Blog Posts

Tesla-Stealing Hack is about Much More than Tesla

As Tesla’s popularity and usage continues to rise, it will start to become a much more attractive target for malicious actors. Especially since Tesla leverages extensive use of the internet for car-to-cloud connectivity, bad guys will try to find a vulnerability to exploit:

An often-asserted downside of internet-connected vehicles is that they’re subject to various forms of hacking, including theft. On Wednesday, a Norwegian security company called Promon claimed to have found something like the Holy Grail of vehicle hacking—by compromising a Tesla owner’s Android phone, they could take control of Tesla’s mobile app and steal the car.

The hack relies on tricking a Tesla owner into downloading a malicious app, for instance through a spoofed public Wi-Fi hotspot that would direct them to a deceptive Google Play download. That app could then escalate permissions on the owner’s phone and corrupt the Tesla app. Attackers could then, according to Promon, communicate with the Tesla server to issue remote commands including locating the victim’s car, opening its doors, and enabling keyless driving.

Has the Internet Become a Failed State?

This is quite the analysis of how the internet has evolved from a potential utopia to a government surveillance tool:

This blended universe is a strange place, simultaneously wonderful and terrifying. It provides its users – ordinary citizens – with services, delights and opportunities that were once the prerogative only of the rich and powerful. Wikipedia, the greatest store of knowledge the world has ever seen, is available at the click of a mouse. Google has become the memory prosthesis for humanity. Services such as Skype and FaceTime shrink intercontinental distances for families and lovers. And so on.

But at the same time, everything we do on the network is monitored and surveilled by both governments and the huge corporations that now dominate cyberspace. (If you want to see the commercial side of this in action, install Ghostery in your browser and see who’s snooping on you as you surf.) Internet users are assailed by spam, phishing, malware, fraud and identity theft. Corporate and government databases are routinely hacked and huge troves of personal data, credit card and bank account details are stolen and offered for sale in the shadows of the so-called “dark web”. Companies – and public institutions such as hospitals – are increasingly blackmailed by ransomware attacks, which make their essential IT systems unusable unless they pay a ransom. Cybercrime has already reached alarming levels and, because it largely goes unpunished, will continue to grow – which is why in some societies old-style physical crime is reducing as practitioners move to the much safer and more lucrative online variety.

Toronto Blockchain Security Startup Hires John McAfee as Chief Security Officer

John McAfee is an intelligent guy, and his eccentricities tend to get in the way, but he has somehow been hired by a Toronto blockchain security startup:

Toronto-based Equibit Development Corporation said in a press release today that McAfee has been hired as the company’s chief security officer. In a somewhat unusual arrangement, however, McAfee will be reporting to the board and not the CEO.

“We’re honored and thrilled to be working with John McAfee,” said Equibit CEO Chris Horlacher in a statement. “With his input and ongoing guidance, EDC will continue to set the security standard for blockchain services. We share his unwavering commitment to IT security and, with his help, will continue to push the boundaries of what’s possible in this industry.”

Equibit is a security service for safely issuing shares in companies and protecting trades from hacks, using decentralized blockchain technology. The platform will also handle other shareholder services, like voting and registering new stock owners.

Blockchain is a new security frontier, and is slowly starting to see adoption in the financial sector.

Unsurprisingly Businesses Continue to Neglect Cyber Security

This should come as no surprise, but businesses still do not understand the cyber threat and are unwilling to invest in securing their IT assets:

Cybersecurity requires agile improvement and dedicated resources. Unfortunately, instead of businesses taking the recommended holistic approach, cybersecurity is often critically overlooked. An infographic based on a study from security solutions provider Resilient Systems and market research firm Ponemon breaks down key areas of continued failure for businesses.

66 percent of the security and IT professionals surveyed said their organizations are unprepared to recover from a cyber attack, and 75 percent lack a formal incident response plan, which has not changed since last year.

More or less mirrors my experience.

Ransomware Abusing Encrypted Chat App Telegram Protocol Cracked

Ransomware authors are leveraging publicly accessible app APIs to create malware:

However, the malware also has unusual aspects, such as the use and abuse of Telegram Messenger’s communication protocol to send decryption keys to the threat actor, which, according to Secure List, appears to be the “first cryptor to use the Telegram protocol in an encryption malware case.”

While cryptors either maintain offline encryption or don’t, this Trojan chooses to. In order to keep communication lines between the threat actor and ransomware concealed and protected, secure channels need to be created — and this often increases the cost of malware development.

To circumvent these costs, TeleCrypt abuses the publicly available Telegram Bot API by operating as a bot which generates unique tokens that are inserted into the malware’s body so the Trojan can use the Telegram API.

By utilizing this channel rather than maintaining communication between the operator’s command and control center (C&C) over simple HTTP-based protocols, commonly used by many ransomware variants, security is improved and tracing the operator is more difficult.

These malicious actors are getting craftier by the day.

U.S. Government Claims Cyber Security Skills Shortage is a Myth

CSO Online:

One myth is this: “There is not a lot of cyber talent available for hire,” said Bailey. “Actually, over 14,000 people applied for our positions, with over 2,000 walking in the door. And while not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event.

“The amount of talent available to hire was so great, we stayed well into the night interviewing potential employees,” said Bailey.

The experience of the U.S. government seems counter to what industry studies say is actually going on.

Sounds iffy to me. The shortage is real, despite what DHS experienced during their recent job fair.

Malicious Actors Are Leveraging MailChimp to Spread Malware via Email Newsletters

Malicious actors – whether of the criminal, hacktivist, or nation state variety – will use any avenue possible to attack their intended targets. Some evil folks have turned to leveraging MailChimp as a means of spreading malware:

The “View Invoice” button leads to a .zip file, which, according to scans on malware analysis site Virus Total, is malicious.

Companies and websites sometimes outsource their newsletter distribution to another company, to handle the infrastructure and headaches of firing out tens or hundreds of thousands of emails at a time. In this case, that was MailChimp, according to another apparent email from Business News Australia.

“This morning our MailChimp subscriber database was hacked and a fake invoice (Inoice 00317) [sic] was sent to our list,” the email reads, according to a screenshot tweeted by Hunt.

Careless Hewlett Packard Enterprise Services Contractor Leaks Personal Data on 130,000+ Sailors

Why is a Hewlett Packard Enterprise Services Contractor carrying a laptop with sensitive information on 130,000+ current and former U.S. Navy Sailors? Just another in a series of embarrassing NMCI blunders for HPE:

Hackers gained access to sensitive information, including Social Security numbers, for 134,386 current and former U.S. sailors, the U.S. Navy said on Wednesday.

It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said.

There is no valid reason for an HPE Services employee to be running around with this type of data stored locally on a laptop. Why does a contractor even have access to PII data of this nature?

Japanese Government Needs to Stop Spreading Anti-Vaccine Panic

HPV is a huge women’s health issue, and the Japanese government needs to stop playing games with anti-vaccers:

Japanese women’s health is increasingly at risk as public-health policy is driven by conspiracy theories, misguided political interference and bureaucratic caution. This is particularly evident in the government’s handling of the human papillomavirus (HPV) vaccine to protect against cervical cancer.

In June 2013, just two months after the HPV vaccine was included in the National Immunization Program, the Japanese government made the unusual and perplexing decision to keep the vaccine in the NIP but suspend “proactive” recommendations for it. This was evidently in response to highly publicized accounts of alleged adverse reactions.

The result was that girls in the target age group, from the 6th grade of primary school to the third grade of high school, stopped receiving the vaccine. Vaccination rates dropped to below 1% from about 70%.

Then there is this:

The Vaccine Adverse Reactions Review Committee, a task force established by the Japanese Ministry of Health, Labor, and Welfare’s Health Science Council, has repeatedly concluded that no causal link exists between HPV vaccines and professed symptoms, and that most reported cases were likely psychosomatic. A study of 70,960 vaccinated and nonvaccinated adolescent girls from Nagoya also found no significant association between 24 alleged vaccine-induced symptoms and the HPV vaccines.

Despite this, on March 16 Dr. Shuichi Ikeda, one of the principal investigators commissioned by the government to investigate alleged adverse events, presented highly misleading genetic and mouse experiment data at the MHLW’s Sciences Research Grant Meeting. He appeared on television the same day stating, “Without a doubt, there are signs of brain disorder. The results clearly reflect the objective findings which are common among the patients claiming such brain disorders.” The following day, major Japanese newspapers ran alarmist headlines.

Unbelievable. Dr. Ikeda should be fired.

The Japanese government needs to get out in front of this ASAP, otherwise it will continue to put women in harm’s way. The public needs to hear from the government about how this claim has already been debunked, and be reassured about the true safety and importance of HPV immunization.

While MHLW did already make a statement to refute Dr. Ikeda, it seems to have backfired. They need to take a stronger stance, and forcefully demonstrate Ikeda’s ignorance on this topic, while at the same time presenting evidence showing why the HPV vaccine is safe.

The longer they wait, the longer this festers, and the fewer women will be inclined to vaccinate.

The Disruptive Career of Michael Flynn, Trump’s National-Security Adviser

Michael Flynn is not the type of National-Security Adviser America needs now:

Flynn broke rules he thought were stupid. He once told me about a period he spent assigned to a C.I.A. station in Iraq, when he would sometimes sneak out of the compound without the “insane” required approval from C.I.A. headquarters, in Langley, Virginia. He had technicians secretly install an Internet connection in his Pentagon office, even though it was forbidden. There was also the time he gave classified information to nato allies without approval, an incident which prompted an investigation, and a warning from superiors. During his stint as Mullen’s intelligence chief, Flynn would often write “This is bullshit!” in the margins of classified papers he was obliged to pass on to his boss, someone who saw these papers told me.

Flynn is a “do as I say, not as I do” kind of guy. While he regularly broke the rules he disliked, as a Commander he likely punished junior soldiers for doing the very same things. There is no way junior officers or enlisted could ever get away with writing “this is bullshit” in the margins of documents passed on to him for review.

Finally, installing an unapproved, unaccredited internet connection in his office is just unbelievable. Likely his Information Assurance Manager (IAM) counseled against it, but was told something along the lines of, “shut up and color”, as often happens when senior leadership desires something against the rules. This is a huge problem within the US military – far too many people are more interested in promotion, and will not fight for what’s right, especially when it involves a senior ranking officer like Flynn.

In 2012, Flynn became director of the Defense Intelligence Agency, in charge of all military attachés and defense-intelligence collection around the world. He ran into serious trouble almost immediately. I’ve spoken with some two dozen former colleagues who were close to Flynn then, members of the D.I.A. and the military, and some who worked with him in civilian roles. They all like Flynn personally. But they described how he lurched from one priority to another and had trouble building a loyal team. “He made a lot of changes,” one close observer of Flynn’s time at the D.I.A. told me. “Not in a strategic way—A to Z—but back and forth.”

Flynn also began to seek the Washington spotlight. But, without loyal junior officers at his side to vet his facts, he found even more trouble. His subordinates started a list of what they called “Flynn facts,” things he would say that weren’t true, like when he asserted that three-quarters of all new cell phones were bought by Africans or, later, that Iran had killed more Americans than Al Qaeda. In private, his staff tried to dissuade him from repeating these lines.

Flynn’s temper also flared. He berated people in front of colleagues. Soon, according to former associates, a parallel power structure developed within the D.I.A. to fence him in, and to keep the nearly seventeen-thousand-person agency working. “He created massive antibodies in the building,” the former colleague said.

This is not the type of temperament America needs for a National Security Advisor. When I think of really good Advisors, Condoleezza Rice comes to mind. While I may not have agreed with all of her assessments, she had the right temperament and frame of mind for the position – something I believe Flynn is missing.

I met Flynn once here in Tokyo, and just was the aura surrounding him both when he spoke to the audience, and afterwards when he was “networking” with attendees. While he appeared to speak confidently and intelligently about his topic, there was just something off-putting about the way he handled himself. The above perfectly characterizes Flynn in a nutshell.

Trump Needs To Partner With Silicon Valley On Cyber Security

If President-elect Trump desires to solve critical infrastructure cyber security problems then he needs to cooperate with Silicon Valley:

There is no indication that Trump has the slightest clue regarding the challenges of protecting our digital infrastructure or a strategy to address them. Unfortunately, there is little love lost between Trump and Silicon Valley, or vice versa, so finding qualified people willing to weigh in could be an even bigger challenge. Arora stresses, “Both sides need to look past those differences and focus on solving the actual problems at hand. The most important thing to do now, is to look at the core issues from a cyber security standpoint, whether it’s internal threat or external nation states and see what are the most important, most damaging and—most likely—not what provides the most headlines.”

“A plan must be built and executed by those who have an intimate knowledge of cyber infrastructure and the threat landscape that not only exists but is possible,” declares Hanson. “The sooner we secure our infrastructure from the core the more efficient we will be in maintaining the security of our cyber infrastructure. Regulations and guidelines must exist that define what our core infrastructure looks like from the bare metal. Security at the hardware level is essential for a truly secure infrastructure.”

It will be interesting to see how Trump attempts to acquire the much required Silicon Valley assistance. The only way he is going to solve major technological problems is through cooperation with those with the requisite knowledge.

Complaining and tweeting about an uncooperative Silicon Valley, and trying to guilt trip technologists into helping will not work.

Thailand Seeks to Ostensibly Tighten Cyber Security, Raises Privacy Questions

In the name of ostensibly tightening cyber security regulations, Thailand ends up walking down the slippery slope of privacy protection:

Amendments to Thailand’s 2007 Computer Crime Act to be considered by parliament next month have come under fire from critics who say the bill could give state officials sweeping powers to spy on internet users and restrict online speech.

Critics say parliament is likely to approve the amendments because lawmakers voted unanimously to pass the bill in its first reading.

The amendments come as the military government has ramped up online censorship since the May 2014 coup, particularly perceived insults to the royal family, as it tries to ensure a smooth transition following the death of revered King Bhumibol Adulyadej on Oct. 13 and ahead of a 2017 general election.

Since the coup, the government has shut down or blocked thousands of websites it has deemed offensive or inappropriate.

The amendments to the cyber law, seen by Reuters on Tuesday, have pro-democracy activists worried that they could lead to arbitrary invasion of privacy without a court warrant.

If you are a King and do not have thick enough skin to handle online criticism, and need to rely on censoring perceived insults to your royal family, then you are no true King. The more you censor, the more insults you invite.

Meet the $1 Billion Startup Busting Cyber Security’s Greatest Myth

This article about Cylance reads more like an advertisement than an actual objective look at the “product” and its roots:

In 2011, cybersecurity researcher and entrepreneur Stuart McClure spent his last year working at McAfee, as the company’s global chief technology officer, apologizing a lot. McClure said hackers were slipping into McAfee customer networks and each subsequent breach seemed worse than the last.

McClure would have to meet with each of the big McAfee corporate customers to explain why the software failed and at the end of each meeting someone would ask McClure the same question: “‘What type of security software do you use on your machine to prevent cyber attacks?'” The customers would then wait, pens poised above a piece of paper to jot down the long list of layer after layer of high-end software that the global CTO of a multimillion-dollar security company would surely recommend. But McClure would have to tell them his dirty secret:

He didn’t use any security software. Not even his employer’s.

I won’t discount that this happened, but I do find it hard to believe that McClure encountered a large number of customers who believed McAfee products failed to protect their network. The assumption in the second paragraph is that McAfee – now Intel Security – only makes software, as in the anti-virus type, which could not be farther from the truth. The company does write software, but is well known in the corporate and enterprise business markets for network-based hardware security products like firewalls, intrusion prevention, security information and event management, web gateway, and more.

So it is not as if McAfee, at the time, was only an endpoint security provider. More to the point: even if it were, by 2011 DoD had deployed host-based security system – essentially McAfee’s endpoint protection suite – on over five million nodes, and had not (and has not) been breached. This makes me feel as if McClure is indulging for the sake of making his grand idea, and Cylance, much larger than it actually is in reality.

Finally, to address the last point about McClure not using any security software: neither do I. However, that is not because I lack confidence in the product, but because I use a Mac and am much more in tune with what I do online. When I use Windows, I absolutely use security software, and it is always McAfee endpoint protection.

It would have been quite easy for McClure to make a blanket statement about not using McAfee’s security software, especially if he were a Mac user, which I suspect he was at the time.

Disclaimer: I work for Intel Security, a Cylance competitor.

Criminals Can Steal Your Passwords from Thin Air with This $25 Wi-Fi Hack

This is very interesting research into using RF signals to steal passwords:

So when you swipe your Android smartphone lock-screen pattern, enter a PIN number or a password in an app, your finger movements alter the radio signal and the movements are imprinted into the signal, meaning that if hackers were controlling a public Wi-Fi access point that your device is connected to, they could then reverse-engineer the signal to figure out what sensitive data you may have typed into your phone.

The researchers set up a malicious public Wi-Fi access point consisting of $20 (£16) antennas, the attacker’s laptop and a $5 Intel networking card in a café. The setup was located a metre away from a target sitting at a table with a smartphone.

Once the user connected to the free Wi-Fi, the WindTalker system was able to extract sensitive data by analysing the radio signals and processing the signals to separate the parts of the signal it needed.

I do not know how plausible this attack is in reality, but it sure sounds worth further exploration.

Wickedly Clever USB Stick Installs a Backdoor on Locked PCs

This is an interesting security exploit without a clear or obvious fix:

Today Kamkar released the schematics and code for a proof-of-concept device he calls PoisonTap: a tiny USB dongle that, whether plugged into a locked or unlocked PC, installs a set of web-based backdoors that in many cases allow an attacker to gain access to the victim’s online accounts, corporate intranet sites, or even their router. Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against.

“In a lot of corporate offices, it’s pretty easy: You walk around, find a computer, plug in PoisonTap for a minute, and then unplug it,” Kamkar says. The computer may be locked, he says, but PoisonTap “is still able to take over network traffic and plant the backdoor.”

Having physical access to a PC generally results in increased risk. So it should not be much of a surprise this is possible from an access perspective, but only from an operating system or browser vulnerability context.

Tech Coalition Releases Internet of Things Cyber Security Recommendations

Engadget on Internet of Things cyber security recommendations by the Broadband Internet Technical Advisory Group (BITAG):

This isn’t just speculation: IoT devices enabled two widely publicized DDoS attacks in October, one that took out the internet across the United States and another that disabled the website of security researcher Brian Krebs. The Krebs attack infiltrated an estimated 145,000 IoT devices, mainly security cameras and DVRs.

BITAG recommends a handful of security standards for IoT devices, including timely, automated and secure software updates, password protection, and increased testing of customization options. The group also suggests implementing encryption best practices, plus the ability for these devices, particularly home alarm systems, to function if internet connectivity or the cloud fails. BITAG even wants to establish an industry cybersecurity program that includes a seal for certified “secure” devices.

Malicious Images Sent via Facebook Messenger Lead to Locky Ransomware

CSO Online about a unique Facebook-based delivery method for Locky ransomware:

The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file.

The usage of SVG (Scalable Vector Graphics) files, is important. SVG is XML-based, meaning a criminal can embed any type of content they want – such as JavaScript. In this case, JavaScript is exactly what the attackers embedded.

If accessed, the malicious image will direct the victim to a website that appears to be YouTube in design only, as it’s hosted on a completely different URL.

Once the page is loaded, the victim is asked to install a codec in order to play the video that’s shown on the page.

If the codec (presented as a Chrome extension) is installed, the attack is then spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky.

There are a lot of moving parts to delivering Locky in this manner. In addition, anecdotally anyhow, I believe most people use Facebook Messenger on their mobile devices rather than via the web, so I wonder about the effectiveness of this attack. Unfortunately, there are a lot of folks who do not pay close enough attention and will allow the codec to install with nary a second thought, and thus allow this exploit to succeed.
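The CSO Online excerpt above hinges on one technical point: an SVG is XML, so it can carry a `<script>` element, `on*` event-handler attributes, or a `javascript:` link just as easily as it carries a circle. The Python below is an added example (not code from the article, from Facebook, or from this blog) showing how a mail or file gateway could flag an SVG that contains active content before it is treated as an image. The two SVG strings are constructed samples; the detection is a blocklist of the well-known script vectors, not a full sanitizer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for the kind of "image" the article describes:
# it contains an inline <script>, an onclick handler and a javascript: link.
# The redirect target is a placeholder, not a real site.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="100" height="100" fill="blue" onclick="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><circle r="10"/></a>
  <script>location.href='https://example.invalid/fake-video';</script>
</svg>"""

# Constructed benign sample: plain vector drawing, no active content.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4" fill="red"/></svg>')

# Matches href values whose scheme is javascript:, tolerating leading whitespace.
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)

# Elements that execute or embed arbitrary content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix: '{http://...}href' -> 'href'."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list:
    """Return a list of (kind, detail) findings for active content in an SVG.

    An empty list means none of the checked vectors were present.  A document
    that does not parse is reported as a finding rather than silently passed,
    since a gateway should not forward what it cannot inspect.

    Note: xml.etree is used here for portability; on untrusted input in
    production, parse with defusedxml to block entity-expansion attacks.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]

    for elem in root.iter():          # document order, root included
        tag = _local_name(elem.tag)
        if tag.lower() in ACTIVE_ELEMENTS:
            findings.append(("element", tag))
        for attr, value in elem.attrib.items():
            local = _local_name(attr).lower()
            if local.startswith("on"):           # onclick, onload, onmouseover, ...
                findings.append(("event-handler", _local_name(attr)))
            elif local == "href" and JS_SCHEME.match(value):
                findings.append(("javascript-url", value))
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True only when the SVG parses and carries no detected active content."""
    return find_active_content(svg_text) == []


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "safe" if is_safe_svg(sample) else find_active_content(sample))
```

A gateway that uses a check like this should treat any finding, including a parse error, as grounds to quarantine or rasterize the file rather than deliver it as an image; the blocklist catches the vectors named in the article, and a whitelist-based sanitizer or conversion to a raster format is the stronger long-term control.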
