Australian Agency Calls Cops on Teenage Do-Gooder Who Reports Website Vulnerability

Plus: Target underestimates amount of information taken in data breach, DailyMotion a pawn in a malware plot, and Yahoo’s e-mail security update gets bad reviews


This Week in Cybercrime

Pessimists are fond of saying that no good deed goes unpunished. An Australian teenager who reported a security vulnerability in a government website and now faces legal trouble probably agrees. Joshua Rogers, a 16-year-old Victoria native, discovered a security hole that gave him access to a database containing the full names, addresses, home and mobile phone numbers, e-mail addresses, dates of birth, and nine of the 16 digits of the credit card numbers of about 600 000 commuters who had paid for fares via the Metlink website run by the state's Transport Department. When he stepped forward in late December to tell the site's operators about the vulnerability, he got no response. Two weeks later, Rogers told his story to The Age; when the newspaper asked the Transport Department about it, officials there reported Rogers to the police.

“It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Phil Kernick, of cyber security consultancy CQR, told The Age. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”

I guess the Transportation Department, knowing that it will face scrutiny over leaving its customers’ data so open to misappropriation, is trying to appear serious about security by taking a preemptive strike—albeit against someone who attempted to notify them of the hole instead of exploiting it.

Target's Data Breach Diagnosis Off Target

I’m shocked—shocked!—to find out that Target wildly underestimated the number of people whose personal data was stolen in a data breach that occurred between 27 November and 15 December. Target announced today that names, mailing addresses, phone numbers, and e-mail addresses of roughly 70 million people fell into the hands of cybercriminals, on top of the roughly 40 million payment card records it had acknowledged when news of the breach broke on 19 December. Much of the newly identified data was reportedly stored on a part of the company’s internal network separate from the one Target already knew had been hacked.

Few Plaudits for Yahoo's Belated Security Update

Yahoo finally made HTTPS the default setting for its e-mail service this week, years after rivals such as Google made the move. But if it was expecting handshakes and pats on the back, it has another thing coming. Security experts say that after Yahoo finished inexplicably dragging its feet, it came up with a configuration that is unlikely to keep users’ communications away from prying eyes. The “new configuration leaves a lot to be desired,” Ivan Ristic, director of application security research at security firm Qualys, told Security Watch. Ristic and other observers are scratching their heads over Yahoo’s decision not to support Perfect Forward Secrecy. With forward secrecy, each session’s keys are derived from an ephemeral Diffie-Hellman exchange whose values are discarded once the session ends, so a later compromise of the server’s long-term private key cannot be used to decrypt traffic that was recorded earlier. With plain RSA key exchange, the kind Yahoo’s servers prefer, anyone who obtains that private key can decrypt every captured session. “Without Forward Secrecy, even encrypted data is feasibly at risk from private key compromise,” Ristic warns.
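Whether a server actually delivers forward secrecy depends on which key exchange the negotiated cipher suite uses, and on the server’s preference order when both kinds are enabled. The following audit script is an added example, not code from the article or from Yahoo; the cipher-suite names are standard IANA names, and the two preference lists are constructed for illustration, not the result of scanning any real server.

```python
"""Audit a TLS server's cipher-suite preference list for forward secrecy.

Added example (not from the article): the suite names are standard IANA
names, and RSA_FIRST / FS_FIRST are constructed lists, not scan results.
"""

# Key-exchange mechanisms that use per-session ephemeral Diffie-Hellman keys.
# Sessions negotiated with these cannot be recovered later from the server's
# long-term private key alone.
FORWARD_SECRET_KX = {"ECDHE", "DHE"}

# Constructed list in the shape the article criticises: static RSA key
# exchange preferred, so the server's RSA private key decrypts every
# recorded session; an RC4 suite is still enabled as well.
RSA_FIRST = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Constructed list with ephemeral key exchange preferred and a static-RSA
# suite kept only as a last-resort fallback for old clients.
FS_FIRST = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]


def key_exchange(suite: str) -> str:
    """Return the key-exchange mechanism named in an IANA cipher-suite string.

    TLS 1.2-and-earlier names look like TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>,
    so the first token after "TLS_" is the key exchange ("RSA", "ECDHE",
    "DHE", "ECDH", "DH", "PSK", ...).  TLS 1.3 names (TLS_AES_128_GCM_SHA256)
    omit it because every TLS 1.3 handshake uses an ephemeral (EC)DHE exchange.
    """
    if not suite.startswith("TLS_"):
        raise ValueError(f"not a TLS suite name: {suite}")
    prefix, sep, _ = suite[4:].partition("_WITH_")
    if not sep:
        return "ECDHE"  # TLS 1.3 suite: key exchange is always ephemeral
    return prefix.split("_")[0]


def has_forward_secrecy(suite: str) -> bool:
    """True when the suite's key exchange is ephemeral (ECDHE or DHE)."""
    return key_exchange(suite) in FORWARD_SECRET_KX


def audit(preference_order):
    """Summarise an ordered suite list as a server would apply it.

    Against a client offering everything, the server picks its first suite,
    so "preferred_has_fs" is the figure that matters; merely having an ECDHE
    suite somewhere in the list (as RSA_FIRST does) is not enough.
    """
    return {
        "preferred": preference_order[0],
        "preferred_has_fs": has_forward_secrecy(preference_order[0]),
        "without_fs": [s for s in preference_order if not has_forward_secrecy(s)],
        "rc4_enabled": any("_RC4_" in s for s in preference_order),
    }


if __name__ == "__main__":
    for label, order in (("rsa-first", RSA_FIRST), ("fs-first", FS_FIRST)):
        print(label, audit(order))
```

The classification relies only on the suite name; whether a given server really negotiates the preferred suite also depends on the client’s offered list and on which side’s preference order wins, so a live check (for example with SSL Labs, where Ristic works) should confirm the negotiated suite rather than the configured list.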

In Other Cybercrime News

  • RSA is facing a backlash over reports that it entered into a secret contract with the U.S. National Security Agency that called for the company to make a random number generator known to be flawed (Dual_EC_DRBG) the default in its BSAFE encryption toolkit. A growing number of security experts have withdrawn talks from the upcoming RSA Conference in protest. In late December, Josh Thomas of Atredis Partners announced that he had changed his mind about delivering a talk at the conference. The very next day, Mikko Hyppönen of F-Secure posted an open letter to RSA saying he was also canceling his talk on government-sponsored malware. At least a half dozen other people expected to be in the conference’s lineup have sent their regrets.
  • Researchers from Carleton University in Ottawa have proposed a way to create a user- and machine-generated narrative, based on the user’s recent activity on a computer, which would serve as a device’s authentication mechanism instead of a password. They reason that a familiar narrative will be easy for the authorized user to remember but exceedingly difficult for an attacker to guess. “Allow the system to have a dialogue and prove that you are you and tell it things you know,” says one of the authors of the paper (“Towards Narrative Authentication; or Against Boring Authentication”).
  • Researchers have discovered vulnerabilities in industrial Ethernet switches manufactured by Siemens that could let attackers hijack Web sessions and perform unauthorized admin tasks on the switches.
  • As cars get smarter and increasingly Internet connected, privacy issues regarding the flood of data a vehicle generates have come to the fore.
  • Security firm Invincea reported this week that the video-sharing site DailyMotion, which attracts 17 million visitors a month, has been plagued by an attack that redirects users to a scareware scam. Kaspersky Lab’s Threatpost explains the threat this way: “When the user lands on the DailyMotion home page, an invisible iframe redirects to the scam which warns the user of a critical process that must be cleaned to prevent system damage. The victim is then presented with a dialog box that offers to clean the computer of the problem. If the user agrees, they’re asked to run a file which is the malicious executable.”
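The DailyMotion item describes the classic drive-by shape: a frame the visitor cannot see, injected into a trusted page, that loads content from an unrelated host. The script below is an added example, not code from the article or from Invincea, showing how a site operator might flag that pattern in served HTML; the sample page and hostnames are constructed for illustration, not captured from DailyMotion.

```python
"""Flag invisible iframes that hand a page's visitors to a third-party host.

Added example (not from the article or Invincea): SAMPLE_HTML and the
hostnames in it are constructed to mimic the pattern described, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate player embed, one invisible off-site
# frame of the kind the redirect attack uses, and one hidden same-origin
# frame (an ad slot) that should not be flagged.
SAMPLE_HTML = """
<html><body>
<h1>Videos</h1>
<iframe src="https://www.example-video.test/embed/123" width="640" height="360"></iframe>
<iframe src="http://scan-your-pc.test/alert.php" width="0" height="0"
        style="visibility:hidden;position:absolute"></iframe>
<iframe src="/ads/house.html" style="display:none"></iframe>
</body></html>
"""

HIDING_STYLES = ("display:none", "visibility:hidden")


def _hidden(attrs: dict) -> bool:
    """True if the iframe is sized to nothing or styled out of view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(h in style for h in HIDING_STYLES):
        return True
    zero = ("0", "0px")
    return (attrs.get("width", "").strip() in zero
            or attrs.get("height", "").strip() in zero)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html: str, site_host: str):
    """Return the src of each hidden iframe whose host is not site_host.

    Hidden same-origin frames (ad slots, trackers) are everyday noise; an
    invisible frame pointing at an unrelated host is the redirect shape
    described above, so only those are reported.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host is None:          # relative URL: same origin, skip
            continue
        if host != site_host and _hidden(attrs):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "www.example-video.test"):
        print("hidden off-site iframe:", src)
```

A static check like this only catches frames present in the HTML as served; injections that build the iframe with JavaScript at load time, which is common in drive-by campaigns, need a headless browser or a DOM snapshot after script execution to be seen. Treating every host other than the site’s own as foreign is deliberately strict; a real deployment would carry an allow list of known embed and advertising hosts.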

