UNM4SK3D: CIA, Headphones, and Consumer Reports

Join Cybrary

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATION
Already a Member Login Here

< Back to Blog Posts

UNM4SK3D: CIA, Headphones, and Consumer Reports

Published: March 10, 2017 | By: Olivia | Views: 2467
save

cyber_security_news

#wikileaks

True or false? That’s the question being asked by millions of Americans after Wikileaks released a series of 8,761 documents titled ‘Vault 7,’ which detail the CIA’s cyber spying techniques and capabilities. Big news. Some people are questioning the validity, others are questioning their personal privacy. 

The documents, which are being called ‘Zero Year’ by Wikileaks, are apparently the first of many they plan to release. This is especially significant because the documents contain details of the CIA’s global hacking program, its malware, and zero-day exploits for a number of devices. Two of the most important documents show the CIA’s iOS and Android exploits, complete with clever code names like ‘Winterspy’ and ‘Elderpiggy.’  Looks like those agents are a fan of Game of Thrones and the Muppets. But cell phones aren’t the only devices mentioned in Vault 7. According to Wikileaks, the vulnerabilities they exploit cover everything from web browsers to smart TVs, which can be turned into ‘spying devices.’

You may be having Edward Snowden deja vu, and we are too. The former NSA contractor recently tweeted that the documents ‘look authentic,’ although the CIA has neither denied nor confirmed whether the documents are real. On the one hand, much of what was described in the documents was aimed at older devices that have known security flaws, with the documents dated between 2013 and 2016. Nor did any of them appear to be classified above the level of “secret/noforn,” which is a relatively low-level of classification. On the other hand, security experts warn the leak is ‘a big deal’ because it assists other countries that were trying to catch up to the United States, Russia, China and Israel in electronic spying.

“Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete.” And while Wikileaks is being mysterious for the time being, who knows when or if further information could be leaked. For now, all they’re saying is that the documents came from an “isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virgina.” This could mean intelligence agencies need to reassess the practice of sharing secrets widely inside their walls.

This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA -Wikileaks

Take a closer look at the can of worms opened by Snowden. Read: ‘Encryption Software and Combating Cyber Crime.’

#vulnerability

Your smart TV and even some of your children’s toys can record you. Now, your headphones can too. This attack vector is utilized in different forms across different devices. The most recently patched headphone vulnerability noted in the March 2017 Android Security Bulletin from Google focuses specifically on a critical vulnerability in Nexus 9.  

If you’re a Nexus 9 owner, you can breathe a sigh of relief. But prior to the patch, researchers were able to exploit the vulnerability to leak stack canaries, derandomize ASLR, conduct a factory reset, and even access HBOOT, allowing for communication with internal System-on-Chips (SoCs). For those of you who are less technical, just know that none of that is good news.

Feeling betrayed by your headphones? Unfortunately, this isn’t the first time they’ve been used as spying devices. In November 2016, a group of Israeli security researchers at Ben Gurion University created a proof-of-concept code that converts typical headphones into microphones and then uses them to record all your conversations in the room. Dubbed “Speake(a)r,” the malicious code is able to hijack a computer to record audio even when its’ microphone is disabled or completely disconnected from the computer. It works by utilizing the existing headphones to capture vibrations in the air, converting them to electromagnetic signals, altering the internal functions of audio jacks, and then flips input jacks (used by microphones) to output jacks (used for speakers and headphones). This allows a hacker to record audio, though at a lower quality, from devices with disabled or no microphone. Maybe it’s time to break out the antique record player.

The Speake(a)r attack works on practically any computer running Windows or MacOS, and most laptops, as well, leaving most computers vulnerable to such attacks -Mordechai Guri, Ben Gurion University lead security researcher

If you’re an Android user looking to protect your privacy, read: ‘Top 10 Android Tools for Security Auditing and Hacking.’

#privacy

If you thought product reviews were only for middle-aged women with shopping addictions, think again. Consumer publication Consumer Reports will soon begin considering cyber security and privacy safeguards when scoring products.

The group, which issues scores that rank the products it reviews, said they collaborated with several outside organizations to develop methods for studying how easily a product can be hacked and how well customer data is secured. You may not be aware, but the products they review include items such as smart TVs, routers, security cameras, thermostats, and software products such as apps and web browsers, so the feedback is actually useful. “We think it’s unfair and unrealistic to expect consumers to constantly play defense when the products and services they use aren’t engineered with basic privacy and security protections built in… That’s why we’re now launching the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy—and we hope the industry will use that standard when building and designing digital products.”

The hope is that the standard will ultimately be used to help Consumer Reports develop specific and repeatable testing procedures. Then, this information will be utilized to better evaluate products and give consumers the ability to compare products against each other on the basis of factors like privacy protection. Among the criteria this standard will look at are whether consumers are required to choose unique usernames and passwords during setup, if companies delete consumer data from their servers upon request, and if companies are transparent about how personal consumer information is shared with other companies.

65% of people said in the Consumer Voices survey that they were either slightly or not at all confident that manufacturers were looking after their personal data properly -Consumer Reports

Tenable surveyed 700 security practitioners from nine different countries across seven industry verticals. The report assesses the overall confidence levels of information security professionals in detecting and mitigating organizational cyber risk. Read: ‘Global Cybersecurity Confidence Declines.’

#factbyte

The Keeper Security study found that 46% of people aged 45+ do not password-protect their phones with a secure lock screen, compared to 26% of those aged 44 and under who do not.

#certspotlight

Data is the cornerstone of our lives. Security Architects protect that data by setting up countermeasures against unauthorized attempts at gaining entry to protected data. They are responsible for establishing and maintaining an organization’s network and computer security infrastructure.

Security Architecture is a framework for applying a comprehensive method of describing the current and future structure for an organization’s security processes so that they align with the company’s overall strategic direction. In turn, this should provide optimization that addresses security architecture and performance management. The Security Architecture Fundamentals Micro Certification focuses on the core concepts across multiple network disciplines, including operating systems, risk assessment, and perimeter security measures.

olivia2

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

< Back to Blog Posts
Enjoy this blog post? Want more Cybytes?
Invite a Friend
and share now
Facebook Twitter Google+ LinkedIn Email
Join Cybrary
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel