Essays in the Category "Computer and Information Security"
Page 10 of 32
When Hacking Could Enable Murder
Cyberthreats are changing. We’re worried about hackers crashing airplanes by hacking into computer networks. We’re worried about hackers remotely disabling cars. We’re worried about manipulated counts from electronic voting booths, remote murder through hacked medical devices and someone hacking an Internet thermostat to turn off the heat and freeze the pipes.
The traditional academic way of thinking about information security is as a triad: confidentiality, integrity and availability. For years, the security industry has been trying to prevent data theft. Stolen data is used for identity theft and other frauds. It can be embarrassing, as in the Ashley Madison breach. It can be damaging, as in the Sony data theft. It can even be a national security threat, as in the case of the Office of Personal Management data breach. These are all breaches of privacy and confidentiality…
How an Overreaction to Terrorism Can Hurt Cybersecurity
Many technological security failures of today can be traced to failures of encryption. In 2014 and 2015, unnamed hackers—probably the Chinese government—stole 21.5 million personal files of U.S. government employees and others. They wouldn’t have obtained this data if it had been encrypted.
Many large-scale criminal data thefts were made either easier or more damaging because data wasn’t encrypted: Target, T.J. Maxx, Heartland Payment Systems, and so on. Many countries are eavesdropping on the unencrypted communications of their own citizens, looking for dissidents and other voices they want to silence…
The Rise of Political Doxing
Last week, CIA director John O. Brennan became the latest victim of what’s become a popular way to embarrass and harass people on the internet. A hacker allegedly broke into his AOL account and published emails and documents found inside, many of them personal and sensitive.
It’s called doxing—sometimes doxxing—from the word “documents.” It emerged in the 1990s as a hacker revenge tactic, and has since been as a tool to harass and intimidate people, primarily women, on the internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying “I know a lot about you—like where you live and work.” Victims of doxing …
Face Facts about Internet Security
If the director of the CIA can’t keep his e-mail secure, what hope do the rest of us have—for our e-mail or any of our digital information?
None, and that’s why the companies that we entrust with our digital lives need to be required to secure it for us, and held accountable when they fail. It’s not just a personal or business issue; it’s a matter of public safety.
The details of the story are worth repeating. Someone, reportedly a teenager, hacked into CIA Director John O. Brennan’s AOL account. He says he did so by posing as a Verizon employee to Verizon to get personal information about Brennan’s account, as well as his bank card number and his AOL e-mail address. Then he called AOL and pretended to be Brennan. Armed with the information he got from Verizon, he convinced AOL customer service to reset his password…
Stealing Fingerprints
The news from the Office of Personnel Management hack keeps getting worse. In addition to the personal records of over 20 million US government employees, we’ve now learned that the hackers stole fingerprint files for 5.6 million of them.
This is fundamentally different from the data thefts we regularly read about in the news, and should give us pause before we entrust our biometric data to large networked databases.
There are three basic kinds of data that can be stolen. The first, and most common, is authentication credentials. These are passwords and other information that allows someone else access into our accounts and—usually—our money. An example would be the 56 million credit card numbers hackers …
VW Scandal Could Just Be the Beginning
Portuguese translation by Ricardo R Hashimoto
For the past six years, Volkswagen has been cheating on the emissions testing for its diesel cars. The cars’ computers were able to detect when they were being tested, and temporarily alter how their engines worked so they looked much cleaner than they actually were. When they weren’t being tested, they belched out 40 times the pollutants. Their CEO has resigned, and the company will face an expensive recall, enormous fines and worse.
Cheating on regulatory testing has a long history in corporate America. It …
Hacking Team, Computer Vulnerabilities, and the NSA
When the National Security Administration (NSA)—or any government agency—discovers a vulnerability in a popular computer system, should it disclose it or not? The debate exists because vulnerabilities have both offensive and defensive uses. Offensively, vulnerabilities can be exploited to penetrate others’ computers and networks, either for espionage or destructive purposes. Defensively, publicly revealing security flaws can be used to make our own systems less vulnerable to those same attacks. The two options are mutually exclusive: either we can help to secure both our own networks and the systems we might want to attack, or we can keep both networks vulnerable. Many, myself …
The Meanest Email You Ever Wrote, Searchable on the Internet
The doxing of Ashley Madison reveals an uncomfortable truth: In the age of cloud computing, everyone is vulnerable.
Most of us get to be thoroughly relieved that our emails weren’t in the Ashley Madison database. But don’t get too comfortable. Whatever secrets you have, even the ones you don’t think of as secret, are more likely than you think to get dumped on the Internet. It’s not your fault, and there’s largely nothing you can do about it.
Welcome to the age of organizational doxing.
Organizational doxing—stealing data from an organization’s network and indiscriminately dumping it all on the Internet—is an increasingly popular attack against organizations. Because our data is connected to the Internet, and stored in corporate networks, we are all in the potential blast-radius of these attacks. While the risk that any particular bit of data gets published is low, we have to start thinking about what could happen if a larger-scale breach affects us or the people we care about. It’s going to get a lot uglier before security improves…
Should Some Secrets Be Exposed?
Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It’s a huge trove, and already reporters are writing stories about the highly secretive government.
What Saudi Arabia is experiencing isn’t common but part of a growing trend.
Just last week, unknown hackers broke into the network of the cyber-weapons arms manufacturer Hacking Team and published 400 gigabytes of internal data, describing, among other things, its sale of Internet surveillance software to totalitarian regimes around the world…
Why We Encrypt
Bosnian translation
French translation
German translation
Hungarian translation
Persian translation
Russian translation
Spanish translation
Encryption protects our data. It protects our data when it’s sitting on our computers and in data centres, and it protects it when it’s being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives.
This protection is important for everyone. It’s easy to see how encryption protects journalists, human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects it from competitors, neighbours, and family members. It protects it from malicious attackers, and it protects it from accidents…
Sidebar photo of Bruce Schneier by Joe MacInnis.