Submission + - Cyber security A-list steps up to counter right to repair FUD (securepairs.org)

chicksdaddy writes: Some of the world's leading cybersecurity experts have come together to counter electronics and technology industry efforts to paint proposed right to repair laws in 20 states as a cyber security risk. (https://securepairs.org/top-cybersecurity-experts-stand-up-for-digital-right-to-repair/)

The experts have launched securepairs.org (https://www.securepairs.org), a group that is galvanizing information security industry support for right to repair laws that are being debated in state capitols. Among the experts who are stepping forward is a who's who of the information security space, including cryptography experts Bruce Schneier of IBM and Harvard University and Jon Callas of ACLU, secure coding gurus Gary McGraw of Cigital and Chris Wysopal of Veracode, bug bounty pioneer Katie Moussouris of Luta Security, hardware hackers Joe Grand (aka KingPin) and Billy Rios (@xssniper) of Whitescope, nmap creator Gordon "Fyodor" Lyon, Johannes Ullrich of SANS Internet Storm Center and Dan Geer, the CISO of In-Q-Tel.

Together, they are calling out electronics and technology industry efforts to keep replacement parts, documentation and diagnostic tools for digital devices secret in the name of cyber security.

“False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws,” said Paul Roberts, the founder of securepairs.org and Editor in Chief at The Security Ledger (https://www.securityledger.com), an independent cyber security blog. “Securepairs.org is a voice of reason that will provide policy makers with accurate information about the security problems plaguing connected devices. We will make the case that right to repair laws will bring about a more secure, not less secure future.”

“As cyber security professionals, we have a responsibility to provide accurate information and reliable advice to lawmakers who are considering Right to Repair laws,” said Joe Grand of Grand Idea Studio (https://www.grandideastudio.com/), a hardware hacker and embedded systems security expert.

The group will counter a stealthy but well-funded industry effort to kill off right to repair legislation where it comes up. That has included the creation of front groups like the Security Innovation Center (https://securityledger.com/2018/02/new-lobbying-group-fights-right-repair-laws/) which has enlisted technology industry executives and academics to write opinion pieces (https://www.sctimes.com/story/opinion/2019/04/22/keep-repair-secure/3502493002/) casting right to repair laws as a giveaway to cybercriminals.

Securepairs organizers say they hope to mobilize information security professionals to help secure the right to repair in their home states: writing letters and emails and providing expert testimony about the real sources of cyber risks in connected devices.

Submission + - Grandson of legendary John Deere inventor calls out company on right to repair (securityledger.com)

chicksdaddy writes: The grandson of Theo Brown, a legendary engineer and inventor for John Deere who patented, among other things, the manure spreader (https://patentimages.storage.googleapis.com/54/ff/82/f0394b8734e070/US1139482.pdf) is calling out the company his grandfather served for decades for its opposition to right to repair legislation being considered in Illinois.

In an opinion piece published by The Security Ledger entitled "My Grandfather's John Deere would support Our Right to Repair," (https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/), Willie Cade notes that his grandfather, Theophilus Brown is credited with 158 patents (https://patents.google.com/?inventor=Theophilus+Brown), some 70% of them for Deere & Co., including the manure spreader in 1915. His grandfather used to travel the country to meet with Deere customers and see his creations at work in the field. His hope, Cade said, was to help the company's customers be more efficient and improve their lives with his inventions.

In contrast, Cade said the John Deere of the 21st Century engages in a very different kind of business model: imposing needless costs on their customers. An example of this kind of rent seeking is using software locks and other barriers to repair — such as refusing to sell replacement parts — in order to force customers to use authorized John Deere technicians to do repairs at considerably higher cost and hassle. "It undermines what my grandfather was all about," he writes.

Cade, who founded the Electronics Reuse Conference (https://www.ereuseconference.com/), is supporting right to repair legislation that is being considered in Illinois (https://illinoispirg.org/feature/ilp/right-repair) and opposed by John Deere and the industry groups it backs.

"Farmers who can’t repair farm equipment and a wide spectrum of Americans who can’t repair their smartphones are pushing back in states across the country."

Submission + - When Appliances Attack: Industry Groups Paint Dark Picture of Right to Repair

chicksdaddy writes: New Hampshire lawmakers got an early taste last week of the arguments that manufacturing, technology and telecommunications lobbyists will use to try to hobble and defeat right to repair legislation in 16 states this year, The Security Ledger reports (https://securityledger.com/2019/02/in-granite-state-industry-groups-paint-dark-picture-of-right-to-repair/). Their message: 'Be afraid. Be very afraid.'

The bill, HB 462 (https://legiscan.com/NH/text/HB462/id/1842976), is sponsored by NH Rep. David Luneau (http://www.gencourt.state.nh.us/house/members/member.aspx?member=377307), an MIT graduate with degrees in Electrical Engineering and Computer Science. It is similar in scope to right to repair bills filed in 16 other states, from Massachusetts to Hawaii (https://r2rsolutions.org/news/update-tracking-right-repair-legislation-across-50-states/). It would require original equipment manufacturers (OEMs) that do business in New Hampshire to make the same documentation, parts and tools available to device owners and independent repair professionals as they make available to their licensed or “authorized” repair professionals. Documentation, tools, and parts needed to reset product (software) locks or digital rights management functions following maintenance and repair would also need to be made available to owners and independent repair professionals on “fair and reasonable terms.”

But that didn't stop industry groups and their lawyers from arguing that there will be dark times in the Granite State should the bill become law. At a hearing of the NH House's Commerce and Consumer Affairs Committee, lawmakers heard that curious children could find themselves dismembered by run-away washing machines. Industry reps warned that illegally modified lawn tractors and leaf blowers could belch pollution in defiance of the EPA.

Representatives from a wide range of industries opposing the legislation filled a small hearing room in the New Hampshire state house. They included the Association of Equipment Manufacturers, wireless industry group CTIA, TechNet, the technology industry lobby, the Association of Home Appliance Manufacturers (AHAM) and more. Their message: repairs performed by the owners of lawn equipment, electronics and home appliances or independent repair professionals carry serious economic, safety and security risks.

Christina Fisher, the Executive Director for Massachusetts and the Northeast at technology industry lobby TechNet, said the right to repair bill was “legislation in search of a problem.” The servicing of home security and other smart devices makes repair a “life or death” issue, she warned, adding that New Hampshire would be branded an “anti-competitive” state if it passed the law.

“There is a lot at stake when it comes to Right to Repair, and you could feel those stakes in the room,” Nathan Proctor, the head of the right to repair campaign (https://uspirg.org/feature/usp/right-repair) at the US Public Interest Research Group (PIRG), told The Security Ledger. “Legislators have their work cut out for them sifting through all the frantic opposition and their deceptive, and at times bizarre, arguments,” he wrote.

Right to repair legislation was defeated in 17 states in 2018, with most bills failing to make it out of committee (https://repair.org/legislation/). The same forces are lining up to square off against the legislation in 2019, said Gay Gordon-Byrne of the Repair Coalition (https://www.repair.org).

“There is the same opposition, same arguments, and often the same lobbyists at all of these hearings,” wrote Gay Gordon-Byrne, Executive Director of the Repair Association in an email. “The larger problem is not the lobbyist testimony at hearings, which are often laughable, but the behind the scenes damage done by opposition.”

Submission + - NERC Fines Utilities $10m Citing Serious Cyber Risk, But Won't Name Them (securityledger.com)

chicksdaddy writes: The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) cybersecurity regulations. But who violated the standards and much of what the agency found remains secret, The Security Ledger reports. (https://securityledger.com/2019/02/secrecy-reigns-as-nerc-fines-utilities-10m-citing-serious-cyber-risks/)

In a heavily redacted 250-page regulatory filing (https://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_FinalFiled_NOP_NOC-2605_Part%201.pdf), NERC fined undisclosed companies belonging to a so-called “Regional Entity” $10 million for 127 violations of the Critical Infrastructure Protection standards, the U.S.’s main cyber security standard for critical infrastructure including the electric grid. Thirteen of the violations listed were rated as a “serious risk” to the operation of the Bulk Power System and 62 were rated a “moderate risk.” Together, the “collective risk of the 127 violations posed a serious risk to the reliability of the (Bulk Power System),” NERC wrote.

The fines come as the U.S. intelligence community is warning Congress of the growing risk of cyber attacks on the U.S. electric grid. In testimony this week, Director of National Intelligence Dan Coats specifically called out Russia’s use of cyber attacks to cause social disruptions, citing that country’s campaign against Ukraine’s electric infrastructure in 2015 and 2016. (https://www.lawfareblog.com/intel-chiefs-testify-global-threats-cybersecurity-and-elections)

The extensively redacted document provides no information on which companies were fined or where they are located, citing the risk of cyber attack should their identity be known. Regional Entities account for virtually all of the electricity supplied in the U.S. They are made up of investor-owned utilities; federal power agencies; rural electric cooperatives; state, municipal, and provincial utilities; independent power producers; power marketers; and end-use customers.

However, details in the report provide some insight into the fines. For example, violations of a CIP statute that requires companies to “manage electronic access to (Bulk Electric System) Cyber Systems by specifying a controlled Electronic Security Perimeter” is rated a serious risk. So too are violations of CIP requirements calling for covered entities to “implement and document” access controls for “all electronic access points to the Electronic Security Perimeter(s).” Specific requirements that were violated suggest that the companies failed to implement access controls that “denies access by default,” “enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter,” and ensure the authenticity of parties attempting to remotely access the company’s “electronic security perimeter.”

Submission + - Wisconsin recount allows examining code

Geoffrey.landis writes: Remember the recount in Wisconsin, in which the reliability of electronic voting machines was questioned by Green candidate Jill Stein?
The recount law allows expert examination of the source code of the voting machines... but a petition by the companies making the voting machines demanded that the report of the results of the examination should be kept secret. Now, in a victory for election integrity, a court decision denied the gag order. The source code itself is deemed proprietary, and cannot be disclosed, but the report on the result of the examination may be published.
Wisconsin voting machines have been criticized for possibly being vulnerable to manipulation.

Submission + - Moscow...Idaho. Sketchy LinkedIn Job Posts Mash Up US, Russian Locales (securityledger.com)

chicksdaddy writes: What's the US Army doing advertising for a signals intelligence analyst to work out of St. Petersburg, Russia? (https://www.linkedin.com/jobs/search/?keywords=US%20Army%20Intelligence%20Analyst%20&location=Russian%20Federation&locationId=ru%3A0) No, it's not Glasnost or a thawing in US-Russian relations — just a weird pattern of behavior spotted by researchers at the firm Evolver (https://evolverinc.com/is-your-company-hiring-in-russia-without-knowing-it-linkedin-job-postings-and-the-associated-cyber-risk/) that LinkedIn has yet to explain.

As reported by The Security Ledger (https://securityledger.com/2019/01/that-other-moscow-sketchy-linkedin-job-posts-mix-us-russian-locales/), LinkedIn ads with Russian locales have been spotted in association with open positions at a wide range of firms, from the State of Florida to defense contractor General Dynamics to Enterprise Medical Service (https://www.enterprisemed.com/) a medical office in Moscow...Idaho, on the border with Washington State.

Location appears to be the common thread. Firms affected have job openings in US cities with Russian namesakes, including St. Petersburg, Florida, Moscow, Idaho and others.

Chip Block of Evolver said the purpose of the bogus ads is unclear, but seems suspicious, if not malicious. “We are pretty sure this is a man-in-the-middle data capture scheme,” he told Security Ledger. “If you go to the links, you are asked to enter your e-mail before being redirected to the job site. This is not being done by LinkedIn, but someone external. Someone is using this to capture emails and create potential targets,” he said.

LinkedIn said it is investigating “a potential issue with our job ingestion tool that seems to have incorrectly assigned the location of a job post on a small number of job listings."

Submission + - Yet Another Bypass: Is 2FA Broken? Authentication Experts Weigh In (threatpost.com)

secwatcher writes: A penetration testing tool published by Polish security researcher Piotr Duszyński can bypass login protections for accounts protected by two-factor authentication (2FA). In his write-up on the tool (which is dubbed Modlishka, meaning “mantis” in English), he asked, “is 2FA broken?”

It’s a question that’s worth exploring, given that this isn’t the first time in recent months that 2FA has been defeated. So, to add context to this latest in a string of high-profile blows against the technology, we decided to ask authentication experts what they thought.

Submission + - Chinese Dominance in Science (economist.com)

reporter writes: According to a report by The Economist, "An analysis of 17.2m papers in 2013-18, by Nikkei, a Japanese publisher, and Elsevier, a scientific publisher, found that more came from China than from any other country in 23 of the 30 busiest fields, such as sodium-ion batteries and neuron-activation analysis. The quality of American research has remained higher, but China has been catching up, accounting for 11% of the most influential papers in 2014-16.

Such is the pressure on Chinese scientists to make breakthroughs that some put ends before means. Last year He Jiankui, an academic from Shenzhen, edited the genomes of embryos without proper regard for their post-partum welfare — or that of any children they might go on to have. Chinese artificial-intelligence (AI) researchers are thought to train their algorithms on data harvested from Chinese citizens with little oversight. In 2007 China tested a space-weapon on one of its weather satellites, littering orbits with lethal space debris. Intellectual-property theft is rampant."

Submission + - Blur Password Manager Customer Data Leaked Via Insecure AWS says Abine (securityledger.com)

chicksdaddy writes: Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product.

The company said in an email to Blur users that some of their information was “potentially exposed.” Customers were advised to change their Blur password and the password for any other online accounts that share that password, back up their data and enable multi-factor authentication on their Blur account, according to a copy of the email obtained by The Security Ledger. (https://securityledger.com/2019/01/abine-says-blur-password-manager-user-information-exposed/)

In a blog post (https://www.abine.com/blog/2018/blur-security-update/), Abine said that a file containing information about Blur users who registered prior to January 6th, 2018 was “potentially exposed.” The file contained users’ email addresses, first and last names, password hints (for some users), IP-addresses associated with user logins and bcrypt-encrypted password values. Abine did not disclose how many Blur users were affected. The company claims that it sports “millions” of active users each month on Blur.

Security Ledger reports that the leak was the result of an exposed Amazon Web Services container on which Abine had stored customer data for use in reporting and maintenance. The company said it did not know whether the exposed data had been accessed. Insecure cloud containers have become a frequent source of data leaks.

Submission + - A week later, Marriott customers still waiting for breach notification (securityledger.com)

chicksdaddy writes: Nearly a week after Marriott disclosed a massive breach of its Starwood room reservation system (https://securityledger.com/2018/12/massive-marriott-breach-underscores-risk-of-overlooking-data-liability/), customers complain that the company has not communicated with them to tell them whether they are affected.

Customers of the company's Starwood hotel chain complained in online forums that they had heard nothing from the company about whether their information was stolen by the hackers, who are believed to have lurked on Starwood's network for more than four years. An informal poll of some 30 Starwood customers by Security Ledger found just two who had been contacted by the company by Thursday — nearly a week after Marriott announced the breach.

A Marriott spokesperson told The Security Ledger (https://securityledger.com/2018/12/days-after-massive-breach-marriott-customers-await-details/) that the company communicated about the breach "through multiple channels" and says it began sending emails "on a rolling basis" November 30 to affected guests.

By Thursday, almost a full week after disclosing the breach, the rolling emails hadn't reached Tom Williams of Athol, Massachusetts, who said he had received "nothing" from Marriott or Starwood, where he has been a member since 2016. "Nothing. Pretty lame," wrote Brian Colker, of Santa Monica, California. Colker said he changed his Starwood password only after receiving an alert about the breach from password management software he uses.

Marriott’s spokesman declined to say how many customers had been notified as of Thursday. The company said it “engaged leading security experts” after learning of the breach to “help determine what occurred,” the spokesman said.

The company also shared a copy of the letter it is sending to customers (https://securityledger.com/wp-content/uploads/2018/12/Guest-Letter-Copy.pdf). Signed by Marriott CEO Arne Sorenson, it is mostly a rehash of the company’s public statement on the incident. It also contains advice on preventing identity theft and, for U.S. residents, links to credit bureaus and state attorneys general offices. The company said it is “working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center.”

Whatever the cause, the delays could be expensive. Under the EU General Data Privacy Regulation (GDPR) Article 51, breached firms are required to notify “supervisory authorities” within their country within 72 hours of discovering the leak. The guidelines for notifying affected individuals are less specific, but also unequivocal. GDPR Article 34 requires breached firms to notify victims “without undue delay” when the stolen data is “likely to result in a high risk to the rights and freedoms of natural persons.”

Submission + - In Boston: Election Hacking War Game Bypasses Elections Systems

chicksdaddy writes: Security Ledger reports (https://securityledger.com/2018/09/in-boston-exercise-election-hackers-bypass-voting-machines/) on an election hacking exercise involving public safety officials that demonstrated how determined hackers could sway the outcome of voting in a swing state without even bothering to target election systems.

From the article: It’s election day in Nolandia, an imaginary, mid-sized U.S. city in a key “swing” state, and things are not going as planned – at least for government officials. The day started with snarled traffic and a suspicious outage of the 9-1-1 emergency call center that has put the public and first responders on edge. Already, the city’s police force was taxed keeping tabs on protests tied to a meeting of the International Monetary Fund. By afternoon, the federal Emergency Alert System (EAS) was warning Nolandia residents of massive natural gas leaks in neighborhoods in the north and west part of the city, prompting officials to order evacuations of the affected areas.

Later, bomb threats called in to local television stations shut down a bridge linking the northern and southern halves of the city – a major artery for vehicles. Then, cyber attacks on a smart traffic light deployment in Nolandia snarl traffic further and sow chaos during the evening commute. The EAS warnings turn out to be a hoax. But, by then, the “Broken Eagle Task Force” (or BETF), a shadowy hacking collective protesting the ‘global order,’ has taken to social media to take credit for the mayhem.

This is election hacking 2018 style: a highly successful operation in which no voting machines or voting infrastructure were compromised, attacked or even targeted.

“A lot of press and scrutiny have been given to the voter rolls and the voting machines since 2016 as a result of what the Russians did,” said Ross Rustici of Cybereason (https://www.cybereason.com), who was the mastermind of the tabletop exercise. “We wanted to expand that scope and demonstrate that the threat landscape is actually much broader than those very specific vulnerabilities.”

Submission + - Acoustic Attacks Used to Crash Hard Drives

chicksdaddy writes: Add sonic attacks to the list of threats to critical IT systems.

Security Ledger is reporting (https://securityledger.com/2018/05/researchers-use-sonic-attacks-to-crash-hard-drives/) on a presentation at the recent IEEE Security & Privacy Symposium in San Francisco (https://www.ieee-security.org/TC/SP2018/) during which researchers from The University of Michigan and Zhejiang University in China demonstrated how targeted sonic interference from commodity acoustic devices can both disrupt and cause damage to magnetic hard disk drives.

In controlled experiments, researchers used ultrasonic attacks to manipulate the "resonant frequency" of the drives, causing them to vibrate outside of accepted ranges and malfunction. While such vibrations aren't huge, even small alterations in the operation of the physical drive can have large consequences in the operation of the applications that use it.

In other experiments, researchers used sound waves to trigger the piezo shock sensors or MEMS capacitive accelerometers that are common in most modern HDDs to prevent them from being damaged when accidentally dropped. By fooling the accelerometers with sonic attacks, the researchers activated the shock sensor and induced a total loss in read/write capability on the affected hard drive.

The sonic attacks are merely proof of concept, but researchers warn that they could be easily reproduced without the need for specialized equipment.

"We just used a $20 speaker and a Sony speaker amplifier that you might see in your home," said Connor Bolton, a graduate research assistant at University of Michigan, and one of the team of researchers who conducted the acoustic attack research.

The sonic attacks won't work on newer, solid state drives. However, older magnetic disk drives are still common in legacy IT environments, including hospitals and in industry. The sonic attacks could be exploited by sophisticated adversaries who wished to cause disruptions on a large scale inside a data center or other sensitive IT environment, researchers warned.

Submission + - The jogging humanoid robot video that is 'terrifying' the Internet (washingtonpost.com)

hyperclocker writes: Few things succeed in riling up the Internet faster, unleashing a unique cocktail of amazement and terror, than a new Boston Dynamics robot video.

In the past, the tech company, owned by Japan’s SoftBank Group, has released videos showing their robots climbing stairs, executing perfect back flips and opening doors with shocking facility.

The company’s latest YouTube submission: a 34-second clip of their boxy humanoid robot, Atlas, going for a jog in a grassy residential area on what appears to be a bright spring day.

With his electronic appendages unleashing an animatronic whine that falls somewhere between an electronic knife and a Xerox machine, Atlas even stops to hop over a log before casually going on his bipedal way.

Submission + - Fake News 'Echo-system' Targets Syrian Human Rights Workers (securityledger.com)

chicksdaddy writes: Kremlin linked news sites like RT and Sputnik figure prominently in an online disinformation campaign portraying Syrian humanitarian workers (“White Helmets”) as terrorists and crisis actors, according to an analysis by researchers at University of Washington and Harvard. (http://faculty.washington.edu/kstarbi/Starbird-et-al-ICWSM-2018-Echosystem-final.pdf)

An online “echosystem” of propaganda websites including Russia-backed news outlets Sputnik and RT is attacking the credibility of humanitarian workers on the ground in rebel-occupied Syria, according to a new analysis by researchers at The University of Washington and Harvard University.

Online rumors circulated through so-called “alternative” media sites have attacked the Syrian Civil Defence (aka “White Helmets”) as “crisis actors” and Western agents working on behalf of the U.S. and NATO. Statistical analysis of the online rumors reveals a tight network of websites sharing nearly identical content via Twitter and other social media platforms, wrote Kate Starbird (https://medium.com/@katestarbird). Starbird is an Assistant Professor of Human Centered Design & Engineering at University of Washington and a leading expert on so-called “crisis informatics.”

In activity reminiscent of the disinformation campaigns that roiled the U.S. Presidential election in 2016 (https://democrats-intelligence.house.gov/facebook-ads/social-media-advertisements.htm), articles by what Starbird describes as “a few prominent journalists and bloggers” writing for self described “alternative” news sites like 21stCenturyWire, GlobalResearch, MintPressNews, and ActivistPost are picked up by other, smaller and more niche web sites including both left- and right-leaning partisan news sites, “clickbait sites” and conspiracy theory websites.

Government funded media outlets from Syria, Iran, Hezbollah and Russia figure prominently in the Syrian disinformation campaign, Starbird’s team found. In particular, “Russian government-funded media outlets (i.e. SputnikNews and RT) play a prominent and multi-faceted role within this ecosystem,” she wrote.
