Digital Bad Citizen? My insurance company won't
let me drive a car once the passenger side airbags go off because the
driver's airbag might not deploy if there was another accident. GM
would have let me drive around with the possibility my brakes could
be disabled. Digital Bad Citizen!
GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars
When a pair of security researchers showed they could hack a Jeep
over the Internet earlier this summer to hijack its brakes and
transmission, the impact was swift and explosive: Chrysler issued a
software fix before the research was even made public. The National
Highway Traffic Safety Administration launched an investigation.
Within days Chrysler issued a 1.4 million vehicle recall.
But when another group of researchers quietly
pulled off that same automotive magic trick five years earlier, their
work was answered with exactly none of those reactions. That’s in
part because the prior group of car hackers, researchers at the
University of California at San Diego and the University of
Washington, chose not to publicly name the make and model of the
vehicle they tested, which has since been revealed to be General
Motors’ 2009 Chevy Impala. They also discreetly shared their
exploit code only with GM itself rather than publish it.
The result, WIRED has learned, is that GM took
nearly five years to fully protect its vehicles from the hacking
technique, which the researchers privately disclosed to the auto
giant and to the National Highway Traffic Safety Administration in
the spring of 2010. For nearly half a decade, millions of GM cars
and trucks were vulnerable to that privately known attack, a remote
exploit that targeted its OnStar dashboard computer and was capable
of everything from tracking vehicles to engaging their brakes at high
speed to disabling brakes altogether.
Another Ashley Madison oops!
Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked
When the Ashley Madison hackers leaked close to
100 gigabytes' worth of sensitive documents belonging to the online
dating service for people cheating on their romantic partners, there
seemed to be one saving grace. User passwords were cryptographically
protected using bcrypt, an algorithm so slow and computationally
demanding it would literally
take centuries to crack all 36 million of them.
Now, a crew of hobbyist crackers has uncovered
programming errors that make more than 15 million of the Ashley
Madison account passcodes orders of magnitude faster to crack. The
blunders are so monumental that the researchers have already
deciphered more than 11 million of the passwords in the past 10 days.
In the next week, they hope to tackle most of the remaining 4
million improperly secured account passcodes, although they cautioned
they may fall short of that goal. The
breakthrough underscores how a single misstep can undermine an
otherwise flawless execution. Data that was designed to
require decades or at least years to crack was instead recovered in a
matter of a week or two.
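As an added illustration of the point above (not code from the Ars Technica piece or from the cracking crew), here is a small Python audit a defender could run over a credential export to catch two common ways a bcrypt deployment gets undermined: a cost factor set too low, and a fast unsalted hash of the same secret stored beside the bcrypt hash. The records, the cost floor and the hash shapes are constructed assumptions for illustration; the article does not say what Ashley Madison's specific errors were.

```python
import re

# Constructed sample rows for illustration: (account_id, bcrypt hash,
# optional auxiliary token). None of these values come from a real dump.
SAMPLE_RECORDS = [
    ("u1001", "$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUV012345678", None),
    ("u1002", "$2a$04$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy", None),
    ("u1003", "$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUV012345678",
     "0123456789abcdef0123456789abcdef"),
    ("u1004", "4a7d1ed414474e4033ac29ccb8653d9b", None),
]

# Modular-crypt bcrypt layout: $2a$/$2b$/$2y$, two-digit cost, 22-char salt
# and 31-char digest (53 chars of the bcrypt base64 alphabet).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# 32 or 40 lowercase hex chars: the shape of a bare MD5 or SHA-1 digest.
FAST_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")
MIN_COST = 10  # assumed policy floor for this illustration


def bcrypt_cost(value):
    """Return the bcrypt cost factor, or None if value is not a bcrypt hash."""
    m = BCRYPT_RE.match(value or "")
    return int(m.group(1)) if m else None


def audit(records, min_cost=MIN_COST):
    """Return (account, reason) findings for rows that weaken the bcrypt
    protection: non-bcrypt password fields, low cost factors, and any
    auxiliary token that looks like a fast unsalted hash."""
    findings = []
    for account, pw_hash, token in records:
        cost = bcrypt_cost(pw_hash)
        if cost is None:
            findings.append((account, "password field is not a bcrypt hash"))
        elif cost < min_cost:
            findings.append((account, f"bcrypt cost {cost} below floor {min_cost}"))
        if token and FAST_HASH_RE.match(token):
            findings.append((account, "auxiliary token looks like an unsalted fast hash"))
    return findings


if __name__ == "__main__":
    for account, reason in audit(SAMPLE_RECORDS):
        print(f"{account}: {reason}")
```

Each bcrypt cost step doubles the work per guess, so a cost of 4 instead of 12 makes every guess 256 times cheaper; a fast-hash token of the same secret removes the slow function from the attacker's path entirely.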
Yeah, there's an App for that. Unfortunately.
CoreBot Becomes Full-Fledged Banking Trojan
IBM reported in August that its researchers had come across CoreBot,
a new piece of malware designed to steal data from infected devices.
Initially, the threat only had limited capabilities, but IBM now says
CoreBot has become a full-fledged banking Trojan.
The first CoreBot samples analyzed by IBM were designed to steal
locally stored sensitive information, but they lacked the capability
to intercept and steal data in real time. However, experts noted at
the time that the malware used a modular plugin system that allowed
its developers to easily add new capabilities.
The latest samples analyzed by researchers include new features such
as browser hooking, real-time form grabbing, a virtual network
computing (VNC) module for remote control, man-in-the-middle (MitM)
functionality for session takeovers, a custom web injection
mechanism, and on-the-fly web injections.
While CoreBot seems to have evolved from a basic data stealer to a
full-fledged financial malware overnight, IBM believes its authors
were until recently undergoing a long process of developing and
testing the new capabilities.
The new CoreBot monitors browsing sessions to see if one of 55
targeted URLs is visited by the victim. These URLs are associated
with the websites of 33 financial institutions from the United States
(62%), Canada (32%) and the United Kingdom (6%).
For my Computer Security and Ethical Hacking
students. Easy to program and it will even work if the hacker has
taken no steps to obfuscate their location and implemented no
counter-hacking techniques.
Hayley Tsukayama reports on a nifty-sounding
hack-back program. Whether it’s legal or not is unclear:
Have you ever gotten an e-mail from a service warning that someone is trying to hack into your account and wondered: Who is doing this to me?
A password manager called LogMeOnce now gives you the option to take a picture of whoever is trying to access the accounts that you’ve registered with its service. It does this by hacking the hacker’s camera, whether that is attached to a computer or mobile device, and secretly taking a photo.
Read more on Washington Post.
[From the article:
The feature, which is called Mugshot and launched Tuesday, also
provides you with information on where your attacker is located and
the hacker’s IP address -- the unique set of numbers that identify
each computer on a network. And it offers the option to grab a photo
from the rear-facing camera of a mobile device, so you can get a look
at the hacker's surroundings.]
How do I surveil thee? Let me count the ways...
How the Government Surveils Cell Phones: A Primer
… If law enforcement wants to surveil your
cell phone, they have two ways to do it. They can do it through a
phone company; or they can do it directly, using a device like a
Stingray.
Surprise?
Or am I missing something?
California governor vetoes bill banning drones over private property
Legislation that would have restricted drone
pilots in California has been struck
down by governor Jerry Brown. The bill, spearheaded by state
senator Hannah-Beth Jackson, would have banned quadcopters from
flying
below 350 feet around private properties -- at least, not without
the permission of the building's owner, anyway. It passed both the
state
Assembly and state
Senate in August, prompting opposition from GoPro and advocacy
groups with ties to Amazon and Google. Brown has now dismissed the
bill, however, because of its potential to "expose the
occasional hobbyist and FAA-approved commercial user to burdensome
litigation." He admitted the bill was "well-intentioned,"
but stressed that all parties need to discuss the issue further
"before we go down that path." Jackson, meanwhile, has
gracefully
accepted defeat, meaning Senate Bill 142 is shelved for now.
Promises, Promises. Is the right to remedy too
big a hurdle? Would law enforcement be the target?
Access writes:
Negotiators from the United States and the European Union recently reached a preliminary deal on the so-called Umbrella Agreement, a transatlantic deal that sets standards for protecting personal data when it is transferred for law enforcement purposes. However, one key hurdle remains before the agreement will get sign off: the U.S. must grant a right to remedy for E.U. citizens who suffer privacy violations (a right that already exists in the E.U. for U.S. citizens in similar circumstances). It remains to be seen whether the U.S. will follow through on providing that protection, and whether it will be meaningful enough to meet E.U. standards.
Read more on Access.
Somehow I don't think the Chinese leadership is
too worried.
These Four Charts Show How Obama's Leverage Over Xi Is Increasing
The tables are starting to turn.
For years after the global financial crisis,
China's steady growth kept the world economy churning while the U.S.
and other advanced nations slumped. Now, after China's summer of
financial
turmoil and increasing signs of a slowdown, President Xi
Jinping's economic hand is weaker heading into his state visit to
Washington later this month. Here are four charts that tell the
story.
Are we heading toward “Free Delivery” for
everything purchased online?
EBay Set to Offer Shipping Club, Starting in Germany
Fresh from its split with PayPal, eBay Inc. is
addressing one of its longstanding challenges: shipping.
The e-commerce giant on Tuesday is set to
introduce a speedy shipping membership in Germany it is calling eBay
Plus. The 19.90 euro ($22) membership promises free delivery within
two days on many items, as well as free returns within 30 days of a
purchase.
For my iPhone-toting students.
Hands on: Paper by FiftyThree comes to your pocket with iPhone support
We’ve been
big fans of FiftyThree’s Paper
for a while. It may not be the most feature-packed
drawing app out there, but it’s well designed and easy to use,
making it an ideal choice for jotting down quick sketches and
diagrams.
Statistically speaking...
2015 NFL Preview: Peyton’s Broncos Headline The AFC West For At Least
One More Season
Denver Broncos
2014 Record: 12-4 | 2015 Projected Wins: 9.9 | Playoff Odds: 73.0%
Offensive Rank: 4th | Defensive Rank: 13th | Special Teams Rank: 6th
(Related) We need a
fantasy football club. er... This is for my Statistics students.
NFL Elo Ratings Are Back!
A good deal of FiveThirtyEight’s NFL coverage last season used Elo
ratings, a simple system that estimates each team’s skill level using
only the final scores and locations of each game. For 2015, we’re not
only bringing Elo back (with a few small tweaks — more on those in a
moment), but we’ve also built a continually updating Elo NFL
predictions page that allows you to see the latest rankings, plus win
probabilities and point spreads for the current week of NFL games.
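For the Statistics students, an added Python sketch of the Elo mechanics the paragraph describes (this is not FiveThirtyEight's code, and it does not reproduce their tweaks): ratings move after each game based only on the final score and which team was at home, and the rating gap yields a win probability and a point spread. The constants K, HOME_ADV and POINTS_PER_ELO, the log margin-of-victory multiplier and the sample games are assumptions for illustration.

```python
import math

# Assumed parameters (not FiveThirtyEight's published values): K scales each
# update, HOME_ADV is the Elo bonus for playing at home, POINTS_PER_ELO
# converts an Elo gap into a point spread.
K = 20
HOME_ADV = 65
POINTS_PER_ELO = 25


def win_probability(home_elo, away_elo, home_adv=HOME_ADV):
    """Standard Elo logistic: probability that the home team wins."""
    diff = home_elo + home_adv - away_elo
    return 1.0 / (1.0 + 10 ** (-diff / 400.0))


def point_spread(home_elo, away_elo, home_adv=HOME_ADV):
    """Expected margin; positive means the home team is favoured."""
    return (home_elo + home_adv - away_elo) / POINTS_PER_ELO


def update(home_elo, away_elo, home_score, away_score, k=K, home_adv=HOME_ADV):
    """Return new (home, away) ratings after one game. The change is
    zero-sum, scaled by K, by how surprising the result was, and by a
    log margin-of-victory multiplier (assumed form; ties count as margin 1)."""
    expected = win_probability(home_elo, away_elo, home_adv)
    if home_score > away_score:
        actual = 1.0
    elif home_score < away_score:
        actual = 0.0
    else:
        actual = 0.5
    margin = max(abs(home_score - away_score), 1)
    mov = math.log(margin + 1)
    delta = k * mov * (actual - expected)
    return home_elo + delta, away_elo - delta


def run_games(ratings, games):
    """Apply a list of (home, away, home_score, away_score) results in order
    and return the updated ratings dict; every team starts at its entry."""
    ratings = dict(ratings)
    for home, away, hs, as_ in games:
        ratings[home], ratings[away] = update(ratings[home], ratings[away], hs, as_)
    return ratings


# Constructed sample season fragment with made-up scores.
SAMPLE_GAMES = [("DEN", "KC", 24, 17), ("SD", "DEN", 20, 27), ("OAK", "KC", 10, 13)]
```

Running `run_games({"DEN": 1500, "KC": 1500, "SD": 1500, "OAK": 1500}, SAMPLE_GAMES)` leaves Denver highest after its two wins, and a home win by a favourite moves ratings less than the same win by an underdog.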
Apparently “doing” is what I'm doing wrong.