7/28/2015 - Lo, Rowhammer!
July 28, 2015 – Slate
Lo, Rowhammer!
Security researchers just revealed a computer vulnerability that’s frightening, amazing, and unlike anything else.
By David Auerbach
The now-ubiquitous Heartbleed, the devastating Sony Pictures hack, the $1 billion Russian bank hack, the theft of sensitive government personnel files—one hole in a cybersecurity edifice can cause the whole thing to crash down. New reports of an Android text message vulnerability, so far unrevealed yet affecting almost a billion devices, underscore how every new computer technology seems to open up even more possibilities for hackers. Security fixes, from Chrome patches to Windows hotfixes, hold the walls in place. But what if you had a security hole you couldn’t patch?
Rowhammer.js, a new security attack revealed in a paper by security researchers Daniel Gruss, Clémentine Maurice, and Stefan Mangard, brings a truly new wrinkle to our understanding of computer vulnerabilities. “But I keep my system patched and up to date!” you might say. Rowhammer is here to tell you that’s not enough. Though the tech industry has known about the bug that Rowhammer exploits for several years, it was only this March that researchers at Google’s Project Zero revealed how it could be used by attackers.
Why is Rowhammer so scary? Because it doesn’t afflict your software but finds a weakness in your hardware, a physical problem with how current memory chips are constructed. So it doesn’t matter whether you’re using Linux, Windows, or iOS: If an Intel chip (or an AMD one, or possibly others) is inside, so is Rowhammer. Incredibly, Gruss, Maurice, and Mangard’s paper reveals how to exploit it from a simple webpage.
Chipmakers have known about Rowhammer since at least 2012. The problem affects Intel processors going back as far as 2009. Describing a remote Javascript attack using Rowhammer, Gruss, Maurice, and Mangard’s paper is a wake-up call. Previously, taking advantage of Rowhammer required local program execution on a computer—in other words, the computer already needed to be partly compromised. But now, any webpage can potentially exploit Rowhammer to arbitrarily access your data, perhaps even by gaining full control over the computer. And again, it doesn’t matter what operating system you’re using, since the problem is in the physical circuits of your memory chips. As the security researchers explain, it is “the first remote software-induced hardware-fault attack.” (read full article …)
7/20/2015 - Ransomware Threats Continue to Spread
July 20, 2015 – Government Technology
Ransomware Threats Continue to Spread, FBI Warns
By Susan Tompor, Detroit Free Press
(TNS) — Time to cue up the soundtrack from “Jaws” as the cyber-sharks circle.
We’ve read news on hackers who stole Social Security numbers and other data from more than 21 million people out of U.S. government computer systems.
And now, we’re hearing more about something called “ransomware” — the latest cyber scam that involves trying to extort money from individuals and business owners by infecting and taking control of the victim’s computer.
Ransomware isn’t just a great plot for a TV series, such as one used several months ago on “The Good Wife” on CBS. It’s a real life threat for individuals and some businesses. It’s one more reminder of why you need to back up files and should never click on links, open attachments or visit websites if you’re uncertain of their origin.
Basically, the scam artists hold your data — your photos, your music, your other computer files — hostage until you pay up.
The ransom dollars? Victims are being asked to cough up anywhere from $200 to $10,000. Often, victims are asked to use bitcoin to pay the money.
The FBI’s Internet Crime Complaint Center issued a report in late June to warn that ransomware continues to spread, typically through a threat called CryptoWall and its variants.
The FBI’s Internet Crime Complaint Center said that it received 992 CryptoWall-related complaints between April 2014 and June 2015. Victims reported losses totaling more than $18 million.
That’s just one type of ransomware.
“We have seen many more cases of ransomware, especially in the past year,” said Silka Gonzalez, president and chief executive of Enterprise Risk Management, a cybersecurity company in Coral Gables, Fla.
Targets for the scheme, she said, have included smaller law firms, small-to-medium-size entrepreneurs and others who might have less sophisticated protections in place for their computer systems. In some cases, she said, ransoms have been $20,000 to $50,000 for some small businesses. (read full article …)
7/20/2015 - We need a new version of capitalism
July 20, 2015 – Washington Post
We need a new version of capitalism for the jobless future
By Vivek Wadhwa
“There are more net jobs in the world today than ever before, after hundreds of years of technological innovation and hundreds of years of people predicting the death of work. The logic on this topic is crystal clear. Because of that, the contrary view is necessarily religious in nature, and, as we all know, there’s no point in arguing about religion.”
These are the words of tech mogul Marc Andreessen, in an e-mail exchange with me on the effect of advancing technologies on employment. Andreessen steadfastly believes that the same exponential curve that is enabling creation of an era of abundance will create new jobs faster and more broadly than before, and calls my assertions that we are heading into a jobless future a luddite fallacy.
I wish he were right, but he isn’t. And it isn’t a religious debate; it’s a matter of public policy and preparedness. With the technology advances that are presently on the horizon, not only low-skilled jobs are at risk; so are the jobs of knowledge workers. Too much is happening too fast. It will shake up entire industries and eliminate professions. Some new jobs will surely be created, but they will be few. And we won’t be able to retrain the people who lose their jobs, because, as I said to Andreessen, you can train an Andreessen to drive a cab, but you can’t retrain a laid-off cab driver to become an Andreessen. The jobs that will be created will require very specialized skills and higher levels of education — which most people don’t have. (read full article …)
7/16/2015 - Why 'Cyberwar' Is So Hard To Define
July 16, 2015 – Forbes
Why ‘Cyberwar’ Is So Hard To Define
By Lisa Brownlee
Cyberwar is currently a hot topic of discussion and debate, much of which is potentially damaging. The term “cyberwar” is too frequently casually bandied about for dramatic effect, to instill fear, or exaggerate or obfuscate grim realities.
The book There Will Be Cyberwar is a moderating and significant contribution to current cyberwar discourse. Richard Stiennon, the book’s author and renowned cybersecurity industry analyst, declares that there will be cyberwar, but first adeptly anticipates and defeats possible accusations of hyperbolic use of the term by explaining how the term “war” has been used colloquially in many contexts, including “trade war,” “currency war” and even “war of words.”
Stiennon then, unlike too many cyberwar commentators, adopts a constrained definition of the term and leads the reader on a measured, persuasive explanation of how the move to network-centric war fighting has set the stage for cyberwar. In contrast to Stiennon’s carefully considered approach that provides a definition and methodology, much public commentary is merely banter about “cyberwar,” without definition of the term and with distortions in its application, up to and including the fantastic and fictionalized.
To the detriment of informed public debate, “cyberwar” is not a defined term of art in law or legal convention. Rather, traditional law of war concepts are applied to cyber “issues” or more precisely, cyber operations. While the lack of normative guidance on the conduct of “cyberwar” may be self-evident to scholars in the field, it is not to the public. It is important for the public to begin to grapple with the intricacies of the law of war as applied to cyber operations. (read full article …)
7/9/2015 - As tech takes over, disruptions affect lives more
July 12, 2015 – Associated Press
Deepening dependency on technology raises risk of breakdowns
By Michael Liedtke and Barbara Ortutay
Technology has become so indispensable that when it breaks down, people’s lives go haywire, too.
Computer outages at United Airlines, the New York Stock Exchange and The Wall Street Journal on Wednesday delivered a reminder about our growing dependence on interconnected networks to get through each day.
For the most part, technology has worked smoothly while hatching innovations and conveniences that have made our lives easier and our jobs more productive. Computers, though, could bring more frequent headaches as they link together with billions of other electronic devices and household appliances — a phenomenon that has become known as the “Internet of things.”
This technological daisy chain will increase the complexity of the systems and raise the risks of massive breakdowns, either through an inadvertent glitch or a malicious attack.
“The problem is humans can’t keep up with all the technology they have created,” said Avivah Litan, an analyst at Gartner. “It’s becoming unmanageable by the human brain. Our best hope may be that computers eventually will become smart enough to maintain themselves.”
Technology already is controlling critical systems such as airline routes, electricity grids, financial markets, military weapons, commuter trains, street traffic lights and our lines of communications.
Now, computers are taking over other aspects of our lives as we depend on smartphones to wake us up in the morning before an app turns on the coffee pot in the kitchen for a caffeine fix that can be enjoyed in the comfort of a home kept at an ideal temperature by an Internet-connected thermostat designed to learn the occupant’s preferences.
Within the next few years, we may even be unlocking our doors with high-tech watches after being chauffeured home in robotic cars.
Technology’s relentless march demands better security measures to prevent hackers from breaking into systems and more rigid programming standards to reduce the chances of crippling outages, said Lillian Ablon, a technology researcher for the Rand Corp.
“Instead of just letting the technology rush ahead of us and then trying to catch up in terms of privacy and security, we should be baking those things into the systems from the start,” she said. “We need to be a little smarter on how we are coding things.”
The sequence of Wednesday’s outages appears to have been a fluke. Sabotage isn’t suspected, FBI Director James Comey said during an appearance before Congress.
But a domino effect may have contributed to The Wall Street Journal’s outage. Comey believes the newspaper’s website buckled after the New York Stock Exchange’s problems caused alarmed investors looking for information to swamp the Journal’s website. (read full article …)
7/9/2015 - The Reality of Cyberwar
July 9, 2015 – Politico Magazine
The Reality of Cyberwar
By P.W. Singer and August Cole
When a series of technical glitches hit companies that ranged from United to the New York Stock Exchange this week, suspicions immediately ran to a cyber attack. Was this just the beginning of something much worse? A surprise attack, the beginning of long feared “cyber war” or the “cyber Pearl Harbor”? The irony that these worries were mostly expressed online at places like Twitter was not lost on many, but it points to how deeply they have become woven into the narrative of threats that surround us. Indeed it is notable that the discourse too quickly pointed the finger at hackers, rather than al Qaeda terrorists as would have been the default a decade back.
A key challenge in this new environment of fear is that terms like “cyber war” and “cyber Pearl Harbor” are tossed around today in politics and media with as much precision as the term “war” itself. There is a massive array of cyber threats out there, ranging from the 317 million distinct pieces of malware discovered by Symantec last year to credit card theft that has hit almost every major retail firm to advanced persistent threat campaigns that have penetrated literally every major corporation and government agency.
Many repeatedly use military terms to describe this diversity. For example, after someone (ahem, China) hacked the Office of Personnel Management (OPM), stealing records of over 21.5 million citizens, outlets that ranged from mass media like USA Today to partisan outlets like Commentary and National Review magazine to true D.C. geek sites like Federal Computer Weekly all claimed that this was the “ Cyber Pearl Harbor” of the war that we are already in.
Cyber hogwash.
We are at cyberwar as much as the “War on Christmas” is an actual war.
Just as a glitch is not an attack, stealing data is not war. Dependent on the goal and target, it is crime or espionage. No one likes to have their secrets stolen, but no nation has ever in history gone to war over lost secrets.
War—the real kind of war—not the way we use the term to describe everything from anti-drug to anti-Yuletide decoration campaigns, involves two key elements, mass violence and high-level politics. That is what distinguishes it from all the other wonderful human enterprises that range from crime to spying to even terrorism. Indeed, for all the talk of “cyber terrorism” and “cyber Pearl Harbor,” terms used over a half-million times according to Google, not a single person has been directly hurt or killed by a cyber attack, ever. (Cows, meanwhile, killed 22 people in the U.S. last year.)
That we have not seen the digital face of true conflict yet, however, does mean that “cyber war will not take place” as recent academic works have claimed. The reason we have seen no cyber war in the past is that we haven’t seen actors with actual cyber capabilities go to war with each other. But as the great strategic thinker Bachman Turner would advise, “You ain’t seen nothing yet.” (read full article …)