Sunday, 14 July 2019

 MUST READ: ZDNet is giving away $1,000 in Amazon gift cards Hacker discloses Magyar Telekom vulnerabilities, faces jail term


An ethical hacker who reported serious vulnerabilities in Magyar Telekom has been arrested and faces years behind bars for "disturbing a public utility."
Magyar Telekom, a Hungarian telecommunications company, filed a complaint against the hacker who is now being defended by the Hungarian Civil Liberties Union (HCLU/TASZ).
According to local media, the man discovered a severe vulnerability in the telecom provider's systems in April 2018. These findings were reported to the company and both parties met.
The idea of working together was floated but never came into fruition, and in the meantime, the researcher continued probing Magyar Telekom's networks.
In May, the hacker found another vulnerability which the publication says, if exploited, could have been used to "access all public and retail mobile and data traffic, and monitor servers."
According to Index.hu, the first vulnerability allowed the hacker to obtain an administrator password through a public-facing service. The second bug allowed him to "create a test user with administrative privileges."


On the same day, the company noticed strange activity on their network and reported a cyberintrusion to the police, leading to the man's arrest.
The trial has already begun. Hungary's prosecution service is requesting a prison term, while the HCLU has fought back, claiming that the indictment is "incomplete" as "it is not clear what exactly he has done."


Magyar Telekom told Napi.hu:
"The hacker, beyond the limits of ethical hacking, launched new attacks after the first attack, and began to crack additional systems with the data he had acquired so far."
A plea deal was on the table. If the man admitted his 'guilt,' he would be given a two-year suspended sentence. However, this was refused and now the researcher is being charged with an upgraded crime --  the "disrupting the operation of a public utility" -- and could end up behind bars for up to eight years.
Ethical hacking is often considered outside of criminal law as intrusions can benefit companies and society as a whole, a "good faith" concept which is argued as part of HCLU's defense strategy.
However, there are still rules which should be observed, such as making sure no private data is taken and day-to-day operations are not disrupted due to testing and probes.
This encapsulates the prosecutor's case. Law enforcement claim that the hacker crossed an ethical line and his actions may have posed a "danger to society," and therefore he can be charged under the country's criminal laws.
However, there is no evidence that the man in question disregarded these rules, and in a separate statement, the company said itself that the customer data was "safe and secure."
"If someone finds a mistake on a system of Magyar Telekom Group and reports it to Telekom immediately, it does not use it in any way (eg does not modify, delete, save information, etc.), cooperates with Telekom's own investigation and does not publish (this endangers the system), Telekom will not file a complaint against it," Magyar Telekom added.
The case is ongoing

Engineer flees to China after stealing source code of US train firm

Insider threats are a common problem for companies now increasingly reliant on computers and electronic systems, with the risk of intellectual property theft a constant worry. 
For one locomotive manufacturer in Chicago, a software engineer handed the keys to the kingdom became the ultimate example of how much data can be stolen by a single individual -- and where it may end up. 
According to newly unsealed federal indictment charges revealed by the US Department of Justice (DoJ) on Thursday, Xudong "William" Yao is currently in hiding after allegedly stealing a vast array of information belonging to his former employer. 
The unnamed locomotive manufacturer hired Yao in 2014. US prosecutors say that within two weeks of starting his new job, Yao downloaded over 3,000 electronic files containing "proprietary and trade secret information relating to the system that operates the manufacturer's locomotives."
This was not the end of the matter. Over the course of the next six months, the software engineer allegedly continued to download and steal more files containing corporate and intellectual property.
Notably, this included nine complete copies of the company's control system source code and the technical blueprints which described how the source code worked in depth.
While Yao pilfered the US company's trade secrets, the engineer also reportedly accepted a job with a business in China that specializes in automotive telematics. 
In February 2015, Yao was fired for reasons which were not related to theft by the US locomotive firm. In July 2015, following his dismissal, Yao made copies of the stolen data, traveled to China, and began working for his new employer. The engineer then traveled to Chicago with the stolen intellectual property in his possession before once again returning to China. 
Since his last known movements, the engineer has not been traced, but US law enforcement believes Yao is on the run in the country. A federal warrant was issued in 2017 but the engineer is yet to be apprehended. 
Yao is charged with nine counts of theft of trade secrets. If found and convicted, the software engineer faces up to 10 years in prison. 
Earlier this month, a 64-year-old electrical engineer was found guilty of conspiring to smuggle military-grade semiconductor chips to China. The engineer and co-conspirators posed as customers to gain access to custom processors, and the physical products were then shipped to a Chinese company. The processors are used by clients including the US Air Force and DARPA.