Can the Government—Or Worse, Hackers—Eavesdrop As You Commute?
They know what you said in anger on the bus last week. That could certainly be the case if you were a passenger on a public bus in San Francisco, California; Eugene, Oregon; Traverse City, Michigan; Columbus, Ohio; Baltimore Maryland; Hartford, Connecticut; or Athens, Georgia. Transit authorities in these cities have already installed microphone-enabled surveillance systems on the buses—some with technology for distinguishing conversations from the background noise from wind, traffic, and the bus’ engine. The audio and contemporaneous recordings from multiple video cameras are stored onboard in black boxes that can accommodate as much as 30 days of data. More cities are looking into installing such systems on their buses despite potential drawbacks related to privacy and security. These systems are designed to be remotely accessible via built-in servers. It is possible to monitor the audio and video in real time—all while tracking a bus using GPS data the system records.
The Daily reports that transit officials cite the systems’ benefits—improving the safety of passengers and drivers and helping to resolve complaints from riders—as good reason to have them in place. But Ashkan Soltani, a privacy and security expert, told the Daily that the audio could easily be coupled with facial recognition systems or audio recognition technology to identify passengers caught on the recordings. Civil liberties groups are up in arms at the potential to use the footage to prosecute people or at least monitor them; that, they insist, would be a clear violation of wiretapping laws and constitutional protections against illegal search and seizure.
And then there is the matter of information about your whereabouts and your private conversations falling into the hands of a hacker. According to the product pamphlet for one such system, remote connectivity “can be established via the Gigabit Ethernet port or the built-in 3G modem. A robust software ecosystem including LiveTrax vehicle tracking and video streaming service combined with SafetyNet central management system allows authorized users to check health status, create custom alerts, track vehicles, automate event downloads and much more.” What might a cybercriminal do with all that information? I shudder to think.
Facebook Helps Authorities Nab Botnet Bandits
Wired reports that 10 people who used botnets to take control of more than 11 million computers and steal about US $850 million have been arrested. The cybercriminals, who were arrested in the U.S., Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, and the United Kingdom, were behind the Butterfly Botnet (also known as the Slenfbot) that used the Yahos virus to infect the computers. Most of the victims had one thing in common: they were Facebook users who fell prey after clicking on fraudulent links in messages that appeared to come from friends but were actually the creation of the cybercrooks. The Yahos malware, which was unleashed with the ill-fated clicks, is designed to steal users’ banking login, password, and/or pin, credit card and bank account information, and other personal data.
Wired says that law enforcement was able to crack the case because of the assistance of Facebook. In an online statement released on 12 December, the social media site noted that, “In 2010, Facebook began investigating the Yahos malware and our automated systems were able to identify affected accounts based on suspicious activity. Once we were able to identify affected accounts, we were able to mitigate the threats posed by these viruses…As a result of our research, we were able to provide intelligence to law enforcement agencies about the capabilities and architecture of the malware.” Facebook also reported that the attack would have been worse but for the site’s anti‐spam systems; nevertheless, it has provided a link to help users determine if their computers were misused by the cybercrooks and to obtain free anti-virus software if a machine is shown to have been blighted by the malicious code.
Industrial Control Systems Remotely Hacked
An FBI memo revealed in July that hackers took advantage of a vulnerability in the cybersecurity of a New Jersey air conditioning company's industrial control system and gained control of the firm’s heating, ventilation, and air conditioning units. According to Kapersky Lab, the alert received public notice just this week when a report about the online break-in was published on a Web site operated by Public Intelligence, an international research project that advocates for public access to information. The first of the intrusions, which call into question the security of SCADA systems that manage much of the United States’ critical infrastructure, apparently occurred on 3 February, a few days after someone going by the moniker "@ntisec" posted on "a known U.S. website" that hackers were targeting SCADA systems to direct more attention to their vulnerabilities. The posting included a list of URLs and—one pointing to the very HVAC control system that was subsequently accessed—and information about downloading and decrypting a file containing user credentials giving administrator access into the industrial control system used by the companies whose Web addresses were on the list.
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.