Officials blame “sophisticated” Russian hackers for voter system attacks

FBI reportedly informed Arizona of possible Russian hack in June.

Sophisticated hackers use the command line with their pinkies raised and wear cashmere balaclavas.

The profile of attacks on two US state voter registration systems this summer presented in an FBI "Flash" memo suggests that the states were hit by a fairly typical sort of intrusion. But an Arizona official said that the Federal Bureau of Investigation had attributed an attack that succeeded only in capturing a single user's login credentials to Russian hackers and rated the threat from the attack as an "eight on a scale of ten" in severity. An Illinois state official characterized the more successful attack on that state's system as "highly sophisticated" based on information from the FBI.

Arizona Secretary of State's Office Communications Director Matt Roberts told the Post's Ellen Nakashima that the FBI had alerted Arizona officials in June of an attack by Russians, though the FBI did not state whether they were state-sponsored or criminal hackers. The attack did not gain access to any state or county voter registration system, but the username and password of a single election official were stolen. Roberts did not respond to requests from Ars for clarification on the timeline and other details of the attack.

Based on the details provided by Roberts to the Post, it's not clear if the Arizona incident was one of the two referred to in the FBI "Flash" published this month. The FBI has not responded to questions about the memorandum on the attacks first published publicly by Yahoo News' Michael Isikoff, but a SQL injection attack wouldn't seem to be the likely culprit for stealing a single username and password. It's more likely that the Gila County election official whose credentials were stolen was the victim of a phishing attack or malware.


After Illinois hack, FBI warns of more attacks on state election board systems

Concern about more attacks mounting as presidential elections approach.

An FBI "Flash" memorandum on state Board of Elections sites warns of attacks on two states so far and asks other states to check their logs.

Someone using servers in the US, England, Scotland, and the Netherlands stole voter registration data from one state's Board of Elections website in June and unsuccessfully attacked another state's elections website in August, according to a restricted "Flash" memorandum sent out by the FBI's Cyber Division. The bureau issued the alert requesting that other states check for signs of the same intrusion.

The "Flash" memo, obtained by Yahoo News, was published three days after Secretary of Homeland Security Jeh Johnson offered state officials assistance in securing election systems during a conference call. According to Yahoo's Michael Isikoff, government officials told him that the attacks were on voter registration databases in Illinois and Arizona. The Illinois system had to be shut down in July for two weeks after the discovery of an attack; the registration information of as many as 200,000 voters may have been exposed.

While saying the Department of Homeland Security was unaware of any specific threat to election systems, Johnson offered states assistance from the National Cybersecurity and Communications Integration Center (NCCIC) "to conduct vulnerability scans, provide actionable information and access to other tools and resources for improving cybersecurity," a DHS spokesperson said, describing the conference call. "The Election Assistance Commission, NIST, and DOJ are available to offer support and assistance in protecting against cyber attacks."


Trading in stock of medical device paused after hackers team with short seller

St. Jude Medical declares claim of vulnerability “false and misleading.”

A St. Jude Medical cardiac defibrillator implant like the ones MedSec claimed to have found vulnerabilities in. (credit: St. Jude Medical)

Trading in the stock of medical device manufacturer St. Jude Medical was halted Friday afternoon after a dramatic drop in its value. That drop was triggered by news of alleged vulnerabilities in the company's cardiac care devices. The vulnerabilities were disclosed not in a report by the company but by security researchers partnered with Muddy Waters Capital, an investment firm that had "shorted" St. Jude's stock based on the information in order to profit from a drop in the stock's value.

The researchers at the security firm MedSec chose to take this route to disclosure, MedSec CEO Justine Bone said, to "ensure that St. Jude Medical responds appropriately and with urgency." The partnership with a short seller is a fundamental departure from the established approach of responsible disclosure normally taken by researchers. But it also represents an approach that bypasses the sort of legal maneuverings and threats, suppression of information, and inaction that have been experienced by researchers who have discovered vulnerabilities in other products. Researchers who discovered a vulnerability in Volkswagen electronic engine locks, for example, were forced to withhold a paper for two years through a court injunction filed by the automaker in 2012.

Muddy Waters issued a report on Thursday claiming that it had demonstrated "two types of cyber attacks against STJ implantable cardiac devices: a 'crash' that causes cardiac devices to malfunction... and a battery drain attack that could be particularly harmful to device dependent users." The report claimed that the vulnerabilities had been proven in "multiple demonstrations evidencing how hollow STJ's device security is."


Congressman to FCC: Fix phone network flaw that allows eavesdropping

SS7 weakness, leak of phone numbers could let hackers spy on “half of Congress.”

SS7 allows an attacker to use just a phone number to gain access to calls and texts to and from that phone—and can be used to undermine the security of WhatsApp and Telegram. (credit: Petr Kolář (modified by Ars))

A documented weakness in Signaling System 7 has been shown to allow widespread interception of phone calls and text messages (SS7 is the public switched telephone network signaling protocol used to set up and route phone calls; it also allows for things like phone number portability). This weakness in SS7 can even undermine the security of encrypted messaging systems such as WhatsApp and Telegram.

In an April segment of 60 Minutes, Democratic Congressman Ted Lieu of California allowed hackers to demonstrate how they could listen in on his calls. In light of the mass leak of congressional staffers' contact information by hackers, Congressman Lieu is now urging the Federal Communications Commission to take action quickly to fix the problem with SS7. The hackers are purportedly tied to Russian intelligence.

The vulnerability in SS7 was revealed in a presentation at the RSA security conference in March. It exploits the use of SS7 by cellular networks to handle billing and phone location data for call routing. The vulnerability is open to anyone with access to SS7 signaling. This includes not just telecommunications companies that have "roaming" relationships with a phone's primary carrier, but any state actor or hacker who has access to those companies' networks. Using SS7, an attacker could create a proxy to route calls and text messages, intercepting and recording them without the knowledge of the people on either end of the communications. An attacker could also spoof texts and calls from a number.


House and Senate Republicans subpoena companies tied to Clinton mail server

Letters to security firms, network provider demand data on Clinton mail security.

You have been served: a subpoena cover letter sent to the service provider for Hillary Clinton's private e-mail server yesterday by Rep. Lamar Smith.

Rep. Lamar Smith (R-Texas), chairman of the House Science and Technology Committee, has sent subpoenas to three companies that provided services related to former Secretary of State Hillary Clinton's private e-mail server. The subpoenas seek information on how secure the server was and whether it was protected within the guidelines set by the National Institute of Standards and Technology (NIST) for systems used by government employees. Smith's subpoenas were supported by Senator Ron Johnson (R-Wis.), the chairman of the Senate Homeland Security and Government Affairs Committee.

The subpoenas were sent to executives of the data security firm Datto, SECNAP Network Security, and the ISP and managed services provider Platte River Networks. Datto's SIRIS disaster recovery service was used to back up the e-mail server hosting ClintonEmail.com, and SECNAP provided its Cloudjacket managed intrusion detection and prevention service to the Clinton server. Platte River Networks apparently managed the server for at least part of the period that Clinton and her staff used e-mail accounts on it while at the State Department. All three companies had previously declined to provide information to Smith's committee voluntarily.

In the letter accompanying the subpoena to Platte River Networks CEO Treve Suazo, Smith and Johnson wrote:


Hints suggest an insider helped the NSA “Equation Group” hacking tools leak

Structure of leaked files, other factors suggest someone inside “air gap” snuck them out.

This is not what NSA's TAO is doing right now.

A group called the Shadow Brokers made headlines this month by leaking hacking tools belonging to the NSA's Tailored Access Operations (TAO) team. This week, several informed sources have suggested that an insider may have been involved.

The leaked software, which can exploit weaknesses in a number of network hardware platforms and other devices, may have come with the help of an NSA insider, according to the analysis of several information security experts, reports citing former NSA employees, and one journalist who had access to the files leaked by Edward Snowden. While the hacking tools were said not to have come from the Snowden document cache, they may in fact be associated with another leaker who provided information to Jacob Appelbaum and Wikileaks, James Bamford suggests in a commentary published Monday by Reuters.

Details of the hacking tools also match with a training manual for NSA cyberespionage operations included in the Snowden document trove, released last week by The Intercept. Some of the tools also match with entries in the TAO's ANT catalog—an NSA internal wishbook for hardware and software exploits. That document was published in part by Der Spiegel in collaboration with Appelbaum back in December of 2013.


The World Series of Hacking—without humans

Seeking a future where networks patch themselves, DARPA stages an AI vs. AI smackdown.

LAS VEGAS—On a raised floor in a ballroom at the Paris Hotel, seven competitors stood silently. These combatants had fought since 9:00am, and nearly $4 million in prize money loomed over all the proceedings. Now some 10 hours later, their final rounds were being accompanied by all the play-by-play and color commentary you'd expect from an episode of American Ninja Warrior. Yet, no one in the competition showed signs of nerves.

To observers, this all likely came across as odd, especially because the competitors weren't hackers; they were identical racks of high-performance computing and network gear. The finale of the Defense Advanced Research Projects Agency's Cyber Grand Challenge, a DEFCON game of "Capture the Flag," is all about the "Cyber Reasoning Systems" (CRSs). And these collections of artificial intelligence software armed with code and network analysis tools were ready to do battle.

Inside the temporary data center arena, referees unleashed a succession of "challenge" software packages. The CRSs would vie to find vulnerabilities in the code, use those vulnerabilities to score points against competitors, and deploy patches to fix the vulnerabilities. Throughout the whole thing, each system had to also keep the services defined by the challenge packages up and running as much as possible. And aside from the team of judges running the game from a command center nestled amongst all the compute hardware, the whole competition was untouched by human hands.


DNC staffers: FBI didn’t tell us for months about possible Russian hack

FBI told DNC to “look for signs of unusual activity” on network in fall of 2015.

A report by Reuters suggests that the FBI was aware of a possibly Russian-sponsored intrusion into the network of the Democratic National Committee as early as last fall. But investigators from the FBI initially told DNC staff only that they should be on the lookout for strange activity on their network, and the feds didn't mention a potential state-sponsored attack until they informed the Clinton campaign in March about a phishing campaign.

Unnamed DNC staffers told Reuters' Mark Hosenball and John Walcott that the FBI had been investigating a potential intrusion into the DNC's network since the fall of 2015. After the initial warning to look for anything suspicious, DNC IT staff checked network logs and scanned files, finding nothing suspicious. When asked to provide more information to help identify a problem, the FBI "declined to provide it," according to the Reuters report.

It was not until March that the DNC IT team realized the severity of the intrusion into their systems, though Reuters did not report what triggered that realization. At about the same time, the FBI reportedly warned the Clinton campaign of the attempted attacks, according to a Yahoo News report. Spear-phishing attacks against the DNC and the presidential campaign organization of Hillary Clinton were detected in March and April by the security company SecureWorks, as Ars has previously reported.


Air Force declares F-35 ready for duty—sort of

Air Combat Command chief signs off on F-35A “initial capability.”

(credit: US Air Force)

The US Air Force today announced that its first operational squadron of F-35A Lightning II fighters is ready for combat duty. The announcement was made just a day into the five-month period that the Air Force had been given to reach operational levels with the 34th Fighter Squadron, based at Hill Air Force Base in Utah.

The "initial capability" declaration comes after two Air Force F-35As joined two Marine Corps F-35s at July's Royal International Air Tattoo at the United Kingdom's Fairford Royal Air Force base and after an accelerated pace of operational tests for the 34th over the past few months. The first F-35A aircraft were delivered to the 34th in September of last year. They've been modified several times after delivery, including getting software updates to the avionics that have eliminated some of the "instability" problems previously experienced (including radar system crashes that required reboots while in flight). Since the most recent software upgrades, the squadron has flown 88 individual aircraft sorties without a software problem, according to an Air Combat Command statement.

The aircraft's maintenance and logistics software, the Autonomic Logistics Information System (ALIS), combines diagnostics and repair functions with parts inventory and verifies that the correct parts have been installed properly. In earlier versions of the software, a bug in ALIS prevented aircraft from flying even when properly maintained. ALIS 2.0.2, the latest version, won't be available to the Air Force until October at the earliest.


DNC Staffer got pop-up messages alerting of “state-sponsored actors”

Attack on congressional campaign committee tied to “Fancy Bear” hack of DNC.

An image sent by DNC staffer Alexandra Chalupa shows a warning message she received from Yahoo Mail. (credit: Alexandra Chalupa)

An e-mail message within the Wikileaks dump of Democratic National Committee data suggests that the Yahoo account of one DNC staffer may have been specifically targeted by Russian hackers. The leaked message from DNC staffer Alexandra Chalupa includes a photo of a screen displaying a pop-up alert in Yahoo Mail warning, "We strongly suspect that your account has been the target of state-sponsored actors."

"Since I started digging into [Trump campaign chairman Paul] Manafort, these messages have been a daily occurrence on my Yahoo account despite changing my password often," Chalupa reported in the message. Chalupa was looking into Manafort's work in Ukraine, where Manafort managed the campaign of former Ukraine President Viktor F. Yanukovych (who fled to Russia after violent protests against his regime) and worked with pro-Russian and Communist Party politicians forming an opposition bloc to the current government.

The detail, spotted by cybersecurity researcher Matt Tait and posted to the Twitter account @pwnallthethings, offers another hint at the scope of the campaign to collect intelligence on DNC operations by what appear to be Russia-based "actors" operating on behalf of Russian intelligence. Earlier evidence collected by SecureWorks detected phishing attacks against the personal Gmail accounts of some DNC staffers as well as attacks on DNC and Clinton campaign e-mail addresses.
