While We’re on the Subject of Hacking – More Car Hacks

The new tech “hotness” in cars has to do with control fobs. Walk up to your car, and it unlocks. Sit in and push the starter and off you go. Mechanical KEYS are SO 20th Century. Shock and key From BMW to Peugeot, these are the makes and models of cars MOST AT RISK of being broken into by car thieves hacking keyless cars.

Please note the wording in the headline. “Most at risk.” This is NOT a definitive list.

Vehicles from 30 manufacturers, ranging from BMW to Peugeot, were unlocked and/or started using a simple hack in German tests.

Tests by the ADAC (German auto club) showed how easy it was to unlock, and in some cases start and drive away, with fancy new high tech cars. From BMW, Mercedes, Toyota, Ford, and others. 30 manufacturers? Is there anyone who didn’t get hacked?

“Thefts have been using these loopholes presumably for years, without car manufacturers providing an effective solution – which shows that the automotive industry still has very much to catch up to other sectors of the economy with regards to IT security.

“All the more since keyless systems are also available for small and medium-sized cars and offered partly as standard configuration, manufacturers are called upon to effectively protect vehicle electronics.”

A couple of company statements are predictably worthless. “We take this very seriously…” “We follow all commonly excepted standards…” and a similar bucket of crap. It basically comes down to companies whining that “everyone else is doing the same thing.” Thanks guys.

What can you do? Store you electronic fobs in a Faraday cage.

All Your Credit Cards Are Belong to US

Another major company hacked, another set of credit cards stolen. Holiday Inn parent company says nearly 1,200 hotels were hacked in late 2016 | The Sacramento Bee

They did announce this hack in December when they found it. But they have more info.

“The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise locations between September 29, 2016 and December 29, 2016,” the company announced.

According to ComputerWorld, 1,174 hotels in the United States were breached, including 163 in Texas, 64 in California, 61 in Florida, 49 in North Carolina, 38 in Georgia, 19 in South Carolina, 10 in Washington and four in Idaho. You can search for a specific hotel here.

Still searching all the properties. No mention of providing credit-monitoring services to anyone who got stung.

Some Simple Steps Toward Online Privacy and Security

I value my privacy. That is one of the reasons I live where I do. (In the country) I don’t have nosy neighbors to deal with every day. My neighbors and I talk when there is a reason to do so.

I also value my online privacy. I don’t want to be a “product” for Google, or Facebook or whoever. So I do things to safeguard my privacy. Google tracks every search you make, back to you as an individual. Facebook tracks you even if you are not logged on to Facebook. (Every site that has a Facebook “Like” button is tracking you.) And they sell that information about you to other companies.

Google and Facebook – not to mention the CIA/NSA/FBI/EIEIO – want you to believe that privacy is impossible. That security is impossible. Because if you think it is impossible, or even just really hard, you won’t even bother to try to secure your technology. But it isn’t that hard to have decent privacy and security. And it isn’t just the .gov or the big corporations that want your information. Hackers are looking too.

So here is a list of things you can do. Some are easy to do; some are a bit harder. Some are free, while some cost a little. While the list isn’t in order of importance, or effect, the first 3 items on this list should take you less than 10 minutes – total. And you only have to do them once (or until you get a new computer or switch to a new browser.) The rest of the items are a bit more complex, but they are not impossible. Do one thing a day for a week. Or do one thing a week if they seem overly complicated. Even if you only do one thing a month, you will have much better security in a fairly short time. Do something.

  • Use a Search Engine That Doesn’t Track Every Query.

    There are a couple of alternatives to Google. And not Yahoo or Bing. (They aspire to be Google.) DuckDuckGo is the easiest (though you have to install an extension in Chrome to set it as your default search engine because Google REALLY doesn’t want you to have any options). Disconnect is another option. There are probably more choices to cut off the tracking of everything you do. I started using DuckDuckGo when Google stopped answering the queries I typed in and started answering what they THOUGHT I wanted to know. Also Google has a tendency to shortchange any site connected to firearms or the 2nd Amendment. (Which is a subject near and dear to my heart.) There are probably other subjects that Google is downplaying. (That said, I do use Google, Yahoo and Bing on occasion.)

  • Disable 3rd Party Cookies in Your Browser.

    This isn’t a fool-proof method, but the folks who write tracking software still complain about Apple’s Safari browser – it is the ONLY browser that ships with 3rd party cookies disabled by default. How to turn them off depends on which browser you use. But look under “settings” or “options” for something about content or privacy. The browsers have good help – mostly.

  • Install Privacy Protection Extensions in Your Browser.

    Privacy Badger from the EFF blocks all kinds of things that are stealing your info – and potentially loading Malware on your system. It is available for Gecko-based browsers (Firefox, Pale Moon, etc.) and Chromium-based browsers (Chrome, Opera, Vivaldi, etc.). I am not sure about Microsoft’s browsers or Safari.

    uBlock Origin (not uBlock, uBlockPlus, or any of the others) is a fairly efficient ad-blocker that will shut down tracking-based ads. And the potential spyware, etc. that can come along with ads. Available for Gecko and Chromium browsers as well as Microsoft’s Edge. (Some of these may be available for your mobile devices as well.)

  • Continue reading

Self-driving Cars: Just another IoT thing waiting to be hacked

The “S” in IoT stands for “Security.”

This from one of the guys who used to work for Uber trying to make sure they won’t be hacked. Charlie Miller on Why Self-Driving Cars Are So Hard to Secure From Hackers | WIRED

A couple of years ago these 2 guys showed how using only a cars internet connection, you could hack the car. Apply the brakes. Speed up. Turn the wheel. All by making use of existing controls in the car: Automated parking,
or collision avoidance or cruise control.

In a series of experiments starting in 2013, Miller and Valasek showed that a hacker with either wired or over-the-internet access to a vehicle—including a Toyota Prius, Ford Escape, and a Jeep Cherokee—could disable or slam on a victim’s brakes, turn the steering wheel, or, in some cases, cause unintended acceleration.

Because the car makers are really interested in offering cool features, but less interested in securing the vehicles against hackers.

Driverless cars – as Uber is hoping to field – are another problem because someone you don’t particularly trust is going to have access to the physical vehicle for an extended period. What shenanigans can they get up to? It turns out a lot. All they have to do is plug something into the On-board Diagnostics port (OBD2)

A driverless car that’s used as a taxi, Miller points out, poses even more potential problems. In that situation, every passenger has to be considered a potential threat. Security researchers have shown that merely plugging an internet-connected gadget into a car’s OBD2 port—a ubiquitous outlet under its dashboard—can offer a remote attacker an entry point into the vehicle’s most sensitive systems. (Researchers at the University of California at San Diego showed in 2015 that they could take control of a Corvette’s brakes via a common OBD2 dongle distributed by insurance companies—including one that partnered with Uber.)

“There’s going to be someone you don’t necessarily trust sitting in your car for an extended period of time,” says Miller. “The OBD2 port is something that’s pretty easy for a passenger to plug something into and then hop out, and then they have access to your vehicle’s sensitive network.”

Hacker Shows That Dallas Area Emergency Sirens Are Not Secure. Officials are Angry.

They should be embarrassed. This isn’t 1997, it is 2017. Infrastructure needs to be secured against hacking. But they are all “appalled at the attack.” Hacker Set Off All Dallas Emergency Sirens in Middle of Night, City Says – NBC News

A city spokesman said all 156 emergency sirens were activated at 11:42 p.m. Friday, and the office of emergency management service agency eventually disabled the entire system at 1:17 a.m.

Here is the money quote.

The OEM hopes to have the system back up and running, with safeguards to prevent another hack, by Sunday night.

So the million dollar question is, “Why weren’t those safeguards in place last week?” Here are some other questions: When was the last security audit by an outside firm? (Can you spell “Red Team?”) What amount of the budget is dedicated to security? Are other aspects of the public infrastructure at similar risk? Who is that OEM, and how did they get the contract? (I don’t expect any of these questions to be answered.)

If you think this is only a problem in Dallas, there is probably some Florida swampland still available for purchase.

Castle Bravo

On March 1, 1954 in the Marshall Islands, on the Bikini Atoll, the US fired the Castle Bravo thermonuclear weapon. Less than 2 years after the Ivy Mike Shot proved that a hydrogen bomb was possible, the Castle Bravo device was the first thermonuclear weapon small enough to be carried by an aircraft. (The Ivy Mike shot had depended on cryogenic equipment making the device weigh 80 tons or more.) This opened the door to the 2nd stage of the Cold War.

The Castle Bravo shot was the first detonation of a dry thermonuclear bomb. It was also a complete catastrophe.

Officially it was Operation Castle, Bravo Shot. (For whatever reason there was no Alpha Shot in Operation Castle.

Scientists working on the shot had used a lithium-6 isotope but also included a lot of lithium-7. They calculated that the lithium-7 would be inert, and that the resulting explosion would be in the 6-megaton range. They were completely wrong.

The explosive power of the Castle Bravo shot was 250 percent ABOVE expectations. In other words, instead of the 6 megaton explosion they expected, they got 15 megatons. The base – built to conduct nuclear testing in the Marshall Islands – was destroyed. The shot crew were trapped in their bunker by high radiation. Several islands – where no one was even supposed to know what was going on – had to be evacuated. The people on those islands suffered for a long time as the result of radiation exposure. A Japanese fishing crew was exposed and at least one death from radiation exposure occurred. This lead to an international call for an end to atmospheric testing.

Remember this when scientists tell you that they know exactly how bad (or how good) something is going to be based on their equations, but in the absence of observation. They often get it right, but not always. “In theory, there is no difference between theory and practice. In practice, there is.” (Yogi Berra)

It isn’t surprising that A Capella Science has a take on nuclear weapons. (That does mention Castle Bravo)