Cyber-breaches prove security flaws

So-called ironclad security systems are a lot more vulnerable than their creators would want customers to believe. Within the past week, significant vulnerabilities were revealed in the systems of Ashley Madison, a dating website that caters exclusively to would-be adulterers, and Chrysler, makers of the Chrysler and Jeep vehicles. They now join the ranks of the U.S. government and countless other organizations whose systems had already been penetrated.

In the case of Ashley Madison, hackers stole the personal information of its 37 million users. Chrysler's Uconnect entertainment system, installed in Chrysler's latest vehicles, proved vulnerable to would-be hackers who could interfere with the dashboard, the transmission, and even the brakes.

Wired's Andy Greenberg broke the Chrysler story in a 4,000-word article published early Tuesday. Greenberg test-drove a Jeep Cherokee down the streets of St. Louis while hackers altered its systems. The hackers, security experts Charlie Miller and Chris Valasek, had demonstrated similar vulnerabilities to Greenberg before, but this was the first time they did so remotely. With battered laptops and an Internet connection, the pair began toying with non-critical systems, making images appear on the dashboard before targeting more vital systems.

As Greenberg tells it:

"Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun."

This isn't the first time hackers have used an entertainment system to penetrate more important functions related to transportation. In May, a security researcher told the FBI that he hacked into the network of a United Airlines flight by exploiting its entertainment system.
The so-called "white-hat hackers" - trying to improve security rather than destroy it - notified Chrysler, which released a software update that patched the exploit. In a statement, the company likened the vehicle software to that of a smartphone. "Similar to a smartphone or tablet, vehicle software can require updates for improved security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems," the company said.

The hackers who targeted Ashley Madison were not so generous. Calling themselves "The Impact Team," the group has demanded that the website be shut down or they will release the personal information of the company's users. With security logos on Ashley Madison's website that say things like "Trusted Security Award," "100% Discreet Service," and "Secure Site," this was clearly a scenario that parent company Avid Life Media was trying to avoid. This was just before the company planned to launch an IPO in London.

"All it takes is one bad line of code," Blake Cornell, CTO of Integris Security, a cybersecurity company based in Garden City, told Long Island Business News.

But the problem extends beyond the people who created accounts on the website. Cornell compared this hack to the one that befell Adult FriendFinder, a matchmaking website for people seeking sexual encounters, back in March, a breach that has been far less widely publicized. From the released data, says Cornell, people "were able to tell that people in law enforcement were cheating on their wives and other really bad stuff." Continuing, he said, "the data could be used for blackmail, for divorce - there are a lot of lives that could be affected."

In a statement released on Monday, Avid Life Media, which operates Ashley Madison, said it had secured its website and is working with law enforcement to investigate the attack. The company is also allowing users to erase their accounts for free, a service that normally costs $19.

Published: Thu, Jul 23, 2015