That hack could literally kill you some day


A potentially fatal hack of a smart device, a change in tactics for ransomware attacks, and more destructive hacktivist attacks will be in the mix in 2016, according to cybersecurity predictions from Trend Micro. One prediction: the rise and hacking of smart, connected devices could cause someone's death. The team did not single out a hack as the most likely cause of such a fatality, but suggested that with millions of such devices in the public domain, it is a matter of time before a cyber attack takes a life. "As more drones encroach on public air space for various missions, more devices are used for health care-related services, and more home and business appliances rely on an Internet connection to operate, the more likely we will see an incident involving a device malfunction, a hack, or a misuse that will trigger conversation on creating regulations on device production and usage," the report stated. Increased cases of online extortion through ransomware also are expected. Trend Micro sees attackers getting better at personalizing such attacks with social engineering tricks, making it more likely that a person or business will pay up rather than risk having their personal information released. Source: SC Magazine

Infrastructure at cyber risk, president says

The United States isn't spending enough to defend its power grid from cyber attacks, President Obama warned Thursday as he declared November Critical Infrastructure Security and Resilience Month. Lagging investments in power grids and energy systems, especially, have been increasingly singled out as a looming danger. The inattention has left these networks exposed to potentially catastrophic cyber attacks that could cause massive blackouts and leave people without basic services or resources. National Security Agency Director Adm. Michael Rogers told lawmakers last fall that China and "one or two" other countries are capable of such a digital assault. Researchers suspect Iran also is in that camp. Source: The Hill

British Gas hack causes gut cramps

The details of some British Gas customers have appeared online, the third such problem to affect a major U.K. company in a week. The firm says its systems are secure, after sending an email to customers informing them of the incident. It also said it was confident the data leak had not come from within the company. Details will be sent to the Information Commissioner's Office following the leak, it said. The email addresses and account passwords for around 2,200 customers appeared online. The email from British Gas claimed the information had not come from the company, and said no payment data would have been at risk. Earlier this week, Marks & Spencer and TalkTalk experienced cyber security issues. Source: Metro

White-hat hackers to demo oil and gas attacks

Hackers can exploit weaknesses in enterprise resource planning (ERP) systems on oil and gas firms' corporate networks to sabotage pipeline pressure or hide oil spills, researchers have discovered. At Black Hat Europe next month in Amsterdam, they'll demonstrate these and other attacks on oil and gas networks by abusing holes in SAP ERP applications used in the industrial sector. Oil and gas industrial networks rely on ERP software to help manage and oversee the production and delivery processes. "We want to show that not only Stuxnet-type attacks using USB are possible," says Alexander Polyakov, founder of ERPScan. Polyakov, with Mathieu Geli, a researcher with ERPScan, will demonstrate several proof-of-concept attacks at Black Hat. An attacker could hack the systems remotely over the Internet, he says, or from the oil and gas firm's corporate network. Source: Dark Reading

OPM letters going out, at last

The Office of Personnel Management has mailed out 3.7 million notification letters to cyber-breach victims in the month since the agency announced it would begin notifying those affected by the hack. The agency expects to mail an additional 700,000 letters by the end of the month, with a total of 10 million letters mailed by mid-November. The letters include information about free identity theft protection and credit monitoring services. About 162,000 people have enrolled for the services as of Oct. 26. More than 21 million people were affected by the data breach, which jeopardized personal data including birth dates and Social Security numbers. About 25 percent of those victims also had their fingerprint records stolen. Source: Federal News Radio

Put your info where your mouth is

More than 30 privacy and civil liberties organizations are challenging Director of National Intelligence James Clapper to uphold the promise he made to increase transparency in the intelligence community. Specifically, they are asking Clapper to provide more information about how many Americans are "incidentally" spied on in the course of foreign intelligence gathering under Section 702 of the Foreign Intelligence Surveillance Act. "Disclosing this information is necessary, we believe, to enable informed public debate in advance of any legislative reauthorization efforts in 2017," said the letter from the Brennan Center for Justice, the Electronic Frontier Foundation, the Government Accountability Project, and more than two dozen other organizations. Clapper announced a new 16-page plan to share more information, and said he would be hosting a live Tumblr chat about it in the coming weeks. Section 702, the NSA claims, authorizes two massive communications surveillance programs: PRISM and Upstream. As long as communications are reasonably believed to belong to foreigners and are swept up in the pursuit of foreign intelligence, the NSA says they're fair game. PRISM sucks up hundreds of millions of Internet communications of foreign intelligence "targets" directly from providers' databases: Facebook messages, emails, Skype calls. But it also sweeps up communications of people who talk to those targets, and some unrelated communications, the "incidental" collection, which includes American citizens. Source: The Intercept

Lesson one: Technology comes at a cost

As schools continue the push to integrate technology into the classroom through the use of iPads and laptops, with some districts also giving students their own personal devices to bring home, legal advocates are raising concerns about how much privacy students have online during and after school hours. A report released by the American Civil Liberties Union of Massachusetts looked into 35 cities and towns and found that while technology has become increasingly intertwined with education, laws regulating student privacy rights have not been able to keep up. Students in some school districts are told they shouldn't have any expectations of privacy at all, according to the report, an attitude that has been called "authoritarian" by Kade Crockford, director of the ACLU of Massachusetts' Technology for Liberty Program. "Schools are where young people learn what to expect from society," Crockford said. "So to teach them that they have no right to privacy is a very dangerous message. You could even say it's an authoritarian message." No officials from local school districts could be reached for comment. Source: The Milford (Mass.) Daily News

From the tool box

Many consumers who keep personal information on their phones might be looking for a way to protect it. LEO Privacy Guard is a security app that allows users to lock apps and hide messages and contacts. Users set a password that only they know, and that password is required to make changes within the app itself. If you forget your password, there is a security question to answer so you can still regain access. The main feature is App Lock, which lets you protect whichever apps you want behind the same password you set at the beginning. Putting an app behind a password is fairly simple: you tap on App Lock, select the apps you wish to protect, and you're done. Source: Android Guys

That’s my DNA you’re talking about

Sharing genomic information among researchers is critical to the advance of biomedical research. Yet genomic data contains identifiable information and, in the wrong hands, poses a risk to individual privacy. If someone had access to your genome sequence, they could check to see if you appear in a database of people with certain medical conditions, such as heart disease, lung cancer or autism. Work by a pair of researchers at the Stanford University School of Medicine makes that genomic data more secure. Suyash Shringarpure and Carlos Bustamante have demonstrated a technique for hacking a network of global genomic databases and how to prevent it. They are working with investigators from the Global Alliance for Genomics and Health to implement preventive measures. Source: Stanford University

He feels the need for speed

The Pentagon does not yet move fast enough to deal with the speed at which cyber warfare moves, the department's chief information officer said. "I think the big difference in cyber that we're having to react to is it moves faster than any other warfare," Terry Halvorsen said. "That's a challenge. The things we do today in cyber probably won't be the same things we do tomorrow. It's accelerated change, and we're generally not good at accelerated change." Halvorsen says his office is trying to fix that, doing everything from teaching employees basic security measures to partnering with the technology industry. Some of the basics include identifying phishing websites, instituting two-step authentication and making sure servers are behind a firewall or other boundary. Halvorsen created a "scorecard" to measure how well people do in these areas so the Pentagon can quantify cyber readiness the same way it does other areas. Source: The Hill