TIME Ashley Madison

CEO Of Ashley Madison Parent Company Stepping Down

Bobby Yip—Reuters Ashley Madison founder Noel Biderman poses during an interview in Hong Kong on Aug. 28, 2013.

Avid Life Media chief exec Noel Biderman quits amid hacking scandal.

A week after hackers first published stolen data from the infidelity website Ashley Madison, parent company Avid Life Media’s chief executive officer Noel Biderman has tendered his resignation.

“Effective today, Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc. (ALM) and is no longer with the company,” the company wrote in a statement. “Until the appointment of a new CEO, the company will be led by the existing senior management team.”

AshleyMadison.com has lately been at the center of a hacking scandal in which personal information for more than 30 million users—ostensible extramarital affair-seekers—became public. The data dumps have included information such as names, email addresses, sexual preferences, partial credit information, profile information, and more.

Last week, the individual or group behind the attack, known as the “Impact Team,” leaked to the dark web a cache of Biderman’s alleged email correspondences. The 197,000 messages have revealed that Biderman apparently encouraged hacking a competitor, considered buying the gay, bi-sexual and bicurious dating app Grindr, planned a proprietary wife-rating app, and wrote a script for a movie called In Bed with Ashley Madison.

As the investigation to uncover the attackers continues, reports have surfaced that some users may have committed suicide as a result of having their personal information exposed. Cybercriminals are also apparently targeting individuals listed in the Ashley Madison database for extortion schemes.

“This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees,” the Avid Life Media statement reads, regarding Biderman’s decision to step down.

The company says it is working alongside law enforcement, which has dubbed the investigation “project unicorn,” to apprehend those responsible for the data breach. Avid Life Media also says it will award tipsters $377,000 for any information leading to the arrest of the perpetrator (or perpetrators).

“We are actively adjusting to the attack on our business and members’ privacy by criminals,” the company said in the statement. “We will continue to provide access to our unique platforms for our worldwide members.”

TIME Ashley Madison

There Are Almost No Active Female Users on Ashley Madison


Most appear to be bots, fakes, or inactive accounts, a report says

The large disparity in the number of male and female accounts on the adultery website Ashley Madison is well-documented. But an analysis by Gizmodo of the massive data dump released by people who allegedly hacked the company’s website shows the number of active female users is absolutely minuscule.

Ashley Madison has about 31 million male accounts and 5.5 million female accounts. But the overwhelming majority of those female accounts appear to be bots, fakes, or inactive accounts that were hardly used in the first place, the report says. Gizmodo found that only about 1,500 of the female users had ever checked their messages on the site, while only 2,400 had ever chatted on the site, and only 9,700 had ever replied to a message.

Hackers first threatened to release personal information about Ashley Madison users in July, and then proceeded with a massive data dump earlier this month. Ashley Madison is now facing several lawsuits from several former users who say the website knew about the security vulnerabilities in its systems.

TIME cybersecurity

The Guy Who Hacked Jeep’s Truck Just Quit Twitter


He used to work for the NSA

Last month, Wired magazine filed a report in which two hackers detailed how they were able to take control of a Jeep Cherokee SUV over the Internet. One of the hackers, Charlie Miller, was also an engineer at Twitter.

Not anymore.

Miller, who used to work at the National Security Agency and is considered one of the world’s leading experts on cybersecurity, has left the social media company, according to Reuters. He didn’t comment on what he is planning to do next.

The hack on the Cherokee caused a recall of 1.4 million vehicles. Cybersecurity for connected cars is quickly becoming one of the most important issues facing automakers.

TIME Volkswagen

Volkswagen Spent Years Hiding This Huge Security Flaw


The flaw enables the theft of many luxury, keyless vehicles, report says

2015 may go down as the year when we all realized that our cars are vulnerable to hackers.

First we had a report from a U.S. Senator on the security risks facing new car owners, and then the news that Fiat had recalled 1.4 million cars to address security flaws. And this week a paper is being presented at the USENIX security conference in Washington, D.C., on a security flaw affecting “thousands of cars from a host of manufacturers,” according to a Bloomberg News report.

We could have known about these risks for some time, as the paper was actually written two years ago, but car makers like Volkswagen fought in court to keep the information private. According to Bloomberg:

“Keyless” car theft, which sees hackers target vulnerabilities in electronic locks and immobilizers, now accounts for 42 percent of stolen vehicles in London. BMWs and Range Rovers are particularly at-risk, police say, and can be in the hands of a technically minded criminal within 60 seconds.

Security researchers have now discovered a similar vulnerability in keyless vehicles made by several carmakers. The weakness – which affects the Radio-Frequency Identification (RFID) transponder chip used in immobilizers – was discovered in 2012, but carmakers sued the researchers to prevent them from publishing their findings.

TIME Autos

How the Jeep Hack Reveals Tesla’s Biggest Advantage

It's all about security

Tesla touts environmental friendliness and savings on gas costs as two of the big perks of its electric cars. But security may turn out to be a winning feature as well.

In the last few weeks, a worrying trend has emerged in which hackers have found ways to hijack control of vehicles’ onboard computers. In July, hackers were able to remotely access a Jeep Cherokee SUV through its on-board entertainment system, taking control of its steering, transmission and brakes. This week, researchers executed a similar hack into the Tesla Model S’s infotainment system; they were able to shut off the vehicle’s engine with a keystroke (the Tesla attack required physical access to the vehicle).

But the big difference between these scenarios is what happened next. Fiat Chrysler had to recall 1.4 million Jeeps that could potentially be vulnerable to the hack, but the “recall” actually amounted to mailing Jeep owners a USB stick that they could plug into their vehicle’s dashboard port in order to give the car the necessary patch. Tesla, on the other hand, was able to automatically send a patch to all its Model S vehicles on Wednesday through an over-the-air update, a method more akin to how your smartphone gets software fixes.

The advantage for Tesla here is obvious. There’s no telling how many people will actually bother plugging in Jeep’s USB stick, but it probably won’t be 1.4 million. In the Model S, drivers just click “yes” to an on-screen prompt offering a software upgrade with the fix.

As automakers race to make their vehicles behave more like smartphones, they’ll have to deal with the security risks that come along with connecting to the Internet. Tesla is a step ahead with its ability to widely distribute updates with the press of a button. But other companies are sure to follow suit quickly. Everyone from Ford to General Motors is working to bring robust over-the-air updates to their cars in the coming years.

TIME hackers

Here’s the Scary New Target Hackers Are Going After


Hack the planet, indeed

Familiar with the refrain “Hack the Planet”? Well, security researchers have made that phrase more literal.

Colby Moore, a researcher at the hacker-for-hire startup Synack, has uncovered a way to crack the global positioning system (GPS) satellite network of Globalstar, a multibillion dollar satellite communications company based in Covington, La.

Globalstar sells devices connected to its satellite network that track the locations of shipments and other goods. Since the company’s technology does not, according to Moore, encrypt data transmitted between such devices and its satellite network, a “man-in-the-middle” attacker can easily spoof the system.

In other words, a hacker can intercept communications beamed over the company’s Simplex data network, and then modify, fake, or jam them. The vulnerability could be exploited by intelligence agents, criminals, or enemy combatants to eavesdrop, steal cargo, or follow troop and supplies movements.

Moore described such systems as “kind of fundamentally broken from the get-go” in an interview with Reuters. Worse, the flaws are not easily addressable; they are architectural in nature, he said, and software patches would not fix them.

“We rely on these systems that were architected long ago with no security in mind, and these bugs persist for years and years,” Moore told Wired. “We need to be very mindful in designing satellite systems and critical infrastructure, otherwise we’re going to be stuck with these broken systems for years to come.”

Moore added that he suspects similar satellite communications systems, beyond Globalstar’s own, could be vulnerable, too.

Though Moore said he alerted Globalstar to the problems six months ago, the company has yet to take action by way of a solution.

Globalstar—which counts many companies in many critical industries among its customers, including oil and gas, shipping, military, and more—replied evasively to Fortune’s request for comment, sidestepping questions about a possible remediation plan and not confirming whether its data in transit are unencrypted:

Globalstar monitors the technical landscape and its systems to protect our customers. Our engineers would know quickly if any person or entity was hacking our system in a material way, and this type of situation has never been an issue to date.

Fortune recently wrote about how freight thieves are turning to cybercrime. This new research represents a chilling development in that trade. The research heralds a world in which products no longer “fall off the truck,” but rather entire trucks, planes, and cargo shipments can “fall off the map.”

Hack the planet, indeed.

TIME Android

Nearly 1 Billion Phones Can Be Hacked With 1 Text

Chris Ratcliffe—Bloomberg / Getty Images Google's Android platform is vulnerable to the attack.

"Stagefright" is one of the worst Android vulnerabilities to date.

So listen: Can I have your number?

Can I have it? Can I? Have it?

Um…maybe not. Actually, you should think twice before giving away your cell phone number—especially if you happen to own a phone that runs on Google’s Android operating system.

That’s the only thing a hacker needs to compromise a handset.

A mobile security researcher has uncovered a flaw that leaves as many as 95% of Android devices—that’s 950 million gadgets—exposed to attack. The computer bug, nicknamed “Stagefright” after a vulnerable media library in the operating system’s open source code, may be one of the worst Android security holes discovered to date. It affects Android versions 2.2 and on.

Should a hacker learn someone’s cell phone number, all the hacker has to do is send a malware-laced Stagefright multimedia message to an affected phone in order to steal its data and photos or to hijack its microphone and camera, among other nefarious actions. Worse yet, a user might have no idea that his or her device has been compromised.

Joshua Drake, vice president of research and exploitation at the mobile security firm Zimperium zLabs, says an attacker can delete the message before a victim has any idea.

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” he writes on his company’s blog. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”

When Drake reported the severe vulnerabilities along with potential fixes to Google in April (as well as another set in May), the company, he writes, “acted promptly and applied the patches to internal code branches within 48 hours.” That doesn’t mean the problem is resolved, however.

As Forbes reporter Thomas Fox-Brewster writes, device manufacturers will still need to push the updates out in order to safeguard their customers. Google’s major Android partners, which include phone-makers like LG, Lenovo, Motorola, Samsung, and Sony were not immediately available to comment. (Fortune will update this when we hear back.)

An HTC spokesperson responded: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”

Drake praises the security firm Silent Circle, based in Geneva, Switz., which makes the Blackphone handset, for its quick response protecting users since it released PrivatOS version 1.1.7. He also praises Mozilla, maker of the Firefox web browser, for including fixes since version 38. “We applaud these vendors for prioritizing security and releasing patches for these issues quickly.”

“This is Heartbleed for mobile,” said Chris Wysopal, chief tech and information security officer at the application security firm Veracode. These vulnerabilities “are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS.”

Drake plans to present his research at the Black Hat and Def Con security conferences in Las Vegas next month.

So, um, can I have your number?

TIME Fiat Chrysler

Jeep Hack: Fiat Recalls 1.4 Million Vehicles For Software Fix


Hackers had proved a vulnerability in the popular car's software

Fiat Chrysler automotive will recall roughly 1.4 million vehicles after it was discovered that hackers were able to remotely take control of a Jeep Cherokee SUV through vulnerabilities in its built-in software.

According to a report in USA Today, Fiat announced the recall under government pressure; it will include a software update that will prevent hackers from controlling any of the cars’ functions remotely. Only U.S. vehicles will be affected by the recall.

The vulnerability in the Cherokee’s software was first reported in Wired magazine, which detailed how two software experts were able to manipulate many of the car’s functions from miles away. According to Wired, the hackers’ code is “an automaker’s nightmare . . . that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”

Fiat says that there have been no injuries, as far as it is aware, as a result of the software vulnerability. The recall, according to USA Today, will affect the following models:

  • 2013-2015 Dodge Vipers
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes

 

TIME cybersecurity

Arrests Made in Connection With JPMorgan Hack, Report Says


Law enforcement officials have apprehended four out of five suspects tied to the bank's massive hack last summer

Law enforcement authorities have arrested four people in connection with last summer’s hacking of JPMorgan Chase, Bloomberg reports.

Law enforcement officials have apprehended four people—including two college friends who are graduates of Florida State University—involved in “a complex securities fraud scheme” that has been connected to the data breach, Bloomberg said. A fifth person remains at large.

Two Israeli men, Gery Shalon and Ziv Orenstein, as well as a U.S. citizen, Joshua S. Aaron, are among those charged with participating in a pump-and-dump plot, the report said. They allegedly used bulk emails and pre-planned trading to boost certain stock prices to their benefit.

The grand jury indictment, unsealed in Manhattan on Tuesday, according to Bloomberg, revealed that at least five stocks were manipulated in years past.

The JPMorgan data breach last summer compromised the personal information of 83 million individuals and small businesses. Following the breach, JPMorgan’s CEO Jamie Dimon said he would increase the bank’s investment in cybersecurity. A March New York Times story had hinted that investigators were getting close to making arrests.

For more information, read the developing story on Bloomberg.

TIME car hacking

Your Car Isn’t Safe From Hackers. Here’s Why

Darren McCollester—Getty Images A Jeep Cherokee.

Hacker carjackers are able to break into hundreds of thousands of vehicles on the road right now

The next time you’re buckled in behind the wheel, you may want to ask yourself: Am I really in control?

Two computer hackers have spent the past year cracking the digital defenses of Internet-connected vehicles. And what they’ve discovered is disturbing.

Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of vehicle safety research at the cybersecurity firm IOActive, can take over certain vulnerable automobiles with ease. The pair recently demonstrated their abilities on a Jeep Cherokee, remotely hacking into the highway-cruising vehicle from miles away, as Wired reported.

“Their code is an automaker’s nightmare,” wrote Wired reporter Andy Greenberg, who intrepidly volunteered to serve as a crash test dummy for the hacker duo. “Software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”

The remote attack could be used to compromise as many as 471,000 vehicles on the road today, the team estimates.

In 2013, the team similarly hacked into other cars, such as a Ford Escape and Toyota Prius. However, in those cases the two used computers that were plugged directly into the car’s dashboard.

Miller and Valasek plan to reveal more information about how they pulled off the Jeep stunt at the Black Hat conference next month. In the meantime, all they’ve said is that the trick involves using a cellular connection to break into the car’s entertainment system through a feature called UConnect. From there, they’re able to move laterally into other electronic parts of the vehicle, such as the air conditioning, transmission, and even the car’s steering controls.

Despite the security risks, automakers are more determined than ever to win the connected car race, and to turn their vehicles into computers. (And the reverse: Apple trying to turn its computers into cars.) Recently, a dozen of the top companies such as Ford and General Motors joined a coalition to share security data to protect their latest innovations from compromise.

In these early days, though, it seems the hackers have an edge. Watch the hackers’ antics in Wired’s video here.
