A Ukrainian group calling itself Cyber Hunta released emails October 28 from aides close to Vladimir Putin that show Russia heavily influencing the separatist movement in Ukraine. The incident could be retaliation by the United States for Russian political hacking, which would be big enough news on its own, but there was lots more happening this week. The security community began intense debriefing in the wake of last week’s DDoS attack on the internet infrastructure company Dyn, which was powered largely by an Internet of Things botnet. It turns out that most of the devices used to mount the attack weren’t consumer IoT devices in homes but enterprise products like webcams and DVRs built for commercial use. As everyone scrambles to figure out what to do about the sorry state of IoT security, some are looking to Internet Service Providers to help protect and shrink the existing population of vulnerable devices.
Speaking of sorry situations, WIRED published exclusive insights this week into last year’s disastrous Office of Personnel Management hack. Meanwhile, law enforcement used a sound cannon against pipeline protesters on Standing Rock Reservation in North Dakota (and updates were coming to the world from livestreams on social media), the Clinton campaign wants states to get serious about reducing cyberbullying, and Trump has a disinformation campaign going to make voters skeptical of the upcoming election results. Oh, and researchers are using totally mind-blowing physics hacks to take over Android phones. Whew.
But there’s more! Each Saturday we round up the news stories that we didn’t break or cover in depth but still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.
On Thursday, a Ukrainian group calling itself Cyber Hunta released 1GB of emails from key aides close to Vladimir Putin that show Russia heavily influencing the separatist movement in Ukraine. Russia has denied involvement with that faction, which destabilized Ukraine and paved the way for the Russian takeover of Crimea, but the emails contradict the Kremlin’s official position. The email dump contained data downloaded directly from Russian aides’ Outlook accounts. Given the Obama administration’s recent indications that it would retaliate in some way against Russia for its political hacking in the US, this new incident seems like it could be a warning strike. The true nature of Cyber Hunta is not yet known, though, and a senior US intelligence official told NBC that the US “had no role” in the leak.
A hacker charged with stealing nude photos and other data from celebrities’ personal storage accounts in 2014 was sentenced to 18 months in prison this week. Ryan Collins, a 36-year-old Pennsylvania resident, had pleaded guilty to felony charges in May. He admitted to phishing over 600 people (many, like Jennifer Lawrence and Rihanna, in the entertainment industry) to get their login credentials for different digital services. The Department of Justice says that it does not have evidence that Collins leaked the data, but called his scheme “sophisticated” and said that he sometimes used specialty software to download all the data in victims’ Apple iCloud backups in one sweep. Collins also had a modeling scam that he used to convince people to send him nude photographs.
Many Critical Infrastructure Operations Still Use Unencrypted Beeper Messages to Manage Control Systems
New research from the security firm Trend Micro shows that many industrial operations still use wireless pagers to communicate commands to control systems. Nuclear power plants, HVAC companies, power generation stations, and chemical plants may be relying on unencrypted beeper messages to manage systems that control things like diagnostics, fire incidents, contamination, and pump flow rate. Unencrypted pager messages are cheap and easy to intercept, and Trend Micro studied more than 54 million of them. “We found that a disturbing amount of information that enterprises typically consider confidential can easily be obtained through unencrypted pager messages,” the researchers wrote.
In 2013 The New York Times did some reporting about an AT&T program called Project Hemisphere that compiled vast troves of customer communication data, which the company then made available to federal and local drug enforcement officials. The Times said the database, which contains decades of call records, was available to law enforcement for drug cases with a subpoena as part of a “partnership.” But new reporting from the Daily Beast based on internal AT&T documentation reframes Project Hemisphere as a product that the telecom has been peddling broadly to government agencies for millions of dollars a year. Accessing the database doesn’t require a warrant and gives officials access to trillions of call records, which can establish where a person was located during a call and who they were speaking to. The Beast reports that AT&T asked officials to promise that they wouldn’t reveal anything about Project Hemisphere to the public. The situation calls to mind the 2013 revelations about the National Security Agency’s own bulk call surveillance, but in fact AT&T has records dating back longer than the NSA did.
Bitcoin improves anonymity compared to, say, credit cards, but on Friday, a new blockchain-based currency launched that promises to take the incognito mode a step further. ZCash combines blockchain with cryptographic principles that the company says allow transactions to be done without a record on the ledger of which wallets sent and received currency. The system will only record that a transaction occurred. The promise of extreme privacy has buoyed ZCash futures. Mining for the currency began on Friday and the company distributed some ZCash to its investors. The original research underlying ZCash came from work in 2013 at the Johns Hopkins University applied cryptography lab led by Matthew Green. According to IEEE Spectrum, researchers say that the work underlying ZCash is very robust and sophisticated, but caution that because of its complexity there hasn’t been time yet for thorough independent vetting.