We’ve got a major collection today, including some items revealing how our phones, cars, planes, and more are increasingly vulnerable to government, corporate, and other hackers, the latest developments in Asia’s Game of Zones, and a whole lot more. . .
We open with the newest phase of America’s endless wars — call it Iraq.3.0 — via the New York Times:
U.S. Warplanes Strike Militants in Iraq
The United States on Friday afternoon launched a second round of airstrikes on Sunni militants in northern Iraq, sending four Navy fighter jets to strike eight targets around Erbil, according to Pentagon officials.
The attacks came hours after an initial wave of strikes by military aircraft and armed drones, escalating the American involvement in Iraq a day after President Obama announced that the United States military was returning to a direct combat role in the country it left in 2011.
Military officials said they believed that the second round of attacks resulted in a number of casualties among the militants with the Islamic State in Iraq and Syria. The Navy fighters launched from the aircraft carrier George H. W. Bush, which has been deployed in the Arabian Sea.
Earlier Friday, two F-18 fighters dropped 500-pound laser-guided bombs on a mobile artillery target that had just begun shelling Erbil, Pentagon officials said. A senior military official said on Friday that the artillery unit hit in the earlier bombing was being towed by a truck toward Erbil.
The Associated Press has some context:
Iraq official: Militants hold 100s of Yazidi women
Hundreds of women from the Yazidi religious minority have been taken captive by Sunni militants with “vicious plans,” an Iraqi official said Friday, further underscoring the dire plight of Iraq’s minorities at the hands of the Islamic State group.
Kamil Amin, the spokesman for Iraq’s Human Rights Ministry, said hundreds of Yazidi women below the age of 35 are being held in schools in Iraq’s second largest city, Mosul. He said the ministry learned of the captives from their families.
“We think that the terrorists by now consider them slaves and they have vicious plans for them,” Amin told The Associated Press. “We think that these women are going to be used in demeaning ways by those terrorists to satisfy their animalistic urges in a way that contradicts all the human and Islamic values.”
While the London Daily Mail rattles sabers:
TWO retired four-star generals blast Obama for failing to use ‘decisive’ force in Iraq with ‘pinprick’ attacks for ‘political posturing’
- Retired Gen. Barry McCaffrey laid into Obama on Friday, saying bombing runs against ISIS positions are political posturing
- ‘These are political gestures using military power,’ he said, lamenting the president’s lack of commitment to a full-blown military campaign
- Obama ran for president on a platform of getting US military out of Iraq but began bombing runs Friday morning in the country’s northern region
- White House Press Secretary Josh Earnest assured reporters on Friday that a ground-troop incursion is out of the question
- GOP critics are hammering the White House for not being more aggressive
- House Speaker John Boehner said the White House has an ‘ongoing absence of a strategy for countering the grave threat ISIS poses’
- Obama underestimated ISIS in January, telling The New Yorker that ‘If a jayvee team puts on Lakers uniforms that doesn’t make them Kobe Bryant’
CNBC raises an ironic question:
Will US airstrikes target US-supplied weapons?
As American pilots fly new airstrikes over northern Iraq Friday, they’ll see some very familiar weaponry in the hands of Islamic State forces: Humvees, MRAP transports, American-made heavy machine guns and American artillery.
Islamic State (which also goes by ISIS or ISIL) forces captured the haul of American weapons as the U.S.-supplied Iraqi Army retreated in the face of the extremist onslaught, leaving expensive American equipment littered on the battlefield.
All that raises the prospect that, at some point during these airstrikes, American taxpayer-financed fighter jets will fire on and destroy American taxpayer-financed weapons on the ground.
And the McClatchy Washington Bureau adds a dash of bitters:
Why can’t Islamic State be stopped? Analysts say it’s better armed, better organized
Observers on the ground and analysts in Washington believe that the latest push was possible because the peshmerga forces are stretched trying to defend a frontier with the Islamic State that is nearly 900 miles long. The Islamic State is also better equipped, with U.S.-supplied weapons that its forces have looted from every Iraqi military base it has seized. It also has recently captured major Syrian arsenals.
On Twitter, the Islamic State often posts photos of its bounty from military bases, which include rocket-propelled-grenade launchers, artillery and weapons that are far more sophisticated than those in the peshmerga arsenal.
The Islamic State also has the advantage of momentum. According to the Long Wars Journal, citing a tweet by the Islamic State, its forces have taken control of 17 communities in the area around Mosul. Its push stretches all the way to Diyala province in northeast Iraq, which borders Iran. On Thursday, the Islamic State claimed to control the Mosul Dam, the largest water supply source in Iraq _ a claim U.S. and Iraqi sources confirmed.
And perhaps most importantly, the Islamic State has very simply put together a smarter offensive plan. Its push toward Irbil is believed by many not to be a move to take that city but to force the peshmerga to defend its capital, allowing the Islamic State to harden its grip on places nearby it’s more interested in holding.
And for our final item on the subject, no comment needed, via The Verge:
The Pentagon used a tweet to tell the world about airstrikes in Iraq
- Tweets are the new briefings
From United Press International, gettin’ real [somewhat late]:
New York Times will now use the word ‘torture’
President Barack Obama made waves last Friday when he admitted the United States tortured terror suspects in order to get information.
The New York Times will now use the word “torture” in stories regarding interrogations in which the paper is sure pain was inflicted to get information.
The Times has faced criticism for its hesitation to use the word when speaking about the controversial interrogation techniques used by the United States and specifically the Central Intelligence Agency when trying to get information from terror suspects. They had previously used Bush administration-coined euphemisms such as “enhanced interrogation techniques.”
In an editorial published Thursday, executive editor Dean Baquet said The Times will no longer use these euphemisms and instead call it what it is.
From Aviation Week, Skynet fears continue unabated [thank heavens]:
‘Certifiable Trust’ Required To Take Autonomous Systems Past ‘Unmanned’
- Deployment of autonomous capabilities across aerospace faces major hurdle
Aviation has been built around humans since before the origins of powered flight, but unmanned technology is opening new design spaces in unexpected ways. Now shaped by the strengths and weaknesses of pilots and controllers, how aircraft are flown and air traffic managed could change dramatically in coming decades as autonomy becomes understood, accepted and, eventually, trusted.
“Aviation has been very successful with a human-centric paradigm, the idea that it is humans that save the day,” says Danette Allen, chief technologist for autonomy at NASA Langley Research Center. Even with the Northrop Grumman RQ-4 Global Hawk—arguably the most automated of today’s unmanned aircraft—“the human is still on or in the loop for situational awareness, just in case they have to jump in and solve problems,” she says.
But autonomy means machines making decisions, not humans, and behaving in ways that are not painstakingly pre-planned and pre-programmed. It requires safe and trusted systems that can perceive their environment for situational awareness and assessment, make decisions on uncertain and inaccurate information, act appropriately, learn from experience and adapt their behavior. “In Washington, autonomy has become the ‘A’ word. It has become a negative,” says Rose Mooney, executive of the Mid-Atlantic Aviation Partnership, one of six civil-UAS test sites established by the FAA.
“Certifiable trust”? Does that mean you have to be certifiable to trust ‘em?
For our next drone story, we turn to the Associated Press:
Central NY airport new site for drone safety tests
Federal regulators have approved drone research flights at a central New York airport, one of six sites nationally chosen to assess the safety of the aerial robots in already busy skies.
The other mission at Griffiss International Airport in Rome will be to study how drones can help farmers stay on top of pests, weeds and the conditions of their crops.
The NUAIR Alliance, a consortium of private industry, academic institutions and the military, says flights could begin in a couple of weeks after the Federal Aviation Administration approval Thursday. Future operations will include Massachusetts. The other test sites are in Alaska, North Dakota, Nevada, Texas and Virginia.
And for our final dronal delight, there’s this from Ars Technica:
San Jose Police Department says FAA can’t regulate its drone use
- FAA disagrees, says law enforcement definitely needs permission to use a drone.
Newly published documents show that the San Jose Police Department (SJPD), which publicly acknowledged Tuesday that it should have “done a better job of communicating” its drone acquisition, does not believe that it even needs federal authorization in order to fly a drone. The Federal Aviation Administration thinks otherwise.
Late last month, a set of documents showed that the SJPD acquired a Hexacopter called the Century Neo 660, along with a GoPro video camera and live video transmitter. The nearly $7,000 January 2014 purchase was funded through a grant from the Bay Area Urban Areas Security Initiative, a regional arm of the Department of Homeland Security. San Jose, which proclaims itself the “capital of Silicon Valley,” is the third-largest city in California and the tenth-largest in the United States.
The documents, which were sent to MuckRock as part of a public records request and were published on Wednesday for the first time, make a number of statements suggesting that the SJPD has a deep misunderstanding of current drone policy.
Next up, more dirty dealing at Scotland Yard from the Independent:
Secret internal police report points to ‘highly corrupt’ cells in the Met
Three former Scotland Yard detectives were part of “highly corrupt cells within the Metropolitan Police Service” but have never been brought to justice, according to a secret internal report seen by The Independent.
The police officers, who left the Met to open a private investigation agency, were suspected of seizing tens of thousands of ecstasy tablets from criminals and selling the drugs themselves, according to a file produced by the force’s anti-corruption command.
The 2000 report said the officers also had links to London’s criminal underworld and were capable of tracking down and threatening witnesses involved in sensitive trials.
On to the world of hackery, starting with the latest biggie, first from ProPublica:
Leaked Docs Show Spyware Used to Snoop on U.S. Computers
- Software created by the controversial U.K. based Gamma Group International was used to spy on computers that appear to be located in the United States.
Software created by the controversial U.K. based Gamma Group International was used to spy on computers that appear to be located in the United States, the U.K., Germany, Russia, Iran and Bahrain, according to a leaked trove of documents analyzed by ProPublica.
It’s not clear whether the surveillance was conducted by governments or private entities. Customer email addresses in the collection appeared to belong to a German surveillance company, an independent consultant in Dubai, the Bosnian and Hungarian Intelligence services, a Dutch law enforcement officer and the Qatari government.
The leaked files — which were posted online by hackers — are the latest in a series of revelations about how state actors including repressive regimes have used Gamma’s software to spy on dissidents, journalists and activist groups.
And The Intercept covers one country amongst the targets:
Leaked Files: German Spy Company Helped Bahrain Hack Arab Spring Protesters
A notorious surveillance technology company that helps governments around the world spy on their citizens sold software to Bahrain during that country’s brutal response to the Arab Spring movement, according to leaked internal documents posted this week on the internet.
The documents show that FinFisher, a German surveillance company, helped Bahrain install spyware on 77 computers, including those belonging to human rights lawyers and a now-jailed opposition leader, between 2010 and 2012—a period that includes Bahrain’s crackdown on pro-democracy protesters. FinFisher’s software gives remote spies total access to compromised computers. Some of the computers that were spied on appear to have been located in the United States and United Kingdom, according to a report from Bahrain Watch.
Earlier this week, an anonymous hacker released 40 gigabytes of what appears to be internal data from FinFisher on Twitter and Reddit, including messages between people who appear to be Bahraini government officials and FinFisher customer service representatives.
In those messages, Bahraini software administrators complained to FinFisher that they were “losing targets daily” due to faults in its software. In one message employing the language of a frustrated consumer, a spy appeared to complain that he or she had to keep re-infecting a targeted computer, risking detection: “[W]e cant stay bugging and infecting the target every time since it is very sensitive. and we don’t want the target to reach to know that someone is infecting his PC or spying on him” one message reads.
For our next hackery item, RT America covers a major conference and some revelations aired during sessions:
Black Hat hackers conference exposing flaws in everyday electronics
The “Internet of Things” is a hot topic at this year’s Black Hat cybersecurity conference in Las Vegas. With more household, security and even medical devices being connected to the internet, the threats posed by hackers and nefarious governments are growing. Web connected insulin pumps, home thermostats and other technologies are easily hacked and have had numerous security flaws exposed, potentially putting lives at risk, warn experts. Erin Ade, host of RT’s Boom Bust, is at the conference and has more.
Al Jazeera America has another overview:
Hackers sound alarm about Internet of Things
- By reframing cybersecurity as a public safety issue, white-hat hackers may be making inroads in Washington
A hacker with a smartphone can unlock your front door. Your refrigerator becomes infected with a virus that launches cyber attacks against activists in Bahrain. Criminals and intelligence agencies grab data from your home thermostat to plan robberies or track your movements.
According to computer-security researchers, this is the troubling future of the Internet of Things, the term for an all-connected world where appliances like thermostats, health-tracking wristbands, smart cars and medical devices communicate with people and each other through the Internet. Many of these products are already on the market, and over the next decade, they are expected to become dramatically more commonplace.
For consumers, the Internet of Things will allow high-tech convenience that not long ago seemed like science fiction — a car’s GPS automatically turning on the air conditioner in your house as you drive home from work, for example. But security experts see a dystopian nightmare that is quickly becoming reality. A study released last week by Hewlett Packard concluded that 70 percent of Internet of Things devices contain serious vulnerabilities. Experts say it’s the latest evidence that our dependence on Internet-connected technology is outpacing our ability to secure it.
Defense One covers one session’s fruits:
Hacker Shows How to Break Into Military Communications
Soldiers on the front lines use satellite communications systems, called SATCOMS, to call in back up, lead their comrades away from hot spots and coordinate attacks, among other things. Airplanes use SATCOMS to relay data between the ground and the plane, and ships use them to avoid collisions at sea and call for help during storms or attacks. A well-known hacker says he’s found some major flaws in the communication equipment that ground troops use to coordinate movements. The equipment is also common on a variety of commercial ships, and aircraft rely on it to give pilots vital information. In other words, you can hack planes.
Speaking at the Black Hat cyber security conference, analyst Ruben Santamarta of IOActive presented a much-anticipated paper showing that communications devices from Harris, Hughes, Cobham, Thuraya, JRC, and Iridium are all highly vulnerable to attack. The security flaws are numerous but the most important one — the one that’s the most consistent across the systems — is back doors, special points that engineers design into the systems to allow fast access. Another common security flaw is hardcoded credentials, which allow multiple users access to a system via a single login identity.
Santamarta claims that a satellite communication system that’s common in military aviation, the Cobham Aviator 700D, could be hacked in a way that could affect devices that interact with critical systems possibly resulting in “catastrophic failure.”
MIT Technology Review covers another:
Black Hat: Google Glass Can Steal Your Passcodes
- Footage of people unlocking their phones can be used to steal mobile passcodes even if the typing can’t be seen.
Criticism of Google Glass has often focused on the way its camera makes surreptitious video recording too easy. Now researchers have shown that footage captured by the face-mounted camera could also pose a security threat.
Software developed by the researchers can automatically recover the passcodes of people recorded on video as they type in their credentials, even when the screen itself is not visible to the camera. The attack works by watching the movement of the fingers to work out what keys they are touching. It also works on footage from camcorders, webcams, and smartphones, but Glass offers perhaps the subtlest way to stage it.
The work suggests that “shoulder surfing”—stealing passwords or other data by watching someone at a computer—could become more of a threat as digital cameras and powerful image processing software become more common.
Ars Technica covers a third:
Security expert calls home routers a clear and present danger
- In Black Hat Q&A, In-Q-Tel CISO says home routers are “critical infrastructure.”
During his keynote and a press conference that followed here at the Black Hat information security conference, In-Q-Tel Chief Information Security Officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers. The inexpensive Wi-Fi routers commonly used for home Internet access—which are rarely patched by their owners—are an easy target for hackers, Geer said, and could be used to construct a botnet that “could probably take down the Internet.” Asked by Ars if he considered home routers to be the equivalent of critical infrastructure as a security priority, he answered in the affirmative.
Geer spoke about the threat posed by home routers in advance of “SOHOpelessly Broken,” a router hacking contest scheduled for the DEF CON security conference later this week sponsored by the Electronic Frontier Foundation. “Because they are so cheap, you can get a low-end router for less than 20 bucks that hasn’t been updated in a while,” Geer explained.
Attackers could identify vulnerabilities in particular models and then scan the Internet for targets based on the routers’ signatures. “They can then build botnets on the exterior of the network—the routing that it does is only on side facing ISPs,” he said. “If I can build a botnet on the outside of the routers, I could probably take down the Internet.”
MIT Technology Review covers a fourth:
Black Hat: Car Security Is Likely to Worsen, Researchers Say
- In-car applications and wireless connectivity are a boon to hackers who take aim at cars.
The electronic systems in cars increasingly control safety-critical functionality.
As more cars come with wireless connectivity and in-car apps, more of them will be vulnerable to potentially dangerous hacking, two well-known researchers warned at the Black Hat security conference in Las Vegas on Wednesday.
In a study of nearly 20 different vehicles, Charlie Miller, a security engineer with Twitter, and Chris Valasek, director of vehicle security research with security services firm ioActive, concluded that most control systems were not designed with security in mind and could be compromised remotely. The pair created cybersecurity ratings for the vehicles, which will be published in a paper later this week.
And from Wired’s Threat Level, that darned cat:
How to Use Your Cat to Hack Your Neighbor’s Wi-Fi
Late last month, a Siamese cat named Coco went wandering in his suburban Washington, DC neighborhood. He spent three hours exploring nearby backyards. He killed a mouse, whose carcass he thoughtfully brought home to his octogenarian owner, Nancy. And while he was out, Coco mapped dozens of his neighbors’ Wi-Fi networks, identifying four routers that used an old, easily-broken form of encryption and another four that were left entirely unprotected.
Unbeknownst to Coco, he’d been fitted with a collar created by Nancy’s granddaughter’s husband, security researcher Gene Bransfield. And Bransfield had built into that collar a Spark Core chip loaded with his custom-coded firmware, a Wi-Fi card, a tiny GPS module and a battery—everything necessary to map all the networks in the neighborhood that would be vulnerable to any intruder or Wi-Fi mooch with, at most, some simple crypto-cracking tools.
Reuters covers another blow to online anonymity:
Russia demands Internet users show ID to access public Wifi
Russia further tightened its control of the Internet on Friday, requiring people using public Wifi hotspots provide identification, a policy that prompted anger from bloggers and confusion among telecom operators on how it would work.
The decree, signed by Prime Minister Dmitry Medvedev on July 31 but published online on Friday, also requires companies to declare who is using their web networks. The legislation caught many in the industry by surprise and companies said it was not clear how it would be enforced.
A flurry of new laws regulating Russia’s once freewheeling Internet has been condemned by President Vladimir Putin’s critics as a crackdown on dissent, after the websites of two of his prominent foes were blocked this year.
The Guardian covers the Down Under version of a familiar story:
Warrantless metadata access is already taking place at higher rate than ever
- A multitude of agencies currently have access to metadata and in 2012-13 used those powers on 330,640 occasions
Given the current debate about metadata retention in Australia it’s worth pointing out that various organisations can access your metadata already, without a warrant – and it’s occurring at a higher rate than ever before.
In mid 2013 we wrote about how agencies from the police to the RSPCA to the Victorian Taxi Directorate are able to access “existing information or documents” from telecommunications companies without a warrant. The information can include details of phone calls (but not the contents of the call) and internet access details such as subscribers’ personal information, and dates and times of internet usage.
The most recent figures, released in December 2013, show warrantless access to metadata occurred on 330,640 occasions in the 2012-13 financial year. The agency requesting the data is required to fill out a request form, however there is no judicial oversight or requirement that law enforcers prove suspicion of a crime being committed.
And from the McClatchy Washington Bureau, idiotic obstructionism:
Judge dings FBI for response to inmate’s FOIA requests
A federal judge has slapped the FBI, or maybe just laughed at it, for making “transparently implausible” arguments while resisting a prison inmate’s Freedom of Information Act requests.
The feds, U.S. District Judge James E. Boasberg wrote, in what sounds like a state of near-incredulity, argued that the “FOIA request need not be disclosed because they reside on two CDs and a thumb drive.”
That’s right. The FBI seemed to say that information was exempt from disclosure because of the medium it was stored on.
After the jump, the latest developments in the Game of Zones, including spooky arrests, an Orwellian anecdote, an X-rated protest, and a whole lot more. . .