Digital Sovereignty & Cyber Security
From cyberwar to digital encryption, security issues to state sovereignty
Scooped by Philippe J DEWOST

Russia's Secret Intelligence Agency Hacked: 'Largest Data Breach In Its History'

Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia’s Federal Security Service. The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing. FSB is Russia’s primary security agency with parallels with the FBI and MI5, but its remit stretches beyond domestic intelligence to include electronic surveillance overseas and significant intelligence-gathering oversight. It is the primary successor agency to the infamous KGB, reporting directly to Russia’s president. A week ago, on July 13, a hacking group under the name 0v1ru$ that had reportedly breached SyTech, a major FSB contractor working on a range of live and exploratory internet projects, left a smiling Yoba Face on SyTech’s homepage alongside pictures purporting to showcase the breach. 0v1ru$ had passed the data itself to the larger hacking group Digital Revolution, which shared the files with various media outlets and the headlines with Twitter—taunting FSB that the agency should maybe rename one of its breached activities “Project Collander.” I received a link to the Digital Revolution site where an initial tranche of breached documents was “published two months ago… as part of that 7.5 terabytes.” I won’t publish the link here for obvious reasons. Digital Revolution has targeted FSB before. It is unknown how tightly the two hacking groups are linked. 
BBC Russia broke the news that 0v1ru$ had breached SyTech’s servers and shared details of contentious cyber projects, projects that included social media scraping (including Facebook and LinkedIn), targeted collection and the “de-anonymization of users of the Tor browser.” The BBC described the breach as possibly “the largest data leak in the history of Russian intelligence services.” As well as defacing SyTech’s homepage with the Yoba Face, 0v1ru$ also detailed the project names exposed: “Arion”, “Relation”, “Hryvnia,” alongside the names of the SyTech project managers. The BBC report claims that no actual state secrets were exposed.

The projects themselves appear to be a mix of social media scraping (Nautilus), targeted collection against internet users seeking to anonymize their activities (Nautilus-S), data collection targeting Russian enterprises (Mentor), and projects that seem to relate to Russia’s ongoing initiative to build an option to separate the internal internet from the world wide web (Hope and Tax-3). The BBC claims that SyTech’s projects were mostly contracted with Military Unit 71330, part of FSB’s 16th Directorate which handles signals intelligence, the same group accused of emailing spyware to Ukrainian intelligence officers in 2015. Nautilus-S, the Tor de-anonymization project, was actually launched in 2012 under the remit of Russia’s Kvant Research Institute, which comes under FSB’s remit. Russia has been looking for ways to compromise nodes within Tor’s structure to either prevent off-grid communications or intercept those communications. None of which is new news. It is believed that some progress has been made under this project.
Digital Revolution claims to have hacked the Kvant Research Institute before.

The preparatory activities for splitting off a “Russian internet” follow Russian President Vladimir Putin signing into law provisions for “the stable operation of the Russian Internet (Runet) in case it is disconnected from the global infrastructure of the World Wide Web.” The law set in train plans for an alternative domain name system (DNS) for Russia in the event that it is disconnected from the World Wide Web, or, one assumes, in the event that its politicians deem disconnection to be beneficial. Internet service providers would be compelled to disconnect from any foreign servers, relying on Russia’s DNS instead. There is nothing newsworthy in the projects exposed here; everything was known or expected. The fact of the breach itself, its scale and apparent ease, is of more note. Contractors remain the weak link in the chain for intelligence agencies worldwide—to emphasize the point, just last week, a former NSA contractor was jailed in the U.S. for stealing secrets over two decades. And the fallout from Edward Snowden continues to this day. Digital Revolution passed the information to journalists without anything being edited, removed or changed—they said. Little is known about 0v1ru$ and the group has not come forward with any comment. Neither, unsurprisingly, has FSB.
Philippe J DEWOST's insight:
Russia has a situation here

Clues in Marriott hack implicate China | Reuters


Hackers behind a massive breach at hotel group Marriott International Inc (MAR.O) left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter.

Marriott said last week that a hack that began four years ago had exposed the records of up to 500 million customers in its Starwood hotels reservation system.

Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company’s private probe into the attack.

That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing’s espionage efforts and not for financial gain, two of the sources said.

While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online.

Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood’s computer networks since 2014, said one of the sources.

Philippe J DEWOST's insight:

Still makes a low customer per citizen ratio...


The iPhone X’s Face ID can be broken with a 3D printer and a whole lot of time


Apple's Face ID is supposed to be the most secure biometric security system ever put into a smartphone. The company claims a false-positive rate of just one in a million under normal circumstances.

A Vietnamese security firm claims to have bypassed the iPhone X’s Face ID system using a silicone mask, a 3-D printed frame, and 2-D images of the eyes and mouth. It’s not a simple process, but it does mean that the iPhone X is technically defeatable.

The system starts with a 3-D printed frame that copies the underlying topography of the subject’s face. Face ID’s biggest innovation is the 3-D image scan of the user’s face that it relies on, which sets it apart from other facial recognition systems that just use a color 2-D image. To the 3-D frame, researchers added a silicone layer to resemble skin, areas of “special processing” along the forehead, and 2-D images of the subject’s eyes and mouth.

In a video, the security firm shows the mask unlocking the iPhone X on its own, as well as when placed on a person’s face.

In practice, the mask doesn’t present a threat to casual users. Any hack using the system would require a huge amount of research and preparation, which isn’t feasible for most criminals.

But for police forces executing a particularly valuable search warrant, for example, it could be possible to secretly scan a suspect’s face, make a mask, and then catch him unawares. Users can quickly disable Face ID by pressing the lock button five times in a row, but it would hypothetically be possible to steal someone’s phone and use the mask to unlock it before Face ID could be locked out.

Philippe J DEWOST's insight:

Time is of the essence:

"In practice, the mask doesn’t present a threat to casual users. Any hack using the system would require a huge amount of research and preparation, which isn’t feasible for most criminals.

But for police forces executing a particularly valuable search warrant..."


A Tesla hacked remotely by Chinese hackers

It is a risk that is becoming more and more common as cars carry ever more electronics: remote hacking. On Monday, September 19, electric car maker Tesla experienced it first-hand when a team of Chinese computer scientists took control of its Model S.

In a video posted on YouTube by the Keen Security Lab team, we see how easily the researchers were able to control almost all of the car's functions, from the turn signals and the seats through to the brake pedal.

This demonstration is all the more impressive because the car can be controlled even over a very long distance. While most of the tests take place with the Keen Security Lab team only a few meters away, the researchers were able to apply the Model S's brakes from 19 kilometers away. And this without turning on the brake lights, which multiplies the risk of collision.
Philippe J DEWOST's insight:
The challenge of the connected (autonomous) car is, beyond the necessary securing of the embedded operating systems, tied to detecting zero-day vulnerabilities and to the ability to manage a fleet and its updates. Tesla has had some experience in this area for several years and controls in-house the OS of its vehicles, zero-day bounties and over-the-air updates (which was not the case for GM last summer): will that be enough?

New Intel firmware boot verification bypass enables low-level backdoors

By replacing a PC's SPI flash chip with one that contains rogue code, an attacker can gain full, persistent access.
Philippe J DEWOST's insight:
Open sourcing may be one of the only ways to clean up such a mess.

Amazon's Alexa could be hacked by hidden commands in music


Scientists at the Ruhr-Universitaet in Bochum, Germany, have discovered a way to hide inaudible commands in audio files–commands that, while imperceptible to our ears, can take control over voice assistants. According to the researchers behind the technology, the flaw is in the very way AI is designed.

It’s part of a growing area of research known as “adversarial attacks,” which are designed to confuse deep neural networks–usually visually, as Co.Design has covered in the past–leaving them potentially vulnerable to attacks by bad-faith actors on the technology and infrastructure in our world that depends on AI to function.

In this case, the system being “attacked” by researchers at the Ruhr-Universität Bochum are personal assistants, like Alexa, Siri, or Cortana. According to Professor Thorsten Holz from the Horst Görtz Institute for IT Security, their method, called “psychoacoustic hiding,” shows how hackers could manipulate any type of audio wave–from songs and speech to even bird chirping–to include words that only the machine can hear, allowing them to give commands without nearby people noticing. The attack will sound just like a bird’s call to our ears, but a voice assistant would “hear” something very different.

Philippe J DEWOST's insight:

We had the motto "Know who you speak with"; as almost 24 percent of US households have at least one smart speaker (Nielsen study), you now should know "Who are - and not is - speaking to your Smart Speakers"...


Yahoo's 2013 hack impacted all 3 billion accounts

Last year Yahoo (now part of Oath along with AOL after its acquisition by Verizon) announced that back in 2013, hackers had stolen info covering over one billion of its accounts. Today, the combined company announced that further investigation reveals the 2013 hack affected all of its accounts that existed at the time -- about three billion. The information taken "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers."

For users being notified of the hack now, the notification is that their information is included. At the time the breach was first announced, Yahoo required everyone who had not reset their passwords since the breach to do so. According to the FAQ posted, it doesn't appear there's any new action being taken.

The announcement isn't very specific about why or how it determined the breach was so much larger -- or how it was missed in the original forensic analysis, or how this happened in the first place -- likely due to pending lawsuits over the issue.
Philippe J DEWOST's insight:
Who still has an active Yahoo! account? Oath doesn’t look like a very appropriate name for the new Verizon unit. Hope their clawback clauses are solid too...

Volkswagen security vulnerability leaves 100 million cars wide open to wireless key hacking

Over 100 million cars sold by Volkswagen since 1995 are susceptible to hacking due to security flaws in keyless entry systems, researchers have revealed.

Two UK-based computer experts at the University of Birmingham, Flavio Garcia and David Oswald, have published a paper showing how they were able to clone VW keyless systems by intercepting signals when drivers press their fobs to get into their vehicles.

"Major manufacturers have used insecure schemes over more than 20 years," the research paper asserts. Vehicles that are at risk to the attack include most Audi, VW, Seat and Skoda models sold since the mid-90s and roughly 100 million VW Group vehicles.

The landmark paper, which also included input from German engineering firm Kasper & Oswald, revealed two main vulnerabilities. The first could give hackers the ability to remotely break into nearly every car VW has sold since 2000. The second impacts 'millions' more vehicles from other makers such as Ford, Peugeot and Citroen.

As outlined in the paper, both attacks rely on "widely available" hardware that costs as little as $40 (£31), which can then be used to intercept and clone signals from victims' car fobs. Of course, at this point, cryptography becomes involved, but the experts found ways to crack that too.

"We discovered that the RKE [remote keyless entry] systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years," the researchers wrote.

Philippe J DEWOST's insight:

Beyond a bad year for Das Auto, this new episode in #carhacking shows that beyond a CDO, carmakers need real tech CTOs, and need them rather now.
