"Cyber espionage is a fact of life internationally. And the fact that it continues to be a fact of life internationally is a product of the fact that it has been so successful internationally."
So said David Irvine, former director-general of the Australian Security Intelligence Organisation (ASIO), and former head of the Australian Secret Intelligence Service (ASIS), at Fortinet's Security 361° Symposium in Sydney on Wednesday.
News of cyber espionage is commonplace now, with nearly every story pointing the finger at unspecified nation-state actors. Well, unless they straight-up finger China. Or Russia. Or Iran.
Irvine mentioned the breach of the Australian parliamentary network in 2011, and the breach of the Bureau of Meteorology revealed in 2015. But he was particularly impressed with the breach of the US Office of Personnel Management (OPM), revealed in 2015.
Next time you go out for lunch and leave your computer unattended at the office, be careful. A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks.
Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there’s a browser open in the background.Kamkar explained how it works in a blog post published on Wednesday.
And all a hacker has to do is plug it in and wait.
“It’s entirely automated. You plug it in, you leave it there for a minute, then you pull it out and you walk away,” Kamkar told Motherboard in a phone call. “You don’t even need to know how to do anything.”
PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it’s plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim’s cookies, as long as they come from websites that don’t use HTTPS web encryption, according to Kamkar.
Mozilla addressed 29 vulnerabilities, three rated critical, when it released the latest iteration of its flagship browser, Firefox 50 and Firefox ESR 45.5, on Tuesday.
Firefox developers said this week that it might take some effort, but at least two of the critical bugs could be exploited to run arbitrary code. Both bugs stemmed from memory safety issues in Firefox 49, released in mid-September.
According to a security advisory published by Mozilla, both issues showed evidence of memory corruption and were discovered by Mozilla developers and community members.