TIME cybersecurity

Hackers Can Change This Sniper Rifle’s Target

Hackers can gain access when the gun's computer is connected to Wi-Fi.

Sniper rifles have gotten pretty fancy these days, but it’s those high-end gadgets that help expertly guide shots that could also be their biggest weakness.

TrackingPoint self-aiming rifles work by using a computer connected to Wi-Fi, which helps the shooter aim more accurately and hit the target. However, two security researchers found that the $13,000 rifle can be compromised, allowing a hacker to recalibrate the scope’s calculation so the shots land away from the intended target. A cyber attacker could even disable the gun altogether.

The researchers, married couple Runa Sandvik and Michael Auger, plan to present the results at the Black Hat hacker conference in two weeks, but gave Wired magazine a demonstration ahead of time. In the video, you can see the two dial in changes to the scope’s targeting system that send a bullet straight to their own bullseye instead of the original target.

“You can make it lie constantly to the user so they’ll always miss their shot,” Sandvik told Wired.

TrackingPoint has sold more than a thousand of its rifles since it launched in 2011. Founder John McHale said the company would release a software update to patch the vulnerability.

Read more at Wired.com.

TIME Android

Stagefright: Everything You Need To Know About Google’s Android Megabug


Here's a friendly Q&A to help you understand what happened, why it is a problem that still needs fixing, and what you can do about it.

Stagefright? What? Huh? That’s what you’ve been asking yourself ever since the Internet erupted yesterday over the announcement of a big computer bug in Google’s Android operating system.

In fact, you might still be wondering: Is my phone safe? Wait, the Internet erupted? Did it actually explode? (Is that even possible?)

Thankfully, no. I mean maybe, but as long as you’re still able to read this then I think we’re doing okay. Anyway, for those who still have questions about all the hullabaloo, Fortune has drafted a friendly Q&A to help you understand what happened, and why it is a problem that still needs fixing.

What is stage fright?

Stage fright is the nervous sensation a presenter feels before appearing publicly. (Say, for example, at a major security conference next month.)

Stagefright, on the other hand, is the nickname of a terrible Android flaw found in the open source code of Google’s Android operating system. The vulnerability, disclosed on Monday, may be the worst one to date. It puts 95% of Android devices—950 million gadgets—at risk of being hacked.

Where does the name come from?

“Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. It’s obviously a great bug name, too.

No lie. What does that media library do?

Stagefright—the library, not the bug—helps phones unpack multimedia messages. It enables Android phones to interpret MMS content (multimedia message service content), which can contain videos, photos, audio, text, as opposed to, say, SMS content (short message service content), which can contain only 160 characters. The bugs are in that library.

Wait, I thought you said Stagefright is a bug, not bugs?

Okay, okay. So Stagefright is a collection of bugs, if you want to be technical. Seven to be exact. If you want to get real technical, their designations are:

  • CVE-2015-1538,
  • CVE-2015-1539,
  • CVE-2015-3824,
  • CVE-2015-3826,
  • CVE-2015-3827,
  • CVE-2015-3828, and
  • CVE-2015-3829

But for our purposes, I’ll just refer to them collectively as Stagefright. A singular bug set; one vulnerability.

Fine, that seems easier. Why should I care about it?

Well, if you’re an Android user then your device is probably vulnerable.

Is that bad?

That means an attacker can infect your device simply by sending you a malicious MMS message. (Remember that acronym? Multimedia message service.) In fact, a victim doesn’t even have to open a booby-trapped message for the attack to spring. Once the message is received, your phone is toast.

Er…that doesn’t sound good.

Right. Once inside, an attacker can access your phone’s data, photos, camera, microphone. What’s worse is that a clever baddie can delete the booby-trapped message from your phone before you even realize that your device has been compromised. So basically, yeah it’s bad.

That does sound bad.

Yup. And it gets worse! Imagine this scenario: Someone attacks your phone, steals your contact list, automatically targets those devices—rinse, repeat. Now everyone’s infected.

That’s what we like to call a computer worm.

How long has this been the case?

About five years.

What?? You mean my phone has been open to attack this whole time???

Yes.

Surely, Google must have patched it by now!

You’re right! Google patched the bugs right away. The company learned about one set of vulnerabilities in April and another set in May. The person who discovered the problems—Joshua Drake, a researcher at the mobile security company Zimperium zLabs—says he provided patches, and Google adopted them within two days. (The company reportedly paid him $1,337 for his work.)

Woohoo! So I’m safe?

Nope. The problem isn’t fixed.

What? Huh? Why?

That’s because Google’s Android ecosystem relies on its partnering phone-makers to push out software upgrades. That means Samsung, HTC, LG, Lenovo, Motorola, Sony, among others, are responsible for delivering the patches to customers.

Have they done so yet?

CyanogenMod, Mozilla, and Silent Circle’s Blackphone have.

I don’t use those…

Then you’ll have to wait. The other companies have issued statements that basically say, “We’re working on it.” You can read them here.

Is there a way to test whether I’m vulnerable?

If you’re using a phone that runs on Android version 2.2 or above, you may as well assume you’re at risk. The most vulnerable phones predate Jelly Bean (version 4.1), and that accounts for about 11% of Android phones on the market.

(We’ll add a link to a test when one comes to our attention but, unfortunately, there’s nothing available yet—at least that we know of. Though it would be pretty cool if someone came up with one. Nudge nudge, wink wink.)

Why are post-Ice Cream Android phones better off?

As Google Android’s lead security engineer explains here, that’s about the time that Google put in place some strong exploit mitigation technologies, like one called Address Space Layout Randomization. “This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit,” Adrian Ludwig writes. He goes on: “(For the layperson — ASLR makes writing an exploit like trying to get across a foreign city without access to Google Maps, any previous knowledge of the city, any knowledge of local landmarks, or even the local language. Depending on what city you are in and where you’re trying to go, it might be possible but it’s certainly much more difficult.)”

You can find a list of similar security technologies implemented since Ice Cream (version 4.0) here.

So I get that I should pressure my phone-maker to push out the fixes. What about my wireless carrier?

Well, if your wireless carrier was real cool, it could create a signature for Stagefright-based attacks, and block those threats on its network. Fiat Chrysler recently worked with Sprint to make its cars much less hackable that way. Your carrier could also help make sure the fix works for older versions of Android, too, rather than just making sure the latest version is protected. The security researcher Nicholas Weaver recently made this point on Twitter.

He suggested something similar for Google, too.

Can I do anything else to be safer?

First, ask your device manufacturer for an update: When will a patch be available and will you be covered? You might also consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Un-click “automatically retrieve MMS messages.” In the meantime, consider using Snapchat or WhatsApp to swap clips, GIFs, and whatnot.

Other than that, keep your phone number private, I guess? Drake, the guy who found the flaw, plans to present more details at the Black Hat conference next month.

Okay, thanks for the tips. If I have any other questions, can I call you?

No, sorry. My phone number is private information.

Just testing you!

Ah I see what you did there, you jokester!

TIME cybersecurity

Arrests Made in Connection With JPMorgan Hack, Report Says


Law enforcement officials have apprehended four out of five suspects tied to the bank's massive hack last summer

Law enforcement authorities have arrested four people in connection with last summer’s hacking of JPMorgan Chase, Bloomberg reports.

Law enforcement officials have apprehended four people—including two college friends who are graduates of Florida State University—involved in “a complex securities fraud scheme” that has been connected to the data breach, Bloomberg said. A fifth person remains at large.

Two Israeli men, Gery Shalon and Ziv Orenstein, as well as U.S. citizen Joshua S. Aaron, are among those charged with participating in a pump-and-dump plot, the report said. They allegedly used bulk emails and pre-planned trading to boost certain stock prices to their benefit.

The grand jury indictment, unsealed in Manhattan on Tuesday, according to Bloomberg, revealed that at least five stocks were manipulated in years past.

The JPMorgan data breach last summer compromised the personal information of 83 million individuals and small businesses. Following the breach, JPMorgan’s CEO Jamie Dimon said he would increase the bank’s investment in cybersecurity. A March New York Times story had hinted that investigators were getting close to making arrests.

For more information, read the developing story on Bloomberg.

TIME car hacking

Your Car Isn’t Safe From Hackers. Here’s Why


Hacker carjackers are able to break into hundreds of thousands of vehicles on the road right now

The next time you’re buckled in behind the wheel, you may want to ask yourself: Am I really in control?

Two computer hackers have spent the past year cracking the digital defenses of Internet-connected vehicles. And what they’ve discovered is disturbing.

Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of vehicle safety research at the cybersecurity firm IOActive, can take over certain vulnerable automobiles with ease. The pair recently demonstrated their abilities on a Jeep Cherokee, remotely hacking into the highway-cruising vehicle from miles away, as Wired reported.

“Their code is an automaker’s nightmare,” wrote Wired reporter Andy Greenberg, who intrepidly volunteered to serve as a crash test dummy for the hacker duo. “Software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”

The remote attack could be used to compromise as many as 471,000 vehicles on the road today, the team estimates.

In 2013, the team similarly hacked into other cars, such as a Ford Escape and Toyota Prius. However, in those cases the two used computers that were plugged directly into the car’s dashboard.

Miller and Valasek plan to reveal more information about how they pulled off the Jeep stunt at the Black Hat conference next month. In the meantime, all they’ve said is that the trick involves using a cellular connection to break into the car’s entertainment system through a feature called UConnect. From there, they’re able to move laterally into other electronic parts of the vehicle, such as the air conditioning, transmission, and even the car’s steering controls.

Despite the security risks, automakers are more determined than ever to win the connected car race, and to turn their vehicles into computers. (And the reverse: Apple trying to turn its computers into cars.) Recently, a dozen of the top companies such as Ford and General Motors joined a coalition to share security data to protect their latest innovations from compromise.

In these early days, though, it seems the hackers have an edge. Watch the hackers’ antics in Wired’s video here.

TIME

Ashley Madison Already Caved to Hackers’ Demands

"We apologize for this unprovoked and criminal intrusion into our customers’ information"

Ashley Madison, a dating site that enables spouses to surreptitiously arrange extramarital affairs, suspended fees for users who want to delete their accounts, after hackers threatened to publicly expose millions of users on Monday.

The company insisted that the delete option, which normally carries a $19 fee, would fully wipe clean the user’s personal data.

“The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes,” the website said in an official statement.

A hacker ring identified as the Impact Team warned on Monday that it would begin leaking “credit card transactions, real names and addresses, and employee documents and emails” in order to expose “cheating dirtbags.”

Ashley Madison offered a second apology to users in a public statement released on its website on Tuesday.

“We apologize for this unprovoked and criminal intrusion into our customers’ information,” the statement read. “We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.”

TIME Ashley Madison

Data Breach Aside, Your Ashley Madison Affair Was Never a Secret

A flaw in the site's 'password reset' form could be the culprit

Worried you might be outed as a cheater in the data breach at Ashley Madison?

Turns out the extramarital affairs site, which bills itself as the “world’s leading married dating service for discreet encounters,” had leaky lips anyway. Information about who had an account wasn’t exactly hidden. Or rather, not hidden well.

Troy Hunt, a developer who specializes in security and who runs the site “Have I Been Pwned?”, revealed a flaw affecting the site in a blog post on Monday. The weakness, easily exploited, gave away whether an email address was contained in the site’s database or not; from there, one could infer who may have registered an account on the site.

The flaw affected Ashley Madison’s “password reset” form, a common Achilles heel in web security. Here’s how it worked: If you had submitted the email address of a registered account through that form, the request would trigger a certain message. Submit an email address not associated with an account, and that message would change.

So, an invalid email address returned one screen, and a valid email address returned a different one. The difference? The invalid email address message contains a text box and a “send” button:

[Image: Ashley Madison - invalid password reset]

The valid email address message excludes those details:

[Image: Ashley Madison - valid password reset]

What this means is that anyone who knows your email address could easily check whether you had registered an account on the site.
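The password-reset behavior described above, modeled as an added example that is not code from Ashley Madison or from Hunt's post: a handler whose page differs by account existence, a variant that returns the same page either way, and a regression check that compares the two responses. The handler names, messages and sample addresses are constructed for illustration.

```python
import re
import secrets

# Constructed sample data: accounts of a hypothetical site.
REGISTERED = {"alice@example.com", "bob@example.com"}


def _page(message: str, with_form: bool) -> str:
    """Render a reset page; every render carries a fresh anti-CSRF token."""
    html = f"<p>{message}</p><input type='hidden' name='csrf' value='{secrets.token_hex(8)}'>"
    if with_form:
        html += "<input name='email'><button>Send</button>"
    return html


def reset_leaky(email: str) -> dict:
    """Pattern described in the article: the page depends on account existence."""
    if email.lower() in REGISTERED:
        return {"status": 200, "body": _page("Reset email sent.", with_form=False)}
    # Unknown address: the text box and send button are rendered again.
    return {"status": 200, "body": _page("Reset email sent.", with_form=True)}


def reset_uniform(email: str, outbox: list) -> dict:
    """Hardened variant: identical page either way; only the mailbox owner learns more."""
    if email.lower() in REGISTERED:
        outbox.append((email.lower(), secrets.token_urlsafe(32)))
    return {
        "status": 200,
        "body": _page("If that address has an account, a reset link is on its way.", with_form=False),
    }


def _normalize(response: dict) -> tuple:
    """Drop per-request noise (the CSRF value) so only real differences remain."""
    body = re.sub(r"(name='csrf' value=')[0-9a-f]+", r"\1X", response["body"])
    return (response["status"], body)


def leaks_membership(handler, registered: str, unregistered: str) -> bool:
    """Regression check: True if the two responses can be told apart."""
    return _normalize(handler(registered)) != _normalize(handler(unregistered))
```

The page body is only one channel; status codes, redirects and response time need the same uniform treatment.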

There is, of course, an easy way to avoid detection: Create a bogus email address and use that to register an account on the site.

“[H]ere’s the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable,” said Hunt. Putting aside the morality of the site in question for a moment, Hunt writes: “If you want a presence on sites that you don’t want anyone else knowing about, use an email alias not traceable back to yourself or an entirely different account altogether.”

I would take that truism one step further: always assume anything you do on the Web is discoverable—unless you’re taking some serious operational security measures to remain hidden, such as anonymizing Internet routing services, encryption, aliases, etc.

By the time Fortune tested out the flaw to verify its authenticity, the issue appeared to have been resolved.

A spokesperson for Avid Life Media, the company that owns Ashley Madison, declined to comment.

TIME cybersecurity

Want Free Airline Flights? Hack Into United

United is using free miles as an incentive to uncover security flaws in its systems.

United on Thursday said that it had awarded millions of frequent flier miles to unlikely recipients: hackers.

The airline, in an effort to ramp up its web security, offered “bug bounties” to hackers who uncovered cyber risks within its systems. United wants helpful hackers to find the weaknesses before malicious ones do.

United first announced the program in May and told Reuters on Thursday that it has twice paid out its maximum award worth 1 million miles to individuals who flagged security flaws. One million miles can be cashed in for dozens of free domestic flights on the airline.

To receive the free miles, hackers must be the first to discover a bug and notify United of it, according to the airline’s website.

Jordan Wiens, who researches cyber vulnerabilities, tweeted last week that he was the recipient of one of the 1 million mile awards.

 

TIME

Director of Hacked Federal Agency Says She Won’t Resign


"I am committed to the work that I am doing," Office of Personnel Management director Katherine Archuleta said

The director of the Office of Personnel Management said Thursday she will not resign, despite the newly widened scope of the massive breach of federal government data.

An internal investigation released Thursday revealed that the social security numbers of 21.5 million individuals and 1.1 million fingerprints were stolen — higher than previously reported — along with the personnel data on 4.2 million individuals that was previously reported stolen.

Among the 21.5 million people were employees and applicants who had submitted information to the OPM, which is essentially the human resources department of the federal government, for background checks and their friends and relatives like spouses and “co-habitants.”

Lawmakers on Capitol Hill had already been calling for director Katherine Archuleta to resign from her post in the wake of the massive breach, first reported in June about a month after officials discovered the system had been compromised. Those calls will only get louder with these new revelations.

But Archuleta said she would continue leading the agency despite the revelations. “I am committed to the work that I am doing at OPM,” she told reporters on a conference call Thursday. “We are working very hard not only at OPM but across government to ensure the cybersecurity of all of our systems and I will continue to do so.”

She said it was under her watch that a new information technology plan was implemented at OPM, and it was that plan that led the staff to identify the recent breach.

“It is because of the efforts of OPM and its staff that we’ve been able to identify the breaches that you’ve described,” Archuleta said. “We have a very aggressive push to enhance our cybersecurity and modernize our systems and we’ll continue to do so.”

Federal officials are now conducting a comprehensive review of security systems across the federal government to identify remaining vulnerabilities.

TIME cybersecurity

Massive Federal Data Breach Affects 7% of Americans

That's 21.5 million people.

The U.S. Office of Personnel Management announced Thursday that a massive data breach—one that targeted its security clearance system—compromised the sensitive information of 21.5 million people, including social security numbers for current and former federal workers, contractors, friends, and families, the agency said. As many as 19.5 million of those people had applied for security clearances.

In June, the office had disclosed an earlier breach affecting 4.2 million such workers, which included performance reviews as well as social security numbers for federal employees.

The second breach, OPM director Katherine Archuleta told Congress, began in May 2014 and was not discovered until a year later. Two federal worker unions have filed lawsuits against the office so far.

Many U.S. officials believe the breach was the work of Chinese attackers. Although that remains unconfirmed, Director of National Intelligence James Clapper and others have implicated the country.

At a hearing before the Senate Judiciary Committee this week, FBI Director James Comey said that his files were compromised in the hack. He described the breach as “enormous” in size without revealing further details, though in June he had reportedly told Senators in a classified meeting that the hack may have affected 18 million Americans.

On July 4, Archuleta had intimated in a blog post that an updated figure for the size of the breach might be forthcoming this week. “Thanks to the tireless efforts of my team at OPM and our inter-agency partners, we also have made progress in the investigation into the attacks on OPM’s background information systems,” she wrote. “We hope to be able to share more on the scope of that intrusion next week, and in the coming weeks, we will be working hard to issue notifications to those affected.”

Jason Chaffetz, chairman of the House Oversight Committee, has been vocal in calling for the ouster of Archuleta. He posted a series of tweets about the number of people affected by the breach.

TIME cybersecurity

U.S. Intelligence Chief Points Finger at China for Data Hack


Large data breach left millions of Social Security numbers exposed

The most senior U.S. intelligence official has openly implicated China in a large hack of U.S. government data.

James Clapper, the U.S. Director of National Intelligence, said Thursday that China was a “leading suspect” in a recent security breach that saw millions of personnel records of Americans stolen from government computers.

Previously, U.S. officials hadn’t named a suspect for the breach, which was disclosed in early June. Clapper mentioned China at an intelligence conference in Washington, D.C. “You have to kind of salute the Chinese for what they did,” he said, noting the difficulty of the attack.

Earlier this year Barack Obama signed an executive order that grants the Treasury greater ability to impose sanctions on countries that conduct cyberattacks against the U.S. China has denied involvement in the attack, which may have exposed as many as 18 million Social Security numbers.

[WSJ]
