In 2016, a group from Niessner Lab in Germany published a groundbreaking achievement in the world of computer facial manipulation. Their new technology, called Face2Face, captures one person’s facial expressions as they talk into a webcam and maps those facial expressions directly onto a separate individual’s face in real time. In essence, this means that you can take a video of anyone and make their face show any expression you’d like. For example, in a demonstration video, footage of Vladimir Putin giving a serious speech becomes a video of him smiling, then frowning, with eyebrows up and then down.
(by Justin Manusov, Colorado Law 3L)
Hacking. Tapping. Cracking. Medjacking.
In the episode “Broken Hearts” of the TV show Homeland, a CIA informant is forced to retrieve a serial number that corresponds to the American Vice President’s pacemaker. A terrorist gains access to the VP’s pacemaker, accelerates his heartbeat and induces a heart attack.
Former Vice President Dick Cheney revealed that when he had a device implanted to regulate his heartbeat in 2007, he had his doctors disable its wireless capabilities to prevent a possible assassination attempt.
The health IT community is beginning to take medjacking seriously.
(by Jordan Demo, Colorado Law 2L)
The recent Equifax breach affecting approximately 143 million people has left many to call for justice—but justice for whom? After-the-fact investigations have tended to focus on whether the targeted entities took sufficient or reasonable measures to protect their systems. But what is the process for bringing attackers to justice? How are attackers who take the personal information of companies and individuals held accountable? What can be done to help deter this kind of behavior?
(by Susan Miller, Colorado Law 2L)
A cyberattack on Equifax, a consumer credit reporting agency, was announced last week. The breach was especially problematic for a variety of reasons:
- Equifax’s job is to gather and maintain sensitive personal information. Yet it learned of the breach in July but failed to inform the public of the breach until September, taking more than two months to give consumers notice of the breach.
- The breach put the personal information of 143 million Americans, nearly one-third of the entire population, at risk. This personal information includes names, social security numbers, birth dates, addresses, driver’s license numbers, and in some cases, credit card numbers.
- Three Equifax executives sold their stock only days after the company learned of the attack and before the public was notified.
Equifax is offering free credit monitoring and, thanks to angry consumers, has waived fees for setting up credit freezes through Equifax.
(by Sergey Frolov, University of Colorado Computer Science Ph.D. candidate)
In the U.S., it is illegal to produce, distribute, and possess child pornography. Playpen is a now-defunct child pornography website. The FBI managed to trace the site’s operators, then obtained a warrant and seized the web server on which the site ran.
However, instead of shutting the server down immediately, the FBI continued to operate Playpen for an additional 13 days. During that time, according to the Electronic Frontier Foundation, the FBI sent malware to visitors to the site in order to identify and prosecute them for possession of child pornography.
(by Zach Goldberg, TLPC Student Attorney)
Over the past month, the TLPC has researched autonomous vehicle technology and its susceptibility to physical layer cyber attacks, with the aim of encouraging research and development efforts to counteract such threats. We sought to gain deeper understanding of the communication systems that enable autonomous vehicle technology, the vulnerabilities of these systems to jamming and spoofing attacks, and possible defenses against such attacks. We explore these issues in the attached comment, filed in the National Highway Traffic Safety Administration’s latest proceedings relating to autonomous vehicle safety and vehicular cyber security.
(by Zachary Goldberg, Colorado Law 2L)
Apparently Yahoo waited two full months to disclose to its customers the largest consumer data breach in history, which Yahoo officials claim went undetected for two full years.
On September 22, 2016, Yahoo officials announced that 500 million of its customers’ email accounts were hacked in 2014. The Yahoo security team believes that “state-sponsored hackers” somehow managed to penetrate Yahoo’s system to target its email users’ identifying information, passwords, and security question responses. At this stage in their investigation, Yahoo officials have not indicated precisely when they discovered the breach, and they know neither specific details as to who orchestrated it, nor how they gained access to Yahoo’s email system.
(by Kiki Council, Colorado Law 3L)
Last week’s blog post concerned the ramifications of sponsored and compelled government hacking with the use of backdoor encryption. This week’s post concerns government hacks of computers using the Tor browser, and whether those hacks are considered a “search” under the Fourth Amendment.
(by Colter Donahue, Colorado Law 3L)
Should government agencies possess, compel, or sponsor hacking and backdoors? A backdoor is a method of bypassing the normal authentication system of a website, messaging service, or other means of electronic communications.
Privacy and encryption advocates point out that the tools created or vulnerabilities exploited by backdoors pose a privacy risk. The vulnerabilities are not limited to exploitation by U.S. agencies like the FBI and NSA; bad actors and other nations can use them too. Hacking tools don’t always stay secret; once exposed, potential damage may be measured on a global scale. But what happens when law enforcement needs access for investigatory purposes? The following post will look at a recent example and the balance of competing interests.
The government intelligence community has long vocally advocated for so-called “backdoors” in encrypted digital communications systems. Proponents of these special modes of entry and intercept into otherwise protected databases and communications believe they are a necessary part of national security in the modern age. However, attempts to statutorily codify these ideas have met significant opposition.
Not to be deterred, the government is currently seeking alternate ways to gather information about suspected criminals and terrorists. Two weeks ago, the Senate passed the Cybersecurity Intelligence Sharing Act (CISA). This bill seeks primarily to permit information technology companies to “voluntarily” share information about security threats with the Department of Homeland Security. Companies would be given immunity both from liability and from FOIA requests regarding this information sharing. A proposed amendment that would have required the scrubbing of personally identifiable information in this information sharing failed to pass.