Thursday Morning: Snowed In (Get It?)

Yes, it’s a weak information security joke, but it’s all I have after shoveling out.

Michigan’s winter storm expanded and shifted last night; Marcy more than caught up on her share of snow in her neck of the woods after all.

Fortunately nothing momentous in the news except for the weather…

Carmaker Nissan’s LEAF online service w-i-d-e open to hackers
Nissan shut down its Carwings app service, which controls LEAF model’s climate control systems. Carwings allows vehicle owners to check information about their cars on a remote basis. Some LEAF owners conducted a personal audit and hacked themselves, discovering their cars were vulnerable to hacking by nearly anyone else. Hackers need only the VIN as userid and no other authentication to access the vehicle’s Carwings account. You’d think by now all automakers would have instituted two-factor authentication at a minimum on any online service.

Researcher says hardware hack of iPhone may be possible
With “considerable financial resources and acumen,” a hardware-based attack may work against iPhone’s passcode security. The researcher noted such an attempt would be very risky and could destroy any information sought in the phone. Tracing power usage could also offer another opportunity at cracking an iPhone’s passcode, but the know-how is very limited in the industry. This bit from the article is rather interesting:

IOActive’s Zonenberg, meanwhile, told Threatpost that an invasive hardware attack hack is likely also in the National Security Agency’s arsenal; the NSA has been absent from discussions since this story broke last week.

“It’s been known they have a semiconductor [fabrication] since January 2001. They can make chips. They can make software. They can break software. Chances are they can probably break hardware,” he said. “How advanced they were, I cannot begin to guess.”

The NSA has been awfully quiet about the San Bernardino shooter’s phone, haven’t they?

‘Dust Storm’: Years-long cyber attacks focused on intel gathering from Japanese energy industry
“[U]sing dynamic DNS domains and customized backdoors,” a nebulous group has focused for five years on collecting information from energy-related entities in Japan. The attacks were not limited to Japan, but attacks outside Japan by this same group led back in some way to Japanese hydrocarbon and electricity generation and distribution. ‘Dust Storm’ approaches have evolved over time, from zero-day exploits to spearfishing, and Android trojans. There’s something about this collected, focused campaign which sounds familiar — rather like the attackers who hacked Sony Pictures? And backdoors…what is it about backdoors?

ISIS threatens Facebook’s Zuckerberg and Twitter’s Dorsey
Which geniuses in U.S. government both worked on Mark Zuckerberg and Jack Dorsey about cutting off ISIS-related accounts AND encouraged revelation about this effort? Somebody has a poor grasp on opsec, or puts a higher value on propaganda than opsec.

Wonder if the same geniuses were behind this widely-reported meeting last week between Secretary of State John Kerry and Hollywood executives. Brilliant.

Case 98476302, Don’t text while walking
So many people claimed to have bumped their heads on a large statue while texting that the statue was moved. The stupid, it burns…or bumps, in this case.

House Select Intelligence Committee hearing this morning on National Security World Wide Threats.
Usual cast of characters will appear, including CIA Director John Brennan, FBI Director James Comey, National Counterterrorism Center Director Nicholas Rasmussen, NSA Director Admiral Michael Rogers, and Defense Intelligence Agency Director Lieutenant General Vincent Stewart. Catch it on C-SPAN.

Snow’s supposed to end in a couple hours, need to go nap before I break out the snow shovels again. À plus tard!

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
8 replies
  1. Howard Beale IV says:

    It goes without saying the spooks in the Puzzle Palace have already cracked the phone and its contents=but they need Apple to validate their method is successful.

  2. mzchief says:

    Re #FBiOS and for folks still using radios … @dguido ( https://twitter.com/dguido/status/702551847878443009 ) says “Physical chip decapping is some “super risky cyber-level s***” and could result in total loss of data” ( https://twitter.com/dguido/status/701543330849669120 ). Apple, “the most widely held stock among hedge funds” ( https://twitter.com/StockTwits/status/692050319920885762 ) has a long history of backdoors as I found one for Apple Developer #1x that Apple knew about and admantaly refused to fix. So, I wonder that such low-level-hardware-hacking is theater for a bigger strategy of investor confidence gaming as both bankster pet organizations ( https://twitter.com/zilhen/status/702270767959056384 ; http://www.bloomberg.com/news/articles/2016-01-27/tim-cook-we-re-seeing-extreme-conditions-unlike-anything-we-ve-experienced-before-in-the-global-economy ; en.wikipedia.org/wiki/Bridgewater_Associates ) would certainly want to obscure yet another backdoor have detected ( https://twitter.com/ioerror/status/702704205103030272 ). Meanwhile, one of the apparent two developers of Signal moves to Apple ( https://twitter.com/FredericJacobs/status/702802104960860160 ). I’m watching for this paper ( https://twitter.com/ioerror/status/702760970557509632 ).

  3. lefty665 says:

    Very punny Rayne, I like that!
    .
    Seems like a good bet that, as usual, NSA has the national technical means and FBI can’t find the bathroom without a paid informant. The FBI does have some skills with blunt instruments so they’re using All Writs to try to bludgeon Apple into being an informant.
    .
    NSA doesn’t need Apple to validate anything, the content they’ve collected speaks for itself.
    .
    We had tornadoes yesterday, I’d prefer snow.

  4. bloopie2 says:

    Dumb comment. What does “encrypted” mean? Does it mean “unchanged in form, but protected by a password” (which seems to be the current Apple issue)? I.e., in a “crypt”? Or does it mean “modified into some kind of code” (like changing letters to numbers where you have to figure out the concordance, etc. – the old secret code pens or writing, 157 becomes AEG, what they did in WWII)? Until now, I thought the latter, but I guess I am wrong as far as today’s usage of the term. Does it make a difference?

    • IAN TURNER says:

      WHAT DOES ‘ENCRYPTION’ MEAN:
      In analog phone lines–the phone was “scrambled”[mechanically the wave form was distorted in a fixed-by-hardware way]
      .
      In text messages sent by telegram (e.g.the Jan 1917 “ZIMMERMAN TELEGRAM”) the text message was “encoded” so every letter or phrase was changed using a pre-defined code book into a different–but fixed- 5-digit number which was then transmitted & “decoded” using a copy of exactly the same code book it had been “encoded”into.
      .
      .With computer devices/smartphones/cellphone/digital TVs/.MP3 music players/DVDs/CD running nothing but streams of digits through their microchips it is possible to instruct the microchips to:
      i)format the streams of digits to represent a pre-agreed piece of information–that might a human voice or a movie picture or a .pdf file….
      ii)take that stream of digits(numbers) in its predefined format-& perform on them one of several mathematical calculations.
      You could perform a fixed equation (multiply by a number perhaps) & transmit the answer of the original numbers x the equation AS AN ANSWER at the same time as you transmit the original numbers–this is often called “an error correcting code” producing a CD quality sound for example
      .
      You can ALSO perform a very complex & (often) constantly changing mathematical equation [often called AN ALGORITHM] on the original numbers(which represented sounds or images or??) & transmit the ANSWER to your calculations ONLY to the microchips in the device you are sending the digital message to.
      THAT very complex mathematical calculation is THE ENCRYPTION of your original digital numbers–because the style of calculation your microchips performed had been picked to make sure, if you did not already know the exact details of the mathematics used, you could not easily guess what the original numbers had been.
      SO ENCRYPTION is the MATHEMATICAL CHANGING of digital numbers to make it difficult to understand what the original numbers were
      .
      SCRAMBLING is the changing of an analog wave form in a fixed way by equipment so that you have to create another piece of hardware to “de-scramble”
      .
      CODE-BREAKING is the skillful guessing of what certain fixed codes must have meant before they were encoded using a code book.

  5. lefty665 says:

    Not dumb, it’s process. The phone is encrypted and the FBI apparently has no clue how to break that. The password on the phone prevents access to the decrypted contents.
    .
    WWII encryption was a little more sophisticated than simple substitution. On Enigma the rotors advanced with each letter thus changing the substitution. On the US Sig Aba the rotor stepping itself was encrypted.

  6. earlofhuntingdon says:

    Hardware hacking of IPhone? The USG over the past decade and a half has often used the Cheneyite tack of doing questionable or illegal things, getting Congress or the courts to legitimize them “going forward”, then having its past, pre-legitimation illegal or misconduct leaked under the media rubric, “Who cares now?”. The arrogance is Kissingerian.

    Let’s hope other major automakers refuse to take a LEAF out of Nissan’s playbook. Requiring only a VIN no. to access private vehicle data is intentional misconduct. The VIN is prominently displayed in several locations, notably on the dashboard. It wouldn’t take a Rain Man to come along and take down vehicle numbers, license plates, etc. and make use of them for undisclosed, illegitimate-by-definition purposes.

Comments are closed.