Friday, September 11, 2015

Digital Bad Citizen? My insurance company won't let me drive a car once the passenger side airbags go off because the driver's airbag might not deploy if there was another accident. GM would have let me drive around with the possibility my brakes could be disabled. Digital Bad Citizen!
GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars
When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive: Chrysler issued a software fix before the research was even made public. The National Highway Traffic and Safety Administration launched an investigation. Within days Chrysler issued a 1.4 million vehicle recall.
But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions. That’s in part because the prior group of car hackers, researchers at the University of California at San Diego and the University of Washington, chose not to publicly name the make and model of the vehicle they tested, which has since been revealed to be General Motors’ 2009 Chevy Impala. They also discreetly shared their exploit code only with GM itself rather than publish it.
The result, WIRED has learned, is that GM took nearly five years to fully protect its vehicles from the hacking technique, which the researchers privately disclosed to the auto giant and to the National Highway Traffic Safety Administration in the spring of 2010. For nearly half a decade, millions of GM cars and trucks were vulnerable to that privately known attack, a remote exploit that targeted its OnStar dashboard computer and was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.

Another Ashley Madison oops!
Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked
When the Ashley Madison hackers leaked close to 100 gigabytes' worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them.
Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes, although they cautioned they may fall short of that goal. The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

Yeah, there's an App for that. Unfortunately.
CoreBot Becomes Full-Fledged Banking Trojan
IBM reported in August that its researchers had come across CoreBot, a new piece of malware designed to steal data from infected devices. Initially, the threat only had limited capabilities, but IBM now says CoreBot has become a full-fledged banking Trojan.
The first CoreBot samples analyzed by IBM were designed to steal locally stored sensitive information, but they lacked the capability to intercept and steal data in real time. However, experts noted at the time that the malware used a modular plugin system that allowed its developers to easily add new capabilities.
The latest samples analyzed by researchers include new features such as browser hooking, real-time form grabbing, a virtual network computing (VNC) module for remote control, man-in-the-middle (MitM) functionality for session takeovers, a custom web injection mechanism, and on-the-fly web injections.
While CoreBot seems to have evolved from a basic data stealer to a full-fledged financial malware overnight, IBM believes its authors were until recently undergoing a long process of developing and testing the new capabilities.
The new CoreBot monitors browsing sessions to see if one of 55 targeted URLs is visited by the victim. These URLs are associated with the websites of 33 financial institutions from the United States (62%), Canada (32%) and the United Kingdom (6%).

For my Computer Security and Ethical Hacking students. Easy to program and it will even work if the hacker has taken no steps to obfuscate their location and implemented no counter-hacking techniques.
Hayley Tsukayama reports on a nifty-sounding hack-back program. Whether it’s legal or not is unclear:
Have you ever gotten an e-mail from a service warning that someone is trying to hack into your account and wondered: Who is doing this to me?
A password manager called LogMeOnce now gives you the option to take a picture of whoever is trying to access the accounts that you’ve registered with its service. It does this by hacking the hacker’s camera, whether that is attached to a computer or mobile device, and secretly taking a photo.
Read more on Washington Post.
[From the article:
The feature, which is called Mugshot and launched Tuesday, also provides you with information on where your attacker is located and the hacker’s IP address -- the unique set of numbers that identify each computer on a network. And it offers the option to grab a photo from the rear-facing camera of a mobile device, so you can get a look at the hacker's surroundings.

How do I surveil thee?
Let me count the ways...
How the Government Surveils Cell Phones: A Primer
… If law enforcement wants to surveil your cell phone, they have two ways to do it. They can do it through a phone company; or they can do it directly, using a device like a Stingray.

Surprise? Or am I missing something?
California governor vetoes bill banning drones over private property
Legislation that would have restricted drone pilots in California has been struck down by governor Jerry Brown. The bill, spearheaded by state senator Hannah-Beth Jackson, would have banned quadcopters from flying below 350 feet around private properties -- at least, not without the permission of the building's owner, anyway. It passed both the state Assembly and state Senate in August, prompting opposition from GoPro and advocacy groups with ties to Amazon and Google. Brown has now dismissed the bill, however, because of its potential to "expose the occasional hobbyist and FAA-approved commercial user to burdensome litigation." He admitted the bill was "well-intentioned," but stressed that all parties need to discuss the issue further "before we go down that path." Jackson, meanwhile, has gracefully accepted defeat, meaning Senate Bill 142 is shelved for now.

Promises, Promises. Is the right to remedy too big a hurdle? Would law enforcement be the target?
Access writes:
Negotiators from the United States and the European Union recently reached a preliminary deal on the so-called Umbrella Agreement, a transatlantic deal that sets standards for protecting personal data when it is transferred for law enforcement purposes. However, one key hurdle remains before the agreement will get sign off: the U.S. must grant a right to remedy for E.U. citizens who suffer privacy violations (a right that already exists in the E.U. for U.S. citizens in similar circumstances). It remains to be seen whether the U.S. will follow through on providing that protection, and whether it will be meaningful enough to meet E.U. standards.
Read more on Access.

Somehow I don't think the Chinese leadership is too worried.
These Four Charts Show How Obama's Leverage Over Xi Is Increasing
The tables are starting to turn.
For years after the global financial crisis, China's steady growth kept the world economy churning while the U.S. and other advanced nations slumped. Now, after China's summer of financial turmoil and increasing signs of a slowdown, President Xi Jinping's economic hand is weaker heading into his state visit to Washington later this month. Here are four charts that tell the story.

Are we heading toward “Free Delivery” for everything purchased online?
EBay Set to Offer Shipping Club, Starting in Germany
Fresh from its split with PayPal, eBay Inc. is addressing one of its longstanding challenges: shipping.
The e-commerce giant on Tuesday is set to introduce a speedy shipping membership in Germany it is calling eBay Plus. The 19.90 euro ($22) membership promises free delivery within two days on many items, as well as free returns within 30 days of a purchase.

For my iPhone toting students.
Hands on: Paper by FiftyThree comes to your pocket with iPhone support
We’ve been big fans of FiftyThree’s Paper for a while. It may not be the most feature-packed drawing app out there, but it’s well designed and easy to use, making it an ideal choice for jotting down quick sketches and diagrams.

Statistically speaking...
2015 NFL Preview: Peyton’s Broncos Headline The AFC West For At Least One More Season
Denver Broncos
2014 Record: 12-4 | 2015 Projected Wins: 9.9 | Playoff Odds: 73.0%
Offensive Rank: 4th | Defensive Rank: 13th | Special Teams Rank: 6th

(Related) We need a fantasy football club. er... This is for my Statistics students.
NFL Elo Ratings Are Back!
A good deal of FiveThirtyEight’s NFL coverage last season used Elo ratings, a simple system that estimates each team’s skill level using only the final scores and locations of each game. For 2015, we’re not only bringing Elo back (with a few small tweaks — more on those in a moment), but we’ve also built a continually updating Elo NFL predictions page that allows you to see the latest rankings, plus win probabilities and point spreads for the current week of NFL games.

Apparently “doing” is what I'm doing wrong.

No comments: