Entries Tagged "hacking"

Hacking the Boeing 787

The news articles are pretty sensational:

The computer network in the Dreamliner’s passenger compartment, designed to give passengers in-flight internet access, is connected to the plane’s control, navigation and communication systems, an FAA report reveals.

And:

According to the U.S. Federal Aviation Administration, the new Boeing 787 Dreamliner aeroplane may have a serious security vulnerability in its on-board computer networks that could allow passengers to access the plane’s control systems.

More press.

If this is true, this is a very serious security vulnerability. And it’s not just terrorists trying to control the airplane, but the more common software flaw that causes some unforeseen interaction with something else and cascades into a bigger problem. However, the FAA document in the Federal Register is not as clear as all that. It does say:

The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate this type of system architecture or electronic access to aircraft systems that provide flight critical functions. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities that could be caused by unauthorized access to aircraft data buses and servers. Therefore, special conditions are imposed to ensure that security, integrity, and availability of the aircraft systems and data networks are not compromised by certain wired or wireless electronic connections between airplane data buses and networks.

But, honestly, this isn’t nearly enough information to work with. Normally, the aviation industry is really good about this sort of thing, and it doesn’t make sense that they’d do something as risky as this. I’d like more definitive information.

EDITED TO ADD (1/16): The FAA responds. Seems like there’s more hype than story here. Still, it’s worth paying attention to.

Posted on January 7, 2008 at 12:38 PM

U.S. Army Installing Apple Computers

Because they’re harder to hack:

Though Apple machines are still pricier than their Windows counterparts, the added security they offer might be worth the cost, says Wallington. He points out that Apple’s X Serve servers, which are gradually becoming more commonplace in Army data centers, are proving their mettle. “Those are some of the most attacked computers there are. But the attacks used against them are designed for Windows-based machines, so they shrug them off,” he says.

Posted on January 7, 2008 at 6:21 AM

Is Sears Engaging in Criminal Hacking Behavior?

Join “My SHC Community” on Sears.com, and the company will install some pretty impressive spyware on your computer:

Sears.com is distributing spyware that tracks all your Internet usage – including banking logins, email, and all other forms of Internet usage – all in the name of “community participation.” Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software (“the proxy”) on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the “community,” very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.

Here is a summary of what the software does and how it is used. The proxy:

  1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
  2. Monitors secure sessions (websites beginning with ‘https’), which may include shopping or banking sites.
  3. Records and transmits “the pace and style with which you enter information online…”
  4. Parses the header section of personal emails.
  5. May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.

    If a kid with a scary hacker name did this sort of thing, he’d be arrested. But this is Sears, so who knows what will happen to them. But what should happen is that the anti-spyware companies should treat this as the malware it is, and not ignore it because it’s done by a Fortune 500 company.

    Posted on January 3, 2008 at 11:02 AM

    Security of Adult Websites Compromised

    This article claims the software that runs the back end of either 35% or 80%-95% (depending on which part of the article you read) has been compromised, and that the adult industry is hushing this up. Like many of these sorts of stories, there’s no evidence that the bad guys have the personal information database. The vulnerability only means that they could have it.

    Does anyone know about this?

    Slashdot thread.

    Posted on December 28, 2007 at 7:54 AM

    Chinese Hackers

    Time Magazine article on Chinese hackers:

    But reports in Chinese newspapers suggest that the establishment of a cybermilitia is well under way. In recent years, for example, the military has engaged in nationwide recruiting campaigns to try to discover the nation’s most talented hackers. The campaigns are conducted through competitions that feature large cash prizes, with the PLA advertising the challenges in local newspapers.

    Tan is a successful graduate of this system. He earned $4,000 in prize money from hacker competitions, enough to make him worthy of a glowing profile in Sichuan University’s campus newspaper. Tan told the paper that he was at his happiest “when he succeeds in gaining control of a server” and described a highly organized selection and training process that aspiring cybermilitiamen (no cyberwomen, apparently) undertake. The story details the links between the hackers and the military. “On July 25, 2005,” it said, “Sichuan Military Command Communication Department located [Tan] through personal information published online and instructed him to participate in the network attack/defense training organized by the provincial military command, in preparation for the coming Chengdu Military Command Network Attack/Defense Competition in September.” (The State Council Information Office didn’t respond to questions about Tan, and China’s Foreign Ministry denies knowing about him.)

    With the help of experts from Sichuan University, the story continued, Tan’s team won the competition and then had a month of intense training organized by the provincial military command, simulating attacks, designing hacking tools and drafting network-infiltration strategies. Tan was then chosen to represent the Sichuan Military Command in competition with other provinces. His team won again, after which, the iDefense reports say, he founded the NCPH and acquired an unidentified benefactor (“most likely the PLA”) to subsidize the group’s activities to the tune of $271 a month.

    Posted on December 14, 2007 at 11:08 AM

    Dan Egerstad Arrested

    I previously wrote about Dan Egerstad, a security researcher who ran a Tor anonymity network and was able to sniff some pretty impressive usernames and passwords.

    Swedish police arrested him:

    About 9am Egerstad walked downstairs to move his car when he was accosted by the officers in a scene “taken out of a bad movie”, he said in an email interview.

    “I got a couple of police IDs in my face while told that they are taking me in for questioning,” he said.

    But not before the agents, who had staked out his house in undercover blue and grey Saabs (“something that screams cop to every person in Sweden from miles away”), searched his apartment and confiscated computers, CDs and portable hard drives.

    “They broke my wardrobe, short cutted my electricity, pulled out my speakers, phone and other cables having nothing to do with this and been touching my bookkeeping, which they have no right to do,” he said.

    While questioning Egerstad at the station, the police “played every trick in the book, good cop, bad cop and crazy mysterious guy in the corner not wanting to tell his name and just staring at me”.

    “Well, if they want to try to manipulate, I can play that game too. [I] gave every known body signal there is telling of lies … covered my mouth, scratched my elbow, looked away and so on.”

    No charges have been filed. I’m not sure there’s anything wrong with what he did.

    Here’s a good article on what he did; it was published just before the arrest.

    Posted on November 16, 2007 at 2:27 PM

    Al Qaeda Hacker Attack to Begin Sunday

    At least that’s what they said two weeks ago:

    On Sunday, Nov. 11, al Qaeda’s electronic experts will start attacking Western, Jewish, Israeli, Muslim apostate and Shiite Web sites. On Day One, they will test their skills against 15 targeted sites and expand the operation from day to day thereafter until hundreds of thousands of Islamist hackers are in action against untold numbers of anti-Muslim sites.

    I think this is nonsense. We’ll see who’s right next week.

    Posted on November 9, 2007 at 6:44 AM

    Targeted Phishing from Salesforce.com Leak

    From Slashdot:

    Salesforce.com has finally acknowledged what security experts have suspected for weeks: that a Salesforce.com employee had his company credentials stolen in a phishing scam, and criminals have been using names and e-mail addresses from Salesforce’s customer list to conduct other highly targeted phishing attacks, including the recent round of fake e-mails apparently from the Federal Trade Commission.” In such highly targeted attacks, the AV companies are at a loss—they have little chance of quickly developing signatures for threats that only reach a few thousand victims.

    Posted on November 8, 2007 at 7:33 AM

    World Series Ticket Website Hacked?

    Maybe:

    The Colorado Rockies will try again to sell World Series tickets through their Web site starting on Tuesday at noon.

    Spokesman Jay Alves said tonight that the failure of Monday’s ticket sales happened because the system was brought down today by an “external malicious attack.”

    There was a presale that “went well”:

    The Colorado Rockies had a chance Sunday to test their online-sales operation in advance.

    Season-ticket holders who had previously registered were able to log in with a special password to buy extra tickets.

    Alves said the presale went well, with no problems.

    But some people found glitches, such as being told to “enable cookies” and to set their computer security to the “lowest level.” And some fans couldn’t log in at all.

    Alves explained that those who saw a “page cannot be displayed” message had “IP addresses that we blocked due to suspicious/malicious activity to our website during the last 24 to 48 hours. As an example, if several inquiries came from a single IP address they were blocked.”

    Certainly scalpers have an incentive to attack this system.

    EDITED TO ADD (10/28): The FBI is investigating.

    Posted on October 25, 2007 at 11:52 AM

    Sidebar photo of Bruce Schneier by Joe MacInnis.