Russia launched a “sophisticated cyber attack” against the Pentagon’s Joint Staff unclassified email system, which has been shut down and taken offline for nearly two weeks. According to officials, the “sophisticated cyber intrusion” occurred sometime around July 25 and affected some 4,000 military and civilian personnel who work for the Joint Chiefs of Staff. It appears the cyber attack relied on an automated system that rapidly gathered massive amounts of data and within a minute distributed all the information to thousands of accounts on the Internet. Officials report the suspected Russian hackers coordinated the sophisticated cyber assault via encrypted accounts on social media. Source: CNBC
Another day, another car hack
Two security researchers have found a way to hack a Tesla Model S and bring the vehicle to a stop. However, the hack requires physical access to the inside of a Model S, making it difficult for any malicious hackers to pull off. Kevin Mahaffey and Marc Rogers, security experts with cloud-based services provider Cloudflare, found six vulnerabilities in the Tesla Model S, Mahaffey said. These vulnerabilities allowed the researchers—with physical access to the car’s internal computer—to gain control of the infotainment system in a Model S and perform “any action accessible to the center touch screen or Tesla’s smartphone app.” In one case, Mahaffey said, the researchers were able to turn off the car while it was driving. Tesla, which has committed to ongoing security checks, said that a patch for the vulnerabilities identified by Mahaffey and Rogers already has been sent to all vehicles via an over-the-air update. Source: CNet
Bad for business
Business identity theft—also known as corporate or commercial identity theft—occurs when criminals manipulate a business’s records and credit agency data, and use it to gain access to credit with banks and retailers. Thieves then will use those lines of credit to make big purchases (electronics, home improvement materials, gift cards, etc.), which can be easily resold. “Businesses—particularly small businesses—are a desirable and easy target for identity thieves because they don’t need that much information to impersonate a business,” Better Business Bureau CEO Kim States said. “More often than not, the information needed is publicly available for free or legally purchased.” Source: KUSA, Denver
Androids get nasty calls
A week after Stagefright bugs were revealed in Android, leaving Google phones open to one-text infection, more issues have been revealed that researchers claim allow for more single-message hacks on hundreds of millions of phones. The central problem, say Israeli researchers Ohad Bobrov and Avi Bashan, lies in the way Google’s partners use certificates to sign remote support tools. Such certificates are supposed to guarantee the authenticity of applications, allowing them to access different parts of Android. However, vulnerabilities uncovered by Bobrov and Bashan allow those certificates to be cloned and put to malicious use. Although the certificates could be revoked, this is “not the right solution” since it will mean removing official original equipment manufacturer certificates, the Check Point hackers noted. In at least two ways, this can be abused to subvert those remote access tools that are supposed to be helpful plugins for servicing phones from afar and are installed on as many as 90 percent of Android phones, Bobrov and Bashan claimed. Source: Forbes
Are we having fun yet?
Ang Cui, chief scientist at Red Balloon Security, set out to create intentional radio signals that could be used as a carrier to broadcast data to an attacker even in situations where networks were “air-gapped” from the outside world. The result of the work of his research team is Funtenna, a software exploit he demonstrated at Black Hat that can turn a device with embedded computing power into a radio-based backchannel to broadcast data to an attacker without using Wi-Fi, Bluetooth, or other known (and monitored) wireless communications channels. With seven lines of code injected into the embedded computer of an otherwise unmodified laser printer, Cui was able to turn the printer into a radio transmitter by leveraging the electrical properties of existing input and output ports on the printer. The Funtenna hack was able to create a modulated radio signal as a result of the magnetic fields created by the voltage and resulting electromagnetic waves. Source: Ars Technica
By any other name
The Internet Corporation for Assigned Names and Numbers (ICANN) issued a security warning after login credentials for the ICANN.org website were compromised. An “unauthorized person” obtained usernames/email addresses and password hashes for profile accounts created by users on ICANN.org. These profiles contain information such as public bios, interests, newsletter subscriptions, and user preferences. The organization is requiring account owners to change their passwords. Users are instructed to create new passwords by accessing the “forgot password” page next time they log in to ICANN.org. Source: Security Week
Security for everybody
Facebook’s security chief wants the Internet industry to go beyond securing the Web “for the 1 percent” and create cybersecurity defenses to work across emerging markets. Alex Stamos, a former Yahoo security executive, said he would prioritize building security solutions to protect people who do not have the benefits of the most up-to-date technology. Stamos said consumer Internet companies, such as Facebook, could not rely on the security industry to keep all their users safe. “We can’t say you’re only safe if you’re on the latest phone in a country with a great human rights record,” he said, adding that responsibility for fighting hackers has landed mainly with the private sector. Source: City A.M.