Hacking satellites & skateboards | Forget China | Black Hat continues




Obama's China syndrome

The New York Times reported earlier this week that President Obama seems dead set on retaliating against China over the Office of Personnel Management breach – the worst in US history. CIA chief James Clapper called Beijing the "leading suspect," but so far the administration hasn't shown any proof. Even if China is to blame, the way to fix the administration's cybersecurity problem – and prevent future data heists that rival the OPM breach – isn't to retaliate against a foreign government.

We are living in a world in which this kind of digital espionage is the new normal. It's the kind of thing that the National Security Agency wishes it could do against China. That is, if the intelligence agency isn't already doing it.

Deterrence is possible. But it doesn't come from force or trying to instill fear. It comes from enabling security protocols that make valuable data so hard to steal that the effort isn't worth the reward. The goal of deterrence isn't to keep bad guys out of a network; it's to make it next to impossible for them to acquire the assets they're targeting. Technically, that's already possible. // Jeffrey Carr



Hackable satellite signals may be impossible to patch

Security researcher Colby Moore plans to demonstrate this week at the Black Hat security conference how to intercept and even fake location-tracking satellite signals. The vulnerability could give thieves new ways to steal valuable cargo. // Joe Uchill

Become a 2015 National Cyber Security Awareness Month Champion!

October 2015 will mark the 12th year of National Cyber Security Awareness Month (NCSAM). Show your commitment to promoting a safer, more secure and more trusted Internet by registering as a NCSAM Champion! Being a champion is a way to officially support NCSAM; it’s easy to sign up and does not require any financial support.

NCSAM Champions include companies, education institutions, nonprofits, government organizations and individuals. To become a NCSAM Champion, all you need to do is complete the simple registration form and pledge to take action in your community. 

Other great moments in the history of disclosure

Duo Security has a comprehensive History of the Disclosure timeline that outlines vulnerability disclosures dating back to locksmiths in 1865. It outlines many of the debates surrounding research and disclosure, including whether there should be an open market for vulnerabilities, whether vulnerabilities should be released to the public beyond releasing patches, and what the government's involvement should be in subsidizing bug research.

But, on the Internet, no list is ever complete. Here are a few major events in vulnerability disclosure that didn't make the security firm's list:

Oct. 10, 1995: Netscape announces the first "Bugs Bounty" program, paying researchers to submit fixable security flaws back to the company. That incentive for security researchers is now usually phrased in the singular – "bug bounty" – but has blossomed into one of the front-line defenses against bugs.

2012 to 2014: Commercial platforms arise to help publicize and run bounty programs. Notable companies Bugcrowd and HackerOne were founded in 2012 and 2014, respectively.

Feb. 13, 2015: Google announces it will no longer stringently abide by its former policy of waiting 90 days before publicly releasing vulnerabilities it discovers in other companies' products. Researchers often threaten to publish, and eventually do publish, vulnerabilities when companies refuse to take them seriously. In January, experts were concerned when Google released a Windows vulnerability two days before Microsoft was set to release a patch. The greater issue – how, when, and if deadlines should be enacted – is still up in the air. // Joe Uchill

Mass surveillance system known as ECHELON confirmed

Since the National Security Agency's ECHELON system was first reported on 27 years ago, the spy agency has never confirmed the earliest-known automated mass surveillance program. Newly released documents from Edward Snowden's NSA data dump say (literally), "Yes, there is an ECHELON system." // The Intercept

The original reporter, Duncan Campbell, recounts the long road between reporting the story and someone producing a document that seems to confirm it. // The Intercept

And, on his personal website, Mr. Campbell gives a technical synopsis of the system, designed to intercept signals from global communications satellites. // Duncan Campbell

Wherein a story's happy ending is '... no one had to go to New Jersey'

Tech culture blog Boing Boing has long been host to a Tor exit node – a proxy through which users of the anonymizing Tor browser reach the open Web. While the users are never identifiable, the exit nodes are. This can lead to a host of complications when illegal activity is traced to the exit node instead of the user. Boing Boing was subpoenaed by a New Jersey grand jury in just such an instance, but had no trouble convincing the FBI it had no part in the traffic it facilitated. // Boing Boing

Hackers to announce method of hacking electric skateboards at DEF CON 

It's sort of too bad this came out during the same conference season as the Jeep Cherokee hack. But this, too, is a vehicle that riders would prefer not to crash. // Wired

Former Rep. Mike Rogers (R) of Michigan argues for encryption back doors

"This is not the first time in America's history that private industry has been asked by society through law enforcement to strike the proper balance between profit and public interest." // CNN

Meanwhile, University of California at Berkeley Prof. Nicholas Weaver says iPhone's iMessage generates enough metadata that law enforcement might be able to glean a lot, even without decrypting the message. // Lawfare

Security firm RSA uncovers VPN system used by Chinese hackers

Virtual Private Networks (VPNs) are used to mask the IP addresses from which Internet traffic originates. The "Terracotta" network, which is used by several commercial VPN providers, is popular among major hacker groups such as the vaunted "Deep Panda," a group the security firms say was responsible for the Anthem data breach. Terracotta also tends to use hijacked computers from poorly guarded business networks (including US ones) rather than its own infrastructure. // Threatpost

This post appeared on linkedin.