Hacking a car? That’s five-year-old news


A group of researchers at the University of California at San Diego and the University of Washington showed they could hack a 2009 Chevy Impala—five years ago. The researchers chose not to publicly name the make and model of the vehicle they tested at the time. GM took nearly five years to fully protect its vehicles from the hacking technique, which the researchers privately disclosed to the auto giant and to the National Highway Traffic Safety Administration in the spring of 2010. For nearly half a decade, millions of GM cars and trucks were vulnerable to that privately known attack, a remote exploit that targeted its OnStar dashboard computer and was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether. “We basically had complete control of the car except the steering,” says Karl Koscher, one of the security researchers who helped to develop the attack. “Certainly, it would have been better if it had been patched sooner.” Source: Wired

Beat those spears into pruning hooks

In a presentation at the Intelligence & National Security Summit, the director of the National Counterintelligence and Security Center announced a “new counterintelligence campaign” focused on reducing the potential security damage done by the Office of Personnel Management data breaches. Called Know the Risk, Raise Your Shield, the campaign’s opening salvo is a pair of spear-phishing awareness videos, urging people not to click on those links. “There have been just over 500 breaches so far this year, some of which made the news,” said NCSC Director Bill Evanina. “And 47 percent of adult Americans have been the victim of a breach in the last three years. That data is an opportunity for criminals, but it’s also allowed foreign intelligence to collect information about government employees, contractors, and their families.” He noted that 91 percent of breaches seen in the past few years have emanated from spear phishing. “Our adversaries do not need to use sophisticated attacks—it all starts with emails.” Source: Ars Technica

Always keeping an eye on the East

Chinese cyber espionage continues to target a “broad spectrum of U.S. interests,” including national security information, sensitive economic data and intellectual property, the U.S. Director of National Intelligence James Clapper said on Thursday. “Although China is an advanced cyber actor in terms of capabilities, Chinese hackers are often able to gain access to their targets without having to resort to using advanced capabilities,” Clapper told the House of Representatives Intelligence Committee. He said improved U.S. cybersecurity would complicate Chinese cyber espionage “by addressing the less sophisticated threats and raising the cost and risk if China persists,” according to a written statement Clapper provided to the committee. Clapper said the risk of a “catastrophic attack from any particular actor is remote at this time” but that he foresees continued “low-to-moderate level cyber attacks” that could undermine U.S. economic competitiveness and national security. Source: NBC News

Cost of convenience vs. cost of security

Zurich Insurance Group and international affairs think tank the Atlantic Council modeled the economic benefits of the Internet and related information and communications technologies while also looking at costs such as cybersecurity spending and losses from cyber incidents. Their findings were mixed. On an annual basis, cybersecurity costs already outweigh connectivity benefits in developed countries such as the United States. But looking over time paints a different picture: “The accumulated global benefits of being connected should still outpace the costs through the year 2030 by nearly $160 trillion.” That base case represents an 8 percent gain in cumulative global growth between 2010 and 2030. This is because long-term economic benefits accrue from technology investment while cyber costs tend to be more episodic. Source: The Wall Street Journal

Pay up or we’ll knock you offline

Banks, media groups and gaming firms are being hit with extortion demands by a cyber gang that threatens to knock them offline unless they pay up. In a report, net firm Akamai said in the past 10 months it had seen 141 attacks on its customers by the group. The gang, called DD4BC, threatens to swamp servers with data unless a ransom of up to 50 bitcoin (about $12,000) is paid. The attacks mounted by the gang can flood sites with more than 56 gigabits of data a second, it said. “The latest attacks—focused primarily on the financial service industry—involved new strategies and tactics intended to harass, extort and, ultimately, embarrass the victim publicly,” said Stuart Scholly, manager of Akamai’s security division. Scholly said that as well as threatening to knock companies offline, DD4BC said it also would post messages on social networks to shame firms if they did not pay up. Source: BBC News

Watch those credit card bills

Consumer electronics company Mohu is notifying approximately 2,500 customers that credit card information and other data was compromised during an attack on the www.gomohu.com website. Names, addresses, email addresses, phone numbers, credit card numbers, expiration dates and CVV codes could be exposed. An attacker penetrated Mohu’s security, inserted malicious code into computer systems, and removed the personal information. At least one Twitter user has reported fraudulent use of a credit card that seems to be a result of the attack. Mohu has hired two security consulting firms to review and make recommendations to improve electronic security measures. Source: SC magazine

You’re going to need a warrant for that

The California state assembly passed a digital privacy bill that aims to prevent government access without warrant to private electronic communications. The bill would provide some exceptions for law enforcement in emergencies or for other public safety requirements. California is home to a large number of tech companies who face regular requests for data on their customers from both state and federal law enforcement agencies. The bill, which would require a judge’s approval for access to a person’s private information, including data from personal electronic devices, email, digital documents, text messages and location information, had been passed in June by the state Senate and now will return there for concurrence before heading to Gov. Jerry Brown for approval. If the Electronic Privacy Act is approved as law, California would join states like Texas, Virginia, Maine and Utah that have updated their privacy laws to require judicial oversight, including a warrant, for access to sensitive digital information. Source: Computer World

Windows 10, whether you want it or not?

Microsoft confirmed that Windows 10 is being downloaded to computers whether or not users have opted in. “For individuals who have chosen to receive automatic updates through Windows Update, we help upgradable devices get ready for Windows 10 by downloading the files they’ll need if they decide to upgrade. When the upgrade is ready, the customer will be prompted to install Windows 10 on the device.” In other words, if you are patching via Patch Tuesday, then you are going to get a big folder on your hard drive ready so you can update to Windows 10 on demand. Source: The Inquirer

Patch me up … or not

Networking giant Cisco has issued warnings about potential vulnerabilities in its email security appliance and Web security appliances. The first vulnerability concerns the DNS resolution function of the Cisco Web Security Appliance. This flaw could allow an unauthenticated, remote attacker to cause a partial denial of service condition due to DNS name resolution failing through the device. Cisco blamed the vulnerability on the handling of DNS requests awaiting a DNS response when new, incoming DNS requests are received. A patch is available. However, Cisco says there currently are no available software updates for a second vulnerability. The Cisco Email Security Appliance apparently “contains a vulnerability that could allow an unauthenticated, remote attacker to impact the integrity and availability of services and data on the affected device. The impact includes a partial denial of service. In addition, the attacker could override part of the memory of the affected device.” Source: Tech Week