
China Establishes Presidential Commission to Shore Up Its Cyberdefenses

Plus: 360 million online accounts compromised, a security conference releases a buggy app, and Apple belatedly patches a security flaw

Image: Getty Images

This Week in Cybercrime

China is often pointed to as the home base for bad actors in the world of cybercrime and alleged to be a participant in undeclared cyberwarfare. But China’s computer networks are not immune from attack. The government revealed the extent of its concern over cybercrime when it announced that President Xi Jinping is chairing a new working group on cybersecurity and information security. Though Xi will have a direct hand in drafting national policies aimed at improving cyberdefenses, the announcement offered no details about what its cybersecurity efforts would entail.

“Efforts should be made to build our country into a cyberpower,” Xi said in a statement released after the first meeting of the group on Thursday, according to the official Xinhua News Agency. “No Internet safety means no national security,” Xi said.

App Released by Security Conference Is Insecure

The most ironic (and obviously embarrassing) occurrence of the week took place at the RSA Conference in San Francisco. Security researchers from IOActive reported that the official mobile app for one of the leading computer security conferences is riddled with security vulnerabilities. Worst among the flaws is one that makes man-in-the-middle attacks possible. A hacker could use the vulnerability to inject malicious code, masquerade as a legitimate website, and steal login credentials.

IOActive says a separate security hole, though not as dangerous, is actually more interesting. According to Kaspersky Lab’s Threatpost, “The application apparently downloads a SQLite database file that is then used to populate the app’s user interface with various conference information, like speaker profiles and schedules. Seems innocuous enough, but that database—for reasons that remain a mystery to [IOActive]—contains the first and last names, employers, and titles of every user that has downloaded and registered with the application.”

Apple Patches Major Security Flaw

Last Friday, Apple released iOS 7.0.6, which it tried to characterize as a fix to a minor security flaw. Despite the company’s nothing-to-see-here take on the update, observers immediately sniffed out that it must have been important. Why else would the company put out a standalone fix now when iOS 7.1, a large update to iOS 7 that is currently in beta, is likely to be released in the next week or so? The security community’s instincts were right on point.

The patch was for Apple's SecureTransport platform, which appears in OS X 10.9 for desktop and in all versions of iOS going back to iOS 6. A seemingly small coding error that went unaddressed for years meant that devices’ SSL connections failed to properly verify the certificates that serve as websites’ proof of identity. The vulnerability made the task of masquerading as a user’s banking site or e-mail provider, or pretending to be Facebook, LinkedIn, the App Store (or, now that it’s tax time in the United States, the IRS website), much easier. That lowered bar left people open to man-in-the-middle attacks, most likely by attackers intercepting traffic at public Wi-Fi hotspots. Even though the little padlock icon in their browser windows was delivering the message that their connections were secure, they weren't.

The Verge reports that, according to researcher Ashkan Soltani, “the vulnerability extended to every application built on Apple's SSL library, including FaceTime, Mail, and Calendar.” These and similar apps, says Soltani, have been exposed on iOS because of the flaw since September of 2012, when iOS 6 was first introduced. Soltani says the exploit is “one of the most significant security vulnerabilities from a major company we've seen in a while.”

The just-released OS X 10.9.2 patched the security hole. The update patched 32 other vulnerabilities in various versions of OS X, including four flaws that could be used to bypass the application "sandbox."

The fallout may be limited, though, by the fact that taking advantage of the disabled SSL connection and other security holes is easier said than done. As Columbia cryptographer Steve Bellovin tells The Verge, "Man-in-the-middle attacks aren't that easy to launch, and they don't scale well." For most attacks, the hacker would need to be within Wi-Fi distance, which fits with reports about the flaw having been exploited in isolated incidents where someone’s information was stolen at a public hotspot.

The security flaw has been attributed to sloppy coding: an inadvertently repeated "goto fail" line that slipped through Apple’s code coverage testing and remained in place because of an if-it-ain’t-broke-don’t-fix-it philosophy that kept the error hidden in plain sight.
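To show why a single duplicated line can disable a check, here is an added, illustrative reconstruction of the "goto fail" pattern in C. It is not Apple's SecureTransport source; the `hash_update` and `verify_signature` functions, the `handshake_t` struct and the sample inputs are constructed stand-ins for the sequence of handshake verification steps. The vulnerable shape returns 0 ("accept") for a forged handshake because the second, unconditional `goto fail` jumps to cleanup before the signature is ever verified; the fixed shape braces every conditional body and fails closed if control reaches the cleanup label without the signature step having run.

```c
#include <stdio.h>

/* Constructed stand-in for the state a TLS handshake verifier inspects.
 * This is an added example, not Apple's code. */
typedef struct {
    int hash_ok;      /* does the transcript hash compute correctly? */
    int signature_ok; /* does the server's signature verify? */
} handshake_t;

/* Each step returns 0 on success, non-zero on failure (SecureTransport style). */
static int hash_update(const handshake_t *h) { return h->hash_ok ? 0 : -1; }
static int verify_signature(const handshake_t *h) { return h->signature_ok ? 0 : -1; }

/* Vulnerable shape: the duplicated "goto fail" is unconditional, so with
 * err still 0 control jumps to the label and verify_signature() never runs.
 * Returns 0 ("accept") even when the signature is bad. */
int verify_vulnerable(const handshake_t *h)
{
    int err = 0;
    if ((err = hash_update(h)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken, skips the check below */
    if ((err = verify_signature(h)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: braces around every conditional body, plus an explicit flag
 * so that reaching the cleanup label without verifying is itself a failure. */
int verify_fixed(const handshake_t *h)
{
    int err = 0;
    int signature_checked = 0;
    if ((err = hash_update(h)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(h)) != 0) {
        goto fail;
    }
    signature_checked = 1;
fail:
    if (err == 0 && !signature_checked) {
        err = -2;  /* fail closed: nothing should be accepted unverified */
    }
    return err;
}

int main(void)
{
    /* Constructed input: hash is consistent but the signature does not verify,
     * which is what a forged ServerKeyExchange looks like to the verifier. */
    handshake_t forged = { .hash_ok = 1, .signature_ok = 0 };
    printf("vulnerable verifier: %d (0 means accepted)\n", verify_vulnerable(&forged));
    printf("fixed verifier:      %d (non-zero means rejected)\n", verify_fixed(&forged));
    return 0;
}
```

The defensive `signature_checked` flag is a belt-and-braces choice: the braces alone remove the bug, but the flag turns any future "fell through to cleanup without verifying" regression into a rejection rather than a silent accept. Clang's `-Wunreachable-code` flags the dead `if` after the duplicated `goto` in the vulnerable function, and a unit test that feeds a bad signature and expects rejection, like the one implied by `main` above, is the test Apple's coverage runs evidently lacked.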

The Odds Are Against Us

A reminder that security in our electronic transactions is likely almost always illusory came this week when analysts with cybersecurity firm Hold Security reported that they have obtained a list containing 360 million stolen online account credentials. The information, they surmise, was most likely the spoils of multiple data breaches. They say they stumbled upon the list while studying underground marketplaces where pilfered data is bought and sold. Alex Holden, Hold Security’s CIO, told Computerworld that February has been very fruitful for hackers, explaining that “one batch of 105 million details, discovered about 10 days ago by the company, included email addresses and corresponding passwords, but it isn't clear what Web services the credentials unlock.” The company’s researchers are still trying to piece together that part of the puzzle.

Hold Security, which offers a paid service that notifies companies when their stolen data is spotted online, says it has also found 1.25 billion e-mail addresses circulating among hackers. Address lists, important information for spammers, are regularly sold on underground forums.

Cybercrook Talks His Way Into Prison

A British national was indicted this week in the U.S. District Court for the Southern District of New York on charges that he hacked into several Federal Reserve Bank servers and stole names, e-mail addresses, and other personal information of the bank's staffers. The hacker, who was already facing charges in New Jersey and Virginia for the server break-ins, is his own worst enemy. It seems that the authorities got wind of what he was up to only after he told other hackers in an IRC chat room that he had gained control of a server for the Federal Reserve Bank in Chicago. In other self-aggrandizing moments on IRC forums, says the criminal complaint, the hacker revealed that he’d also gained access to a Federal Reserve Bank server in New York. The indictment alleges that he also took to a chat room to announce his intention to post personal information of Federal Reserve employees.

“Lauri Love is a sophisticated hacker who broke into Federal Reserve computers, stole sensitive personal information, and made it widely available, leaving people vulnerable to malicious use of that information,” said the prosecuting attorney in a statement. “We place a high priority on the investigation and prosecution of hackers who intrude into our infrastructure and threaten the personal security of our citizens.”

So it should be just a matter of time before the perpetrators of the hacks that have led to millions of consumers’ credit card information being swiped are brought to justice. Perhaps those criminals will brag about their exploits in chat rooms too.

In Other Cybercrime News…
