Could Self-Driving Cars Become Weapons?

Car makers rush to put self-driving cars on the road. Bets on how much attention is being paid to security? Stopping Self-Driving Cars From Becoming Cybersecurity Weapons

This isn’t a new issue really. I think it was Black Hat 2015 that had a talk about remotely hacking a Jeep driving down the highway.

And Def Con 25 is joining in the fun this year with the Car Hacking Village. No. It won’t amount to anything, I’m sure. Because the car companies are all over this, right?

Yuval Diskin, former head of Israel’s internal security service (Shin Bet) and Chairman of CyMotive Technologies, has a somewhat different view.

The car industry is run by engineers. Up until a few years ago, they thought of information technology (i.e., computers) as some kind of basic support infrastructure, like water and electricity. It’s been a challenge for the industry to better integrate its core competency—electrical engineering—with IT or computer engineering. But they now understand that IT is at the core of their business.

I doubt they really understand it. I believe they know they need to pay it lip service, and I believe they know they need to devote some level of resources to the issue, but I doubt they are setting up bug bounties, or ensuring that firmware and software updates are secure or that a user can always override what the vehicle is trying to do. In short, I doubt they really understand what the issues are. Will they miss a ship-date to ensure that the software is secure?

I actually started a similar post on this subject last week, but couldn’t make it come together. Yuval Diskin came up with the phrase that puts it all in perspective.

Serious attacks can and will happen at the fleet level where you can impact many cars—“imagine stopping thousands of Toyota cars on the highways of Europe,” says Diskin.

Could thousands of cars be hacked at the same time? You really have to ask? How many PCs were infected by WannaCry? By GoldenEye? And that was just in the past couple of months, against an attack that we knew how to stop. (Upgrade your software/hardware!)

Dow Jones Hack – the result of poor security configuration

The joys of outsourcing. I don’t mean outsourcing (that is so 1990s!) but using the cloud. Cloud Leak: WSJ Parent Company Dow Jones Exposed Customer Data

The UpGuard Cyber Risk Team can now report that a cloud-based file repository owned by financial publishing firm Dow Jones & Company, that had been configured to allow semi-public access, exposed the sensitive personal and financial details of millions of the company’s customers. While Dow Jones has confirmed that at least 2.2 million customers were affected, UpGuard calculations put the number closer to 4 million accounts.

2.2 or 4 million names, addresses, account information, email addresses, and last four digits of credit card numbers for people who subscribe to the WSJ or Barron’s. All because the security was not configured correctly.

Thank you Amazon Cloud Services for building in an option to let companies do stupid things with their data!
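One defender-side check for the kind of misconfiguration described above, added here as an illustration and not taken from the UpGuard report or from Dow Jones: a Python function that reads a storage bucket ACL in the dict shape boto3 returns and flags grants to the AllUsers ("public") or AuthenticatedUsers ("semi-public", any AWS account holder) groups. The sample ACL is constructed, and treating the repository as an S3 bucket is an assumption, since the page only says "Amazon Cloud Services".

```python
# Added example (not from the UpGuard report or Dow Jones): classify the grants
# in an S3 bucket ACL, flagging the two global grantee groups that make a bucket
# readable by anyone ("public") or by any AWS account holder ("semi-public").
from typing import Dict, List

# Real grantee group URIs used by S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that disclose data or let an outsider change the ACL itself.
SENSITIVE = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(acl: Dict) -> List[str]:
    """Return findings for an ACL in the shape boto3's get_bucket_acl() returns.

    Each finding is "<exposure>:<permission>", where exposure is PUBLIC for the
    AllUsers group and SEMI_PUBLIC for the AuthenticatedUsers group.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one account
        uri = grantee.get("URI", "")
        perm = grant.get("Permission", "")
        if perm not in SENSITIVE:
            continue
        if uri == ALL_USERS:
            findings.append(f"PUBLIC:{perm}")
        elif uri == AUTHENTICATED_USERS:
            findings.append(f"SEMI_PUBLIC:{perm}")
    return findings


# Constructed sample ACL: the owner plus one READ grant to every AWS account holder,
# which is the "semi-public" configuration the post describes.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL):
        print(finding)
```

Against a live account the same function can be fed the result of `boto3.client("s3").get_bucket_acl(Bucket=name)` for each bucket; any finding means someone outside the company can read or alter that bucket.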

Finally, the aversion of Dow Jones and Company to notifying affected customers of this data exposure denies consumers the ability to swiftly act to protect their own personal information.

Because why come clean when a good coverup might just work. (For the first time ever!)

This comes via Small Dead Animals, who has the perfect take.

Centralize your and your customers’ data with hard-to-learn APIs and confusing security options! Join now for just half the price of a good IT person!

July 16, 1945: Dawn of the Nuclear Age

(Image: The Gadget.) July 16, 1945. 5:29 AM Mountain Time, near Alamogordo, New Mexico. (Shamelessly stolen from myself, from last year.)

The Gadget, detonated by the Manhattan Project, was the first nuclear explosion. It was a plutonium implosion device.

At 05:29:21 (July 16, 1945) local time, the device exploded. It left a crater of radioactive glass in the desert 10 feet (3.0 m) deep and 1,100 feet (340 m) wide. At the time of detonation, the surrounding mountains were illuminated brighter than daytime for one to two seconds, and the heat was reported as being as hot as an oven at the base camp. The observed colors of the illumination ranged from purple to green and eventually to white. The roar of the shock wave took 40 seconds to reach the observers. The shock wave was felt over 100 miles (160 km) away, and the mushroom cloud reached 7.5 miles (12.1 km) in height. After the initial euphoria of witnessing the explosion had passed, test director Kenneth Bainbridge commented to Los Alamos director J. Robert Oppenheimer, “Now we are all sons of bitches.” Oppenheimer later stated that, while watching the test, he was reminded of a line from the Bhagavad Gita, a Hindu scripture: “Now I am become Death, the destroyer of worlds.”

(The Gadget was similar to Fat Man, which was dropped on Nagasaki on August 9th that year. Little Boy, which was dropped on Hiroshima on August 6th, was a gun-type uranium device.)

Video of the blast is all over YouTube. Here is a short one.

The best documentary I have seen on The Manhattan Project is The Day After Trinity. It doesn’t seem to be anywhere for streaming.

It was later determined to be an 18-to-20 kiloton explosion (the equivalent of 18,000 tons of TNT or more), relatively small by modern standards. Thermonuclear (hydrogen) bombs are measured in megatons. (The largest, the USSR’s Tsar Bomba, measured 50 megatons.)

EMP: The Potential Disaster That Gets Ignored

The subject of EMP isn't covered in the mainstream press very often. And while The Economist isn't exactly mass-market, it isn't fringe either. The disaster that could follow from a flash in the sky

Electromagnetic Pulse (EMP) is an effect of nuclear weapons. Detonate a nuclear bomb high in the atmosphere (40 km or so), and the large amounts of gamma rays it pumps into the ionosphere produce an EMP. Other things can generate similar effects on varying scales.

On March 13th 1989 a surge of energy from the sun, from a “coronal mass ejection”, had a startling impact on Canada. Within 92 seconds, the resulting geomagnetic storm took down Quebec’s electricity grid for nine hours. It could have been worse. On July 23rd 2012 particles from a much larger solar ejection blew across the orbital path of Earth, missing it by days. Had it hit America, the resulting geomagnetic storm would have destroyed perhaps a quarter of high-voltage transformers, according to Storm Analysis Consultants in Duluth, Minnesota. Future geomagnetic storms are inevitable.

An EMP would have similar impacts.

High-voltage transformers are not something you order from Amazon. They take time to build, they are not commodities, and there are very few people building them. Without them, you would have NO electric power, except what you are able to generate on your own.

No electricity means no heat in the winter (bet your oil burner uses electricity to run) and no refrigeration. ATMs, electronic cash registers, computers, and the internet all stop working. Electronics in vehicles stop working, as do fuel pumps at gas stations. Which means goods delivery, including food, stops. Water treatment and pumping stops. Elevators stop. And it isn’t just that computers and smartphones stop working for a time. They are toast, and won’t work again. Same for the electronics in your home thermostat, refrigerator, oven, car, solar-power charging system, etc.

The expense of installing surge-blockers and other EMP-proofing kit on America’s big transformers is debated. The EMP Commission’s report in 2008 reckoned $3.95bn or less would do it. Others advance higher figures. But a complete collapse of the grid could probably be prevented by protecting several hundred critical transformers for perhaps $1m each.

The cost of not doing it, versus the cost of doing something, seems to be the sticking point. That and who would pay for it.

The article isn’t long and is worth a look.

There’s an Old Saying About Putting a Guard on the Picket Line After the Horses Have Been Stolen

The UK’s NHS knew that they had outdated hardware. They were warned. But they ignored the warning because those damn IT folks are always asking for something. Cyber threats could cost lives unless NHS improves security

Yesterday ministers pledged to spend an extra £21m on NHS cyber security, and to adopt a series of security measures which were recommended a year ago – before the worst attack in the history of the health service.

So they knew for at least a year that they were vulnerable and did nothing. And I would wager that they were warned about the phase-out of XP support when Microsoft announced the schedule for discontinuing updates. But executives always view these kinds of warnings from IT as a smoke screen. Those damn IT folks just want new technology to play with. They can’t possibly understand what it means to the business to spend money on upgraded computers.

Even after WannaCry shut down the NHS for a couple of days, and was on every major newscast and in every paper, I bet there are still organizations who haven’t upgraded all of their XP boxes. I mean, be fair, Microsoft fixed THAT problem, so the risk is gone, right? Not so much.

The moral of the story is: you can lead a horse to water, but executives are never going to spend money to mitigate risks that they don’t understand. And the one constant in the universe is that executives are mostly too arrogant to admit that there are risks they don’t understand. So the only thing the lowly schlubs in IT can do is to document their recommendations and how they were turned down; otherwise it will be their fault for not keeping management apprised of risks. Either that or get out of IT altogether.

Black Hat: Attack on US Infrastructure in 2 Years

Survey Says… Black Hat Attendees Predict Cyberattack on US Infrastructure Within Two Years

Critical U.S. infrastructure will be hit by a major cyberattack in the next two years, according to a survey of experts who attended the annual Black Hat security conference in the last two years.

Black Hat is in its 20th year, so if you haven’t heard of it, you aren’t really paying attention to security.

While it’s impossible to predict precisely how threat actors might strike U.S. infrastructure, 50 percent of those surveyed indicated that they were most concerned about social engineering and phishing schemes that dupe users into handing over access credentials.

It seems crazy in 2017 that phishing would still be a thing. (We didn’t learn the lesson: Trust No One!) Social Engineering* is still a thing, and in the face of good tech security…

The full survey from Black Hat is available as a PDF.

* Deviant Ollam on the subject of getting into a facility by wearing matching shirts. (The audio is a bit wonky, but the story is good.)

Yes, Virginia, Mac OS does get viruses.

People still think if they are on a Mac they are safe. (I heard this in conversation over the weekend.) Grow up. macOS isn’t as secure as you think

Most people still seem to think macOS is super secure. Sorry, but this idea hasn’t been true for a while now. It is still true though that Macs get fewer viruses than Windows, but Macs still get them (and the number is rising).

All operating systems are vulnerable and motivated attackers will find a way to infiltrate. Look at KeRanger, the first ransomware program targeting Macs, which was detected last year. More recently, in May 2017 attackers hacked the popular DVD-ripping app HandBrake to spread a variant of the Proton malware.

Mac OS isn’t a good target because the installed base is small, especially the installed base in Corporate America or the .gov, and after all, where is all that lovely data that they want to steal? (Hackers aren’t interested in your vacation video unless it helps them steal your identity.)