FBI denies paying $1 million to attack Tor

The FBI has denied an accusation that it paid at least $1 million to Carnegie Mellon University (CMU) researchers to infiltrate Tor, a free software implementation of second-generation onion routing that enables its users to communicate anonymously on the internet.

The intelligence agency told Ars Technica that the accusation that it paid the university's security researchers to unmask Tor users and reveal their IP addresses as part of a criminal investigation was 'inaccurate'.

"The allegation that we paid (Carnegie Mellon University) $1 million to hack into Tor is inaccurate," the FBI said.

However, in July last year the Tor Project team discovered more than a hundred new Tor relays that modified Tor protocol headers to track people who were looking for Hidden Services, web servers hosted on Tor that offer more privacy.

The attackers used a combination of nodes and exit relays, along with some vulnerabilities in the Tor network protocol, that let them uncover users' real IP addresses.

After discovering the flaws, the team updated its software and rolled out new versions of the code to block similar attacks in the future. At that time, however, the team could not find the hackers who exploited the flaws.

“We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor -- but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of 'legitimate research,'” the Tor team said in a blog post.

"Whatever academic security research should be in the 21st century, it certainly does not include 'experiments' for pay that indiscriminately endanger strangers without their knowledge or consent," the post added.

The Tor Project now claims to have patched the vulnerabilities, but this doesn't solve the core problem.

5.6 million fingerprints stolen, but the reason is still unknown

Some people blame the Office of Personnel Management (OPM), which serves as a sort of human resources department for the federal government; some blame unchangeable biometrics; and others blame Chinese hackers for the massive breach of the OPM’s servers in the U.S., during which the fingerprints of 5.6 million people were stolen.

Whatever the reason, the concern is for the millions of people whose fingerprints have been stolen. What will the consequences be? Or is there nothing to worry about?

The authority concerned needs to come up with some program to address the issue.

U.S. officials have blamed Chinese government hackers without any evidence. China, for its part, has denied any involvement in the breach.

The OPM has said that federal experts believe there is a low chance of the fingerprints being misused. However, there is a possibility that future technologies could take advantage of this information.

The OPM had earlier confirmed that only 1.1 million people were affected. However, the number has now increased to 5.6 million.

“The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology, told Boing Boing. “I’m surprised they didn't have structures in place to determine the number of fingerprints compromised earlier during the investigation.”

Beyond the fingerprints, about 21.5 million individuals are said to have had their Social Security numbers and other sensitive information affected by the hack.

According to the OPM, representatives of the Department of Homeland Security and the Defense Department are now planning to review the implications of the stolen fingerprint data.

Two Ukrainian defendants to pay $30 million to the Securities and Exchange Commission

Ukraine-based firm Jaspen Capital Partners Limited and its Chief Executive Officer (CEO), Andriy Supranonok, agreed on Monday (September 14) to pay $30 million to settle U.S. Securities and Exchange Commission (SEC) civil insider trading charges.

The SEC had charged the two with trading on information from illegally obtained news releases.
The company became the first of 34 defendants to settle SEC charges over the alleged theft of more than 150,000 press releases from Newswire before the news became public.

Traders would sometimes create what prosecutors called “shopping lists” of companies that were expected to make announcements and pass them on to hackers.

The illegal profit generated by traders over a period of five years is estimated at around $100 million, while Jaspen and Supranonok made approximately $25 million from 2010 to 2015 by buying and selling contracts-for-differences (CFDs), derivatives that allow leveraged bets on stock prices, on the basis of press releases stolen from the newswire service.

The case was filed in U.S. District Court for the District of New Jersey, which entered an asset freeze and other emergency relief against Jaspen and Supranonok, among others. Nine of the defendants also face criminal charges, though Jaspen and Supranonok were not criminally charged.

Without admitting or denying the SEC’s allegations, the two defendants agreed to transfer $30 million of ill-gotten gains from the accounts which were frozen a month ago.

"Today's settlement demonstrates that even those beyond our borders who trade on stolen nonpublic information and use complex instruments in an attempt to avoid detection will ultimately be caught," said SEC enforcement chief Andrew Ceresney.

The settlement with Jaspen and Mr. Supranonok must be approved by a court.

The SEC said its civil case will continue against the other 32 defendants.


Researcher says Laser Pen can Halt Driverless Car

While the world waits for self-driving cars to become popular enough to reach the masses, a security researcher has found a major flaw in driverless cars that can possibly drive one off the road.

Jonathan Petit, principal scientist at software security company Security Innovation, discovered that a laser pointer costing only $60 could interfere with a car's laser ranging (Lidar) system and bring the car to a halt.

Most self-driving cars rely on Lidar to navigate; the system creates a three-dimensional map and allows the car to see potential hazards by bouncing a laser beam off obstacles.

A laser pointer aimed at an automated or semi-automated car is picked up by the Lidar system and can trick the car into thinking there are objects ahead of it when there is actually nothing there. This forces the car to slow down. A hacker can also overwhelm it with spurious signals, which forces the car to remain stationary.

During his tests, Petit recorded laser pulses reflected by a commercial Lidar system, and then mimicked them, directing the laser back at the navigation system. This method worked from a distance of 300 feet from the car, and didn’t require perfect accuracy with the laser beam.

According to him, the movement of cars, pedestrians or stationary obstacles can be imitated from 50 to 1000 feet away from the car and the same attack can be carried out using a Raspberry Pi or an Arduino single-board computer.

On detecting a phantom object, the car may exhibit both short- and long-term responses. The short-term reaction may consist only of an unnecessary stop, but a long-term stop may trick the car into believing there is a blockage on the road, causing it to take an alternative route, which will affect the trip.

The automakers need to ensure that simple hacks don't render driverless vehicles useless or worse.

If proper steps are not taken now on the security implications of internet-connected cars, they will be vulnerable to hackers in the same way as PCs, laptops and tablets.

Andreas Mai, director of smart connected vehicles at Cisco, believes that an advanced end-to-end security reference architecture and close collaboration among automakers, suppliers, technology providers and government agencies should be maintained in order to deal with modern cyber attacks.

In a world where data breaches take place all the time and all sorts of corporations look to cyber security to protect their customers’ personal and financial information, car companies have something major to worry about.

Automated cars were developed with safety in mind, because conventional, human-driven cars have produced many instances of bad decisions by humans while driving. Road accidents happen because of human errors about when to accelerate and when to brake.

But Google, which has led the way on self-driving cars, has experienced several accidents since hitting the road. In July, one of the firm’s Lexus SUV driverless cars was rear-ended in Google's home city of Mountain View, California.

For car companies, the worry about hacking does not end with financial crime and fraud, as it does for other corporations; here, hacking can result in real-world, real-time physical problems and injuries.

While automated cars could be beneficial in future, the companies that bring them to the masses have to make people comfortable about them. They won't be successful if they aren't perceived as completely safe.

Man jailed for 18 months for hacking into 900 Aviva phones

Richard Neele (40) has been sentenced to 18 months in prison for hacking into 900 phones of insurance company Aviva.

Neele deleted the data on all 900 smartphones, making the company lose out on 5,00,000 pounds of business.

Neele was a director at Esselar, a company which had been contracted by Aviva to manage its security network.

Neele has said that he carried out the attacks because of a falling out with his colleagues.

He hacked the system at Aviva in May 2014 when Esselar was giving a security demonstration to Aviva.

Splunk buys Caspida for $190M

Splunk announced on July 9 that it had purchased Caspida, a Palo Alto startup that uses machine learning techniques to help identify cyber-security threats from inside and outside the company, for $190 million.

“Under the terms of the agreement, Splunk has acquired all of the outstanding stock of Caspida for an aggregate purchase price of approximately $190 million, including approximately $127 million in cash and $63 million in restricted Splunk securities,” Splunk posted on its blog.

Haiyan Song, SVP of security markets at Splunk, said it helped both companies deal with the onslaught of machine data coming from IT systems, using data science techniques and automation to make sense of it. Part of that is a growing security business, which accounted for a third of the company's revenue in its most recent quarter.

“With Caspida, Splunk accelerates its focus on solving advanced threats - both external and from insiders - by shining a light on those who are wrongfully using valid credentials to freely and unpredictably exploit systems they have accessed. By addressing the entire lifecycle of known and unknown advanced threats, and by providing a platform to detect, respond to, and automate actions, Splunk has further reinforced its position as the security nerve center,” he added.

It is said that Splunk is adding a new tool to its security arsenal to beef up the ability to locate threats using the machine learning techniques that Caspida has developed.

“Like everyone, Splunk has watched the growing number of breaches over the last year, and its customers have been asking for better security detection tools to help battle these threats, many of which use compromised credentials. This kind of attack is difficult to detect with conventional security techniques looking for signatures or rules. If someone comes in through the front door using valid credentials, there are no rules or patterns. They look like a valid user,” Song explained.

According to the blog post, the 35 Caspida employees will join Splunk immediately.

Caspida, which was launched in 2014, came out with its first product at the end of last year.

“We founded Caspida with a vision of applying data science to help solve the most pressing cybersecurity challenges - advanced threats and insider threats,” said Muddu Sudhakar, CEO of Caspida.

“By analyzing machine data and using data science to detect meaningful anomalous behavior of users, devices and entities, Caspida has solved a problem that previously required significant manpower and expensive, do-it-yourself toolsets. We are very excited to join the Splunk family and deliver new detection capabilities to customers,” he explained.