Most are shocked when I explain, usually in painful detail, just how much data is collected on you on a daily basis. And while some may opt for the normal cop-out of ‘well, I just don’t care’, you have a very serious reason to, indeed, care. The world is a dangerous place. A hell… Floyd Brown Big Tech Tyrants — American Partisan
A scenario that could happen based on what already has.
On December 4, 2017, at a little before nine in the morning, an executive at Goldman Sachs was swiping through the day’s market report in the backseat of a hired SUV heading south on the West Side Highway when his car suddenly swerved to the left, throwing him against the window and pinning a sedan and its driver against the concrete median. A taxi ran into the SUV’s rear fender and spun into the next lane, forcing a school-bus driver to slam on his brakes. Within minutes, nothing was moving from the Intrepid to the Whitney. When the Goldman exec came to, his driver swore that the crash hadn’t been his fault: The car had done it.[1]
Moments later, on the George Washington Bridge, an SUV veered in front of an 18-wheeler, causing it to jackknife across all four lanes and block traffic heading into the city. The crashes were not a coincidence. Within minutes, there were pileups on 51st Street, the southbound BQE, as far north as the Merritt Parkway, and inside the Midtown Tunnel. By nine, Canal Street was paralyzed, as was the corner of 23rd and Broadway, and every tentacle of what used to be called the Triborough Bridge. At the center of each accident was an SUV of the same make and model, but as the calls came in to the city’s 911 centers in the Bronx and Brooklyn, the operators simply chalked them up to Monday-morning road rage. No one had yet realized that New York City had just been hit by a cyberattack — or that, with the city’s water system, mass transportation, banks, emergency services, and pretty much everything else now wired together in the name of technological progress, the worst was yet to come.[2]
1. In 2015, carmakers began paying greater attention to the fact that some new vehicles, now connected to the internet, had become as hackable as laptops. In March, researchers found hackers were able to access the ignition on Audi, BMW, Ford, Honda, Hyundai, Kia, Lexus, Mazda, Mitsubishi, Nissan, Range Rover, Subaru, Toyota, and Volkswagen cars.
2. Homeland Security recently estimated that one major cyberattack — the NSA chief has said it’s a matter of “when, not if” — could cost $50 billion and cause 2,500 fatalities.
A third-year resident in the emergency room at Columbia University Medical Center in Washington Heights walked through the hospital as a television was airing images from the accident on the George Washington Bridge; that meant several crash victims would soon be heading her way. When she got to her computer, she tried logging into the network to check on the patients who were already there, but she was greeted with an error message that read WE’RE NOT LOOKING FOR BITCOIN THIS TIME.
Columbia, like major institutions across the country, had spent the past few years fighting so-called ransomware attacks, in which hackers locked a hospital or city hall or police department out of its own network until a ransom was paid.[3] Hospital security teams had gotten wise to the problem, but every network’s defenses had the same vulnerability: the people who used it.[4] For weeks, a group of hackers had been sending LinkedIn messages to employees at Columbia pretending to be recruiters from Mount Sinai. When an employee opened an attachment featuring the recruiting pitch — as ten of them did — and enabled the macros as prompted onscreen — four of them did — they unknowingly unleashed malware onto their computer and gave the hackers a beachhead. After months of lurking,[5] the hackers blocked Columbia’s doctors and nurses from accessing their network, including patient files. Doctors couldn’t access prescription records telling them which patients were scheduled to take which drugs when and resorted to improvised paper-record keeping,[6] which many of the younger doctors had never done before. In nearly every corridor, they were consulting with one another in a panic, asking how much of their own expertise was really stored in the cloud and had just disappeared.
3. In February, a hospital in L.A. paid 40 bitcoins, or about $17,000, to get back into its system. Russian hackers have even set up English-language call centers to explain to victims how to acquire and send bitcoins.
4. Hackers recently sent Pennsylvania drivers fake traffic tickets with malware, using GPS data so the tickets seemed to be from red-light cameras on their route home.
5. The average data breach is only identified five months later; hackers were allegedly inside a Ukrainian utility network for six months before shutting off electricity.
6. In March, a D.C.-area hospital system was hacked and forced to keep paper records. They got so overwhelmed they turned away cancer patients with radiation appointments.
The crowd in the waiting room swelled and grew more tense as nurses ran by patients, unable to give updates on when they might be seen. Various procedures were taking longer than they should have — one man was kept on a powerful antibiotic for several hours, with serious side effects, before a delayed lab result came back reporting that he should go off the medication — and the staff was having trouble keeping track of patients. A little before noon, a man walked into the hospital looking for his wife, whom he had dropped off early that morning for a simple surgical procedure. A few minutes later, the nurse told him that it appeared his wife had been discharged.
Most New Yorkers were proceeding with their day unaware. But the city’s head of cybersecurity[7] had begun to connect the dots: Six hospitals had already informed him that their systems had been shut down, and the city had sent out warnings to all the others. One Police Plaza had just reported that it, too, was locked out of the programs it used to dispatch officers and emergency personnel,[8] which made responding to the traffic accidents around the city that much harder.
7. New York’s first head of cybersecurity started the job earlier this year.
8. In April, Newark’s police were locked out of their computer system for three days.
After a few phone calls to friends in the private sector, the cybersecurity chief got more nervous. At the beginning of 2017, one friend told him, she had been called to investigate a mysterious occurrence at a water-treatment plant: The valves that controlled the amount of chlorine released into the water had been opening and closing with unexplained irregularity.[9] An alarm had gone off, so none of the tainted water had reached consumers, and the company’s CEO brushed off the consultant’s request to make the news public so others could prepare for similar attacks.
9. Investigators recently reported a similar incident at an undisclosed water company.
At MetroTech, New York’s cybersecurity chief pulled out the Office of Emergency Management’s 42-page booklet on how the city should react to a cyberattack — a copy of which he had printed out and stashed in his desk drawer in case his department’s own network was compromised — and was flipping from page to page when he got a call from a reporter.
At 12:30 p.m., the Times published a story reporting that “government officials” believed that the city was being hit with a wave of cyberattacks that appeared to be ongoing. A tipster claimed the hackers had caused at least a dozen car crashes and debilitated multiple hospitals and agencies — with more to come. If they could crash a car, could they crash a subway? The Times report included a line from a nurse at New York–Presbyterian who said that the initial message announcing that the network was blocked had included a link to a web page that was displaying a timer ticking down to 1 p.m. and text that read MORE PATIENTS WILL BE ARRIVING SOON.
The group of[10] European black-hat hackers[11] who launched the attack against New York had spent much of the previous decade breaking into American corporate networks — credit-card companies, hospitals, big-box retailers — mostly for profit,[12] and sometimes just because they could. When those attacks became routine, the group moved into more politically inclined hacks, both against[13] and on behalf[14] of various governments, rigging elections[15] and fomenting dissent. In the summer of 2016, the hackers received an anonymous offer of $100 million to perform a cyberattack that would debilitate a major American city. The group’s members weren’t much interested in death and destruction per se, so they declined their funder’s request for a “Cyber 9/11.”[16] But to self-identified anarchists with a reflexively nihilistic will to power, the proposition had some appeal. Causing disruption was something that had been on their minds recently, as their conversations veered toward the problems with global capitalism, the rise of technocentrism, bitcoin, and the hubris required to nominate a man like Donald Trump. Their animus got more personal when American authorities arrested a well-respected white-hat hacker who had broken into an insulin pump in order to show the dangers of connecting devices[17] without proper security. The black hats were on the opposite end of the ideological spectrum but had more empathy for their fellow hacker than they did for the American people, who, they felt, deserved a comeuppance — or at least a very loud “Fuck you.” The plan was to show how much of modern life in a city like New York could be disrupted by purely digital means. The hackers would get paid, but they also hoped their attack would dent America’s complacent faith in order and in the technology and political authority that undergirded it. As a bonus, their services would be in even greater demand.
10. Hackers are often identified by the malware they use: One group is known as Sandworm, because references to the sci-fi series ‘Dune,’ which features giant desert worms, were embedded in its code.
11. The hacker world divides into white hats, who are the good guys, and black hats, who are out to cause havoc or for personal gain.
12. According to the FBI, those hit by cyberattacks have paid more than $200 million in ransoms so far this year, compared with just $25 million in all of 2015.
13. Earlier this year, Congress was the target of a string of ransomware attacks.
14. An Italian company called Hacking Team has been criticized for offering hacking services to dozens of countries, many with poor human-rights records.
15. Andrés Sepúlveda, a Colombian hacker, recently told Bloomberg that he had helped rig elections in nine different Latin American countries, including by installing malware on campaign routers to spy on digital and phone communications.
16. Last year, a researcher claimed he had hacked into a plane’s seat-back entertainment system and could then access the cockpit controls on a Boeing jet flying from Denver to Chicago. Boeing has said this is impossible.
17. In 2014, a company tracking medical devices at more than 60 hospitals found malware in every hospital. Last year, another researcher was able to manipulate several drug-infusion pumps so he could, potentially, deliver a fatal dosage of medication.
No one had pulled off an attack of this magnitude, but it was possible to piece together a plan from various hacks that had been executed before, which, taken together, were a sort of open-source blueprint available to anyone with an interest in remote-control terrorism (and the time and manpower it required). This group was small, relatively speaking, and benign, relatively speaking. ISIS, for instance, might have a more pronounced bloodlust but not (yet) the technical capabilities; Chinese or Russian hacking operations would have many more resources and a much more sophisticated strategy that could bring even more targets, like nuclear-power plants,[18] into play.
18. It took several years for hackers allegedly working for the U.S. and Israel to develop Stuxnet, a computer worm that disabled an Iranian nuclear reactor in 2010.
These hackers decided to start with cars. The team’s members found a particular automaker’s flagship SUV especially hackable,[19] bought one to test their work (to help fund the operation, they had pulled from the millions they had made in several attacks against financial institutions, including a recent hack of the Central Bank of Bolivia[20]), and, within a month, could shut off the ignition, turn off the brakes, and cause the steering wheel to jerk to the left.
19. In 2015, for an article in Wired, two hackers in St. Louis took control of a Jeep traveling 75 mph, sprayed wiper fluid so the driver couldn’t see, then cut the transmission.
20. In February, hackers stole the credentials of several employees in the Bangladeshi Central Bank using malware that tracked keystrokes as the employees entered passwords and were then able to transfer $81 million into private accounts. (They might have stolen more had they not misspelled the word “foundation” in one of the transfers, triggering an alarm.) The underlying system of financial transactions, known as SWIFT, has since come under scrutiny after similar attempted attacks at other banks.
Read the Remainder at NY Mag
Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a “fair question” to ask how exactly the FBI caught the defendant.
But the agency is pushing back. On Monday, lawyers for the Department of Justice filed a sealed motion asking the judge to reconsider, and also provided a public declaration from an FBI agent involved in the investigation.
In short, the FBI agent says that revealing the exploit used to bypass the protections offered by the Tor Browser is not necessary for the defense and their case. The defense, in previous filings, has said they want to determine whether the network investigative technique (NIT)—the FBI’s term for a hacking tool—carried out additional functions beyond those authorised in the warrant.
DoJ attorneys have also asked to submit a filing ex parte and in camera, meaning that only the judge would be presented with evidence under the motion.
“Tsyrklevich claims that he requires access to the government’s ‘exploit’ to determine if the government ‘executed additional functions outside the scope of the NIT warrant,’” Special Agent Daniel Alfin writes. He is referring to Vlad Tsyrklevich, a malware expert held by the defense to analyse the NIT. In January, the defense did receive some of the NIT code, but not sections that would ensure that the identifier issued to the suspect’s NIT-infection was unique, and the exploit used to break into the computer.
This specific case concerns Jay Michaud, a public school administration worker from Vancouver, Washington, who was arrested in July 2015. In February 2015, the FBI seized a dark web child pornography site and ran it from their own servers for 13 days. During this time, the agency deployed a NIT against people who visited specific, child pornography threads, which grabbed their real IP address, among other technical details.
Tsyrklevich has written a declaration after analysing the parts of the NIT that have been disclosed, but the full text of that document remains under seal.
“He is wrong,” Alfin continues. “Discovery of the “exploit” would do nothing to help him determine if the government exceeded the scope of the warrant because it would explain how the NIT was deployed to Michaud’s computer, not what it did once deployed.”
Here, Alfin starts an analogy for software vulnerabilities: that of a flaw in a lock.
“In layman’s terms, an ‘exploit’ could be thought of as a defect in a lock that would allow someone with the proper tool to unlock it without possessing the key,” he writes.
“Knowing how someone unlocked the front door provides no information about what that person did after entering the house. Determining whether the government exceeded the scope of the warrant thus requires an analysis of the NIT instructions delivered to Michaud’s computer, not the method by which they were delivered.”
Alfin also claims that the identifiers attached to each NIT-infection, another point of contention for Tsyrklevich, are indeed unique.
“I have reviewed the list of unique identifiers generated during the operation and confirmed that there were in fact no duplicate identifiers generated,” Alfin adds.
NIT code has been disclosed in the past. In a 2012 case, the government provided details of its technique which turned out to involve the hacking-toolkit Metasploit. The FBI used a Flash applet to make a direct connection over the internet, instead of routing the targets’ traffic through Tor.
Peter Carr, a spokesperson for the Department of Justice, told Motherboard in an email, “We’ll decline to comment beyond our public filings.”
Read the Original Article at Motherboard
As we continue to make advancements in this technological age, vulnerabilities in our cybersecurity have become glaringly obvious.
Over the past few years there have been numerous embarrassing and potentially dangerous hacks of high-profile private businesses and government agencies, exposing the identities and financial assets of millions of American citizens to fraud and theft.
They are reporting that Wendy’s is investigating “unusual activity” that has taken place on credit cards used at their restaurants recently.
The fast food chain was alerted to the activity by banking industry sources and cybersecurity experts, as reported by Krebs on Security.
Wendy’s is now working closely with those cybersecurity experts and law enforcement officials to determine exactly what happened and who is responsible.
Read the Remainder at Conservative Tribune