Can the Government—Or Worse, Hackers—Eavesdrop As You Commute?
They know what you said in anger on the bus last week. That could
certainly be the case if you were a passenger on a public bus in San
Francisco, California; Eugene, Oregon; Traverse City, Michigan;
Columbus, Ohio; Baltimore, Maryland; Hartford, Connecticut; or Athens,
Georgia. Transit authorities in these cities have already installed microphone-enabled surveillance systems on the buses—some
with technology for distinguishing conversations from the background
noise from wind, traffic, and the bus’ engine. The audio and
contemporaneous recordings from multiple video cameras are stored
onboard in black boxes that can accommodate as much as 30 days of data.
More cities are looking into installing such systems on their buses
despite potential drawbacks related to privacy and security. These
systems are designed to be remotely accessible via built-in servers. It
is possible to monitor the audio and video in real time—all while
tracking a bus using GPS data the system records.
The Daily reports that transit officials cite the systems’
benefits—improving the safety of passengers and drivers and helping to
resolve complaints from riders—as good reason to have them in place. But
Ashkan Soltani, a privacy and security expert, told the Daily that the
audio could easily be coupled with facial recognition systems or audio
recognition technology to identify passengers caught on the recordings.
Civil liberties groups are up in arms at the potential to use the
footage to prosecute people or at least monitor them; that, they insist,
would be a clear violation of wiretapping laws and constitutional
protections against illegal search and seizure.
And then there is the matter of information about your whereabouts and
your private conversations falling into the hands of a hacker. According
to the product pamphlet for one such system, remote connectivity “can
be established via the Gigabit Ethernet port or the built-in 3G modem. A
robust software ecosystem including LiveTrax vehicle tracking and video
streaming service combined with SafetyNet central management system
allows authorized users to check health status, create custom alerts,
track vehicles, automate event downloads and much more.” What might a
cybercriminal do with all that information? I shudder to think.
Facebook Helps Authorities Nab Botnet Bandits
Wired reports that 10 people who used botnets
to take control of more than 11 million computers and steal about US
$850 million have been arrested. The cybercriminals, who were arrested
in the U.S., Bosnia and Herzegovina, Croatia, Macedonia, New Zealand,
Peru, and the United Kingdom, were behind the Butterfly Botnet
(also known as the Slenfbot) that used the Yahos virus to infect the
computers. Most of the victims had one thing in common: they were
Facebook users who fell prey after clicking on fraudulent links in
messages that appeared to come from friends but were actually the
creation of the cybercrooks. The Yahos malware, which was unleashed with
the ill-fated clicks, is designed to steal users’ banking login,
password, and/or PIN, credit card and bank account information, and
other personal data.
Wired says that law enforcement was able to crack the case
because of the assistance of Facebook. In an online statement released
on 12 December, the social media site noted that, “In 2010, Facebook
began investigating the Yahos malware and our automated systems were
able to identify affected accounts based on suspicious activity. Once we
were able to identify affected accounts, we were able to mitigate the
threats posed by these viruses…As a result of our research, we were able
to provide intelligence to law enforcement agencies about the
capabilities and architecture of the malware.” Facebook also reported
that the attack would have been worse but for the site’s anti‐spam
systems; nevertheless, it has provided a link to help users determine if their computers were misused by the cybercrooks and to obtain free anti-virus software if a machine is shown to have been blighted by the malicious code.
Industrial Control Systems Remotely Hacked
An FBI memo revealed in July that hackers took advantage of a vulnerability
in the cybersecurity of a New Jersey air conditioning company's
industrial control system and gained control of the firm’s heating,
ventilation, and air conditioning units. According to Kaspersky Lab, the
alert received public notice just this week when a report about the
online break-in was published on a Web site operated by Public
Intelligence, an international research project that advocates for
public access to information. The first of the intrusions, which call
into question the security of SCADA systems that manage much of the
United States’ critical infrastructure, apparently occurred on 3
February, a few days after someone going by the moniker "@ntisec" posted
on "a known U.S. website" that hackers were targeting SCADA systems to
direct more attention to their vulnerabilities. The posting included a
list of URLs—one pointing to the very HVAC control system that was
subsequently accessed—and information about downloading and decrypting a
file containing user credentials giving administrator access into the
industrial control system used by the companies whose Web addresses were
on the list.