source: cyberscoop.com

The command post for any future U.S.-backed cyberwar is now officially open.

Last week, NSA and U.S. Cyber Command leaders posed together and smiled for pictures during a ribbon-cutting ceremony to celebrate the completion of a new, state-of-the-art spy bunker named the “Integrated Cyber Center,” or ICC.

Bland in name alone, the groundbreaking facility located inside Fort Meade in Maryland represents the latest step taken by the federal government to equip U.S. spies and a growing force of “cyberwarriors” with the physical infrastructure necessary to combat foreign threats online.

Hackers linked to Russia, China, North Korea and Iran have respectively penetrated important U.S. political groups, government agencies, entertainment studios and U.S. energy companies in recent years. These types of breaches have led lawmakers to openly question whether the federal government is doing enough to deter hackers.

“Today we are at the dawn of a new era, facing the reality of wars changing character,” said Deputy Secretary of Defense Patrick Shanahan. “The emergence of cyberspace and outer space has contested war fighting domains … cyberspace is not bound by geography, it is not bound to the physical presence of our adversaries. The next ten years will look significantly different from the last ten more than any of us can likely imagine.”

Senior U.S. officials hope the ICC will effectively help the 66-year-old signals intelligence agency easily coordinate with U.S. Cyber Command, a nascent military unit that’s individually responsible for cyberwarfare operations. Such operations typically cause a noticeable disruption to the enemy’s computer network instead of covertly collecting secrets.

The goal is to improve cross-government collaboration by centrally organizing the appropriate representatives from each agency and military branch into one space. Recent legislative decisions have given Cyber Command the authority to deploy its forces to combatant commands around the world.

source: intelnews.org

In a rare public appearance on Sunday, a senior member of the United States Central Intelligence Agency discussed ways in which ongoing technological changes pose challenges to concealing the identities of undercover operatives. Dawn Meyerriecks worked in industry for years before joining the CIA in 2013 as deputy director of the agency’s Directorate of Science and Technology. On April 22, she delivered one of the keynote speeches at the 2018 GEOINT Symposium. The meeting was held in Tampa, Florida, under the auspices of the Virginia-based United States Geospatial Intelligence Foundation, which brings together government agencies and private contractors.

In her speech, Meyerriecks discussed what she described as “identity intelligence”, namely the detailed piecing together of a person’s identity from data acquired from his or her online activity and the digital footprint left on wireless devices of all kinds. This data, combined with footage from closed-circuit television (CCTV) systems and other forms of audiovisual surveillance, poses tremendous barriers to clandestine operations, said Meyerriecks. Today, around 30 countries employ CCTV systems with features so advanced that they render physical tracking of human operatives unnecessary, she added. She went on to warn that the combination of these advanced systems with all-encompassing digital networks in so-called smart cities, as well as with the Internet of things, poses serious threats to the CIA’s ability to operate in secret. Abandoning the online grid is not a solution, said Meyerriecks, because doing so draws attention to the absentee. “If you have […] a six figure or low seven figure income, and you own no real estate, you don’t have any health [or] life insurance policies to speak of, you turn your cell phone off every day from 8:00 to 5:00, who do you work for?”, she said.

source: thehackernews.com

"Alexa, are you spying on me?" — aaaa.....mmmm.....hmmm.....maybe!!!

Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device.

Amazon Echo is an always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions.

However, the device doesn’t remain activated all the time; instead, it sleeps until the user says, "Alexa," and by default, it ends a session after some duration.
 

Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.

However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces the device to indefinitely record surrounding voices to secretly eavesdrop on users’ conversations and then sends the complete transcripts to a third-party website.

Disguised as a simple calculator for solving maths problems, the malicious skill, if installed, immediately gets activated in the background after a user says "Alexa, open calculator."

"The calculator skill is initialized, and the API\Lambda-function that's associated with the skill receives a launch request as an input," the researchers said in their report.

In a video demonstration, the researchers show that when a user opens a session with the calculator app (in the background), it also creates a second session without verbally indicating to the user that the microphone is still active.

By design, Alexa should either end a session or ask the user for another command to keep the session open. However, the hack could allow attackers to keep the second session active for spying on users while ending the first when the user interaction is over.

Luckily, you can still spot the spy red-handed if you notice the blue light on your Echo device staying on for a longer period, especially when you are not chit-chatting with it.

Checkmarx reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for malicious skills with "silent prompts or that listen for unusual lengths of time" and kicking them out of its official store.

It's not the first Alexa hack demonstrated by researchers. Last year, a separate group of researchers at MWR InfoSecurity showed how hackers could turn some models of Amazon Echo into a covert listening device.

source: forbes.com

From Alexa’s random outbursts of laughter to claims that your smart refrigerator wants to kill you, it is easy to see why the Internet of Things (IoT) invokes negative connotations. Some may even say IoT has a dark side, fueled by security and privacy concerns along with uncertainty about what these devices can do.

Although we are talking about the consumer realm, where IoT is more of an overhyped novelty, similar concerns remain in the much larger business (B2B) market. While IoT holds promise to completely transform businesses, disrupt markets and create new value propositions, its perceived dark sides are impeding progress. Just one year ago, Cisco research showed that 60% of IoT initiatives stalled at the proof-of-concept (PoC) stage, and only 26% of businesses considered their IoT projects a total success.

Times are changing, however. Over 69% of global organizations are adopting or planning to adopt IoT solutions this year, and the global IoT market is expected to reach as high as $8.9 trillion by 2020. Clearly, IoT continues forward despite the concerns. 

Nonetheless, we must tackle the most pressing IoT challenges to see the light at the end of the tunnel and realize IoT’s true transformational value. Here are five dark sides to IoT, and how we can address them.

1. IoT is driving nearly every industry and company to become more technology focused, with data as a key asset. Thus, securing not only IoT devices but also the data they collect, share and store is paramount. In fact, 97% of risk professionals believe that a data breach or cyberattack caused by unsecure IoT devices could be “catastrophic” for their organizations.

While enterprises are finally understanding the impact of IoT security, it’s been challenging to get to this point. First, traditional security strategies often implemented in industrial environments -- such as “security by obscurity” where production operations are separated from enterprise networks -- do not work for IoT. Organizations need to take a comprehensive, policy-based architectural approach, which includes the convergence of IT/OT, integration of physical and digital security, a thorough plan before/during/after attacks and adoption of industry-wide standards. Second, IoT security must be everyone’s job -- from device-makers, to service providers, to the C-Suite, employees and even governments. I encourage all IoT practitioners and providers to embrace this end-to-end approach and engage with standards bodies.