State-Sponsored Cyber Theft

Nine Iranian citizens—working at the behest of the government of Iran—have been charged in a massive computer hacking campaign that compromised U.S. and foreign universities, private companies, and U.S. government entities, including the Department of Labor and the Federal Energy Regulatory Commission.

The hackers were affiliated with the Mabna Institute, an Iran-based company created in 2013 for the express purpose of illegally gaining access to non-Iranian scientific resources through computer intrusions. Members of the institute were contracted by the Islamic Revolutionary Guard Corps—one of several entities within the Iranian government responsible for gathering intelligence—as well as other Iranian government clients.

During a more than four-year campaign, these state-sponsored hackers “compromised approximately 144 U.S.-based universities and 176 foreign universities in 21 countries,” said FBI Deputy Director David Bowdich during a press conference today at the Department of Justice in Washington to announce the indictments. When the FBI learned of the attacks, he said, “we notified the victims so they could take action to minimize the impact. And then we took action to find and stop these hackers.”

Initially, the cyber criminals used an elaborate spearphishing campaign to target the e-mail accounts and computer systems of their victims, which in addition to the universities included nearly 50 domestic and foreign private-sector companies, the states of Hawaii and Indiana, and the United Nations.

According to the indictments unsealed today in a Manhattan federal court, the hackers stole more than 30 terabytes of academic data and intellectual property—roughly three times the amount of data contained in the print collection of the Library of Congress.

“Their primary goal was to obtain user names and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on,” said a special agent who investigated the case from the FBI’s New York Division. “That information included access to library databases, white papers, journals, research, and electronic books. All that information and intellectual property was provided to the Iranian government,” he added.

Read More

FBI agrees to help Arkansas prosecutors open iPhone after hack

The FBI has agreed to help prosecutors gain access to an iPhone 6 and an iPod that might hold evidence in an Arkansas murder trial, just days after the agency managed to hack an iPhone linked to the San Bernardino terror attacks, a local prosecutor said Wednesday.

Cody Hiland, prosecuting attorney for Arkansas’ 20th Judicial District, said that the FBI’s Little Rock field office had agreed to help his office gain access to a pair of locked devices owned by two of the suspects in the slayings of Robert and Patricia Cogdell.

It was not immediately clear whether the FBI planned to use the same method it used to access data on Syed Rizwan Farook’s phone. Calls to the FBI’s Little Rock field office were not immediately returned. An FBI spokesman in Washington declined to comment.

The couple were killed in their home just outside Little Rock in July, according to the Associated Press. Four suspects, ages 14 to 18, have been charged in the killings, Hiland said.

Prosecutors asked for a delay in the trial of 18-year-old Hunter Drexler on Tuesday, less than 24 hours after the FBI said it had successfully gained access to an iPhone 5c that Farook used.

Farook and his wife, Tashfeen Malik, carried out the deadly attacks at the Inland Regional Center on Dec. 2, leaving 14 dead and many more wounded. Federal prosecutors went to court to force Apple to help them unlock Farook’s phone, but the historic court battle was staved off earlier this week when a third party helped the FBI gain access to the device.

Read More


When you start your first day at Quartz, you get peppered with passwords.

There’s a password to log into your new Mac, which you are immediately prompted to change once you’re up and running. The new password allows you to log into your email. Once there, you are invited to join our password-protected (and two-factor-authenticated) CMS. It’s not much of an exaggeration to say your first Quartz workday consists largely of password management.

I had that in mind as I helped a new hire settle in on Monday. So I urged him, repeatedly, to take a moment and sign up for the password manager that had helped me beat my own long-standing struggle with password amnesia: LastPass. For months, the service, which essentially creates an encrypted vault of all your passwords and protects it with a master password, had made my life much better.

Until Tuesday morning. That’s when I received and opened an email from LastPass indicating that the service had been compromised, and that some sensitive information, including email addresses and password reminders, had been taken. For its part, LastPass says the “vaults” where users keep their passwords to various sites and applications were not compromised.

“So no data stored in your vault is at risk,” officials said. But I still had to explain this to the guy I had convinced to use it less than 24 hours before.

A recent survey commissioned by Telesign, a company that sells two-step verification technology, found that roughly 70% of the 2,000 people it surveyed in the UK and US don’t trust that their passwords will protect them. They shouldn’t. After all, it’s abundantly clear that we are living in an era of profound data insecurity.

I mean, Russian hackers read President Obama’s unclassified email. And just to review, over the last few months alone we’ve learned that hackers have breached not only the White House, but also the IRS and the federal government’s Office of Personnel Management, where they perused, among other things, the form people fill out when they apply for security clearances.

What’s more, today we learned that the FBI is investigating front office officials from the St. Louis Cardinals in connection with hacking into the Houston Astros’ “baseball operations database.” The New York Times reports:

Investigators believe Cardinals officials, concerned that [former Cardinals executive, and current Astros general manager Jeff] Luhnow had taken their idea[s] and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

There’s a reason why hackers, whether they are associated with Red China or the St. Louis red birds, aim for passwords. Long ago, we reached the human limits of our ability to remember them. The human mind has pretty strict limitations on remembering long sequences of numbers and letters (essentially about seven items, plus or minus two), and they’re best remembered in familiar chunks, you know, like letters in words. This is why consumers have an average of 24 online accounts but only about six unique passwords, according to the Telesign study.

In other words, passwords aren’t the problem. We are.

And humans will remain the problem until we get to the post-password era.

Over the next few years we’ll increasingly be authenticating ourselves not with passwords but with our fingerprints, faces, irises, retinas, palm prints and speech patterns. But humanity still presents a profound engineering problem.

“Passwords or tokens are easy to change while it is compromised. But, biometric traits are inherent and fixed forever, that is, the biometric data is irrevocable,” wrote academics in a paper published in April.

If you think resetting your password is a pain, try resetting your fingerprint.

Engineers are addressing the problem, coming up with technologies that produce cancelable, cryptographically transformed versions of our biometric data that can be reset. But I can’t help but be overcome by the suspicion that the digital world might just work a lot better if it didn’t have to put up with all these people.
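To make the "cancelable" idea concrete, here is an added illustration (not code from the article or from any product it mentions) of the biohashing-style construction: the raw biometric feature vector is projected through a random matrix derived from a per-user token and reduced to sign bits, so the stored template depends on both the finger and the token. If the template leaks, the operator issues a new token and the old template becomes useless, while the fingerprint itself never has to change. The 64-value feature vector, the 64-bit template length and the match threshold are assumptions chosen for the demonstration; the "fingerprint" is a constructed random vector, not biometric data.

```python
import hashlib
import random
from typing import Dict, List

# Assumed sizes for the illustration: a 64-value feature vector becomes a 64-bit template.
FEATURE_DIM = 64
TEMPLATE_BITS = 64


def _projection_rows(token: bytes, n_rows: int, dim: int) -> List[List[float]]:
    """Derive a token-specific random projection matrix. Revoking a template
    means issuing a new token, which yields an unrelated matrix."""
    seed = int.from_bytes(hashlib.sha256(token).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_rows)]


def make_template(features: List[float], token: bytes) -> List[int]:
    """Biohashing-style cancelable template: project the features with the
    token-derived matrix and keep only the sign of each projection."""
    rows = _projection_rows(token, TEMPLATE_BITS, len(features))
    return [1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0
            for row in rows]


def hamming(a: List[int], b: List[int]) -> int:
    """Number of template bits that differ."""
    return sum(x != y for x, y in zip(a, b))


def matches(template: List[int], features: List[float], token: bytes,
            max_distance: int = 12) -> bool:
    """Accept a fresh sample if its template under the same token is close enough.
    The threshold is an assumed operating point, not a tuned one."""
    return hamming(template, make_template(features, token)) <= max_distance


def demo() -> Dict[str, object]:
    rng = random.Random(1234)
    # Constructed stand-in for a fingerprint feature vector (not real biometric data).
    enrolled = [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
    # The same finger scanned again: small measurement noise on every feature.
    rescan = [f + rng.gauss(0.0, 0.1) for f in enrolled]
    token_v1 = b"user42-token-v1"   # issued at enrolment
    token_v2 = b"user42-token-v2"   # issued after the v1 template leaks

    t_v1 = make_template(enrolled, token_v1)
    t_v2 = make_template(enrolled, token_v2)
    return {
        # same finger, same token: only a few bits flip
        "rescan_distance": hamming(t_v1, make_template(rescan, token_v1)),
        # same finger, new token: about half the bits differ, i.e. unrelated templates
        "reissue_distance": hamming(t_v1, t_v2),
        "rescan_accepted": matches(t_v1, rescan, token_v1),
        # the leaked v1 template (or anything derived with the v1 token) no longer matches
        "leaked_template_rejected_after_reissue": not matches(t_v2, enrolled, token_v1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The security property to notice is that the token does the revocation work: a leaked template without the token gives an attacker nothing to replay against a re-enrolled user, which is exactly the reset that a raw fingerprint cannot offer.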

View Source


Last week, millions of government employees were probably quite nervous to hear their personal data had been stolen by hackers (likely from China), who gained access to a trove of data from the Office of Personnel Management.

This week, the same office is exposing even more government employees to risk through its response to the breach. OPM announced it will notify all impacted individuals by email, which makes not only the affected individuals, but also anyone else worried they might be affected, a ripe target for a phishing attack.

In its announcement, OPM said, “The email will come from and it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach.”

OPM is using a third party, CSID, to manage this communication, and has now, in essence, provided phishers with a blueprint for an attack. Of note, CSID does at least use DMARC, one good step toward seeing how others may be spoofing its domain (DMARC gives the domain owner reports on mail that fails authentication and, if the policy is set to quarantine or reject, lets receiving mail systems act on it).

Imagine you have had any kind of interaction with the OPM in the past five years or so. You may be wondering “was I one of the ones compromised?” Soon enough, an email shows up in your inbox, notifying you that you have indeed been breached, and offering credit monitoring and identity protection services. It directs you to a website, where you provide some basic information, including your name, email address, mailing address (and maybe more) and promises the credit and ID monitoring services will start immediately.

But what if you didn’t read the email closely enough? What if it came from, or from What if you never saw the announcement to know exactly what email address you should be looking for?
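Two checks a defender can script for the situation described above, as an added example rather than anything OPM or CSID published: first, whether a sender domain’s DMARC record is actually enforcing (a `p=none` record only reports spoofing, it does not stop it), and second, whether the From: domain of a notification email is the domain the recipient was told to expect, a subdomain of it, a lookalike, or something unrelated. The DMARC records and the `notifier.example` domain are constructed stand-ins, not the real records or addresses of any party named on the page, and the lookalike heuristic is deliberately simple.

```python
import re
from typing import Dict, Optional

# Constructed DMARC TXT records for hypothetical domains (not CSID's or OPM's real records).
SAMPLE_DMARC_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:agg@enforcing.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20",
}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag=value pairs; None if it is not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_posture(record: str) -> str:
    """'none': no record; 'monitor': p=none, reports only, spoofed mail still delivered;
    'partial': quarantine/reject applied to only pct% of failing mail; 'enforce': full policy."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "none"
    if tags.get("p", "none").lower() == "none":
        return "monitor"
    return "partial" if int(tags.get("pct", "100")) < 100 else "enforce"


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character swaps such as not1fier."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _looks_alike(domain: str, expected: str) -> bool:
    """Cheap lookalike heuristic on the leftmost label: it contains the expected name
    (notifier-alerts) or is within two edits of it (not1fier). Assumed, not authoritative."""
    d_label, e_label = domain.split(".")[0], expected.split(".")[0]
    return e_label in d_label or _edit_distance(d_label, e_label) <= 2


def sender_check(from_header: str, expected_domain: str) -> str:
    """Compare the From: domain of a notification with the domain the recipient was told
    to expect. Returns 'exact', 'subdomain', 'lookalike' or 'unrelated'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    domain = addr.rsplit("@", 1)[-1].lower().strip()
    expected = expected_domain.lower()
    if domain == expected:
        return "exact"
    if domain.endswith("." + expected):
        return "subdomain"
    if _looks_alike(domain, expected):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for name, record in SAMPLE_DMARC_RECORDS.items():
        print(name, "->", dmarc_posture(record))
    for hdr in ("Notice <alerts@notifier.example>", "<alerts@not1fier.example>",
                "<alerts@notifier.example.attacker.example>"):
        print(hdr, "->", sender_check(hdr, "notifier.example"))
```

Note that a monitoring-only DMARC record is exactly the case the article worries about: the domain owner learns it is being spoofed, but the phishing email still lands in the employee’s inbox, so the recipient-side check is the one that actually protects the victim.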

Now each of these employees has willingly handed over this information to a second group of hackers (this time through the phishing attack), who likely have different ambitions than China’s. These hackers can easily keep you placated by sending you false credit report information (hey, your credit still looks great, nothing to worry about here) while destroying your actual credit.

OPM is in a difficult situation, and is trying to respond as quickly and cost effectively as possible to a massive breach affecting millions of government employees. But it must take a step back and make sure it does not cause greater harm to these employees with its follow-on actions.

Instead, OPM should send notifications via physical mail or secured intranet communication. OPM should also educate all employees on the risk of phishing attacks.

And finally, OPM should conduct thorough penetration testing of the third-party provider, CSID, to ensure that by handing this project off to another party, it’s not opening up its employees to yet another attack.

View Source


In a bid to close potential vulnerabilities in the government’s Web presence, the White House is mandating every public federal website switch to a more secure Internet connection standard within about a year and a half.

The connection technology, Hypertext Transfer Protocol Secure (HTTPS), gives site visitors more privacy and confidence that they are looking at official government websites. The secure protocol also prevents much of their web browsing from being watched or tampered with.

Come Dec. 31, 2016, every public federal site must be protected with HTTPS.

Today, most of the federal government’s roughly 1,200 websites use plain HTTP, which exposes website content, browser details, search terms and other user information to eavesdroppers.

Anyone observing the network, including an employer or Internet service provider, can see what topics a computer user is interested in. Or instead of just watching traffic, the interloper could redirect the user to fraudulent content.

HTTPS cannot protect Web servers and other networking systems from being hacked, however. For example, HTTPS would not have stopped self-described Syrian government backers from defacing the official website of the U.S. Army earlier Monday. In that instance, Syrian Electronic Army hacktivists broke into a military contractor’s system and posted a message reading, “YOUR COMMANDERS ADMIT THEY ARE TRAINING THE PEOPLE THEY HAVE SENT YOU TO DIE FIGHTING.”

The White House rule will eliminate the burden of deciding what Web content is sensitive enough to merit HTTPS protection and ensure stronger privacy governmentwide, federal Chief Information Officer Tony Scott said in a blog post.

“With this new action, we are driving faster Internetwide adoption of HTTPS and promoting better privacy standards for the entire browsing public,” he said.

The transition will take elbow grease and money, officials acknowledged. Manual work is often required to transition sites that load external images, scripts and fonts over insecure connections, for example.
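The "manual work" above is mostly hunting down mixed content: subresources still fetched over `http://` after the page itself moves to `https://`. Browsers block the active kind (scripts, stylesheets, frames), which breaks the site, and warn on the passive kind (images, media), which spoils the padlock. The scanner below is an added example, not a tool from the page or from the government HTTPS programme; it walks an HTML document with the standard-library parser and classifies each insecure subresource. The sample page is constructed and stands in for a site mid-migration. Protocol-relative URLs (`//host/...`) are not flagged because they inherit the page’s scheme.

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Attributes through which each tag loads a subresource. An http:// URL in one of these on an
# https:// page is mixed content. Scripts, stylesheets, frames and plugins are "active" mixed
# content (they can rewrite the page); images and media are "passive".
SUBRESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",), "object": ("data",),
    "embed": ("src",), "img": ("src", "srcset"), "source": ("src", "srcset"),
    "audio": ("src",), "video": ("src", "poster"),
}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []   # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "link":
            # Only stylesheets are active; icons, prefetch hints and the like are passive.
            rel = (attr.get("rel") or "").lower().split()
            severity = "active" if "stylesheet" in rel else "passive"
        else:
            severity = "active" if tag in ACTIVE_TAGS else "passive"
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attr.get(name)
            if not value:
                continue
            # srcset lists "url descriptor, url descriptor, ..."; other attributes hold one URL.
            if name == "srcset":
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for url in candidates:
                if url.lower().startswith("http://"):
                    self.findings.append((severity, tag, url))


def find_mixed_content(html: str) -> List[Tuple[str, str, str]]:
    """Return every insecure subresource reference in the document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page fragment standing in for a site mid-migration (not a real government page).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="stylesheet" href="https://cdn.example/print.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="http://cdn.example/app.js"></script>
<script src="//cdn.example/ok.js"></script>
</head><body>
<img src="http://img.example/seal.png" alt="seal">
<img src="https://img.example/logo.png" srcset="http://img.example/logo@2x.png 2x">
<a href="http://www.example/other-page">link</a>
</body></html>"""


if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{severity:7s} <{tag}> {url}")
```

The `<a href="http://...">` link is deliberately not reported: navigation links are not subresources and do not trigger mixed-content blocking, so a scanner that flags them produces noise that hides the two findings that actually break the page.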

The public can see which dot-gov websites are protected with HTTPS by checking an official government website, Pulse, that launched last week., and were early converts to HTTPS. To date, about 160 government sites default to the secure protocol.

There is also an HTTPS help website for federal web managers.

HTTP sites “will not keep pace with privacy and security practices used by commercial organizations,” the HTTPS regulation states. “This leaves Americans vulnerable to known threats, and may reduce their confidence in their government.”

The White House Office of Management and Budget in March first proposed HTTPS requirements.

View Source

Hackers Could Commandeer New Planes Through Passenger Wi-Fi

Seven years after the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable.

Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.

A hacker would have to first bypass a firewall that separates the Wi-Fi system from the avionics system. But firewalls are not impenetrable, particularly if they are misconfigured. A better design, security experts have warned for years, is to air gap critical systems from non-critical ones—that is, physically separate the networks so that a hacker on the plane can’t bridge from one to the other, nor can a remote hacker pass malware through the internet connection to the plane’s avionics system. As the report notes, because the Wi-Fi systems in these planes connect to the world outside the plane, it opens the door for malicious actors to also remotely harm the plane’s system.

“A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” according to the report.

Read More

Android Apps Vulnerable to Hijacking

Almost half of Android smartphones are vulnerable to being hacked through third-party apps downloaded from stores outside the official outlet.

The flaw, a time-of-check to time-of-use (TOCTTOU) vulnerability discovered over a year ago and dubbed “Android Installer Hijacking,” allows an attacker to hijack the usual Android APK installation process. It does not affect apps installed from the Google Play store, because the Play Store app’s protected storage cannot be accessed by other installed apps.

“On affected platforms, we discovered that the PackageInstaller has a “Time of Check” to “Time of Use” vulnerability. In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps,” according to the blog post at Palo Alto Networks.

As a result, the PackageInstaller can end up installing a different app from the one the user reviewed, granting the attacker permissions the user never approved. Legitimate apps could be silently replaced with malware.

Android 4.4 and later are not affected. Android 4.3 and earlier may still be vulnerable.

A vulnerability scanner app is available in the Google Play store. For security researchers, the open source version of the app has been made available on Github.

The researchers advise users of affected devices to install apps only from the Google Play store, to use Android 4.3 or later (bearing in mind that some 4.3 builds are still vulnerable), not to grant apps permission to use logcat, and not to use a rooted device.
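The check-then-use gap at the heart of Installer Hijacking is easy to reproduce outside Android. The following is an added illustration, not the Android PackageInstaller code or the Palo Alto Networks proof of concept: a vulnerable installer verifies the file at a path and then re-reads the same path to install, while a second party overwrites the file in between (standing in for another app with write access to the same unprotected external storage). The hardened version reads the file once into private memory, verifies those bytes and installs exactly those bytes, which is the same shape as the real fix of verifying the package from a location other apps cannot modify. The two "APKs" are constructed byte strings and the verification is a digest comparison standing in for signature and permission checks.

```python
import hashlib
import os
import tempfile
from typing import Callable, Optional

# Constructed stand-ins for a legitimate APK and a trojanized one (not real packages).
BENIGN_APK = b"BENIGN-APK: requests INTERNET only"
MALICIOUS_APK = b"MALICIOUS-APK: requests READ_SMS, READ_CONTACTS, DEVICE_ADMIN"
TRUSTED_DIGEST = hashlib.sha256(BENIGN_APK).hexdigest()

Race = Optional[Callable[[], None]]


def verify_bytes(data: bytes) -> bool:
    """Stand-in for the installer's check (signature, permission list shown to the user)."""
    return hashlib.sha256(data).hexdigest() == TRUSTED_DIGEST


def vulnerable_install(path: str, race: Race = None) -> Optional[bytes]:
    """Check the file at `path`, then re-open `path` to install. The gap between the two
    reads is the TOCTOU window; `race` stands in for another app on the same unprotected
    storage replacing the file inside it."""
    with open(path, "rb") as f:
        if not verify_bytes(f.read()):        # time of check
            return None
    if race:
        race()                                # attacker swaps the file
    with open(path, "rb") as f:
        return f.read()                       # time of use: whatever is there now gets installed


def hardened_install(path: str, race: Race = None) -> Optional[bytes]:
    """Read the package once into private memory, verify those bytes, install those bytes.
    Nothing the attacker does to the file after the read changes what is installed."""
    with open(path, "rb") as f:
        data = f.read()
    if race:
        race()                                # same swap, now harmless
    return data if verify_bytes(data) else None


def run_scenario(install: Callable[..., Optional[bytes]],
                 initial: bytes = BENIGN_APK) -> Optional[bytes]:
    """Drop `initial` in a scratch directory (standing in for shared external storage) and run
    `install` with a race that overwrites the file with MALICIOUS_APK mid-install."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "update.apk")
    with open(path, "wb") as f:
        f.write(initial)

    def swap() -> None:
        with open(path, "wb") as f:
            f.write(MALICIOUS_APK)

    try:
        return install(path, race=swap)
    finally:
        os.remove(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print("vulnerable installer installed:", run_scenario(vulnerable_install))
    print("hardened installer installed:  ", run_scenario(hardened_install))
```

The design point is that the fix is not "check harder": any check performed on a path the attacker can write to can be invalidated before use. The only robust pattern is to verify and consume the same immutable copy, held in memory or in storage other apps cannot reach, which is why the Play Store app was never affected.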

Read More

Even Biometric Locks Can be Picked

How can we ensure that someone is who they say they are? How can we be sure that the person in our system, whether digitally or physically in front of us, is who they claim to be?

You may think that a good password is the answer, but with so many ways to break into a computer system these methods are clearly not always effective – as can be seen from the unfortunate hacked celebrities whose naked pictures were strewn across the internet recently, or the Oleg Pliss ransomware that locks iPhones until the extortioner is paid. Even a combination of a good username and password may not be enough.

An organic alternative to passwords

What about biometrics? This technology uses human physical attributes as locks and keys, such as fingerprints, iris scans or, as is now suggested, the veins in the human fingertip, making them highly individual ways to identify one user from another.

Using biometrics is not especially new. For example, while the likes of iris scanners may be familiar from sci-fi films, they’re also (or were until recently) found in real life airports too. Often mistakenly called retinal scanners, they are based on scanning the unique pattern of the iris, the coloured part of the eye.

But the technology needed to complete an effective and trusted scan is expensive and can be tricked by technologically capable hackers. These are great for entry control systems on the buildings of large organisations, or for the occasional secret bunker seen in films. But they are extremely costly – prohibitively so if a bank was to insist that every customer had one at home – and false readings become a problem as the number of people using it scales.

On the other hand, fingerprint technology has become cheaper and more available – fingerprint scanners are now sufficiently small and accurate that they started appearing in laptops 10 years ago, and are even in small devices like the iPhone 5S. This is one way that banks could allow smartphone and laptop users to access their financial services, with users presenting a finger rather than a passcode.

In fact it’s easy to obtain a range of low-cost scanners for all sorts of authentication uses. But that doesn’t mean users will like them – there are ethical issues to consider, as some UK schools discovered in 2012 when their use of fingerprint scanners to monitor pupil attendance led to an outcry and a government ban on such use without explicit consent from parents.

Read More

Phone Firewall Identifies Rogue Cell Towers Trying to Intercept Your Calls

Rogue cell phone towers can track your phone and intercept your calls, and it’s only a matter of time before they’re as ubiquitous as GPS trackers. But at least now there’s a way to spot them.

A firewall developed by the German firm GSMK for its secure CryptoPhone lets people know when a rogue cell tower is connecting to their phone. It’s the first system available that can do this, though it’s currently only available for enterprise customers using Android phones.

GSMK’s CryptoPhone 500, a high-end phone that costs more than $3,000 and combines a Samsung Galaxy S3 handset with the CryptoPhone operating system, offers strong end-to-end encryption, a specially hardened Android operating system that offers more security than other Android phones, and a patented baseband firewall that can alert customers when a rogue tower has connected to their phone or turned off the mobile network’s standard encryption.

The problem with rogue cell towers is widespread. The FCC is assembling a task force to address the illicit use of so-called IMSI catchers, the devices that pose as legitimate cell towers. But the task force will only examine the use of the devices by hackers and criminals, and possibly foreign intelligence agencies, not their warrantless use by law enforcement agencies bent on deceiving judges about their deployment of the powerful surveillance technology.

IMSI catchers, stingrays or GSM interceptors as they’re also called, force a phone to connect to them by emitting a stronger signal than the legitimate towers around them. Once connected, pings from the phone can help the rogue tower identify a phone in the vicinity and track the phone’s location and movement while passing the phone signals on to a legitimate tower so the user still receives service. Some of the IMSI software and devices also intercept and decrypt calls and can be used to push malware to vulnerable phones, and they can also be used to locate air cards used with computers. The systems are designed to be portable so they can be operated from a van or on foot to track a phone as it moves. But some can be stationary and operate from, say, a military base or an embassy. The reach of a rogue tower can be up to a mile away, forcing thousands of phones in a region to connect to it without anyone knowing.
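The two tells the article attributes to the baseband firewall, a tower the phone has never seen before that is suddenly far stronger than everything around it, and a network that switches off the standard encryption, can be expressed as a small detector over the cells a handset camps on. The following is an added example and is not GSMK’s firewall or its heuristics: it builds a baseline from earlier observations and flags later ones. The observation log is constructed (the `001-01` MCC/MNC is the reserved test network, so no real carrier is identified), `A5/0` denotes the unencrypted GSM mode, and the 20 dB signal margin is an assumed threshold.

```python
from typing import Dict, List

# Constructed log of the cells a handset camped on (not output from any real baseband firewall).
# cell: MCC-MNC-LAC-CID; rssi: signal strength in dBm; cipher: the GSM cipher the network
# negotiated, where A5/0 means the network turned encryption off.
OBSERVATIONS = [
    {"t": 0, "cell": "001-01-100-2001", "rssi": -85, "cipher": "A5/3"},
    {"t": 1, "cell": "001-01-100-2001", "rssi": -84, "cipher": "A5/3"},
    {"t": 2, "cell": "001-01-100-2004", "rssi": -88, "cipher": "A5/3"},
    {"t": 3, "cell": "001-01-100-2001", "rssi": -86, "cipher": "A5/3"},
    {"t": 4, "cell": "001-01-777-1",    "rssi": -51, "cipher": "A5/0"},
    {"t": 5, "cell": "001-01-777-1",    "rssi": -50, "cipher": "A5/0"},
    {"t": 6, "cell": "001-01-100-2001", "rssi": -85, "cipher": "A5/3"},
]


def build_baseline(history: List[Dict]) -> Dict[str, int]:
    """Strongest signal previously seen from each cell the phone has legitimately camped on."""
    baseline: Dict[str, int] = {}
    for o in history:
        baseline[o["cell"]] = max(baseline.get(o["cell"], -200), o["rssi"])
    return baseline


def flag_observations(observations: List[Dict], baseline: Dict[str, int],
                      rssi_margin: int = 20) -> List[Dict]:
    """Return observations that look like an IMSI catcher, each with its reasons.
    rssi_margin is how many dB above the strongest known cell counts as suspicious (assumed)."""
    strongest_known = max(baseline.values(), default=-200)
    alerts: List[Dict] = []
    for o in observations:
        reasons: List[str] = []
        if o["cipher"] == "A5/0":
            reasons.append("encryption disabled")
        if o["cell"] not in baseline:
            reasons.append("unknown cell")
        if o["rssi"] > strongest_known + rssi_margin:
            # A catcher wins the handset by out-shouting the real towers, known cell ID or not.
            reasons.append("abnormally strong signal")
        if reasons:
            alerts.append({"t": o["t"], "cell": o["cell"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(OBSERVATIONS[:4])
    for alert in flag_observations(OBSERVATIONS[4:], base):
        print(alert)
```

Any one of these signals can have an innocent explanation (a new carrier site, a network that genuinely runs A5/0 in some areas), which is why the detector reports reasons rather than a verdict; all three together on the same cell, as in the constructed log, is the pattern worth acting on.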

Read More

FBI and Apple Investigate Celebrity Photo Leaks

The FBI says it was addressing allegations that online accounts of several celebrities, including Oscar-winner Jennifer Lawrence, had been hacked, leading to the posting of their nude photographs online.

The agency did not say what actions it was taking to investigate who was responsible for posting naked photos of Lawrence and other stars. Apple said it was looking into whether its online photo-sharing service had been hacked to obtain the intimate images.

Lawrence, a three-time Oscar nominee who won for her role in “Silver Linings Playbook,” contacted authorities after the images began appearing Sunday.

Naked images purporting to be of other female stars were also posted, although the authenticity of many couldn’t be confirmed. The source of the leak was unclear.

“This is a flagrant violation of privacy,” Lawrence’s publicist Liz Mahoney wrote in a statement. “The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.”

The FBI said it was “aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter.”

“Any further comment would be inappropriate at this time,” spokeswoman Laura Eimiller wrote in a statement.

Apple Inc. spokeswoman Natalie Kerris said the company was investigating whether any iCloud accounts had been tampered with, but she did not give any further details.

“We take user privacy very seriously and are actively investigating this report,” she said.

Actress Mary Elizabeth Winstead also confirmed that nude photos of her were posted online.

“To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” Winstead posted on Twitter. Winstead, who starred in “Final Destination 3″ and “Abraham Lincoln: Vampire Hunter,” wrote that she thought the images had been destroyed.

Read More