Way to go VTech.

One month ago a hacker revealed that he had broken into the toymaker VTech and retrieved a lot of disturbing information. Apparently, VTech had been storing images, chat logs, home addresses, emails, names, genders and even birthdays of every customer. This would include the parents and the children by whom the products were most likely being used. The information of around 4,000,000 parents and 200,000 of the children using the products was readily available to anyone who knew what they were doing. The hacker did not disclose how he was able to break into VTech, probably in an attempt to keep this information from people who want it but do not know how to hack, but has commented that he retrieved 190GB worth of photos and shared 3832 images, with all the faces blocked out, with Motherboard, a blogging site. VTech has yet to concretely say what their exact reasoning was, but the wording of their attempt to justify it was so that they can send the password to the user directly. You know, because that is such a GREAT idea: instead of just having them reset their password every time they forget it, because the company made it entirely impossible for them to access it on their own and with ease, I will just send it back to you. The person that thought this was a good idea should get fired, like, two years ago.

https://nakedsecurity.sophos.com/2015/12/01/photos-of-kids-and-parents-chatlogs-audio-files-stolen-in-vtech-breach/

Apple Watch security risks (and benefits)

http://www.esecurityplanet.com/mobile-security/apple-watch-security-risks-and-benefits.html

In short, this article informs the public about an issue that is overlooked when it comes to Apple smartwatches: how “weak” the security on those watches actually is. There are several openings in these Apple smartwatches that can be exploited due to their lack of actual security. For example, an Apple smartwatch can be easily “bluejacked”, a term used to describe a 3rd party gaining access to said watch. As a result, the 3rd party can access many parts of the phone and send things like images, sounds, or even viruses to the smartwatch (some of which can take over the phone and listen in on conversations or block the owner's control of the phone for however long the hacker chooses). The worst part is, this is not even the worst thing that could happen when it comes to loopholes in the security of the device. Like all devices that can download apps without restraints, the Apple smartwatch is capable of downloading apps which can contain harmful malware that could take on a variety of forms and become difficult to combat. There seems to be a claim that even if the smartwatch is vulnerable to many variations of malware, viruses, and other methods of attack used by hackers, since the smartwatch is tied to Apple, which is already a target of hackers, it does not seem to cause much concern. In fact, since the smartwatch will automatically lock if taken off the user's wrist, it is presumed to be safer than a phone if both are left unaccounted for in a public place.

Government vs Corporations: The Battle of Security and Privacy

After Edward Snowden released information that the NSA was tapping into private companies' servers and getting their information without their knowledge, corporations have made promises to customers and buffed up security on their servers immensely. Higher levels of encryption, no backdoors, and buffed-up servers make it much harder for hackers to break into your sensitive information, but they also keep the government out.

The United States is currently in or contemplating legal battles with large tech companies such as Apple, Google, and Microsoft to compel them to hand over information, break encryption, or leave the government a way in to look at the data itself. Specifically with Microsoft, the company refuses to hand over data to the government without an Irish warrant because the servers the data is stored in are in Dublin. Companies aren’t willing to cooperate with the government on this because of the promises they made to their customers and the huge security breaches it could cause, leaving possible holes for hackers to steal or tamper with data.

The UK is facing a similar issue, where MI5 is looking for more power from Parliament to keep up with technological advances, and Andrew Parker, Director General of MI5, recently said in an interview that companies have an ethical responsibility to turn over to the government the information it wants.

Major corporations remain hesitant to readily give over information to the government for fear of backlash from consumers and the fact that the government has not really been truthful with them in the past. This argument is definitely one that comes down to ethics, and we must determine at what point we sacrifice too much privacy for the sake of security. We will have to see what the courts or Congress say on the matter.

Sources:

http://www.nytimes.com/2015/09/08/us/politics/apple-and-other-tech-companies-tangle-with-us-over-access-to-data.html?_r=0

http://www.scmagazine.com/andrew-parker-says-mi5-needs-greater-cyber-security-powers/article/439663/

– Quinn White

Hackers Take Control of ‘smart’ Sniper Rifle

TrackingPoint is a company that specializes in applied technology. They’re based in Austin, Texas and are known for building the first Precision Guided Rifle. A Precision Guided Rifle (PGF) is a long range rifle system meant to improve the accuracy of shooting targets at long distances. A PGF is able to improve accuracy by using target tracking, HUD Display, and advanced fire-control. The purpose of a PGF is to account for human error such as misaiming, trigger jerk, or a miscalculation when setting up. A TrackingPoint Precision Guided Rifle could allow even a novice to reliably hit targets from over a mile away.

A pair of security researchers, Runa Sandvik and Michael Auger, bought two of the $13,000 TrackingPoint rifles and spent a year reverse engineering and hacking the rifles’ computer system. They were able to get into the rifle via the Wi-Fi and exploit vulnerabilities in the software. Once they were in the rifles’ system they could make the gun miss the target completely, or change a single number in the software and have the gun shoot to the right or left and hit an entirely different target, all while the HUD displayed normal readings. They also found that they could lock the gun owner out by becoming root and disabling the firing pin, or they could render the gun useless by deleting important files, making the scope unusable. While the attacker can do a lot, the one thing the attacker cannot do is fire the gun randomly, because the TrackingPoint guns are built to only shoot when the trigger is pulled manually.

Gun Hackers

Sandvik and Auger said they will not release the code for their exploit because they feel that TrackingPoint in its current state would not have the manpower to fix the issue in its software. Sandvik states that the real issue here is that as we and our objects become more interconnected and attached to the internet, companies that start putting technology into devices that have never had it before need to take precautions and realize there will be security challenges that they did not have before.

TrackingPoint stated that after talking with Sandvik and Auger about the research they did, the company will look into developing a software update to patch the issues with the rifle’s vulnerabilities, and customers who already own it will be sent USB devices that contain the patch.

Sources:

http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/

http://bgr.com/2015/07/30/hackers-smart-sniper-rifle-disabled/

-Peter Carenzo

Assassination through hacking possible?


Threats to high-ranking and influential officials may no longer be a lone gunman on a rooftop. A new, frightening and precarious threat is evolving and becoming ever more ominous. Car hacking is this new threat. This threat is a subject of recent recalls and news headlines; however, this threat is more omnipresent than these headlines may lead people to believe. It is not difficult to envisage that this threat extends to a significant number of modern automobiles.

The use of the microchip in the automobile has had innumerable benefits, including improving efficiency, safety, reliability, and drivability. However, with these benefits come dangers. For example, the new Mercedes Benz has a system called Intelligent Drive in their new models available on the market today. This system has the ability to influence braking, steering, and throttle to keep the car in the lane, and autonomously come to a stop. Most luxury brands have a very similar system in their models. This innovation also opens a door for some very precarious hacking opportunities. All these systems are controlled by a central computer called an ECU. If an individual gains access to this CPU, it is conceivable that said individual could influence the control of the vehicle to do a malicious deed.

Will the headlines of the near future be reading stories of assassinations of influential individuals through hacking? Possibly. However, in the current state of technology this form of hacking is difficult and risky. Currently, hacking an automobile involves gaining physical access to the automobile. However, as more and more new models become internet connected, this physical access problem that hackers face may fade away.

http://www.wired.com/2014/08/car-hacking-chart/

http://www.computerworld.com/article/2473920/cybercrime-hacking/car-hacking–car-cyberattack-a-possible-theory-behind-journalist-s-death.html

http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/

http://www.mercedes-benz-intelligent-drive.com/com/en/

~Michael Boc