Could Self-Driving Cars Become Weapons?

Car makers rush to put self-driving cars on the road. Bets on how much attention is being paid to security? Stopping Self-Driving Cars From Becoming Cybersecurity Weapons

This isn’t a new issue really. I think it was Black Hat 2015 that had a talk about remotely hacking a Jeep driving down the highway.

And Def Con 25 is joining in the fun this year with the Car Hacking Village. No. It won’t amount to anything, I’m sure. Because the car companies are all over this, right?

Yuval Diskin, former head of Israel’s internal security service (Shin Bet) and Chairman of CyMotive Technologies, has a somewhat different view.

The car industry is run by engineers. Up until a few years ago, they thought of information technology (i.e., computers) as some kind of basic support infrastructure, like water and electricity. It’s been a challenge for the industry to better integrate its core competency—electrical engineering—with IT or computer engineering. But they now understand that IT is at the core of their business.

I doubt they really understand it. I believe they know they need to pay it lip service, and I believe they know they need to devote some level of resources to the issue, but I doubt they are setting up bug bounties, or ensuring that firmware and software updates are secure, or that a user can always override what the vehicle is trying to do. In short, I doubt they really understand what the issues are. Will they miss a ship date to ensure that the software is secure?

I actually started a similar post on this subject last week, but couldn’t make it come together. Yuval Diskin came up with the phrase that puts it all in perspective.

Serious attacks can and will happen at the fleet level where you can impact many cars—“imagine stopping thousands of Toyota cars on the highways of Europe,” says Diskin.

Could thousands of cars be hacked at the same time? You really have to ask? How many PCs were infected by WannaCry? By GoldenEye? And that was just in the past couple of months, against an attack that we knew how to stop. (Upgrade your software/hardware!)

Dow Jones Hack – the result of poor security configuration

The joys of outsourcing. I don’t mean outsourcing (that is so 1990s!) but using the cloud. Cloud Leak: WSJ Parent Company Dow Jones Exposed Customer Data

The UpGuard Cyber Risk Team can now report that a cloud-based file repository owned by financial publishing firm Dow Jones & Company, that had been configured to allow semi-public access, exposed the sensitive personal and financial details of millions of the company’s customers. While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts.

2.2 or 4 million names, addresses, account information, email addresses, and last four digits of credit card numbers for people who subscribe to the WSJ or Barron’s. All because the security was not configured correctly.

Thank you Amazon Cloud Services for building in an option to let companies do stupid things with their data!
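The exposure above comes down to one grant in an access control list. The following is an added example, not UpGuard’s or Dow Jones’s code; it assumes the “cloud-based file repository” was an S3 bucket whose ACL granted access to one of Amazon’s predefined global groups, and the ACL documents in it are constructed samples in the shape that boto3’s `get_bucket_acl()` returns, so nothing talks to AWS. It shows the weak ACL, the audit that catches it, and the corrected form.

```python
"""Audit an S3-style bucket ACL for public and semi-public grants.

Added example, not from UpGuard or Dow Jones. It assumes the "cloud-based
file repository" was an S3 bucket whose ACL granted access to one of Amazon's
predefined global groups; the ACL documents below are constructed samples in
the shape returned by boto3's get_bucket_acl(), so no AWS call is made.
"""
import copy

# Amazon's predefined S3 group URIs (real values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# The second group is the classic trap: it reads like "my organisation's users"
# but means any holder of any AWS account, i.e. anyone who signs up.
RISKY_GROUPS = {
    ALL_USERS: "public (anonymous)",
    AUTHENTICATED_USERS: "semi-public (any AWS account)",
}


def _is_risky(grant):
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS


def audit_acl(acl):
    """Return one finding per grant that opens the bucket beyond named principals."""
    return [
        {
            "uri": g["Grantee"]["URI"],
            "permission": g.get("Permission"),
            "exposure": RISKY_GROUPS[g["Grantee"]["URI"]],
        }
        for g in acl.get("Grants", [])
        if _is_risky(g)
    ]


def harden_acl(acl):
    """Return a copy of the ACL with every grant to a global group removed."""
    hardened = copy.deepcopy(acl)
    hardened["Grants"] = [g for g in hardened.get("Grants", []) if not _is_risky(g)]
    return hardened


# Constructed: the kind of ACL that produces a "semi-public" repository.
WEAK_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# The corrected form: only the owning account retains access.
HARDENED_ACL = harden_acl(WEAK_ACL)

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        findings = audit_acl(acl)
        print(f"{name}: {'OK' if not findings else findings}")
```

The ACL is only one of the channels that can open a bucket: a bucket policy with `"Principal": "*"` does the same thing, so a real audit checks both, and the same two group URIs should be looked for on individual objects, not just the bucket.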

Finally, the aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information.

Because why come clean when a good coverup might just work. (For the first time ever!)

This comes via Small Dead Animals, who has the perfect take.

Centralize your and your customers’ data with hard-to-learn APIs and confusing security options! Join now for just half the price of a good IT person!

Black Hat: Attack on US Infrastructure in 2 Years

Survey Says… Black Hat Attendees Predict Cyberattack on US Infrastructure Within Two Years

Critical U.S. infrastructure will be hit by a major cyberattack in the next two years, according to a survey of experts who attended the annual Black Hat security conference in the last two years.

Black Hat is in its 20th year, so if you haven’t heard of it, you aren’t really paying attention to security.

While it’s impossible to predict precisely how threat actors might strike U.S. infrastructure, 50 percent of those surveyed indicated that they were most concerned about social engineering and phishing schemes that dupe users into handing over access credentials.

It seems crazy in 2017 that phishing would still be a thing. (We didn’t learn the lesson: Trust No One!) Social Engineering* is still a thing, and in the face of good tech security…

The full survey from Black Hat is available as a PDF.

* Deviant Ollam on the subject of getting into a facility by wearing matching shirts. (The audio is a bit wonky, but the story is good.)

Yes Virginia, Mac OS does get viruses.

People still think if they are on a Mac they are safe. (I heard this in conversation over the weekend.) Grow up. macOS isn’t as secure as you think

Most people still seem to think macOS is super secure. Sorry, but this idea hasn’t been true for a while now. It is still true though that Macs get fewer viruses than Windows, but Macs still get them (and the number is rising).

All operating systems are vulnerable and motivated attackers will find a way to infiltrate. Look at KeRanger, the first ransomware program targeting Macs, which was detected last year. More recently, in May 2017 attackers hacked the popular DVD-ripping app HandBrake to spread a variant of the Proton malware.

Mac OS isn’t a good target because the installed base is small, especially if you look at the installed base in Corporate America or the .gov, and after all, where is all that lovely data that they want to steal? (Hackers aren’t interested in your vacation video unless it helps them steal your identity.)

Electronic Frontier Foundation’s Report Card on Companies Who Protect Your Privacy

Some do a good job. Others, not so much. AT&T, Verizon, Other Telco Providers Lag Behind Tech Industry in Protecting Users from Government Overreach, EFF Annual Survey Shows | Electronic Frontier Foundation

Online retail giant Amazon has been rated number one in customer service, yet it hasn’t made the public commitments to stand behind its users’ digital privacy that the rest of the industry has.

AT&T, Comcast, T-Mobile, and Verizon scored the lowest, each earning just one star. While they have adopted a number of industry best practices, like publishing transparency reports and requiring a warrant for content, they still need to commit to informing users before disclosing their data to the government and creating a public policy of requesting judicial review of all NSLs.

The full list can be found here.

West Virginia Hospital Hit By Cyber Attack

This was not a surprise to anyone, except the administrators who didn’t want to spend money to upgrade the hospital’s security. WV MetroNews – Princeton hospital to replace 12-hundred computer hard drives after cyber attack

Petya is more damaging than WannaCry, in that it doesn’t really encrypt your data, it wipes the hard drives.

Princeton Community Hospital is a smallish hospital in the southern part of West Virginia. Maybe they thought “We aren’t the NHS; no one will target us.” They thought wrong.

The hospital is spinning, saying that this is a complete surprise. (To whom, exactly?)

[Rose] Morgan [vice president of patient care services at the hospital] called the attack “surprising” because the hospital made sure to put all the protections in place to prevent cyber attacks. She said the attack just goes to show that no organization is completely immune to computer viruses.

My guess is that the “completely prepared” Windows systems are not patched, that SMB version 1 is still active on the network, etc. In any event, according to Securelist, this attack uses two exploits that Microsoft had patched back in March. (It also seems to use a piece of Ukrainian tax software, but I doubt the hospital was installing that.)

If I was writing a Neighbors Were Shocked post, I would remind everyone that crime isn’t something that happens “in other kinds of places” and only to “other kinds of people.” If you are reading this then you live in the Real World™ where crime – including cyber crime – does happen.

Other people have been hit, probably by assuming that cyber crime doesn’t impact them. Such as a medical practice in Pennsylvania.

“Sometimes the small practice physicians think they won’t be targeted because they have less information, but what we’re learning is that everyone is vulnerable because health data is very valuable,” Deven McGraw, deputy director for Health Information Privacy for the Office for Civil Rights at the U.S. Department of Health and Human Services, told Medical Economics prior to the most recent attack.

Attacks are becoming more sophisticated, and health systems must step up efforts to ensure they don’t become victims, Michael Kaiser, executive director of the National Cyber Security Alliance

If you have a computer attached to the internet, you need to be prepared to recover from a nightmare like this. You can’t pay these guys 300 bucks and be on your way. In the first place, the email address has been deactivated, and it isn’t ransomware – it wipes your data. Can you get it back? Oh, and why aren’t you updating your software?

Petya the destroyer

This title sounds like the character in fantasy movie. Petya the destroyer: Wiper attack in disguise is really out to kill data

But it isn’t a fantasy. It is the next wave of cyber crime.

Researchers from leading infosec firms have arrived at the same conclusion: the ransomware attack that goes by the labels Petya and GoldenEye is really out to destroy systems.

Unlike WannaCry, Petya (or GoldenEye, or NotPetya) is not ransomware. It doesn’t encrypt your data, it wipes your disk.

A good reason not to pay ransoms; you might not get the data back anyway.

So how do you protect against a wiper? You have backups of your data. On site. Off site. Multiple copies of anything you think is important.
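A backup you have never verified is a hope, not a backup. The following is an added example (not from the post or from any vendor it mentions) of the check that turns “multiple copies” into something you can rely on after a wiper: build a SHA-256 manifest of the live data, ship the manifest with the copies, and verify each copy against it. The directory tree, the on-site and off-site copies, and the damage done to them are all constructed in a temporary directory so the script runs offline.

```python
"""Build a SHA-256 manifest of a directory and verify backup copies against it.

Added example. The live tree, the two copies and the damage to them are all
constructed inside a temporary directory; nothing here touches real data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(manifest, copy_root):
    """Compare one backup copy against the manifest taken from the live data.

    Reports files missing from the copy, files whose digest differs from the
    recorded one (silent corruption), and files present only in the copy.
    """
    found = build_manifest(copy_root)
    missing = sorted(k for k in manifest if k not in found)
    changed = sorted(k for k in manifest if k in found and found[k] != manifest[k])
    extra = sorted(k for k in found if k not in manifest)
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "intact": not (missing or changed),
    }


def demo():
    """Constructed scenario: one live tree, two copies, each damaged differently."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "notes.txt").write_text("patient intake procedure\n")
        (live / "docs" / "policy.txt").write_text("backup policy: three copies\n")
        (live / "db.sqlite").write_bytes(b"\x00" * 4096)

        # Persist the manifest as JSON, the way it would travel with the copies.
        manifest_json = json.dumps(build_manifest(live), indent=2, sort_keys=True)

        onsite, offsite = tmp / "onsite", tmp / "offsite"
        shutil.copytree(live, onsite)
        shutil.copytree(live, offsite)

        # Simulate silent corruption on site and a lost file off site.
        (onsite / "docs" / "notes.txt").write_text("patient intake procedure (corrupted)\n")
        (offsite / "db.sqlite").unlink()

        manifest = json.loads(manifest_json)
        return {
            "onsite": verify_copy(manifest, onsite),
            "offsite": verify_copy(manifest, offsite),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule against every copy, not once at backup time: a copy that verified last month tells you nothing about the disk it sits on today. Keep the manifest somewhere the live systems cannot rewrite it, since a wiper that reaches the manifest can make a damaged copy look clean.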