If you carry classified government information or trade secrets as part of your job, traveling in China is risky. Hackers, whether affiliated with the government, on the payroll of competing companies, or operating alone, are a constant threat, and you generally have to assume that you are never unobserved online. But a piece in the New York Times makes it exceedingly clear just how far one has to go to get even a measure of electronic privacy and security in China:
When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
This is a philosophy that Representative Mike Rogers, chairman of the House Intelligence Committee, calls traveling “electronically naked”; Jacob Olcott, a cybersecurity expert at Good Harbor Consulting, calls it ‘Business 101’ for people involved in commerce in China. Read the NYT piece for more, but here’s one more nugget that emphasizes how dangerous, in terms of information security, it is to have any contact at all with Chinese systems:
McAfee, the security company, said that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever. “We just wouldn’t take the risk,” said Simon Hunt, a vice president.
Read more at NYT.

We’ve written before about hapless business owners practically handing hackers customers’ information by failing to observe basic computer security (Subway, we’re looking at you). But this is a security fail on a whole different level. A researcher has just revealed that about ten thousand systems controlling water plants, sewage plants, and other infrastructure are online, mostly unprotected and findable with a simple search.
(more…)
If you think of your personal computer as almost an extension of yourself, a recent federal court ruling in Colorado sounds a little disturbing. The court has ordered that a woman decrypt files on her laptop so they can be used by prosecutors against her. The woman, who is being tried for mortgage fraud, argued that this is a violation of her Fifth Amendment right to keep from testifying against herself, but the court sees the matter differently. Timothy Lee’s explanation of the problem at Ars Technica gets to the heart of it:
In previous cases, judges have drawn a distinction between forcing a defendant to reveal her password and forcing her to decrypt encrypted data without disclosing the password. The courts have held that the former forces the defendant to reveal the contents of her mind, which raises Fifth Amendment issues. But Judge Robert Blackburn has now ruled that forcing a defendant to decrypt a laptop so that its contents can be inspected is little different from producing any other kind of document.
For some, being forced to decrypt your computer and being forced to hand over your password so investigators can decrypt it themselves might not seem that different—what’s hidden behind your password might well feel as much a part of your mind as the password itself. But when you think about the precedent a ruling in the other direction might set, things get cloudier. The Department of Justice argues that if encryption is all that’s required to keep documents out of the hands of the courts, then potential child pornographers, drug smugglers, and others can refuse to hand over evidence on the grounds that it’s encrypted. Hmmm.
Another case from this week shows the difficulty of aligning the modern sense of privacy with the law. The Supreme Court ruled that sticking a GPS device on a suspect’s car to track his whereabouts, without a warrant, is unconstitutional. But the court was divided as to why, on a very important point.
(more…)
We often write about the amazing, charming, ridiculous things that 3D printers make possible: see the fabbed hermit crab shells, the space shuttle made of pureed scallops and cheese, the “pirated” Penrose Triangle. But machines that can make any physical object using only resin powder can also be turned to more nefarious ends. Security blogger Brian Krebs reports that someone has deployed at least one impressively sophisticated ATM skimmer in LA that appears to have been 3D printed. The device fits over the front of a bona fide Chase ATM. Just looking at these babies sends a chill down your spine—this person or persons knew what they were doing. Here’s more from Krebs: (more…)

On October 14, security company Symantec got word from a research lab that they’d discovered a piece of malware that looked a lot like Stuxnet, the sophisticated computer virus that made headlines last year after its anonymous designers used it to attack Iran’s nuclear program. This new malware, called Duqu by the researchers who discovered it, shares much of Stuxnet’s code, suggesting that it came from the same people who built the first virus, or at least people who had access to the source code. (more…)

Many implants like this pacemaker can receive and transmit wireless signals
What’s the News: Topping the list of things you don’t want hacked is your heart. And with 300,000 medical devices such as pacemakers and drug pumps implanted each year, many of which can be controlled through wireless signals, that might soon be a real risk for patients to consider.
To prevent such attacks, researchers from MIT and UMass Amherst are developing a jamming device that can be worn as a necklace or watch and keeps implants from receiving orders from unauthorized senders. The team will present their experiments with defibrillators [pdf], with off-the-shelf radio transmitters playing the role of the shield, at the SIGCOMM conference in Toronto.
(more…)

It wasn’t too surprising when scientists first hacked into a car using its own onboard diagnostic port—sure, it’s easy to get into a car’s electronic brain if you’re already inside the car. Now the science of car-hacking has received a digital upgrade: Researchers have gained access to modern, electronics-riddled cars from the outside. And in so doing, they’ve managed to take control of a car’s door locks, dashboard displays, and even its brakes.
The oddest part of these findings, which were presented this week to the National Academy of Science’s Committee on Electronic Vehicle Controls and Unintended Acceleration, is that they weren’t entirely intentional: It was all part of an investigation prompted by the Toyota acceleration problems, and was meant to probe the safety of electronic automotive systems. But testing those systems’ safety also uncovered some flaws.
How It Works
The researchers took a 2009 sedan (they declined to identify the make and embarrass the manufacturer) and methodically tried to hack into it using every trick they could think of. They discovered a couple of good ones.
(more…)
John Tyner missed his flight to South Dakota for a pheasant hunting trip with his father-in-law. He wasn’t late to the airport, and he didn’t get lost in the terminal. He never made it into the terminal because he wouldn’t partake in either a whole body scan or a physical pat-down of his genitals.
After arriving at the airport, Tyner was pulled aside to go through a “whole body scan,” a radiation-based machine that takes an image of your body under your clothes. He “opted out” of the scan only to realize the alternative is just as bad. He asked the TSA officer who was patting him down not to touch his privates. Actually, he said: “If you touch my junk, I’ll have you arrested.” The matter quickly escalated, according to his blog post about the incident:
She described to me that because I had opted out of the backscatter screening, I would now be patted down, and that involved running hands up the inside of my legs until they felt my groin. I stated that I would not allow myself to be subject to a molestation as a condition of getting on my flight. The supervisor informed me that it was a standard administrative security check and that they were authorized to do it. I repeated that I felt what they were doing was a sexual assault, and that if they were anyone but the government, the act would be illegal. [John Tyner's blog post]
After the incident, Tyner was escorted from the area, got a refund on his ticket, and was eventually allowed to leave the airport, but not without being threatened with a $10,000 fine for leaving without having finished the screening procedure. At his blog you can read his post about the event and see his videos (he apparently had his smartphone recording video throughout much of the incident).
(more…)