TIME cybersecurity

The Guy Who Hacked Jeep’s Truck Just Quit Twitter

[Photo: Chrysler Issues Recall On 850,000 Sport Utility Vehicles. Joe Raedle—Getty Images]

He used to work for the NSA

Last month, Wired magazine filed a report in which two hackers detailed how they were able to take control of a Jeep Cherokee SUV over the Internet. One of the hackers, Charlie Miller, was also an engineer at Twitter.

Not anymore.

Miller, who used to work at the National Security Agency and is considered one of the world’s leading experts on cybersecurity, has left the social media company, according to Reuters. He didn’t comment on what he is planning to do next.

The hack on the Cherokee caused a recall of 1.4 million vehicles. Cybersecurity for connected cars is quickly becoming one of the most important issues facing automakers.


IRS Says More Taxpayers May Have Been Hacked

[Photo: Getty Images]

The Internal Revenue Service said Monday that a hack of its computer databases was far more extensive than previously believed, with more than 300,000 taxpayer accounts now possibly affected by identity thieves.

The IRS said in May that cyber thieves used stolen Social Security numbers and other data to try to gain access to prior-year tax return data for about 225,000 U.S. households, which included 114,000 successful attempts.

But on Monday, the agency said that an additional 390,000 households were targeted, including about 220,000 “where there were instances of possible or potential access” to prior-year return data, the Wall Street Journal reports. There were also some 170,000 additional instances of “suspected attempts that failed to clear the authentication processes,” the IRS added.

The IRS said it would move quickly to notify targeted taxpayers and to offer them free credit protection. To reach a taxpayer's information, an attacker had to pass a multistep knowledge-based authentication process: supply the taxpayer's Social Security number, date of birth, tax filing status and street address, and then answer personal questions such as "What was your high school mascot?" The IRS's own May disclosure that the attackers arrived with stolen Social Security numbers and other personal data points to the weakness of that design: every factor is something the attacker can already know, so the process verifies possession of a dossier rather than identity.

The IRS said Monday it is expanding its security measures for its "Get Transcript" option, the feature which allows taxpayers to access their tax returns. "The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security for 'Get Transcript,' including by enhancing taxpayer-identity authentication protocols," the IRS said.

[WSJ]



Google Has a Stagefright Bug Fix For Android Owners

It reportedly left nearly 1 billion phones vulnerable

Stagefright, the bug that left nearly 1 billion of Google's Android phones exploitable by a single text message, has a fix.

Google announced that the bug was handled in a recent software update to its Android phones.

The security firm Zimperium found that 95% of Android phones were vulnerable to the flaw, which can be triggered by a multimedia text message the recipient never has to open. However, Google told CNBC Wednesday that 90% of Android devices were protected by an exploit mitigation called "address space layout randomization" (ASLR), which makes a working exploit harder to build rather than impossible.

Google has also said that it will update its Messenger app so that video messages no longer play automatically when previewed. That would stop a similar bug from being triggered before the user has a chance to act on the message.

For more on Stagefright, here’s a Fortune explainer on the bug.


Microsoft Is Giving More Money To Bug Hunters

[Photo: GERMANY-IT-CEBIT. Tobias Schwarz—AFP/Getty Images]

The rewards for some initiatives have been doubled

With Windows 10 recently unveiled, Microsoft says it’s boosting the amount of money it gives to bug hunters.

Researchers who submit a defensive idea alongside a qualifying mitigation bypass, under the "Bounty for Defense" initiative, can now receive up to $100,000, up from $50,000 previously, according to ZDNet.

“Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would,” the company said.

There appears to be more money to be had for other security achievements, too. Those who report authentication vulnerabilities will receive doubled rewards during a bonus period from Aug. 5 to Oct. 5, according to ZDNet.

Here's the full list of ongoing bug-hunting programs and what each pays, taken from a Microsoft blog post:

1. Online Services Bug Bounty
Start Date: 23 September 2014

Microsoft Azure services additions: 22 April 2015
Microsoft Account services additions: 5 August 2015
Timeframe: Ongoing

The Online Services Bug Bounty program gives individuals across the globe the opportunity to submit vulnerability reports on eligible Online Services (O365 and Microsoft Azure) provided by Microsoft. Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customers' environment more secure. Qualified submissions are eligible for payment from a minimum of $500 USD up to $15,000 USD.

2. Mitigation Bypass Bounty

Start Date: 26 June 2013
Timeframe: Ongoing

Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system. Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would.

3. Bounty for Defense

Start Date: 26 June 2013
Timeframe: Ongoing

Additionally, Microsoft will pay up to $100,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass submission. Doing so highlights our continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide (in conjunction with the Mitigation Bypass Bounty).


Hackers Could Go After Medical Devices Next

[Photo: A nurse programs an infusion pump. Richard Lautens—Toronto Star via Getty Images]

They could break in via a hospital’s network, authorities warn

Nothing, it seems, is safe from hackers — not Yahoo’s ad network, the federal government, or even electronic skateboards. Another item to add to the list: medical devices.

The U.S. Food and Drug Administration and the Department of Homeland Security have both issued advisories warning hospitals to stop using Hospira's Symbiq infusion system because of cyber vulnerabilities. No attack is known to have occurred, but an attacker who gained access to a hospital's network could in theory tamper with the intravenous infusion pump.

“This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA wrote in a statement.

But it's not just the Symbiq pump that has security problems. According to a WIRED report last year, security experts who studied one Midwestern medical facility chain over the course of two years found a host of security vulnerabilities. Just a few of the issues they found included "Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient's heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital's network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care."

The retirement of the Symbiq pump may only be the beginning of a landslide of recalls and added security features in the medical field.


Hackers Can Change This Sniper Rifle’s Target

Hackers can gain access when the gun's computer is connected to Wi-Fi.

Sniper rifles have gotten pretty fancy these days, but it’s those high-end gadgets that help expertly guide shots that could also be their biggest weakness.

TrackingPoint self-aiming rifles use an onboard computer with a Wi-Fi connection, which helps the shooter aim more accurately and hit the target. However, two security researchers found that the $13,000 rifle can be compromised over that Wi-Fi link when it is enabled, allowing an attacker to alter the scope's ballistic calculations so that shots land away from the intended target. An attacker could even disable the gun altogether.

The researchers, married couple Runa Sandvik and Michael Auger, plan to present the results at the Black Hat hacker conference in two weeks, but gave Wired magazine a demonstration ahead of time. In the video, you can see the two dial in changes to the scope's targeting system that send a bullet straight to their own bullseye instead of the original target.

“You can make it lie constantly to the user so they’ll always miss their shot,” Sandvik told Wired.

TrackingPoint has sold more than a thousand of its rifles since it launched in 2011. Founder John McHale said the company would release a software update to patch the vulnerability.

Read more at Wired.com.


Stagefright: Everything You Need To Know About Google’s Android Megabug

[Photo: A logo for Google Inc.'s Android operating system on an advertising sign at the Apps World Multi-Platform Developer Show in London, Oct. 23, 2013. Chris Ratcliffe—Bloomberg via Getty Images]

Here's a friendly Q&A to help you understand what happened, why it is a problem that still needs fixing, and what you can do about it.

Stagefright? What? Huh? That’s what you’ve been asking yourself ever since the Internet erupted yesterday over the announcement of a big computer bug in Google’s Android operating system.

In fact, you might still be wondering: Is my phone safe? Wait, the Internet erupted? Did it actually explode? (Is that even possible?)

Thankfully, no. I mean maybe, but as long as you’re still able to read this then I think we’re doing okay. Anyway, for those who still have questions about all the hullabaloo, Fortune has drafted a friendly Q&A to help you understand what happened, and why it is a problem that still needs fixing.

What is stage fright?

Stage fright is the nervous sensation a presenter feels before appearing publicly. (Say, for example, at a major security conference next month.)

Stagefright, on the other hand, is the nickname of a terrible Android flaw found in the open source code of Google’s Android operating system. The vulnerability, disclosed on Monday, may be the worst one to date. It puts 95% of Android devices—950 million gadgets—at risk of being hacked.

Where does the name come from?

“Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. It’s obviously a great bug name, too.

No lie. What does that media library do?

Stagefright—the library, not the bug—helps phones unpack multimedia messages. It enables Android phones to interpret MMS content (multimedia message service content), which can contain videos, photos, audio, text, as opposed to, say, SMS content (short message service content), which can contain only 160 characters. The bugs are in that library.

Wait, I thought you said Stagefright is a bug, not bugs?

Okay, okay. So Stagefright is a collection of bugs, if you want to be technical. Seven to be exact. If you want to get real technical, their designations are:

  • CVE-2015-1538,
  • CVE-2015-1539,
  • CVE-2015-3824,
  • CVE-2015-3826,
  • CVE-2015-3827,
  • CVE-2015-3828, and
  • CVE-2015-3829

But for our purposes, I’ll just refer to them collectively as Stagefright. A singular bug set; one vulnerability.
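The bugs live in the code that unpacks media containers before anything is displayed, and the first of the CVEs above, CVE-2015-1538, was an integer overflow in libstagefright's MP4 sample-table parsing. The following C example is added here to show that bug class; it is not code from Android, Google or Zimperium. The "stsc"-style box layout, the function names and the two sample boxes are this example's own constructions, chosen so that a naive size computation wraps to a tiny value while the hardened parser rejects the same bytes.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed box layout (big-endian, ISO BMFF style; an assumption of this example):
 *   uint32 size | char[4] type | uint8 version + uint24 flags | uint32 entry_count | entries...
 * Each entry is 12 bytes, as in a sample-to-chunk table. */
#define ENTRY_SIZE  12u
#define FULLBOX_HDR 16u   /* size(4) + type(4) + version/flags(4) + entry_count(4) */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the allocation size is derived from an attacker-controlled
 * count in 32-bit arithmetic. For entry_count >= 0x15555556 the product wraps,
 * so the allocation is tiny while the later copy loop still runs entry_count times. */
uint32_t vulnerable_alloc_size(uint32_t entry_count) {
    return entry_count * ENTRY_SIZE;
}

/* Hardened parse of one "stsc" box. Returns 0 on accept, a negative code on reject.
 * The count is checked against both 32-bit wraparound and the bytes the box
 * actually carries, so a lying header never reaches an allocator or a copy. */
int parse_sample_to_chunk(const uint8_t *buf, size_t len, uint32_t *out_count) {
    if (len < FULLBOX_HDR) return -1;                          /* truncated header  */
    uint32_t box_size = be32(buf);
    if (memcmp(buf + 4, "stsc", 4) != 0) return -2;            /* not the expected box */
    if (box_size < FULLBOX_HDR || box_size > len) return -3;   /* size field lies    */
    uint32_t count = be32(buf + 12);
    if (count > (UINT32_MAX - FULLBOX_HDR) / ENTRY_SIZE) return -4; /* count*12 wraps */
    uint64_t need = (uint64_t)FULLBOX_HDR + (uint64_t)count * ENTRY_SIZE;
    if (need > box_size) return -5;                            /* more entries than bytes */
    if (out_count) *out_count = count;
    return 0;
}

/* Walk a buffer of boxes and count the ones the hardened check rejects. This is
 * the shape of a pre-decode scan a messaging app or gateway could run on an
 * MMS payload before handing it to the real media library. */
int count_bad_boxes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int bad = 0;
    while (len - off >= 8) {
        uint32_t sz = be32(buf + off);
        if (sz < 8 || sz > len - off) { bad++; break; }     /* box overruns buffer */
        if (memcmp(buf + off + 4, "stsc", 4) == 0 &&
            parse_sample_to_chunk(buf + off, sz, NULL) != 0)
            bad++;
        off += sz;
    }
    return bad;
}

/* Constructed sample boxes (not captured from any real attack). */
static const uint8_t good_box[] = {
    0x00,0x00,0x00,0x1C, 's','t','s','c', 0,0,0,0,
    0x00,0x00,0x00,0x01,                 /* entry_count = 1, box_size = 16 + 12 = 28 */
    0,0,0,1, 0,0,0,1, 0,0,0,1            /* one 12-byte entry */
};
static const uint8_t evil_box[] = {
    0x00,0x00,0x00,0x10, 's','t','s','c', 0,0,0,0,
    0x80,0x00,0x00,0x01                  /* entry_count = 0x80000001, but no entries follow */
};

int main(void) {
    uint32_t n = 0;
    printf("good box: rc=%d entries=%u\n",
           parse_sample_to_chunk(good_box, sizeof good_box, &n), n);
    printf("evil box: rc=%d naive_alloc=%u bytes (0x80000001 * 12 wrapped)\n",
           parse_sample_to_chunk(evil_box, sizeof evil_box, NULL),
           vulnerable_alloc_size(0x80000001u));
    printf("bad boxes in evil buffer: %d\n", count_bad_boxes(evil_box, sizeof evil_box));
    return 0;
}
```

The evil box declares 0x80000001 entries in a 16-byte box; multiplied by 12 in 32 bits that is 12, so the naive path would allocate 12 bytes and then copy past them. The hardened path rejects the box on the overflow check before the byte-count check even runs, which is the order you want: check the arithmetic first, then check it against the data.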

Fine, that seems easier. Why should I care about it?

Well, if you’re an Android user then your device is probably vulnerable.

Is that bad?

That means an attacker can infect your device simply by sending you a malicious MMS message. (Remember that acronym? Multimedia message service.) In fact, a victim doesn't even have to open a booby-trapped message for the attack to spring. Once the message is received, your phone is toast.

Er…that doesn’t sound good.

Right. Once inside, an attacker can access your phone’s data, photos, camera, microphone. What’s worse is that a clever baddie can delete the booby-trapped message from your phone before you even realize that your device has been compromised. So basically, yeah it’s bad.

That does sound bad.

Yup. And it gets worse! Imagine this scenario: Someone attacks your phone, steals your contact list, automatically targets those devices—rinse, repeat. Now everyone’s infected.

That’s what we like to call a computer worm.

How long has this been the case?

About five years.

What?? You mean my phone has been open to attack this whole time???

Yes.

Surely, Google must have patched it by now!

You’re right! Google patched the bugs right away. The company learned about one set of vulnerabilities in April and another set in May. The person who discovered the problems—Joshua Drake, a researcher at the mobile security company Zimperium zLabs—says he provided patches, and Google adopted them within two days. (The company reportedly paid him $1,337 for his work.)

Woohoo! So I’m safe?

Nope. The problem isn’t fixed.

What? Huh? Why?

That’s because Google’s Android ecosystem relies on its partnering phone-makers to push out software upgrades. That means Samsung, HTC, LG, Lenovo, Motorola, Sony, among others, are responsible for delivering the patches to customers.

Have they done so yet?

CyanogenMod, Mozilla, and Silent Circle’s Blackphone have.

I don’t use those…

Then you’ll have to wait. The other companies have issued statements that basically say, “We’re working on it.” You can read them here.

Is there a way to test whether I’m vulnerable?

If you’re using a phone that runs on Android version 2.2 or above, you may as well assume you’re at risk. The most vulnerable phones predate Jelly Bean (version 4.1), and that accounts for about 11% of Android phones on the market.

(We’ll add a link to a test when one comes to our attention but, unfortunately, there’s nothing available yet—at least that we know of. Though it would be pretty cool if someone came up with one. Nudge nudge, wink wink.)

Why are post-Ice Cream Sandwich Android phones better off?

As Google Android’s lead security engineer explains here, that’s about the time that Google put in place some strong exploit mitigation technologies, like one called Address Space Layout Randomization. “This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit,” Adrian Ludwig writes. He goes on: “(For the layperson — ASLR makes writing an exploit like trying to get across a foreign city without access to Google Maps, any previous knowledge of the city, any knowledge of local landmarks, or even the local language. Depending on what city you are in and where you’re trying to go, it might be possible but it’s certainly much more difficult.)”

You can find a list of similar security technologies implemented since Ice Cream (version 4.0) here.

So I get that I should pressure my phone-maker to push out the fixes. What about my wireless carrier?

Well, if your wireless carrier were really cool, it could create a signature for Stagefright-based attacks and block those threats on its network. Fiat Chrysler recently worked with Sprint to make its cars much less hackable that way. Your carrier could also help make sure the fix reaches older versions of Android, too, rather than just making sure the latest version is protected. The security researcher Nicholas Weaver recently made this point on Twitter.

He suggested something similar for Google, too.

Can I do anything else to be safer?

First, ask your device manufacturer for an update: When will a patch be available and will you be covered? You might also consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Uncheck "automatically retrieve MMS messages," so a message has to be fetched deliberately rather than parsed the moment it arrives. In the meantime, consider using Snapchat or WhatsApp to swap clips, GIFs, and whatnot.

Other than that, keep your phone number private, I guess? Drake, the guy who found the flaw, plans to present more details at the Black Hat conference next month.

Okay, thanks for the tips. If I have any other questions, can I call you?

No, sorry. My phone number is private information.

Just testing you!

Ah I see what you did there, you jokester!


Arrests Made in Connection With JPMorgan Hack, Report Says

[Photo: JPMorgan Chase & Co. headquarters. Bloomberg via Getty Images]

Law enforcement officials have apprehended four out of five suspects tied to the bank's massive hack last summer

Law enforcement authorities have arrested four people in connection with last summer’s hacking of JPMorgan Chase, Bloomberg reports.

Law enforcement officials have apprehended four people—including two college friends who are graduates of Florida State University—involved in “a complex securities fraud scheme” that has been connected to the data breach, Bloomberg said. A fifth person remains at large.

Two Israeli men, Gery Shalon and Ziv Orenstein, as well as U.S. citizen Joshua S. Aaron, are among those charged with participating in a pump-and-dump plot, the report said. They allegedly used bulk emails and pre-planned trading to boost certain stock prices to their benefit.

The grand jury indictment, unsealed in Manhattan on Tuesday, according to Bloomberg, revealed that at least five stocks were manipulated in years past.

The JPMorgan data breach last summer compromised the personal information of 83 million individuals and small businesses. Following the breach, JPMorgan’s CEO Jamie Dimon said he would increase the bank’s investment in cybersecurity. A March New York Times story had hinted that investigators were getting close to making arrests.

For more information, read the developing story on Bloomberg.


Your Car Isn’t Safe From Hackers. Here’s Why

[Photo: A Jeep Cherokee. Darren McCollester—Getty Images]

Hacker carjackers are able to break into hundreds of thousands of vehicles on the road right now

The next time you’re buckled in behind the wheel, you may want to ask yourself: Am I really in control?

Two computer hackers have spent the past year cracking the digital defenses of Internet-connected vehicles. And what they’ve discovered is disturbing.

Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of vehicle safety research at the cybersecurity firm IOActive, can take over certain vulnerable automobiles with ease. The pair recently demonstrated their abilities on a Jeep Cherokee, remotely hacking into the highway-cruising vehicle from miles away, as Wired reported.

“Their code is an automaker’s nightmare,” wrote Wired reporter Andy Greenberg, who intrepidly volunteered to serve as a crash test dummy for the hacker duo. “Software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”

The remote attack could be used to compromise as many as 471,000 vehicles on the road today, the team estimates.

In 2013, the team similarly hacked other cars, such as a Ford Escape and a Toyota Prius. In those cases, however, their laptops were wired directly into a diagnostic port under the dashboard; the Jeep attack needs no physical access at all.

Miller and Valasek plan to reveal more information about how they pulled off the Jeep stunt at the Black Hat conference next month. In the meantime, all they’ve said is that the trick involves using a cellular connection to break into the car’s entertainment system through a feature called UConnect. From there, they’re able to move laterally into other electronic parts of the vehicle, such as the air conditioning, transmission, and even the car’s steering controls.

Despite the security risks, automakers are more determined than ever to win the connected car race, and to turn their vehicles into computers. (And the reverse: Apple trying to turn its computers into cars.) Recently, a dozen of the top companies such as Ford and General Motors joined a coalition to share security data to protect their latest innovations from compromise.

In these early days, though, it seems the hackers have an edge. Watch the hackers’ antics in Wired’s video here.


Ashley Madison Already Caved to Hackers’ Demands

"We apologize for this unprovoked and criminal intrusion into our customers’ information"

Ashley Madison, a dating site that enables spouses to surreptitiously arrange extramarital affairs, suspended fees for users who want to delete their accounts after hackers threatened on Monday to publicly expose millions of users.

The company insisted that the delete option, which normally carries a $19 fee, would fully wipe clean the user’s personal data.

“The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes,” the website said in an official statement.

A hacker ring identified as the Impact Team warned on Monday that it would begin leaking “credit card transactions, real names and addresses, and employee documents and emails” in order to expose “cheating dirtbags.”

Ashley Madison offered a second apology to users in a public statement released on its website on Tuesday.

“We apologize for this unprovoked and criminal intrusion into our customers’ information,” the statement read. “We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.”
