Hacking a car? That’s five-year-old news

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

A group of researchers at the Uni­ver­si­ty of Cal­i­for­nia at San Diego and the Uni­ver­si­ty of Wash­ing­ton showed they could hack a 2009 Chevy Impala—five years ago. The researchers chose not to pub­licly name the make and mod­el of the vehi­cle they test­ed at the time. GM took near­ly five years to ful­ly pro­tect its vehi­cles from the hack­ing tech­nique, which the researchers pri­vate­ly dis­closed to the auto giant and to the Nation­al High­way Traf­fic Safe­ty Admin­is­tra­tion in the spring of 2010. For near­ly half a decade, mil­lions of GM cars and trucks were vul­ner­a­ble to that pri­vate­ly known attack, a remote exploit that tar­get­ed its OnStar dash­board com­put­er and was capa­ble of every­thing from track­ing vehi­cles to engag­ing their brakes at high speed to dis­abling brakes alto­geth­er. “We basi­cal­ly had com­plete con­trol of the car except the steer­ing,” says Karl Kosch­er, one of the secu­ri­ty researchers who helped to devel­op the attack. “Cer­tain­ly, it would have been bet­ter if it had been patched soon­er.” Source: Wired

Beat those spears into pruning hooks

sh_phishing_280In a pre­sen­ta­tion at the Intel­li­gence & Nation­al Secu­ri­ty Sum­mit, the direc­tor of the Nation­al Coun­ter­in­tel­li­gence and Secu­ri­ty Cen­ter announced a “new coun­ter­in­tel­li­gence cam­paign” focused on reduc­ing the poten­tial secu­ri­ty dam­age done by the Office of Per­son­nel Man­age­ment data breach­es. Called Know the Risk, Raise Your Shield, the campaign’s open­ing sal­vo is a pair of spear-phish­ing aware­ness videos, urg­ing peo­ple not to click on those links. “There have been just over 500 breach­es so far this year, some of which made the news,” said NCSC Direc­tor Bill Evan­i­na. “And 47 per­cent of adult Amer­i­cans have been the vic­tim of a breach in the last three years. That data is an oppor­tu­ni­ty for crim­i­nals, but it’s also allowed for­eign intel­li­gence to col­lect infor­ma­tion about gov­ern­ment employ­ees, con­trac­tor, and their fam­i­lies.” He not­ed that 91 per­cent of breach­es seen in the past few years have emanat­ed from spear phish­ing. “Our adver­saries do not need to use sophis­ti­cat­ed attacks—it all starts with emails.” Source: Ars Tech­ni­ca

Always keeping an eye on the East

sh_china espionage_280Chi­nese cyber espi­onage con­tin­ues to tar­get a “broad spec­trum of U.S. inter­ests,” includ­ing nation­al secu­ri­ty infor­ma­tion, sen­si­tive eco­nom­ic data and intel­lec­tu­al prop­er­ty, the U.S. Direc­tor of Nation­al Intel­li­gence James Clap­per said on Thurs­day. “Although Chi­na is an advanced cyber actor in terms of capa­bil­i­ties, Chi­nese hack­ers are often able to gain access to their tar­gets with­out hav­ing to resort to using advanced capa­bil­i­ties,” Clap­per told the House of Rep­re­sen­ta­tives Intel­li­gence Com­mit­tee. He said improved U.S. cyber­se­cu­ri­ty would com­pli­cate Chi­nese cyber espi­onage “by address­ing the less sophis­ti­cat­ed threats and rais­ing the cost and risk if Chi­na per­sists,” accord­ing to a writ­ten state­ment Clap­per pro­vid­ed to the com­mit­tee. Clap­per said the risk of a “cat­a­stroph­ic attack from any par­tic­u­lar actor is remote at this time” but that he fore­sees con­tin­ued “low-to-mod­er­ate lev­el cyber attacks” that could under­mine U.S. eco­nom­ic com­pet­i­tive­ness and nation­al secu­ri­ty. Source: NBC News

Cost of convenience vs. cost of security

Zurich Insur­ance Group and inter­na­tion­al affairs think tank the Atlantic Coun­cil mod­eled the eco­nom­ic ben­e­fits of the Inter­net and relat­ed infor­ma­tion and com­mu­ni­ca­tions tech­nolo­gies while also look­ing at costs such as cyber­se­cu­ri­ty spend­ing and loss­es from cyber inci­dents. Their find­ings were mixed. On an annu­al basis, cyber­se­cu­ri­ty costs already out­weigh con­nec­tiv­i­ty ben­e­fits in devel­oped coun­tries such as the Unit­ed States. But look­ing over time paints a dif­fer­ent pic­ture: “The accu­mu­lat­ed glob­al ben­e­fits of being con­nect­ed should still out­pace the costs through the year 2030 by near­ly $160 tril­lion.” That base case rep­re­sents an 8 per­cent gain in cumu­la­tive glob­al growth between 2010 and 2030. This is because long-term eco­nom­ic ben­e­fits accrue from tech­nol­o­gy invest­ment while cyber costs tend to be more episod­ic. Source: The Wall Street Journal

Pay up or we’ll knock you offline

sh_extortion_280Banks, media groups and gam­ing firms are being hit with extor­tion demands by a cyber gang that threat­ens to knock them offline unless they pay up. In a report, net firm Aka­mai said in the past 10 months it had seen 141 attacks on its cus­tomers by the group. The gang, called DD4BC, threat­ens to swamp servers with data unless a ran­som of up to 50 bit­coin (about $12,000) is paid. The attacks mount­ed by the gang can flood sites with more than 56 giga­bits of data a sec­ond, it said. “The lat­est attacks—focused pri­mar­i­ly on the finan­cial ser­vice industry—involved new strate­gies and tac­tics intend­ed to harass, extort and, ulti­mate­ly, embar­rass the vic­tim pub­licly,” said Stu­art Schol­ly, man­ag­er of Akamai’s secu­ri­ty divi­sion. Schol­ly said that as well as threat­en­ing to knock com­pa­nies offline, DD4BC said it also would post mes­sages on social net­works to shame firms if they did not pay up. Source: BBC News

Watch those credit card bills

Con­sumer elec­tron­ics com­pa­ny Mohu is noti­fy­ing approx­i­mate­ly 2,500 cus­tomers that cred­it card infor­ma­tion and oth­er data was com­pro­mised dur­ing an attack on the www.gomohu.com web­site. Names, address­es, email address­es, phone num­bers, cred­it card num­bers, expi­ra­tion dates and CVV codes could be exposed. An attack­er pen­e­trat­ed Mohu’s secu­ri­ty, insert­ed mali­cious code into com­put­er sys­tems, and removed the per­son­al infor­ma­tion. At least one Twit­ter user has report­ed fraud­u­lent use of a cred­it card that seems to be a result of the attack. Mohu has hired two secu­ri­ty con­sult­ing firms to review and make rec­om­men­da­tions to improve elec­tron­ic secu­ri­ty mea­sures. Source: SC mag­a­zine

You’re going to need a warrant for that

sh_records request_280The Cal­i­for­nia state assem­bly passed a dig­i­tal pri­va­cy bill that aims to pre­vent gov­ern­ment access with­out war­rant to pri­vate elec­tron­ic com­mu­ni­ca­tions. The bill would pro­vide some excep­tions for law enforce­ment in emer­gen­cies or for oth­er pub­lic safe­ty require­ments. Cal­i­for­nia is home to a large num­ber of tech com­pa­nies who face reg­u­lar requests for data on their cus­tomers from both state and fed­er­al law enforce­ment agen­cies. The bill, which would require a judge’s approval for access to a person’s pri­vate infor­ma­tion, includ­ing data from per­son­al elec­tron­ic devices, email, dig­i­tal doc­u­ments, text mes­sages and loca­tion infor­ma­tion, had been passed in June by the state Sen­ate and now will return there for con­cur­rence before head­ing to Gov. Jer­ry Brown for approval. If the Elec­tron­ic Pri­va­cy Act is approved as law, Cal­i­for­nia would join states like Texas, Vir­ginia, Maine and Utah that have updat­ed their pri­va­cy laws to require judi­cial over­sight, includ­ing a war­rant, for access to sen­si­tive dig­i­tal infor­ma­tion. Source: Com­put­er World

Windows 10, whether you want it or not?

sh_Windows 10_280Microsoft con­firmed that Win­dows 10 is being down­loaded to com­put­ers whether or not users have opt­ed in. “For indi­vid­u­als who have cho­sen to receive auto­mat­ic updates through Win­dows Update, we help upgrad­able devices get ready for Win­dows 10 by down­load­ing the files they’ll need if they decide to upgrade. When the upgrade is ready, the cus­tomer will be prompt­ed to install Win­dows 10 on the device.” In oth­er words, if you are patch­ing via Patch Tues­day, then you are going to get a big fold­er on your hard dri­ve ready so you can update to Win­dows 10 on demand. Source: The Inquir­er

Patch me up … or not

Net­work­ing giant Cis­co has issued warn­ings about poten­tial vul­ner­a­bil­i­ties in its email secu­ri­ty appli­ance and Web secu­ri­ty appli­ances. The first vul­ner­a­bil­i­ty con­cerns the DNS res­o­lu­tion func­tion of the Cis­co Web Secu­ri­ty Appli­ance. This flaw could allow an unau­then­ti­cat­ed, remote attack­er to cause a par­tial denial of ser­vice con­di­tion due to DNS name res­o­lu­tion fail­ing through the device. Cis­co blamed the vul­ner­a­bil­i­ty on the han­dling of DNS requests await­ing a DNS response when new, incom­ing DNS requests are received. A patch is avail­able. How­ev­er, Cis­co says there cur­rent­ly are no avail­able soft­ware updates for a sec­ond vul­ner­a­bil­i­ty. The Cis­co Email Secu­ri­ty Appli­ance appar­ent­ly “con­tains a vul­ner­a­bil­i­ty that could allow an unau­then­ti­cat­ed, remote attack­er to impact the integri­ty and avail­abil­i­ty of ser­vices and data on the affect­ed device. The impact includes a par­tial denial of ser­vice. In addi­tion, the attack­er could over­ride part of the mem­o­ry of the affect­ed device.” Source: Tech Week