Still not an act of war. More like ‘industrial espionage.’
Chinese Government Hackers Steal Trove of U.S. Navy Data: Report
Chinese government hackers have stolen a massive trove of sensitive information from a US Navy contractor, including secret plans to develop a new type of submarine-launched anti-ship missile, the Washington Post reported Friday.
Investigators told the newspaper that breaches were executed in January and February by a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.
The contractor, which was not named in the report, works for the Naval Undersea Warfare Center, based in Newport, Rhode Island. It conducts research and development for submarines and underwater weapons systems.
According to the Post, hackers swiped 614 gigabytes of data that included information relating to sensors, submarine cryptographic systems and a little-known project called Sea Dragon.
… Chinese hackers have for years targeted the US military to steal information and the Pentagon says they have previously swiped crucial data on the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system and other highly sensitive projects.
Let’s hope they get this right. It is not a game for individuals! Why limit this to China and Russia?
US Lawmakers Propose ‘Hack Back’ Law to Allow Cyber Retaliation Without Permission of Third-Party Country
US legislators are proposing new legislation that would empower US cyber defenses to hack back at cyber aggressors, even if they’re using a third-party country’s infrastructure, without the explicit consent of the respective country. [How to win friends… Bob]
The National Defense Authorization Act would also create a new cyber entity with the technology and skills to strike back at cyber aggressors, namely China and Russia, that seek to disrupt US critical infrastructure or weaken its cyber resilience. If approved, the bill would not only let the US military “hack back” at aggressors, but also create a “Cyberspace Solarium Commission” whose purpose is to propose and implement strategic cyber defenses that augment the United States’ resilience towards cyber-attacks.
“The committee recommends a provision that would
authorize the National Command Authority to direct the Commander,
U.S. Cyber Command (CYBERCOM), to take appropriate and proportional
action through cyberspace to disrupt, defeat, and deter systematic
and ongoing attacks by the Russian Federation in cyberspace,” reads
the proposed bill. “The provision would also authorize the
Secretary of Defense to conduct, through the Commander, U.S. Cyber
Command, surveillance in networks outside the United States of
personnel and organizations engaged at the behest or in support of
the Russian Federation…”
Think of them as self-driving Titanics. Another well known security problem that still isn’t properly addressed.
Hackers Can Hijack, Sink Ships: Researchers
Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.
In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.
It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.
Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.
While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.
… An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.
Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.
Heads-up students!
Patch your Flash Player now! Zero-day actively exploited in the wild
Adobe has released patches for all users running
Flash Player 29.0.0.171 and earlier versions, addressing critical
flaws in its trouble-plagued platform.
Whether you are running the software on Windows,
macOS, Linux or Chrome OS, the Flash Player creators urge you to
install the newest version immediately!
… Users of Flash Player Desktop Runtime must install version 30.0.0.113 via the update mechanism within the product. The procedure applies to all desktop users, regardless of their OS.
… Adobe Flash Player Download Center. [Be sure to turn off the McAfee add-ins! Bob]
An example of ‘overly broad?’
I woke up this morning, showered, and fired up the
laptop while I waited for the coffee to perc. My first clue that
something was up was seeing that I had 28 notifications waiting for
me on Twitter. That seemed high for overnight. I soon found the
explanation: a tweet by @abtnatural:
This apparently genuine subpoena by @bsfllp demands Twitter produce “documents sufficient to identify the owner of” @popehat, @PogoWasRight, and every other account that ever tagged @wikileaks in a tweet between 1/1/15 and 6/1/18.
https://t.co/cp7UhPmhFx
https://t.co/m7VZEtBZRh
pic.twitter.com/mCBZ3hKCDC
WTH???
For those who do not recognize some of those
Twitter handles, back in October, 2017, @abtnatural (Virgil),
@Popehat (former federal prosecutor Ken White) and I had all been
informed by Twitter Legal that they had received legal process
compelling them to produce our information. A grand jury in Texas
had subpoenaed our details. Why had they subpoenaed mine, you
wonder? It turns out that they subpoenaed my information simply
because someone had tagged me in a tweet in a conversation that I was
never in. The tweet was a smilie – nothing more than that, but
because the tweeter was being prosecuted criminally and he tweeted to
me, the grand jury wanted my details. Needless to say, I was not
understanding of the grand jury’s demand for my details.
Eventually the subpoena for my details was
withdrawn, although I remained fully prepared to fight it in court,
if need be. Now my details were being subpoenaed again, it seems.
This time, it is a civil case, Rich vs. Butowsky, and no court had signed off on this subpoena.
Note that the subpoena, embedded below, does not
name my Twitter account specifically in Paragraph 3, but my account
would fall under “Secondary Accounts” as defined in Paragraph 4,
where a secondary account is any account that communicated with any
of the 20 named primary accounts.
To make matters even more offensive and absurd,
the overly broad subpoena includes not just details as to who owns an
account, but asks for the contents of the account, including tweets
and private (direct) messages, and also metadata.
If Michael Gottlieb of Boies Schiller Flexner,
attorneys for the plaintiff, wanted to provide a useful demonstration
of over-the-top disregard for free speech and privacy, he just did
it.
This subpoena deserves to be smacked down and
lawyers who engage in such conduct should face the wrath of a
privacy-conscious public.
I do not expect Twitter to ever provide my details
to Mr. Gottlieb or his law firm in this matter. I have not even
contacted my lawyers about this because it is so absurd.
Michael Gottlieb and I follow each other on
Twitter. If we run into each other at a privacy law conference or
privacy + security forum, I’d like to have a few words with him.
But no, this was not a good way to wake up this
morning.
An exercise for my students.
We Built A Powerful Amazon Facial Recognition Tool For Under $10
The democratization of mass surveillance is upon
us. Insanely cheap tools with the power to track individuals en masse
are now available for anyone to use, as exemplified by a Forbes
test of an Amazon facial recognition product, Rekognition, that made
headlines last month.
… And because Rekognition is open to all,
Forbes decided to try out the service. Based on photos
staff consensually provided, and with footage shot across our Jersey
City and London offices, we discovered it took just a few hours, some
loose change and a little technical knowledge to establish a
super-accurate facial recognition operation.
… Amazon didn’t provide comment for this
article, but pointed Forbes to a blog
post from last week, in which the company noted there has been
“no reported law enforcement abuse of Amazon Rekognition.” Dr.
Matt Wood, general manager of artificial intelligence at AWS, wrote
that the company's Acceptable Use Policy (AUP) prohibits the use of
services for “any activities that are illegal, that violate the
rights of others, or that may be harmful to others.” [Does
that make you feel all warm and fuzzy? Bob]
… To get things started with Rekognition, we
enlisted the help of independent researcher Matt Svensson. He set up
an AWS database (known as an S3 bucket) into which we poured a mix of
stock photos and Forbes staff mugshots.
… Our video teams in Jersey City and London
took some simple footage mimicking CCTV footage, shots still or
pivoting slightly. This meant employees might be at a distance or at
potentially difficult angles for Rekognition to recognise.
As we’d expected, though, Amazon’s tech didn't struggle. It had little trouble picking up people’s faces as soon as we put the footage through it. In every case where a Forbes employee was included in the database and a filming, a successful match was made, as shown by the little red squares drawn around their faces.
… This small-scale test was essentially free,
largely thanks to Svensson not charging. In a professional
deployment the cost would still be minuscule. “Even if we include
costs of testing, figuring out AWS and actually running the facial
recognition on our scenario, it’s going to be under $10,”
Svensson added.
Law enforcement are already enjoying the low cost:
the ACLU found the Orlando Police Department spent just $30.99 to
process 30,989 images.
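The pipeline Forbes describes is short: put labelled photos in an S3 bucket (object storage, not a database), index them into a Rekognition face collection, then search each frame of footage against the collection. The code below is an added example, not Forbes' or Svensson's, written against the boto3 calls create_collection, index_faces and search_faces_by_image. boto3 is imported lazily and a constructed stand-in client is included so the matching logic runs offline; the bucket, collection and object names are assumptions, and the stand-in treats frame bytes as "label:similarity" text rather than JPEG data.

```python
"""Added example (not Forbes' or Svensson's code): index-then-search loop
against the boto3 Rekognition API, with an offline stand-in client."""
# Amazon's default FaceMatchThreshold is 80; a higher bar trades recall for
# fewer false matches, which matters whenever the output drives an action.
FACE_MATCH_THRESHOLD = 95.0


def rekognition_client(region="us-east-1"):
    """Real client, only needed when running against AWS."""
    import boto3  # imported here so the rest of the module works without it
    return boto3.client("rekognition", region_name=region)


def build_collection(client, collection_id, bucket, keys):
    """Create a collection and index one face per S3 object; returns {FaceId: label}.
    The label (object name minus extension) is stored as ExternalImageId so
    later matches come back with a name attached."""
    client.create_collection(CollectionId=collection_id)
    faces = {}
    for key in keys:
        label = key.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        resp = client.index_faces(
            CollectionId=collection_id,
            Image={"S3Object": {"Bucket": bucket, "Name": key}},
            ExternalImageId=label,
            MaxFaces=1,
            DetectionAttributes=[],
        )
        for record in resp.get("FaceRecords", []):
            faces[record["Face"]["FaceId"]] = record["Face"]["ExternalImageId"]
    return faces


def match_frame(client, collection_id, frame_bytes, threshold=FACE_MATCH_THRESHOLD):
    """Search one frame; returns [(label, similarity)] with the best match first."""
    try:
        resp = client.search_faces_by_image(
            CollectionId=collection_id,
            Image={"Bytes": frame_bytes},
            FaceMatchThreshold=threshold,
            MaxFaces=5,
        )
    except Exception as exc:
        # The real API raises InvalidParameterException when no face is in the frame.
        if type(exc).__name__ == "InvalidParameterException":
            return []
        raise
    matches = []
    for m in resp.get("FaceMatches", []):
        similarity = float(m["Similarity"])
        if similarity >= threshold:  # re-check client-side rather than trust the service filter alone
            matches.append((m["Face"].get("ExternalImageId", m["Face"]["FaceId"]), similarity))
    return sorted(matches, key=lambda pair: pair[1], reverse=True)


def scan_footage(client, collection_id, frames, threshold=FACE_MATCH_THRESHOLD):
    """frames: {frame_id: image bytes}; returns {frame_id: best label or None}."""
    result = {}
    for frame_id, data in frames.items():
        matches = match_frame(client, collection_id, data, threshold)
        result[frame_id] = matches[0][0] if matches else None
    return result


class FakeRekognition:
    """Constructed offline stand-in: frame bytes are 'label:similarity' text
    instead of JPEG data, and an empty frame stands for 'no face detected'."""
    def __init__(self):
        self.faces = {}

    def create_collection(self, CollectionId):
        return {"StatusCode": 200}

    def index_faces(self, CollectionId, Image, ExternalImageId, MaxFaces, DetectionAttributes):
        face_id = f"face-{len(self.faces)}"
        self.faces[face_id] = ExternalImageId
        return {"FaceRecords": [{"Face": {"FaceId": face_id, "ExternalImageId": ExternalImageId}}]}

    def search_faces_by_image(self, CollectionId, Image, FaceMatchThreshold, MaxFaces):
        if not Image["Bytes"]:
            raise type("InvalidParameterException", (Exception,), {})("no face in image")
        label, similarity = Image["Bytes"].decode().split(":")
        return {"FaceMatches": [
            {"Face": {"FaceId": fid, "ExternalImageId": name}, "Similarity": float(similarity)}
            for fid, name in self.faces.items()
            if name == label and float(similarity) >= FaceMatchThreshold]}


if __name__ == "__main__":
    client = FakeRekognition()  # swap for rekognition_client() to run against AWS
    build_collection(client, "staff-faces", "example-bucket", ["staff/alice.jpg", "staff/bob.jpg"])
    frames = {"frame-1": b"alice:99.1", "frame-2": b"bob:70.0", "frame-3": b""}
    print(scan_footage(client, "staff-faces", frames))
```

Against AWS the per-call price is what makes the Forbes and ACLU figures plausible: the cost is dominated by the number of frames searched, not by the size of the collection, so sampling one frame a second from a camera feed is enough to keep a continuous deployment in the same price range. The threshold is the one knob that limits false matches, and it is a trade-off rather than a fix.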
(Related)
Drew Harwell reports:
The facial-recognition cameras installed near the bounce houses at the Warehouse, an after-school recreation center in Bloomington, Ind., are aimed low enough to scan the face of every parent, teenager and toddler who walks in.
The center’s executive director, David Weil, learned earlier this year of the surveillance system from a church newsletter, and within six weeks he had bought his own, believing it promised a security breakthrough that was both affordable and cutting-edge.
Since last month, the system has logged thousands of visitors’ faces — alongside their names, phone numbers and other personal details — and checked them against a regularly updated blacklist of sex offenders and unwanted guests. The system’s Israeli developer, Face-Six, also promotes it for use in prisons and drones.
Read more on Washington Post.
Filled already? Perhaps these ads were “fake
news?”
Facebook Wants To Make Its News More Credible With New Hires And Partnerships
… On Thursday, Facebook posted job listings at
its California headquarters for two news credibility specialists.
The person who takes the position would, in theory, evaluate the
various companies and outlets that publish media on the site to
promote more trustworthy outlets, according
to Business Insider.
According to the now-removed
listing, the two new hires, who we can only hope would be
credible, journalistic editors, would have to evaluate Facebook’s
media policies and help find credible sources of news among those
that publish on Facebook.
Interesting ideas.
… In our
recent HBR article, we argued that financial statements fail to
capture the value created by modern digital companies. Since then,
we interviewed several chief financial officers (CFOs) of leading
technology companies and senior analysts of investment banks who
follow technology companies. We asked: (i) what makes the valuation
of digital companies more challenging?; and (ii) how can digital
firms improve their financial reports to communicate sources of value
creation in their businesses? We distilled seven key insights from
those discussions.
Financial capital is assumed to be virtually unlimited, while certain types of human capital are in short supply.
Risk is now considered a feature, not a bug.
Investors are paying more attention to ideas and options than to earnings.
Corporate venturing is becoming more important.
Financial reporting requirements won’t change any time soon.
Analysts increasingly rely on non-GAAP metrics.
Sadly, accounting is no longer considered a value-added function.
Perspective.
… Built by IBM and Nvidia for the US
Department of Energy’s Oak Ridge National Laboratory, Summit is a
200 petaflop machine, meaning it can perform 20
quadrillion calculations per second. That’s about a
million times faster than a typical laptop computer.
… The machine, with its 4,608 servers, 9,216
central processing chips, and 27,648 graphics processors, weighs 340
tons. The system is housed in a 9,250 square-foot room at Oak Ridge
National Laboratory’s facility in Tennessee. To keep this machine
cool, 4,000 gallons of water are pumped through the system. The 13
megawatts of energy required to power this behemoth could light up
over 8,000 US homes.
Summit is now the world’s most powerful
supercomputer, and it is 60 percent faster than the previous title
holder, China’s Sunway TaihuLight.
… As MIT Technology Review explains,
Summit is the first supercomputer specifically designed
to handle AI-specific applications, such as machine
learning and neural networks. Its thousands of AI-optimized
chips, produced by Nvidia and IBM, allow the machine to crunch
through hideous amounts of data in search of patterns imperceptible
to humans. As noted in an Energy.gov release,
“Summit will enable scientific discoveries that were previously
impractical or impossible.”
How I find the best security blogs…
Finalists of European Security Blogger Awards 2018