Nov 15 2016

Lauri Love faces hacking trial in US after UK signs extradition order


The UK's home secretary Amber Rudd has signed an extradition order agreeing that hacking suspect Lauri Love should face trial in the US.

Love's family plan to appeal against the decision. The 31-year-old—who has Asperger's syndrome—faces up to 99 years in prison and fears for his own life, his lawyers have said.

A home office spokesperson told Ars: "On Monday 14 November, the secretary of state, having carefully considered all relevant matters, signed an order for Lauri Love’s extradition to the United States. Mr Love has been charged with various computer hacking offences which included targeting US military and federal government agencies."


Oct 04 2016

Yahoo’s CISO resigned in 2015 over secret e-mail search tool ordered by feds


According to a new report by Reuters citing anonymous intelligence officials, in 2015, Yahoo covertly built a secret “custom software program to search all of its customers' incoming emails for specific information.”

Reuters noted that Yahoo “complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.” It is not clear what data, if any, was handed over.

Presuming that the report is correct, it would represent essentially the digital equivalent of a general warrant—which is forbidden by the Fourth Amendment, as Electronic Frontier Foundation lawyer Andrew Crocker noted on Twitter.


Oct 03 2016

McAfee Labs – McAfee 2016-10-03 03:08:11

Over the last several days, we’ve seen headlines on potential cyber-attacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts.

Intel Security CTO Steve Grobman fielded a number of questions on these events and revelations:

What do you make of the FBI and DHS announcements that the agencies have detected cyber-attacks on voter registration websites in more than a dozen states?

“These announcements certainly raise concerns. Elections are meant to be anonymous and not traceable back to the individual voter. Thirty-one states and DC offer the kind of online voter registration that the FBI says was targeted. The perpetrators are hacktivists. They probably seek to shake voter confidence in the American electoral system, and they only have to have one high profile attack to achieve this goal.”

What do you make of reports that cybercriminals are behind the theft of 500 million Yahoo! users’ accounts, not government-backed hackers, and these actors sold the data to a state actor?

“Some nation-states have the same cyber gap in their offensive operations as the rest of the world has in defensive operations. Moreover, they face the threat of kinetic repercussions resulting from the digital attribution of a cyber-attack. Therefore, it’s conceivable that these state actors could use a wide range of tactics to mitigate these issues. This could indeed include partnering with criminal or private organizations to achieve their strategic objectives.

Because of this, we need to be careful not to interpret what little we see as definitive proof of a conclusion.

For example, the fact that stolen data can be leaked through criminal underground networks could simply indicate that a nation-state is attempting to mask a cyber espionage operation as a standard cybercriminal breach. It may also be a side effect of a criminal actor acting on a nation state’s behalf. A similar deception can occur in reverse where a criminal or terrorist group can use tactics to falsely implicate a nation-state.”

What should we make of the possibility of a nation-state potentially hacking a U.S. corporation for user emails as an act of espionage?

“For state actors, the political or strategic incentives of orchestrating such a large breach are as real as the obvious financial ones for cybercriminals. A rival state’s intelligence services could find and access the messages of individuals with political, government, military, and even corporate public profiles.

Consider the recent compromise and disclosure of Former Secretary of State Colin Powell’s personal email messages. While probably more tame than the average citizen’s messages, the public disclosure of his communications revealed statements that proved controversial in political and other government circles.

The emails of the less tame or even reckless candidate, three-letter agency chair, general, or CEO could contain material sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions.”

Regarding Verizon’s planned acquisition of Yahoo!, is an analysis of a company’s computer security expected as part of the due diligence in a purchase?

“It is common practice for technology companies conducting due diligence of a potential acquisition to evaluate the cybersecurity posture of that target. This due diligence often includes requesting a list of IT breaches, reviewing the results of any security audits or certifications, evaluating the company’s policies and procedures for IT security, reviewing the company’s privacy policies, and assessing the nature of personal information held by the business, among others.”

Who generally performs such an analysis? Are they paid by the buyer or the seller?

“Security-related diligence is often conducted through a combination of internal teams employed by the acquirer, and, if needed, third-party specialists. The cost of any third-party evaluation is typically borne by the acquirer.”

Would such an analysis have picked up this breach?

“The due diligence process generally requires disclosure of known IT breaches. Security audits or other evaluations conducted during the course of diligence would attempt to assess the likelihood of future breaches or potentially undiscovered IT breaches.”

What was your reaction to the prominent mention of cybersecurity in the presidential debate between Hillary Clinton and Donald Trump?

“It’s refreshing to see cybersecurity at the forefront of the national security conversation during tonight’s debate. In just a few years, we’ve seen cybersecurity go from a function of the IT back office, to the nation’s Oval Office.

While events have tended to drive government into action, more and more of our nation’s top leaders understand the cyber battlefield is as critical as land, sea, air, and space. The prominence of cybersecurity in this week’s debate is tremendous progress, with the promise of further progress to come in the coming months and years.”

The post CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump appeared first on McAfee.

Sep 20 2016

iPhone passcode bypassed with NAND mirroring attack


Passcodes on iPhones can be hacked using store-bought electronic components worth less than $100 (£77), according to one Cambridge computer scientist.

Sergei Skorobogatov has demonstrated that NAND mirroring—the technique dismissed by James Comey, the director of the FBI, as unworkable—is actually a viable means of bypassing passcode entry limits on an Apple iPhone 5C. What's more, the technique, which involves desoldering the phone's flash memory chip, can be used on any model of iPhone up to the iPhone 6 Plus, all of which use the same type of LGA60 NAND chip. Later models, however, will require "more sophisticated equipment and FPGA test boards."

In a paper he wrote on the subject, Skorobogatov, a Russian senior research associate at the Cambridge Computer Laboratory's security group, confirmed that "any attacker with sufficient technical skills could repeat the experiment," and while the technique he used is quite fiddly, it should not present too much of an obstacle for a well-resourced branch of law enforcement.
