Ashton Kutcher, who traveled to technology conference TED this week, has been punk’d. That’s what happens when you hang out on the same wireless network as a bunch of technology geeks — who probably don’t even need hacking-made-easy-tool Firesheep to eavesdrop on Internet sessions on unencrypted Web pages.
Kutcher’s over six million followers are now going to be aware of Twitter’s lack of security thanks to these two tweets Wednesday night:
The hacker who likely accessed Kutcher’s account through a shared wireless network at TED2011 in Long Beach, California, tweeted, “This account is not secure. Dude, where’s my SSL?” followed by “This is for those young protesters around the world who deserve not to have their Facebook Twitter accounts hacked like this.”
This security problem with Twitter got widespread attention last year, due to the release of Firesheep — a program that made hacking a fellow wireless network user’s account on non-encrypted sites easy. Pressure was put on companies like Facebook and Twitter to make their websites “https” (or encrypted) by default. Facebook has since made it an option for users to enable that feature (though it’s still not a default). Twitter also has a https option, though it’s also not the default.
Back in November 2010 during the Firesheep controversy, Twitter told me: “Protecting users and providing a safe Twitter experience is incredibly important to us. We’re actively exploring avenues for increasing user safety that would address this issue.”
We’ll see if the hacking of a high-profile user’s account makes Twitter explore those avenues more quickly.
Update (March 3): Twitter’s PR account tweeted late Wednesday night, “Users can use Twitter via HTTPS: http://t.co/q84H6K3. We’ve long been working on offering HTTPS as a user setting will share more soon.”
(To avoid @aplusk’s fate, make sure you do your tweeting at https://twitter.com/.)
(CNN) — A Navy intelligence specialist was charged Thursday in an espionage sting in which he allegedly sold documents marked “Top Secret” and “Secret” to an undercover FBI agent, according to the Navy.
The charges against Spc. 2nd Class Bryan Minkyu Martinare are for attempting to forward classified information to a person not authorized to receive such information, according to the Navy statement.
A court-martial date has not been set.
Martin is charged with four specifications of attempted espionage and 11 specifications of mishandling classified information, the Navy said.
All charges stemmed from incidents that allegedly occurred while Martin was assigned to the Expeditionary Combat Readiness Center at Joint Expeditionary Base Little Creek – Fort Story in Virginia, the Navy said.
Martin was apprehended by special agents of the Naval Criminal Investigative Service and the FBI on December 1, in Fayetteville, North Carolina, after he was suspected of attempting to sell classified information.
Martin is currently being held in Naval Brig Norfolk in Virginia.
According to an affidavit filed in U.S. District Court last December, Martin, 22, met with an FBI undercover agent posing as an intelligence officer of an unnamed foreign country three times at a motel in Fayetteville, near the Fort Bragg Army base, where he had been working since September.
The court documents alleged he was paid a total of $3,500 in cash, and he handed over documents marked “Top Secret” and “Secret” and signed receipts for two of the payments.
“Investigators have a high level of confidence that no classified information was actually delivered to any unauthorized persons,” an NCIS statement last December said.
The Navy did not release details of how Martin came to the attention of the investigators or how he allegedly made contact with the agent posing as a spy.
One of the more common predictions for 2011 among industry-watchers is that smartphone malware will become more common as smartphones grow more popular. But even feature phones are vulnerable to attacks.
Collin Mulliner and Nico Golde – students in the Security in Telecommunications department at the Technische Universitaet Berlin – have demonstrated a so-called “SMS Of Death” attack on feature phones made by LG, Motorola, India-based Micromax Nokia, Samsung and Sony Ericsson that exploits the ability of the SMS protocol to send “binaries” (small programs) to the handset.
Cellcos use this function to remotely change phone settings, but attackers can use it to send malicious messages that can shut down the phones. While the attack requires the attacker to know the type phone someone is using, they can easily send five malicious SMSs targeting the top five handset models in that market and knock large numbers of users off the network, according to Technology Review.
The availability of Web-based bulk SMS services make this kind of attack both cheap and easy, Mulliner says.
Cellcos have two options to prevent such an attack, according to the TR report: update the firmware of existing phones, or filter SMS traffic for malware, the latter of which is tough because SMS filters are designed to block spam, not binaries.
Updating phone firmware is also a tough haul, Aurélien Francillon, a researcher in the system security group at ETH Zurich, tells TR: “Most of those phones don’t have automated updates, and when they do, patches are not made available quickly.”
French car maker Renault has launched legal action for industrial espionage after it suspended three top managers who it reportedly suspected of leaking secrets about its new electric cars.
The company said it had lodged a complaint for “industrial espionage, corruption, breach of trust, theft and handling stolen goods”.
State prosecutor Jean-Claude Marin said the charges alleged that “elements concerning France’s economic secrets” had been leaked “to a foreign power”.
The French daily Le Figaro has reported that Chinese interests stood to benefit from spying on Renault’s electric car programme, on which it is staking its future. China has angrily denied any involvement.
Renault last week suspended three senior managers – Michel Balthazard, Matthieu Tenenbaum and Bertrand Rochette – over suspicions they had leaked strategic information.
The three deny involvement and were not named in the company’s judicial complaint last Thursday. Under the French judicial system prosecutors can investigate allegations without a defendant being named.
WASHINGTON—China stealthily integrated itself into America’s telecommunications market over the past several years and is taking advantage of the United States’ superior name brand to further its goals, alleges a U.S. China Economic and Security Review Commission (USCC) report this month.
China is “able to affiliate their products with the excellent reputation of U.S. brands in global markets. China’s technology industry now appears to be a de facto part of the American communications industry landscape,” states the USCC report in its introduction.
A major issue is that China aggressively bulldozes its way into every conceivable market, most importantly the technology sector, crushing its competitors with cheaper subsidized products (often filching the technology from foreign companies doing business in China), forced technology transfer, cyber attacks, corporate spying, or acquisition of foreign companies.
The Commission sent out a warning signal stating, “Investments would increase China’s leverage in the U.S. marketplace and beyond (even if indirectly through joint ventures and third parties) and could eventually provide China access to or control of vital U.S. and allied information, networks, or segments of critical supply chains.”
Espionage in High Gear
“Lurking in the cybershadows is a far more insidious and sophisticated form of computer espionage. … Such attackers represent the elite—a dark army of cyberspies targeting the heart of corporations around the world where trade secrets, proprietary data, and cutting-edge technologies lie locked away in digital fortresses,” according to an investigation on Chinese cyber attacks by The Christian Science Monitor (CSMonitor) last year.
Experts suggest that one tool of the espionage trade is cyber espionage, a highly effective tool that has been employed a number of times and was more often than not found to originate in China.
“The China threat is constant. If there’s valuable intellectual property out there, there are people in China and elsewhere who want to take it. It’s the new battlefield—low risk and low investment with high gain,” said Shawn Carpenter, forensics analyst for cybersecurity company NetWitness, in the CSMonitor article.
In 2010, Canadian cyber attack experts discovered spyware nicknamed “GhostNet.” The spyware was found to originate from Hainan Island Internet accounts, where the Chinese army intelligence is located.
The USCC report also sees China as the main culprit in stealing trade secrets via cyber attacks. “There is growing public concern over the impacts of cyber espionage incidents that appear to originate in China.”
Congressional and industrial sources said that computer attacks on companies, including Google, Yahoo, and defense contractor Northrop Grumman have increased, although these companies, outside of Google, have remained quiet about it.
“Online attacks that appear to come from China have been an ongoing problem for years, but big companies haven’t said much about this, eager to remain in the good graces of [China],” according to an article on Computerworld’s website.
According to expert opinion, these companies downplay incidents for fear of losing access to the so-called lucrative Chinese market.
