On Wednesday morning thousands of Twitter users, including verified accounts like BBC North America, Forbes, and tennis star Boris Becker, saw their accounts tweeting out a message in Turkish along with images of swastikas. Someone hacked Twitter and gained access to the accounts through the third-party app Twitter Counter, an analytics service.

The message that was sent out was propaganda in support of Turkish President Recep Tayyip Erdogan, and translated as “#NaziGermany #NaziNetherlands, a little #OTTOMAN SLAP for you, see you on #April16th.” The tweets also contained a link to a pro-Erdogan video on Youtube.

My twitter account was hacked !!! I never posted this as I obviously don’t speak Turkish…. pic.twitter.com/G7pNuH1UFj

— Boris Becker (@TheBorisBecker) March 15, 2017

The message was accompanied by emojis of swastikas and on some accounts the hackers had changed the user’s profile pictures into a Turkish flag or other Turkish symbols. April 16 is referendum day for Turkey–voters will be deciding whether or not to give the president even more power.

The Germany and Netherlands hashtags are referring to Erdogan’s recent beef with leaders of the two countries, he recently called them “Nazi remnants” and “fascists.” Erdogan had sent government officials to countries with large Turkish populations to rally support ahead of the referendum vote, which Germany and the Netherlands resisted.

Earlier this morning our Twitter account was hacked. We’ve now deleted the hacked tweet and investigating what happened. Apologies & thanks

— AmnestyInternational (@amnesty) March 15, 2017

Twitter Counter is based in Amsterdam and was also hacked in November, when some verified accounts like PlayStation and the New Yorker started sending out spam tweets telling users how to gain more followers. “We are aware of the situation and have started an investigation into the matter,” its chief executive, Omer Ginor, said. Twitter said in a statement that the hack was limited only to accounts that use Twitter Counter. “We removed its permissions immediately. No additional accounts are impacted,” the statement said.

We identified an issue affecting a small number of users. Source was a 3rd party app and it has been resolved. No action needed by users.

— Twitter Support (@Support) March 15, 2017

Emma Von Zeipel

Emma Von Zeipel is a staff writer at Law Street Media. She is originally from one of the islands of Stockholm, Sweden. After working for Democratic Voice of Burma in Thailand, she ended up in New York City. She has a BA in journalism from Stockholm University and is passionate about human rights, good books, horses, and European chocolate. Contact Emma at EVonZeipel@LawStreetMedia.com.

The post Hackers Tweeted Swastikas and Turkish Message From Thousands of Accounts appeared first on Law Street.

Tesco Bank, the British retail bank run by the UK’s largest supermarket chain, lost approximately 2.5 million pounds this month after hackers broke into the accounts of more than 9,000 customers. The bank has pledged to reimburse customers who lost money and ultimately decided to suspend online banking for all of its 136,000 customers. Spokespeople claimed that personal data had not been compromised in the hack and that customers do not need to change their passwords, yet the sheer scope of the attack has made security experts uneasy.

The company first caught on to the breach on Saturday, November 5, and immediately began texting customers who had been affected. Many customers saw their money being moved out of Tesco accounts via overseas transactions to Spain and Brazil. Although there was initial concern that the hack was an inside job, aided by a bank employee, it is now being marked up to general human error and a failure to create a truly secure system.

This attack represents a major modern shift in cybercrime, from attacking individual customers to attacking an entire bank in one go. Perhaps the most troubling discovery in the wake of the hack was that Tesco had been warned by the security firms CyberInt and Codified Security about the weaknesses in its system, which the company did not respond to. No company can be expected to track every spam email about cybersecurity that floods its inbox, but in this case, if the reports from Codified Security truly were purposefully ignored, it reveals a dangerously cavalier attitude toward cybersecurity at the Tesco Bank headquarters.

Defenders of the bank have argued that the hack was successful because it took place during the weekend, when the technical staff were not at their desks, responding to customer reports and warning signs like they would during the work week. Regardless of the timing of the attack, the amount of money shifted from customer accounts is disturbing, especially as it is only the latest in a string of high profile hacks this year. Almost two years ago, the Bank of England highlighted cybercrime in the meetings of its financial policy committee, noting that banks were woefully unprepared for large scale attacks on their databases, but that warning came and went with very little impact.

It is not only smaller, less conventional banks like Tesco that have been targeted: in January of this year, HSBC shut down its mobile banking platform after a distributed denial of service attack. Tesco Bank is a relative mom and pop bank compared to the global behemoth that is HSBC, which explains why it did not have the same early warning notifications and success that HSBC did when shutting down the January hack. No bank, either electronic or brick and mortar, is definitively safe but when hundreds of accounts are being attacked, there is a clear issue with security. Tesco Bank will take a major hit in the wake of the attack but rather than lying back and celebrating the decline of a competitor, other UK banks–and banks around the globe–should be rushing to their own cybersecurity teams to repair the weaknesses that could be exploited in the next great hack.

Jillian Sequeira

Jillian Sequeira was a member of the College of William and Mary Class of 2016, with a double major in Government and Italian. When she’s not blogging, she’s photographing graffiti around the world and worshiping at the altar of Elon Musk and all things Tesla. Contact Jillian at Staff@LawStreetMedia.com

The post Startling Holes in Our Cybersecurity Network: The Tesco Bank Hack appeared first on Law Street.

Tweets sent out by WikiLeaks on Sunday afternoon had Julian Assange fans really concerned. The messages seemed like a “dead man’s switch”–which are encrypted messages containing highly classified material that become unveiled in case someone dies. This is what the messages looked like:

pre-commitment 1: John Kerry 4bb96075acadc3d80b5ac872874c3037a386f4f595fe99e687439aabd0219809

— WikiLeaks (@wikileaks) October 16, 2016

pre-commitment 2: Ecuador
eae5c9b064ed649ba468f0800abf8b56ae5cfe355b93b1ce90a1b92a48a9ab72

— WikiLeaks (@wikileaks) October 16, 2016

pre-commitment 3: UK FCO f33a6de5c627e3270ed3e02f62cd0c857467a780cf6123d2172d80d02a072f74

— WikiLeaks (@wikileaks) October 16, 2016

These messages had Twitter users speculating that Assange was, in fact, dead.

There were also theories about what the messages actually meant. One possibility is that John Kerry is next to be targeted by a big release of classified information, considering recent WikiLeaks publications have focused on the Democratic Party specifically. According to former Trump adviser Roger Stone, Kerry has previously threatened the Ecuadorian government.

John Kerry has threatened the Ecuadorian President with “grave consequences for Equador” if Assange is not silenced @StoneColdTruth

— Roger Stone (@RogerJStoneJr) October 17, 2016

Another interesting and bizarre aspect to the story is that actress Pamela Anderson unexpectedly and uninvited dropped by the embassy on Saturday to share a vegan lunch with Assange. Some fans even speculated that she was the one who had killed him, maybe hired by the American government, by bringing him a poisoned sandwich…but that obviously seems incredibly far-fetched.

@alburyj GET ASSANGE OUT OF THERE AND INTO HIDING. How do we know that Pamela Anderson isn’t working 4 someone to set up him up?

— Rosa Marzullo (@niftyrosa1) October 17, 2016

Pamela said she is an Assange supporter and that she is worried about his health. She wanted to bring him “a nice vegan lunch and some vegan snacks.” But maybe he would have preferred some hearty meat. “He said I tortured him with bringing him vegan food,” she said jokingly.

Finding out that Pamela Anderson & Julian Assange are friends is like watching an unlikely animal friendship video https://t.co/JnTTgrYCGg

— Gabriella Paiella (@GMPaiella) October 17, 2016

By Monday, everything pointed to Assange still being alive and well. Gizmodo speculated that “pre-commitment” in this case stands for a cryptographic plan to prevent classified and yet unreleased material from being tampered with.

The WikiLeaks Twitter account was active on Monday, also a good sign. In the early morning, it posted a tweet saying “a state party” had intentionally cut off Julian Assange’s internet connection. The message went on to say that the organization had “activated the appropriate contingency plans.”

Julian Assange’s internet link has been intentionally severed by a state party. We have activated the appropriate contingency plans.

— WikiLeaks (@wikileaks) October 17, 2016

On Saturday, WikiLeaks released the alleged full transcripts of Hillary Clinton’s paid speeches to financial firm Goldman Sachs. Many people thought the Monday cutoff of Assange’s internet was revenge for messing with Clinton.

We and many others believe Julian Assange’s internet was cut for criticizing Hillary Clinton. #FreeJulian

— Anonymous (@LatestAnonNews) October 17, 2016

Assange has been in hiding at Ecuador’s embassy in London for the last four years, trying to avoid extradition to Sweden over a rape case, which could lead to deportation to the U.S., where he fears he would be charged with espionage. The alleged internet cutoff comes after recent news that Sweden is not dropping the charges against him, and a press conference he held via video link on October 4. In that speech he promised 10 weeks of new releases of classified material, in celebration of Wikileak’s 10-year anniversary.

Emma Von Zeipel

Emma Von Zeipel is a staff writer at Law Street Media. She is originally from one of the islands of Stockholm, Sweden. After working for Democratic Voice of Burma in Thailand, she ended up in New York City. She has a BA in journalism from Stockholm University and is passionate about human rights, good books, horses, and European chocolate. Contact Emma at EVonZeipel@LawStreetMedia.com.

The post What’s Going on With Julian Assange and WikiLeaks? appeared first on Law Street.

Welcome to RantCrush Top 5, where we take you through today’s top five controversial stories in the world of law and policy. Who’s ranting and raving right now? Check it out below:

Yahoo: “U.S. Intelligence Made Us Do It!”

Reuters reported Tuesday that Yahoo has been doing broad sweeps of its users’ incoming emails under the (no longer) classified directive of the NSA or the FBI. The details of what the company was supposed to be looking for are still unclear. When asked about the matter, Yahoo said: “Yahoo is a law abiding company, and complies with the laws of the United States.”

Which is legalese for: Yahoo denies any semblance of wrongdoing. This news comes weeks after Yahoo announced a 500 million account hack.

*Suspicious squint*

Also Yahoo’s pending deal to be purchased by telecom giant Verizon for $4.8 billion is looking pretty rickety.

via GIPHY

Sources say that it is likely other tech companies have been ordered by the government to conduct this type of surveillance too. Reuters says Google and Microsoft have not responded to requests for comment on the issue.

Rant Crush

RantCrush collects the top trending topics in the law and policy world each day just for you.

The post RantCrush Top 5: October 5, 2016 appeared first on Law Street.

Hackers have leaked personal emails from former Secretary of State Colin Powell, in which he describes Donald Trump as a “national disgrace” and an “international pariah,” Buzzfeed reported. The website DCLeaks.com obtained the emails, which include exchanges between journalist and former Powell aide Emily Miller as well as other Powell associates. The leaks also highlight disagreement between Powell and the Clinton campaign over the use of her private email server during her time as Secretary of State.

In one email to Miller, Powell wrote that Trump “is in the process of destroying himself, no need for Dems to attack him. [Speaker of the House] Paul Ryan is calibrating his position again.” Powell also said that the idea promoted by Trump and others that President Obama was not born in the United States is racist. He said:

Yup, the whole birther movement was racist. That’s what the 99% believe. When Trump couldn’t keep that up he said he also wanted to see if the certificate noted that he was a Muslim.

Powell is a self-described lifelong Republican but has endorsed President Obama twice, indicating that he has problems with the direction Republican Party of today is heading. In another email with “Racism” in the subject line, he wrote, “Or as I said before the 2012 election, ‘There is a level of intolerance in parts of the Republican Party.’” He went on to say he wouldn’t comment about Trump to the media, arguing that it would feed into his ego.

Colin Powell also said that having Roger Ailes, who resigned from Fox news over sexual harassment allegations, as an adviser won’t exactly help Trump win over women’s votes, Buzzfeed reported.

Shortly after the leak, Powell confirmed that the emails are authentic and said that the hackers “have a lot more.” The website, DNCLeaks.com, has links to Russian-backed hackers who were previously accused of breaking into the accounts of the Democratic National Committee and releasing emails that embarrassed the party.

#DCLeaks Powell in leaked email: ‘I didn’t tell Hillary to have a private server at home’ https://t.co/uxALVOi4CC

— DC Leaks (@DCleaks_) September 14, 2016

In other leaked emails, Powell talked about Hillary Clinton’s private email server, an issue he wished to stay far away from. In February he wrote to Kenneth Duberstein, a White House chief of staff under president Reagan, saying, “I didn’t tell Hillary to have a private server at home, connected to the Clinton Foundation, two contractors, took away 60,000 emails, had her own domain.”

And in September 2015 email to Lawrence Wilkerson, his former chief of staff, he wrote, “[Hillary Clinton] and her mishandling of this has really given her a major problem I do not wish to get involved in, despite the best efforts of her team to drag me in.”

Defenders of Hillary Clinton like Representative Elijah Cummings have tried to point to Powell and Rice as a precedent for the use of a private email account while serving as Secretary of State. In a press release, Representative Cummings noted that both Rice and Powell had “received classified national security information” on their personal accounts. But Powell took issue with the classified emails that many cited, claiming that they were not classified at the time. Both Powell and Rice expressed, over email, an increasing annoyance with the situation.

This also led Powell to email Duberstein. “Stupid State Department dragged me in and I had to take care of myself […] I warned them. Don’t say these unclassified messages are classified or should have been classified,” he wrote.

Emma Von Zeipel

Emma Von Zeipel is a staff writer at Law Street Media. She is originally from one of the islands of Stockholm, Sweden. After working for Democratic Voice of Burma in Thailand, she ended up in New York City. She has a BA in journalism from Stockholm University and is passionate about human rights, good books, horses, and European chocolate. Contact Emma at EVonZeipel@LawStreetMedia.com.

The post Colin Powell Calls Trump ‘International Pariah’ in Leaked Emails appeared first on Law Street.

On Thursday, Apple released a new security update for iPhone users worldwide after the discovery of an attempted hack that was trying to take advantage of three huge vulnerabilities in the iOS operating system. Using these three factors, now called the “Trident” flaw, hackers could take complete control over someone’s phone remotely, without the owner knowing about it.

The group that is believed to be behind the hack is an American-owned, Israeli-based company called NSO. It was founded in late 2009 by two Israeli mass-entrepreneurs with ties to the Israeli government and defense forces. In 2014 a San Francisco-based equity firm bought a majority stake in the company for $120 million.

NSO says it specializes in tools fighting against crime and terrorism. Its LinkedIn page describes the company as in “the field of Internet security software solutions and security research.” But many security firms call the group a “cyber arms dealer.” An online document from NSO says it is “a leader in the field of cyber warfare” that utilizes its proprietary monitoring tool it calls “Pegasus,” which can monitor and extract all data from a target “via untraceable commands” which allow “remote and stealth.”

Human rights activist Ahmed Mansoor from the United Arab Emirates was the first one to report the suspected hack, after receiving a text message to his iPhone with a link promising to reveal details about torture in his country’s prisons. Instead of clicking the link he contacted the Toronto-based internet watchdog Citizen Lab.

Incredible: #UAE tries to hack democracy activist @Ahmed_Mansoor w/ Israeli-made… https://t.co/u9WQZFM2OQ by @salamah via @c0nvey

— Azza Youssri (@AzzaYoussri) August 26, 2016

Reports issued on Thursday by Citizen Lab and San Francisco mobile security company Lookout revealed how they discovered an advanced spyware that could take over the whole phone at the tap of a finger. If you click the link in a fake message like the one Mansoor received, it would activate spying software called “Pegasus” and hackers could listen in on your calls, collect text messages and personal information, and control your camera.

This advanced technique is so highly desirable in the cyber world that one spyware broker said in November that it had paid $1 million to programmers who said they had found a way to do it, according to the Telegraph.

On Thursday an Apple spokesperson said:

We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.

Emma Von Zeipel

Emma Von Zeipel is a staff writer at Law Street Media. She is originally from one of the islands of Stockholm, Sweden. After working for Democratic Voice of Burma in Thailand, she ended up in New York City. She has a BA in journalism from Stockholm University and is passionate about human rights, good books, horses, and European chocolate. Contact Emma at EVonZeipel@LawStreetMedia.com.

The post Who are the Hackers Behind the Apple Spyware Problem? appeared first on Law Street.

Individuals who were using a website to cheat on their spouses and significant others will not remain anonymous if they choose to remain on the lawsuit against that website–Ashley Madison. This week a judge ruled that anyone who continues in the legal fight will not be allowed to use pseudonyms in the lawsuit.

Let’s start at the beginning of this whole mess: this lawsuit began in response to last summer’s hack of the Ashley Madison website, a service with the motto: “Life is short. Have an Affair.” The website, which purports to facilitate men and women in finding people to have affairs with, is used most predominantly by men. In the hack, 11 million account passwords were discovered because of improperly secured accounts. This led to the release of 32 million customers’ emails, sexual preferences, names, and addresses on the internet, which caused backlash in small communities, investigations of government employees found using the site, and even the blackmailing of some individuals whose information was released.

In response to the release of personal information, several Ashley Madison users have decided to sue the company for claiming to secure personal information and then failing to do so. While many of their identities have already been released, the plaintiffs petitioned to use pseudonyms in the case in order to protect themselves from judgment of the public.

Unfortunately for the roughly 50 people suing Ashley Madison, Judge John A. Ross, a United States District Judge, ruled on April 6th to deny the motion for plaintiffs in the case to use pseudonyms. Part of the judge’s ruling was based on the fact that:

The personal and financial information plaintiffs seek to protect has already been released on the Internet and made available to the public.

In addition, the judge acknowledged the fact that:

Only in extraordinary circumstances may civil litigation proceed under fake names, like in cases such as sex crimes and suits about juveniles.

What the judge did allow is for the members who are currently involved in the suit to dismiss their complaints and instead file as members of a class in a class-action suit. If it is certified they will not need to release their names individually in order to sue.

A lot of the people whose names were released in the hack have faced serious consequences because of the release of information. Some people have been blackmailed into paying bitcoin bribes in order to try to stop blackmailers from ousting the cheaters to their oblivious spouses. Town officials have been shamed by their local newspapers and publications.

While the huge breach in security was unexpected for the members of the Ashley Madison site and the people whose information was released may have legal standing to sue the company, it’s hard to have much sympathy for cheaters whose significant others found out about their infidelity. This is a good lesson for all of us to be a little more skeptical about the security of personal information online and the reality of bad karma. Next time you go online to find a hot date with whom to two-time your wife, maybe think twice before plugging in your government email address.

Alexandra Simone

Alex Simone is an Editorial Senior Fellow at Law Street and a student at The George Washington University, studying Political Science. She is passionate about law and government, but also enjoys the finer things in life like watching crime dramas and enjoying a nice DC brunch. Contact Alex at ASimone@LawStreetmedia.com

The post Judge Denies Cheaters’ Request to Remain Anonymous in Ashley Madison Suit appeared first on Law Street.

In light of concerns about state-sponsored hackers going after American technology, Facebook will now warn users it believes are falling victim to these types of attacks.

The warning will take the form of a notification that pops up on Facebook. It doesn’t warn individuals that their Facebook accounts are being hacked, but rather that their computers, smartphones, tablets, or other devices have malware on them that indicate that hackers may be trying to access their accounts.

According to Facebook, the notification will prompt a user to “Please Secure Your Accounts Now” and contain the following message:

We believe your Facebook account and your other online accounts may be the target of attacks from state-sponsored actors. Turning on Login Approvals will help keep others from logging into your Facebook account. Whenever your account is accessed from a new device or browser, we’ll send a security code to your phone so that only you can log in. We recommend you also take steps to secure the accounts you use on other services.

Facebook also recommends that if possible, people who get these notifications should consider replacing or rebuilding their systems, because this type of breach is probably too strong to be wiped out by everyday anti-virus software. Facebook has also made it clear that it won’t be sending out these notifications willy-nilly, but only if there’s strong evidence that a breach is coming from a foreign government hack.

Obviously not all hacks come from state-sponsored entities, but Facebook is clear on why it is focusing on warning its users specifically about these kinds of attacks. Alex Stamos, the Chief Security Officer at Facebook, explained in the announcement about the policy change:

While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts.

War waged via technological means is certainly a legitimate concern–there have been either allegations or outright evidence that unfriendly actors such as China, Russia, Iran, North Korea, and ISIL have attempted to hack American accounts.

There are some criticisms of the new alert–Tech Crunch pointed out that the phrase “state-sponsored actors” may not be in everyone’s vernacular, and could be confusing. Additionally, Maddy Crowell of Christian Science Monitor points out that we don’t know exactly how Facebook is getting the information to conclude that someone has been the victim of a state-sponsored attack. While that’s not necessarily a criticism, it is a viable inquiry about Facebook’s privacy features. 

So, essentially, you don’t want to see this notification pop up on your Facebook–it means that your information is under attack, most likely due to malware that has infected your computer. Facebook is doing right by its users by letting them know–it may be an indication of the kind of security we’ll see moving forward as cyberwar remains a serious concern.

Anneliese Mahoney

Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

The post Facebook to Warn Users of Potential State-Sponsored Hackers appeared first on Law Street.

Last week’s top stories ran the gamut from cheating spouses to the best places to get a joint J.D./M.B.A degree. The top story of the week was a breakdown of the strangest arrests making the news, followed by a look at the Ashley Madison hack and the future of online privacy. The #3 story was the J.D./M.B.A. ranking for the University of California-Berkeley School of Law. ICYMI, check out the top posts from last week:

#1 Weird Arrests of the Week

It’s the end of the week, which means its time to relax and reflect on all the stupid things people have done this week. Specifically, some fantastically odd arrests. Check out the slideshow here.

#2 Ashley Madison Hack: The Future of Online Privacy Doesn’t Look Good

A few weeks ago, a group of hackers called the “Impact Team” threatened to expose the profiles of people who had accounts on Ashley Madison, a dating site specifically aimed at married people who are looking to cheat. The hackers threatened to “release customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails” if the site was not taken down. The parent company–Avid Life Media–did not comply, and now that data has been released to the public. Read the full story here.

#3 Top 10 Schools for J.D./M.B.A. Programs: #9 University of California-Berkeley School of Law

The legal industry is changing and law schools are no exception. Applications and enrollment are both down, and the value of the traditional legal education with its current price tag is the subject of continual debate. Law Street Specialty Rankings are a detailed resource for prospective law students as they consider the many law schools across the country. Law Street Specialty Rankings blend the quantitative and qualitative in a way that accurately highlights the top law schools based on specialty programs. Check out the University of California-Berkeley School of Law’s ranking here.

Anneliese Mahoney

Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

The post ICYMI: Best of the Week appeared first on Law Street.

A few weeks ago, a group of hackers called the “Impact Team” threatened to expose the profiles of people who had accounts on Ashley Madison, a dating site specifically aimed at married people who are looking to cheat. The hackers threatened to “release customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails” if the site was not taken down. The parent company–Avid Life Media–did not comply, and now that data has been released to the public. The Impact Team hackers have now shed a very personal light on cheating spouses around the globe–but the potential overall ramifications are significantly more jarring than the awkward conversations that some members are probably going to have with their spouses tonight.

Massive data hacks are nothing new–the Sony and Target hacks warranted significant news coverage for weeks, and the Office of Personnel Management hack earlier this summer compromised the data of over 20 million people. However, this Ashley Madison hack may rank among the largest yet. As Ars Technica points out:

Researchers are still poring over the unusually large dump, but already they say it includes user names, first and last names, and hashed passwords for 33 million accounts, partial credit card data, street names, and phone numbers for huge numbers of users, records documenting 9.6 million transactions, and 36 million e-mail addresses.

The hackers targeted Ashley Madison in particular for a few reasons, but one of the biggest sticking points appeared to be that they didn’t agree with Ashley Madison’s business practices when it came to handling data. Specifically, they took issue with the fact that Ashley Madison charged users to delete their data, and then didn’t. Impact Team further explained about its hacking motives:

Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data. Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95 percent of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.

What is particularly concerning about this hack, however, is what it signals about any site where personal information is provided. This isn’t just about stealing individuals’ social security and credit card numbers, like so many hacks in the past. This involves private information, and while it’s easy to justify that this private information has been breached because the people who provided it did so willingly in the hopes of engaging in an affair, it’s not that simple.

Online privacy is something we’ve all taken for granted for so long–we probably shouldn’t have, but that ship has completely sailed. Things like our private communications, our medical records, and sometimes yes, our dating or sexual preferences, can be found online. It’s easy to ignore the Ashley Madison hack because it was aimed at people that are in a very moral gray area, but it can just as easily happen, and may happen, when it comes to other personal information. The Impact Team did show the power of hacking. Despite the nature of the hack, it’s time that we realize its seriousness when it comes to our expectations of online privacy.

Anneliese Mahoney

Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

The post Ashley Madison Hack: The Future of Online Privacy Doesn’t Look Good appeared first on Law Street.

How would you feel if someone took control of your car while you were driving it? Well that’s exactly what happened to Wired’s Andy Greenberg when he let two hackers remotely take control of his car while he was driving it. While the experiment was obviously done in good faith, the ordeal sheds some light on the remote capabilities of hackers to mess with vehicles as driving software continues to improve.

Hackers Chris Valasek of IOActive and Charlie Miller, a former NSA staffer, accessed Greenberg’s Jeep’s computer brain through its Uconnect infotainment system. There are issues in the Uconnect software system that powers the connected infotainment and other internet-powered systems in Fiat-Chrysler automobiles. Because of this, they were able to create an attack that could connect to the system and use a chip powering the in-vehicle entertainment to rewrite the firmware. From there, their exploit code sent commands across the car. They were able to do all this simply by using a MacBook connected to a cell phone.

To test their hacking skills, Greenberg drove the Jeep Cherokee down the expressway, gearing up to about 70 mph. Once the hackers were able to take control of the car, they began to test some of its features. This included playing with the car’s air conditioning, blasting loud music, and even killing the transmission and brakes. Despite being in on the “test,” Greenberg was freaked out when the vehicle began to drive itself even though he was still behind the wheel and on the expressway. He was able to gain control of the car again, only after he turned the car off and back on. Once he exited the expressway and tried to park the car in a parking lot, his brakes were hacked as he parked directly in front of a ditch, and was forced into it.

Even more notably, once the hackers were able to access Uconnect, they were also able to scan for other vulnerable vehicles. After repeated scans, they believe as many as 471,000 vehicles are carrying the same vulnerabilities that would allow them to get hacked. They have only actually tested their hacking skills on this Jeep Cherokee, but they believe any Chrysler vehicle with Uconnect manufactured in late 2013, all of 2014, or early 2015 is affected.

As crazy as this sounds, Miller and Valasek aren’t the first to hack a car over the internet. In 2011 a team of researchers from the University of Washington and the University of California at San Diego showed that they could wirelessly disable the locks and brakes on a sedan. 

Regardless of how funny the act may have been in this context, Miller and Valasek’s demonstration should alert drivers to the potential danger they could be facing if their car was hacked while they were driving a vehicle.  The entire automotive industry has been repeatedly criticized for various systems’ lack of security over the last year. Former National Security Agent, Charlie Miller says,

If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone.

Other researchers have demonstrated attacks on vehicles from afar, while highlighting vulnerabilities in widely-used insurance dongles. At a recent Senate Commerce Committee hearing on The Internet of Things, senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) announced legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy.

So what does this say about the types of vehicles we drive and their vulnerabilities that provide hackers access? Even though it was just a demonstration, Greenberg was clearly extremely uncomfortable not being in control of his car. In 2011, the team of researchers from the University of Washington and the University of California San Diego took a more discreet approach in their research, keeping the identity of the hacked cars a secret and only sharing the details with the carmakers. Now, carmakers who failed to take heed of polite warnings in 2011 have been exposed for their vehicles’ security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. While it is fortunate all cars are not subject to these vulnerabilities, it is clear that car manufactures must finally address the potential dangers of car hacking.

Angel Idowu

Angel Idowu is a member of the Beloit College Class of 2016 and was a Law Street Media Fellow for the Summer of 2015. Contact Angel at staff@LawStreetMedia.com.

The post Car Hacking: Funny or Dangerous? appeared first on Law Street.

For people choosing to travel via air, security on the plane is of the utmost importance. That is why news of a security researcher claiming he was able hack into the computer systems of several airplanes while aboard is really scaring some air travelers, and setting law enforcement on edge.

#CyberSecurity Researcher Hacks and Controls Plane – Hero or Villain? http://t.co/4eKMmkJAdb pic.twitter.com/K32kB5g0I4

— vpnforus (@vpnforus) May 18, 2015

Wired magazine reported that Chris Roberts, a security researcher with One World Labs, first told the FBI in February that he was able to hack the in-flight entertainment system (IFE) and control parts of the plane while aboard various airlines. Roberts claims that he conducted the research in order to expose the potential vulnerabilities in in-flight software. In an FBI search warrant application for Robert’s digital devices and data FBI Special Agent Mark Hurley details Roberts’ previous hacking attempts, writing:

He [Roberts] stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.

The search warrant was filed after Roberts was removed from a United Airlines flight from Denver  after sending out a tweet while aboard, joking about hacking the plane and setting off the emergency oxygen masks.

According to CNN, FBI agents tracked down his plane after being informed of the tweet and “found signs of tampering and damage to electronic control boxes that connect to in-flight entertainment systems.” The boxes tampered with just so happened to be under where Roberts was sitting and the seat in front of him. Despite this, Roberts insists he did not hack that particular flight.

At the time FBI agents also seized two laptop computers and several hard drives and USB sticks from Roberts without a search warrant, telling Roberts that a warrant was pending. It’s the information in that newly obtained warrant that is cause for concern.

In the warrant, Roberts is quoted as telling the FBI that he accessed the in-flight networks more than a dozen times between 2011 and 2014 and had briefly commandeered a plane during one of those flights. This contradicts an interview he had previously given to Wired, where he claimed he had only explored the networks and observed data traffic.

However, some aircraft experts seriously doubt Roberts was able to hack IFEs in order to commandeer a plane. Business Insider reports that industry expert Peter Lemme told “Runway Girl Network” blogger Mary Kirby that  “the IFE ARINC 429 interfaces are not capable of changing automatic flight control modes” and “the claim that the Thrust Management System mode was changed without a command from the pilot through the mode control panel, or while coupled to the Flight Management System is inconceivable.” Boeing has issued statements saying that its entertainment systems are isolated from flight and navigation systems. CNN writes,

It is worth noting that Boeing airplanes have more than one navigational system available to pilots. No changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.

If Roberts is not exaggerating his hacking claims, these IFEs do pose a very plausible threat to aircraft security that needs to be addressed. So far no charges have been filed against Roberts, but he could end up in some serious trouble for conducting these unauthorized tests. If he did hack those planes with passengers aboard, and in one instance even tilt the plane, he was irresponsibly putting numerous lives at stake.

Alexis Evans

Alexis Evans is an Assistant Editor at Law Street and a Buckeye State native. She has a Bachelor’s Degree in Journalism and a minor in Business from Ohio University. Contact Alexis at aevans@LawStreetMedia.com.

The post Security Researcher Sparks Fear With This Plane Security Hack appeared first on Law Street.

Following the recent fiasco at Sony, hacking has been catapulted squarely into the spotlight. But hackers are doing more than just delaying movie premieres–they are causing serious damage and have the capability to cause much more. Before we get too scared of these anonymous boogeymen, however, it is important to understand what hacking is and who the hackers are.

What are hackers and what do they do?

So, first of all, what is a hacker? While the answer to that question is very complicated, for clarity’s sake a succinct and clear explanation of a computer hacker and computer hacking is this:

Computer hackers are unauthorized users who break into computer systems in order to steal, change or destroy information, often by installing dangerous malware without your knowledge or consent.

This definition is of course limited, as hacking is not relegated solely to computers and is not always a negative thing. Below is a video that offers a fuller picture.

While not all hacking is negative, much of it is, and it is important to understand specifically what the intentions of many hackers are and how they operate. Hackers often lure their unsuspecting victims with bogus scams sent through emails or websites. Some hackers also prefer the approach of directly attacking a computer if it does not have the requisite protection in place, such as a firewall; however, while hacking may appear as simple as pressing a button in a movie, it is more complicated than that. More specifically, what a hacker does is infect another person’s computer with malicious software or malware. Once the unsuspecting user has activated the malware, either by clicking on a link or opening an email, his computer can then become infected with a virus. If a computer does become infected the hacker essentially has unlimited access to the operating system. This then enables him to have virtual control over the user’s computer and internet activity. Normally the hacker will try to maintain a low enough profile so the user is not alerted; in the meantime he will attempt to obtain sensitive information. Whatever way hackers choose to attack, they often try to steal things like passwords, account numbers, and means of identification such as a social security number.

The purpose behind all of this is nefarious; stealing an individual’s money, abusing their credit, or even turning a profit by selling the acquired information to a third party is often the end goal. Two prime examples of this are the major hack of Target’s credit card system in 2013 and the similar hack of EBay this year. Nonetheless, while hackers seem to have similar motives, the group is in fact quite heterogeneous and can vary from countries to individuals.

State Actors

The first type includes hackers utilized by a country’s government or military. In this way, hackers are used like other weapons such as tanks or missiles. In this regard, perhaps no country employs hackers and hacking more than China. According to a 2013 article from Bloomberg, China accounted for 41 percent of hacking assaults in 2012–four times that of the second place country on the list. While there’s no way to say definitively whether those hacks came from the Chinese government, the idea comes as no surprise to those familiar with the United States’ claims that China has long hacked American corporations in order to steal trade secrets and then passed them along to Chinese companies. For example, there were hacking accusations against China earlier this year by American corporate icons such as U.S. Steel and Alcoa.

However, the United States is far from an unwitting victim of these attacks. In fact the number two country from the same list of top hacking nations was the United States. In 2012, for example, ten percent of hacking attacks originated from within the United States. In addition, the United States military has increased the portion of its budget focused on cyber warfare. In 2015, the U.S. Cyber Command plans to spend $5.1 billion on cyber combat. The video below explains the threat of cyber warfare.

There is already evidence of suspected U.S. cyber warfare at work. Aside from unpublicized U.S. attacks against the Taliban in Afghanistan, there’s the more notable example of the Stuxnet virus that infected the Iranian nuclear infrastructure and severely damaged its nuclear program. There is also the recent shutdown of North Korean internet access that many suspect was American retaliation for the suspected North Korean hack of Sony.

Along with the United States and China, other countries where hacking is a major weapon include Taiwan, Turkey, and Russia.

Non-State Actors

Indeed non-state actor hackers may pose an even bigger threat to global systems than government operations. One reason why is while government operations are generally strictly military or defensive in nature, non-state operations run the gamut.

Patriotic Hacking

One example is something known as patriotic hacking. In essence, these groups are self-appointed to represent a particular country and will respond in kind to any perceived slight against the nation they represent. One such group formed in China in response to the accidental bombing of a Chinese embassy in Belgrade by the United States during the war in Kosovo. Similar groups have also formed in many countries such as Israel, India, Pakistan, and the United States.

An example of a patriotic hacker–or “red hacker” as they are known in China–is Wan Tao. Wan Tao hacked everything from the U.S. government to Japanese political email accounts. While it is believed they he was never explicitly ordered to do so, the hacker’s targeted attacks fell in line with Chinese Governmental actions. As if to emphasize the underlying nationalism in his attacks, Wan Tao even had a name for his group, the China Eagles.

Hacktivists

Another type of non-state hacking group is known as hacktivists, which are people who use both legal and illegal means to achieve some political goal. Perhaps the best example is the group known collectively as Anonymous. Known for dawning the Guy Fawkes mask, Anonymous has been involved in hacking cases related to social issues ranging from the Occupy Wall Street movement to the shooting death of Michael Brown that set off the protests in Ferguson, Missouri. A more expansive definition of hacktivism is provided in the video below.

Other Non-State Actors

There are countless other non-state hacking groups at play today. One example is the massive hack of JP Morgan Chase in October 2014. In this case, the personal information of 83 million bank customers was stolen.  While Chase was quick to deny any information such as account numbers was taken, experts in the field remain more skeptical.  Regardless of what exactly was stolen, the culprits were again believed to be Russian hackers who stole personal information with the intent to sell it or profit off of it through other means such as fraud. There is also the persistent fear of terrorist hackers, although little has yet to come of this.

Putting Up a Firewall

While governments and individuals swarm to the attack there are also efforts to fight back against hackers, and like hackers and hacking these efforts take many forms. At the highest level are government efforts like those of the United States government. Specifically, as touched upon earlier, the United States has created a cyber command capable of launching retaliatory strikes against its enemies through cyber space if the U.S. were attacked. In essence then the United States is creating a deterrent through cyber space much like it already has through both conventional and nuclear means.

There are also altruistic attempts such as the ones being undertaken by organizations like I Am the Cavalry, which allows researchers to share their findings and help improve the security of four major sectors: medical devices, automobiles, home services, and public infrastructure.

In addition, there are more classical capitalist efforts employed by corporations. Several major corporations such as Apple, Facebook, Google, and Microsoft are actively courting hackers, often holding competitions with prizes like lucrative job offers. The goal of this approach is to pick up where traditional IT efforts leave off. Traditional efforts are geared at creating defensive measures so hackers cannot break into a system; however, this new approach utilizes hackers themselves specifically because they have the opposite mindset and are looking for the vulnerabilities to attack. By harnessing hackers’ aggressive skill sets and playing off their competitive mentalities these companies and many more are, in essence, using hackers to prevent hacking.

Conclusion

As the world becomes more digital and connected the threat of hacking will increase. In the future everything from cars to even toasters can and will be vulnerable to hacking and misuse. Furthermore, this threat will not necessarily come from other countries, but also non-state actors and even individuals. The motivations and allegiances of these people and groups vary widely and make the problem infinitely more complex.

Nonetheless, while efforts to prevent hacking can seem hopeless, like trying to keep a ship with a million leaks afloat, all is not lost. Indeed there are already efforts underway to fight back, which vary as much as those of the hackers themselves. As history has shown, no ship is unsinkable. Thus hacking is always likely to be a problem and an increasingly dangerous one; however, it can also offer an avenue for improvement and a channel to voice social concerns. While hacking may be the next great threat, like previous scourges it may also present unique opportunities for change and improvement for society as a whole.

Resources

Primary

Center for A New American Security: Non-State Actors and Cyber Conflict

Additional

Bloomberg: Top Ten Hacking Countries

CNN World: North Korea Denies Sony hack

Forbes: The Top 5 Most Brutal Cyber Attacks of 2014

Time: Here’s What Chinese Hackers Actually Stole From U.S. Companies

Time: China’s Red Hackers

WebRoot: Computer Hackers and Predators

Bloomberg Business Week: Target Missed Alarms

Washington Times: Cyber Command Investment Ensures Hackers Targeting US Face Retribution

The New York Times: North Korea Loses its LInk to the Internet

New York Post : Hackers Steal 83 Million Chase Customers’ Info

Mashable: Hacktivism

International Business Times: What is Anonymous?

CDR Global Inc: Hacking for Good

Guardian: There are real and present dangers around the internet of things

I Am the Cavalry: Homepage

Michael Sliwinski

Michael Sliwinski (@MoneyMike4289) is a 2011 graduate of Ohio University in Athens with a Bachelor’s in History, as well as a 2014 graduate of the University of Georgia with a Master’s in International Policy. In his free time he enjoys writing, reading, and outdoor activites, particularly basketball. Contact Michael at staff@LawStreetMedia.com.

The post Hacking: The New Kind of Warfare appeared first on Law Street.

A major hacking scandal at the entertainment company Sony has escalated quickly over the last few weeks. It started with leaked information, and has now led to full on terror threats against theaters that show the movie The Interview, a comedy that centers around the premise of killing North Korean leader Kim Jong-Un. The release has since been cancelled. The hacker group responsible called themselves “Guardians of the Peace.” This morning, the FBI put out a statement that included the following:

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions.

Just before 2:00 PM today, President Barack Obama held a news conference to address the Sony issue, among other things. It is his final press conference of 2014.

The first question of the day was, as expected, about the Sony hack.

A Politico reporter asked whether or not Sony made the best choice pulling The Interview. Obama was clear: he thinks that Sony made a mistake. He talked about the need to be able to resist cyber attacks, saying “we’re not even close to where we need to be.” He also emphasized the need for strong cyber security laws that would serve to protect both the public and private sectors. He then made an excellent argument for why Sony’s decision was wrong, saying:

We cannot have a society in which some dictator someplace can start imposing censorship in the United States. Because if someone is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary they don’t like, or news reports they don’t like. Or even worse, imagine if producers and distributors and others start engaging in self censorship because they don’t want to offend the sensibilities of someone whose sensibilities need to be affected. That’s not who we are. That’s not what America’s about.

He continued to emphasize the need to stand against terrorist demands, because of the slippery slope to which it could lead, specifically referencing North Korea in this case–not a surprising move given that the FBI had already done so. He said there would be a response, but he wasn’t going to go into detail today, emphasizing the need for international cooperation on the issue of cyber security. Later, in response to another question, he pointed out that despite the international aspect, there’s no evidence to indicate that North Korea was working with any other country.

It’s been a long few weeks for Sony, and the idea that a foreign government could use cyber-terrorism to intimidate an American company is concerning. But President Obama was right–negotiating and giving in to terrorists may be even more dangerous down the road. While his plan about how to respond to North Korea was, completely understandably, very vague, I have a feeling the White House may need to take tough actions here to mitigate Sony’s caving to the cyberterrorists’ demands.

Anneliese Mahoney

Anneliese Mahoney is Managing Editor at Law Street and a Connecticut transplant to Washington D.C. She has a Bachelor’s degree in International Affairs from the George Washington University, and a passion for law, politics, and social issues. Contact Anneliese at amahoney@LawStreetMedia.com.

The post President Obama: Sony Made a Mistake Pulling “The Interview” appeared first on Law Street.