I Mentored Mark Zuckerberg. I Loved Facebook. But I Can’t Stay Silent About What’s Happening.

In the world of growth hacking, users are a metric, not people. Every action a user took gave Facebook a better understanding of that user–and of that user’s friends–enabling the company to make tiny “improvements” in the user experience every day, which is to say it got better at manipulating the attention of users. Any advertiser could buy access to that attention. The Russians took full advantage.

Source: I Mentored Mark Zuckerberg. I Loved Facebook. But I Can’t Stay Silent About What’s Happening.

F-35’s Hacking Vulnerability | Could the F-35 Be Hacked?

Every F-35 squadron, no matter the country, has a 13-server ALIS package that is connected to the worldwide ALIS network. Individual jets send logistical data back to their nation’s Central Point of Entry, which then passes it on to Lockheed’s central server hub in Fort Worth, Texas. In fact, ALIS sends back so much data that some countries are worried it could give away too much information about their F-35 operations.

Source: F-35’s Hacking Vulnerability | Could the F-35 Be Hacked?

Hackers could conceivably introduce bad data in the JRE that could compromise the safety of a mission, shortening the range of a weapon system so that a pilot thinks she is safely outside the engagement zone when she is most certainly not.

These vulnerabilities are very likely a known and detectable exploit vector. Any military aircraft should be able to perform its mission while disconnected from any network, with the possible exception of drones.

Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware

Tractor hacking is growing increasingly popular because John Deere and other manufacturers have made it impossible to perform “unauthorized” repair on farm equipment, which farmers see as an attack on their sovereignty and quite possibly an existential threat to their livelihood if their tractor breaks at an inopportune time.

Source: Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware – Motherboard

A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for “crop loss, lost profits, loss of goodwill, loss of use of equipment … arising from the performance or non-performance of any aspect of the software.”

How IoT hackers turned a university’s network against itself

“While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.”

“The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there’s going to be so many of these things used by people with very limited understanding of what they are,” says Dine.

Source: How IoT hackers turned a university’s network against itself | ZDNet

IoT devices should sit on their own isolated network segment, with a firewall between that segment and the rest of the LAN. This is not difficult to do.

The History of SQL Injection, the Hack That Will Never Go Away

“When you go to a webpage, and you make a request, that parses part of the data in the request back to a server,” Hunt said. “For example, you read a news article, and the news article, in the address bar it has, “id=1”, and that gives you news article number 1, and then you get another one with ID 2.”

But, “with a SQLi attack, an attacker changes that ID in the address bar to something that forces the database to do something it’s not meant to do,” Hunt said, such as returning a piece of private data.

Source: The History of SQL Injection, the Hack That Will Never Go Away | Motherboard

Another commonly used piece of software is sqlmap. “It crawls the pages on the website, similar to how a search engine crawler might, looks for input forms on the website, and submits the forms with inputs that might cause a MySQL syntax error,” Al-Bassam added.
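The “id=1” lookup Hunt describes, the way an attacker bends it, and the kind of syntax-error probe sqlmap automates, as an added example. This is not code from the Motherboard article or from sqlmap; it uses Python’s built-in sqlite3 module rather than MySQL, and the tables, rows and inputs are constructed for illustration.

```python
"""SQL injection on an 'id=1' article lookup, and the parameterised fix.

Added example using Python's built-in sqlite3 module (not MySQL, and not
code from the Motherboard article or from sqlmap). The tables, rows and
inputs below are constructed for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: a public articles table and a private users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO articles VALUES (1, 'Article one'), (2, 'Article two');
        INSERT INTO users VALUES (1, 'alice@example.com', 'sha256$deadbeef');
        """
    )
    return conn


def fetch_article_vulnerable(conn: sqlite3.Connection, article_id: str):
    """The lookup behind '?id=1' as many sites wrote it: the URL parameter is
    pasted into the SQL text, so whatever the client sends becomes SQL."""
    query = f"SELECT id, title FROM articles WHERE id = {article_id}"
    return conn.execute(query).fetchall()


def fetch_article_safe(conn: sqlite3.Connection, article_id: str):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    if not article_id.isdigit():  # reject anything that is not a plain id
        return []
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (int(article_id),)
    ).fetchall()


def probe_for_syntax_error(conn: sqlite3.Connection, article_id: str) -> bool:
    """The kind of test a scanner such as sqlmap automates: send an input that
    breaks the SQL grammar and see whether the server errors. A stray quote
    producing a database error is a strong sign the parameter is injectable."""
    try:
        fetch_article_vulnerable(conn, article_id)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    # Normal use: one article.
    print(fetch_article_vulnerable(db, "1"))
    # Tautology: the WHERE clause is always true, so every article comes back.
    print(fetch_article_vulnerable(db, "1 OR 1=1"))
    # UNION: rows from the private users table ride along with the article.
    print(fetch_article_vulnerable(
        db, "1 UNION SELECT id, email || ':' || password_hash FROM users"))
    # Scanner-style probe: a single quote makes the concatenated query fail to parse.
    print(probe_for_syntax_error(db, "1'"))
    # The parameterised version returns only the article, or nothing at all.
    print(fetch_article_safe(db, "1"), fetch_article_safe(db, "1 OR 1=1"))
```

The UNION payload is why “returning a piece of private data” is the usual outcome: the attacker only needs to match the column count of the original SELECT. The safe version does two things, and both matter: the bound parameter stops the value from ever being parsed as SQL, and the type check in front of it stops a scanner from even getting an error message to work with.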

Online Cheating Site AshleyMadison Hacked

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

Source: Online Cheating Site AshleyMadison Hacked — Krebs on Security

Chinese hack compromised security-clearance database

Last week, the OPM announced that a database containing the personal information of about 4 million current and former federal employees was hacked. Privately, U.S. officials said the Chinese government was behind the breach. The administration has not publicly pointed a finger at Beijing.

Source: Chinese hack compromised security-clearance database – The Washington Post

I’m surprised the Washington Post continues with this Chinese narrative as there has been no official condemnation of China over this and determining the true source of an intrusion is extremely difficult if not impossible in many cases. They still haven’t caught the culprits in the Target and Home Depot data breaches. The list of suspects with motive to obtain this kind of data is probably quite long so it’s irresponsible to assume a guilty party before any evidence has been leaked. No doubt consultants are working furiously tracing log records but at least wait until there is something concrete. The Washington Post is an institution with top notch journalists so they should know better.

And here’s the blurb that made me laugh.

Offensive actions might include directing a U.S. agency to locate the servers holding the stolen data and deleting or altering the data, the former official said.

Haha. Like whoever did this wouldn’t have backups 6 ways to Sunday of every bit gathered. There’s no way to delete anything digital once it’s out in the ether. Why would anyone publish a statement like that? The only thing an offensive cyber attack can accomplish is making the US government behave like the criminals who they denounce.

DEF CON SOHOpelessly Broken Router Hacking Contest

Young said the routers largely lacked any form of authentication happening on the server; instead the routers were doing password authentication in the browser. Compromising password hashes wasn’t much of a barrier for the contestants, and for hackers in the wild as well.

Source: DEF CON SOHOpelessly Broken Router Hacking Contest | Threatpost | The first stop for security news

Young said he would download the firmware from the respective vendor, extract it using tools such as Firmware Mod Kit to explore its design and eventually learn which files house administrative passwords and how the web server logic works with the router. Some models such as Netgear, TrendNet and others will return the password when submitted with the proper request.

This is why the admin interface of a SOHO router should be reachable only from the LAN side, never from the WAN side. Admin changes are rare, so there is little reason to expose the interface at all. One of the most damaging things an attacker can do with admin access is change the router’s DNS setting to point at a server they control: devices on the LAN typically receive their DNS server address along with their IP address from the router via DHCP, so every name lookup, and with it the traffic that follows, can then be steered wherever the attacker wants.
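A quick check for the DNS-hijack case described above, as an added example that is not from the Threatpost article: read the lease the router handed out over DHCP and confirm the gateway and resolvers are the ones you expect. The lease text is constructed in the dhclient.leases format; the expected gateway, the expected resolver and the 198.51.100.7 “rogue” resolver (an RFC 5737 documentation address) are assumptions for this example.

```python
"""Audit the gateway and DNS servers a router handed out over DHCP.

Added example, not from the Threatpost article. It reads dhclient.leases
style text; the lease text below is constructed, and the expected gateway,
expected resolver and the 198.51.100.7 'rogue' resolver (an RFC 5737
documentation address) are assumptions for this example.
"""
import re

EXPECTED_GATEWAY = "192.168.1.1"        # assumed: the SOHO router's LAN address
EXPECTED_RESOLVERS = {"192.168.1.1"}    # assumed: hosts should resolve via the router only

# Constructed lease file: a clean lease followed by one from a router whose
# DNS setting has been changed to add an attacker-controlled server.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  option domain-name "home.lan";
  renew 2 2015/08/11 03:10:22;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 198.51.100.7;
  option domain-name "home.lan";
  renew 2 2015/08/11 15:10:22;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")


def parse_leases(text: str) -> list:
    """Return one {option-name: [values]} dict per lease block, oldest first
    (dhclient appends, so the last block is the lease currently in use)."""
    leases = []
    for block in LEASE_RE.findall(text):
        opts = {}
        for name, value in OPTION_RE.findall(block):
            opts[name] = [v.strip().strip('"') for v in value.split(",")]
        leases.append(opts)
    return leases


def audit_lease(lease: dict) -> list:
    """Findings for one lease; an empty list means nothing unexpected."""
    findings = []
    for gw in lease.get("routers", []):
        if gw != EXPECTED_GATEWAY:
            findings.append(f"unexpected default gateway {gw}")
    for dns in lease.get("domain-name-servers", []):
        if dns not in EXPECTED_RESOLVERS:
            findings.append(f"unexpected DNS server {dns}")
    return findings


def audit_current_lease(text: str) -> list:
    """Audit only the most recent lease in the file."""
    leases = parse_leases(text)
    return audit_lease(leases[-1]) if leases else ["no lease found"]


if __name__ == "__main__":
    # On a real Linux host, read /var/lib/dhcp/dhclient.leases instead of SAMPLE_LEASES.
    for finding in audit_current_lease(SAMPLE_LEASES) or ["lease looks clean"]:
        print(finding)
```

The gateway check is there for the related case of a rogue DHCP server on the LAN answering faster than the router; a changed default route is just as effective at diverting traffic as a changed resolver.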

Kicking the SOHO router seems to be a hot topic today. From: The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica

The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
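Detection logic for the behaviour just described, as an added example that is not from the Ars Technica article or from ESET: a burst of failed Telnet logins from one source, cycling through default usernames, followed by a success. The log lines and their format are constructed for this example; adapt LINE_RE to whatever your device actually logs. The list of default usernames is an assumption.

```python
"""Spot Moose-style Telnet credential brute forcing in router logs.

Added example, not from Ars Technica or ESET. The log lines and their
format ('login failed/succeeded for user ... from ...') are constructed for
this example; adapt LINE_RE to whatever your device actually logs. The set
of default usernames is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_USERS = {"admin", "root", "support", "user"}  # assumed common defaults
THRESHOLD = 5                     # this many failures from one source ...
WINDOW = timedelta(seconds=60)    # ... inside this window raises an alert

# Constructed syslog-style lines: a scanner at 203.0.113.5 (a documentation
# address) cycling default usernames until it gets in, plus one innocent
# typo from a LAN host.
SAMPLE_LOG = """\
Aug 11 03:10:01 gw telnetd[412]: login failed for user 'admin' from 203.0.113.5
Aug 11 03:10:02 gw telnetd[412]: login failed for user 'root' from 203.0.113.5
Aug 11 03:10:03 gw telnetd[412]: login failed for user 'support' from 203.0.113.5
Aug 11 03:10:04 gw telnetd[412]: login failed for user 'guest' from 203.0.113.5
Aug 11 03:10:05 gw telnetd[412]: login failed for user 'admin' from 203.0.113.5
Aug 11 03:10:06 gw telnetd[412]: login failed for user 'root' from 203.0.113.5
Aug 11 03:10:09 gw telnetd[412]: login succeeded for user 'admin' from 203.0.113.5
Aug 11 03:12:40 gw telnetd[412]: login failed for user 'bob' from 192.168.1.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse_line(line: str, year: int = 2015):
    """One log line -> event dict, or None if it is not a Telnet login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; take it as a parameter.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> dict:
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed logins within any `window`-long span."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "failed"]
        # Sliding window over the failure timestamps.
        start, burst = 0, False
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        tried = {e["user"] for e in failures}
        alerts[src] = {
            "failures": len(failures),
            "default_users_tried": sorted(tried & DEFAULT_USERS),
            # A success after the burst is the worrying case: the guessing worked.
            "success_after_failures": any(
                e["result"] == "succeeded" and e["ts"] >= failures[0]["ts"]
                for e in events
            ),
        }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(src, summary)
```

The threshold and window are deliberately loose; a worm like the one described does not throttle itself, so a handful of failures in seconds is plenty. The more useful signal for incident response is the last field: a success from the same source right after the burst means the device is no longer yours.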

US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree

A new report from the U.S. Government Accountability Office (GAO) warns that in-flight Wi-Fi, including wireless entertainment and internet-based cockpit communications, may allow hackers to gain remote access to avionics systems and compromise them. However, other experts disagree and call the report “deceiving.”

via US Report Claims In-Flight Entertainment Leaves Planes Open to Cyberattacks; Others Disagree.

From: Cyberhijacking Airplanes: Truth or Fiction? – DEFCON-22-Phil-Polstra-Cyber-hijacking-Airplanes-Truth-or-Fiction-Updated.pdf.

Closing Thoughts
● Nearly every protocol used in aviation is unsecured
● There is certainly the potential to annoy ATC and/or small aircraft
● Increasing automation while continuing with unsecured protocols is problematic
● Airliners are relatively safe (for now)

The above pdf is a good read.