Saturday, June 09, 2018

Still not an act of war. More like ‘industrial espionage.’
Chinese Government Hackers Steal Trove of U.S. Navy Data: Report
Chinese government hackers have stolen a massive trove of sensitive information from a US Navy contractor, including secret plans to develop a new type of submarine-launched anti-ship missile, the Washington Post reported Friday.
Investigators told the newspaper that breaches were executed in January and February by a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.
The contractor, which was not named in the report, works for the Naval Undersea Warfare Center, based in Newport, Rhode Island. It conducts research and development for submarines and underwater weapons systems.
According to the Post, hackers swiped 614 gigabytes of data that included information relating to sensors, submarine cryptographic systems and a little-known project called Sea Dragon.
Chinese hackers have for years targeted the US military to steal information and the Pentagon says they have previously swiped crucial data on the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system and other highly sensitive projects.

Let’s hope they get this right. It is not a game for individuals! Why limit this to China and Russia?
US Lawmakers Propose ‘Hack Back’ Law to Allow Cyber Retaliation Without Permission of Third-Party Country
US legislators are proposing new legislation that would empower US cyber defenses to hack back at cyber aggressors, even if they’re using a third-party country’s infrastructure, without the explicit consent of the respective country. [How to win friends… Bob]
The National Defense Authorization Act would also create a new cyber entity with the technology and skills to strike back at cyber aggressors, namely China and Russia, that seek to disrupt US critical infrastructure or weaken its cyber resilience. If approved, the bill would not only let the US military “hack back” at aggressors, but also create a “Cyberspace Solarium Commission” whose purpose is to propose and implement strategic cyber defenses that augment the United States’ resilience towards cyber-attacks.
“The committee recommends a provision that would authorize the National Command Authority to direct the Commander, U.S. Cyber Command (CYBERCOM), to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace,” reads the proposed bill. “The provision would also authorize the Secretary of Defense to conduct, through the Commander, U.S. Cyber Command, surveillance in networks outside the United States of personnel and organizations engaged at the behest or in support of the Russian Federation…”

Think of them as self-driving Titanics. Another well-known security problem that still isn’t properly addressed.
Hackers Can Hijack, Sink Ships: Researchers
Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.
In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.
It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.
Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.
While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.
An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.
Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.

Heads-up students!
Patch your Flash Player now! Zero-day actively exploited in the wild
Adobe has released patches for all users running Flash Player and earlier versions, addressing critical flaws in its trouble-plagued platform.
Whether you are running the software on Windows, macOS, Linux or Chrome OS, the Flash Player creators urge you to install the newest version immediately!
… Users of Flash Player Desktop Runtime must install version via the update mechanism within the product. The procedure applies to all desktop users, regardless of their OS.
Adobe Flash Player Download Center. [Be sure to turn off the McAfee add ins! Bob]

An example of ‘overly broad?’
I woke up this morning, showered, and fired up the laptop while I waited for the coffee to perc. My first clue that something was up was seeing that I had 28 notifications waiting for me on Twitter. That seemed high for overnight. I soon found the explanation: a tweet by @abtnatural:
This apparently genuine subpoena by @bsfllp demands Twitter produce “documents sufficient to identify the owner of” @popehat, @PogoWasRight, and every other account that ever tagged @wikileaks in a tweet between 1/1/15 and 6/1/18.
For those who do not recognize some of those Twitter handles, back in October, 2017, @abtnatural (Virgil), @Popehat (former federal prosecutor Ken White) and I had all been informed by Twitter Legal that they had received legal process compelling them to produce our information. A grand jury in Texas had subpoenaed our details. Why had they subpoenaed mine, you wonder? It turns out that they subpoenaed my information simply because someone had tagged me in a tweet in a conversation that I was never in. The tweet was a smiley – nothing more than that, but because the tweeter was being prosecuted criminally and he tweeted to me, the grand jury wanted my details. Needless to say, I was not understanding of the grand jury’s demand for my details.
Eventually the subpoena for my details was withdrawn, although I remained fully prepared to fight it in court, if need be. Now my details were being subpoenaed again, it seems.
This time, it is a civil case, Rich vs. Butowsky, and no court had signed off on this subpoena.
Note that the subpoena, embedded below, does not name my Twitter account specifically in Paragraph 3, but my account would fall under “Secondary Accounts” as defined in Paragraph 4, where a secondary account is any account that communicated with any of the 20 named primary accounts.
To make matters even more offensive and absurd, the overly broad subpoena includes not just details as to who owns an account, but asks for the contents of the account, including tweets and private (direct) messages, and also metadata.
If Michael Gottlieb of Boies Schiller Flexner, attorneys for the plaintiff, wanted to provide a useful demonstration of over-the-top disregard for free speech and privacy, he just did it.
This subpoena deserves to be smacked down and lawyers who engage in such conduct should face the wrath of a privacy-conscious public.
I do not expect Twitter to ever provide my details to Mr. Gottlieb or his law firm in this matter. I have not even contacted my lawyers about this because it is so absurd.
Michael Gottlieb and I follow each other on Twitter. If we run into each other at a privacy law conference or privacy + security forum, I’d like to have a few words with him.
But no, this was not a good way to wake up this morning.

An exercise for my students.
We Built A Powerful Amazon Facial Recognition Tool For Under $10
The democratization of mass surveillance is upon us. Insanely cheap tools with the power to track individuals en masse are now available for anyone to use, as exemplified by a Forbes test of an Amazon facial recognition product, Rekognition, that made headlines last month.
… And because Rekognition is open to all, Forbes decided to try out the service. Based on photos staff consensually provided, and with footage shot across our Jersey City and London offices, we discovered it took just a few hours, some loose change and a little technical knowledge to establish a super-accurate facial recognition operation.
… Amazon didn’t provide comment for this article, but pointed Forbes to a blog post from last week, in which the company noted there has been “no reported law enforcement abuse of Amazon Rekognition.” Dr. Matt Wood, general manager of artificial intelligence at AWS, wrote that the company's Acceptable Use Policy (AUP) prohibits the use of services for “any activities that are illegal, that violate the rights of others, or that may be harmful to others.” [Does that make you feel all warm and fuzzy? Bob]
… To get things started with Rekognition, we enlisted the help of independent researcher Matt Svensson. He set up an AWS database (known as an S3 bucket) into which we poured a mix of stock photos and Forbes staff mugshots.
… Our video teams in Jersey City and London took some simple footage mimicking CCTV footage, shots still or pivoting slightly. This meant employees might be at a distance or at potentially difficult angles for Rekognition to recognise.
As we’d expected, though, Amazon’s tech didn't struggle. It had little trouble picking up people’s faces as soon as we put the footage through it. In every case where a Forbes employee was included in the database and a filming, a successful match was made, as shown by the little red squares drawn around their faces.
… This small-scale test was essentially free, largely thanks to Svensson not charging. In a professional deployment the cost would still be minuscule. “Even if we include costs of testing, figuring out AWS and actually running the facial recognition on our scenario, it’s going to be under $10,” Svensson added.
Law enforcement are already enjoying the low cost: the ACLU found the Orlando Police Department spent just $30.99 to process 30,989 images.

Drew Harwell reports:
The facial-recognition cameras installed near the bounce houses at the Warehouse, an after-school recreation center in Bloomington, Ind., are aimed low enough to scan the face of every parent, teenager and toddler who walks in.
The center’s executive director, David Weil, learned earlier this year of the surveillance system from a church newsletter, and within six weeks he had bought his own, believing it promised a security breakthrough that was both affordable and cutting-edge.
Since last month, the system has logged thousands of visitors’ faces — alongside their names, phone numbers and other personal details — and checked them against a regularly updated blacklist of sex offenders and unwanted guests. The system’s Israeli developer, Face-Six, also promotes it for use in prisons and drones.
Read more on Washington Post.

Filled already? Perhaps these ads were “fake news?”
Facebook Wants To Make Its News More Credible With New Hires And Partnerships
… On Thursday, Facebook posted job listings at its California headquarters for two news credibility specialists. The person who takes the position would, in theory, evaluate the various companies and outlets that publish media on the site to promote more trustworthy outlets, according to Business Insider.
According to the now-removed listing, the two new hires, who we can only hope would be credible, journalistic editors, would have to evaluate Facebook’s media policies and help find credible sources of news among those that publish on Facebook.

Interesting ideas.
… In our recent HBR article, we argued that financial statements fail to capture the value created by modern digital companies. Since then, we interviewed several chief financial officers (CFOs) of leading technology companies and senior analysts of investment banks who follow technology companies. We asked: (i) what makes the valuation of digital companies more challenging?; and (ii) how can digital firms improve their financial reports to communicate sources of value creation in their businesses? We distilled seven key insights from those discussions.
Financial capital is assumed to be virtually unlimited, while certain types of human capital are in short supply.
Risk is now considered a feature, not a bug.
Investors are paying more attention to ideas and options than to earnings.
Corporate venturing is becoming more important.
Financial reporting requirements won’t change any time soon.
Analysts increasingly rely on non-GAAP metrics.
Sadly, accounting is no longer considered a value-added function.

… Built by IBM and Nvidia for the US Department of Energy’s Oak Ridge National Laboratory, Summit is a 200 petaflop machine, meaning it can perform 20 quadrillion calculations per second. That’s about a million times faster than a typical laptop computer.
… The machine, with its 4,608 servers, 9,216 central processing chips, and 27,648 graphics processors, weighs 340 tons. The system is housed in a 9,250 square-foot room at Oak Ridge National Laboratory’s facility in Tennessee. To keep this machine cool, 4,000 gallons of water are pumped through the system. The 13 megawatts of energy required to power this behemoth could light up over 8,000 US homes.
Summit is now the world’s most powerful supercomputer, and it is 60 percent faster than the previous title holder, China’s Sunway TaihuLight.
… As MIT Technology Review explains, Summit is the first supercomputer specifically designed to handle AI-specific applications, such as machine learning and neural networks. Its thousands of AI-optimized chips, produced by Nvidia and IBM, allow the machine to crunch through hideous amounts of data in search of patterns imperceptible to humans. As noted in a release, “Summit will enable scientific discoveries that were previously impractical or impossible.”

How I find the best security blogs…
Finalists of European Security Blogger Awards 2018