundings. CEO Kevin Shahbazi calls it a digital burglar alarm. Source: The Washington Post

Health implications are frightening

Students at the University of South Alabama used wireless medical devices in iStan, a wireless patient simulator, to hack a pacemaker. “The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient,” said Mike Jacobs, professor and the director of the human simulation program at the university. “We could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.” While killing a simulated human via hacking is less dramatic than wirelessly murdering a real human via a keyboard, researchers said it can be done by “a student with basic information technology and computer science background.” The medical mannequin attackers had no penetration testing skills, but successfully launched brute force and denial of service attacks as well as attacks on security controls. “If medical training environments are breached, the long-term ripple effect on the medical profession potentially impacts thousands of lives due to incorrect analysis of life-threatening critical data by medical personnel,” researchers said. Source: Computer World

Over the border, out of reach? Maybe not

A U.S. appeals court on Wednesday will consider whether U.S. law enforcement can make American technology companies hand over customers’ emails held overseas, in a case closely watched by privacy advocates and business groups. Microsoft is challenging a U.S. search warrant seeking the emails of an individual stored on a server in Ireland as part of a drug investigation. The case is the first in which a U.S. corporation has fought a warrant seeking data held abroad. Last year, a federal judge said Microsoft must turn over the information. U.S. District Judge Loretta Preska said the issue was whether the company controlled access to the emails, rather than the location where they’re housed. In recent years, tech companies have begun building servers in foreign countries to speed up service for overseas customers. In friend-of-the-court briefs, companies such as Verizon and Cisco warned their business could be harmed if users fear their private data is subject to seizure by U.S. investigators regardless of where they live. Source: Reuters via Yahoo

This little light of mine, I’m gonna let it drive

The laser apparatus used by most self-driving cars can be hacked with a laser pointer that costs just $60. Most prototype self-driving cars use a kind of laser technology similar to radar to detect and evade objects in front of them, such as pedestrians or other vehicles. Jonathan Petit, a research fellow at the University College of Cork, Ireland, has discovered how to use a low-power laser and a pulse generator to trick an autonomous car into thinking it is surrounded by obstacles, thereby either forcing it to slow down or immobilizing it altogether. “I can take echoes of a fake car and put them at any location I want. And I can do the same with a pedestrian or a wall,” Petit said. “I can spoof thousands of objects and basically carry out a denial of service attack on the tracking system so it’s not able to track real objects.” Source: The Hill

Apple, Justice Department face off

The fight between law enforcement and tech companies about encryption and privacy is getting nastier. The Justice Department obtained a court order for real-time messages between suspects using iPhones to communicate, but Apple didn’t comply. Government officials had warned that this type of standoff was inevitable as technology companies such as Apple and Google embraced tougher encryption. The case, coming after several others in which similar requests were rebuffed, prompted some senior Justice Department and FBI officials to advocate taking Apple to court, several current and former law enforcement officials said. In some cases, Apple can’t comply even if it hires a team of law-enforcement superfans: Encryption on phones and tablets running Apple’s newer (iOS 8) software means that the company can’t access password-protected data, whether or not there’s a search warrant. Source: Gizmodo

Parents, opt out of that innocuous-sounding ‘directory’

Schools are allowed by federal law to share or sell “directory information” about their students with anyone—including data brokers and marketing companies—unless they have a parental opt-out form on file. That could subject parents and, in some cases even young students, to a torrent of advertising. “Directory information may sound innocuous, but it can include sensitive information about each student that is quite detailed,” said Pam Dixon, executive director of the World Privacy Forum. “After the school releases this data, it is considered to be public information and you’ve lost control of it.” Under the Family Educational Rights and Privacy Act, a student’s directory information includes home address, email address, telephone number, date and place of birth, height and weight, the clubs or sports teams they’ve joined—even a photograph. “A photo of a child, along with their email and home address, is a recipe for disaster in the wrong hands,” Dixon says. Source: NBC News

Google privacy settlement opposed, appealed

Google should not have been allowed to settle a privacy class-action lawsuit by agreeing to donate money to organizations it already supports, activist Theodore Frank argues in papers filed with a federal appellate court. Frank, founder of the Washington-based Center for Class Action Fairness, is urging the 9th U.S. Circuit Court of Appeals to vacate the $8.5 million settlement. The deal resolved a 2010 lawsuit alleging that Google “leaked” the names of search engine users to outside companies. The settlement requires Google to pay around $6 million to six nonprofits—Carnegie Mellon University, World Privacy Forum, Chicago-Kent College of Law, Stanford Law, Harvard’s Berkman Center and the AARP Foundation—and more than $2 million to the attorneys who brought the lawsuit. Frank argues that none of the money went to search engine users who were affected by Google’s practice. The court ruled last year that individual payouts weren’t necessary, given that more than 100 million people might have been affected by the alleged data leaks. Google declined to comment on Frank’s argument. Source: Media Post

Still just a bill, waiting on Capitol Hill

The Cybersecurity Information Sharing Act is coming up in the Senate’s crowded September calendar, though its outlook is still questionable. October action might still be an option, if lawmakers can work through amendments. There are 22 on the agenda, which could consume valuable floor time that Republican leaders might rather spend elsewhere, Pro Cybersecurity’s Tim Starks reports. An organization of nearly 50 business groups, the Protecting America’s Cyber Networks Coalition, has offered its support for the manager’s amendment, and New America’s Robyn Greene has supplied a pro/con list about amendments from the perspective of privacy advocacy groups. Source: Politico

Size doesn’t matter with chip-and-pin switch

The deadline for merchants to install credit card readers for chip-and-pin cards is Oct. 1, less than a month away. Many big box merchants already have made the shift; however, many small businesses haven’t. A study from SoftwareAdvice.com reported that 26 percent of small business retailers are not ready for the deadline, while 7 percent don’t even know about it. This same study found that 34 percent say they don’t have the time to research and implement it, while 33 percent say it’s too expensive to adopt, and 23 percent say it’s unnecessary. But small businesses need to be aware that they may be held responsible for in-store fraud if they have not adopted the necessary chip technology. Banks also will be held responsible if they have not made the adjustment. Mark Ranta, Senior Solution Consultant for Retail Banking, ACI, says, “the consequences could be potentially devastating” for small businesses that don’t make necessary changes. Once the liability shift occurs, if the proprietor accepts a fraudulent charge via swipe, they will be held liable for that charge if the terminal is not EMV compliant. The shift moves the liability from the issuing bank to the merchant. Source: Forbes