Never Use Any “Found” USB or Lightning Cables

Or anything found, for that matter. And you probably need to be wary of anything offered at an incredibly low price. See: These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer.

Because you are not smarter than the hackers.

It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

The prototypes (released at Def Con) were handmade from purchased Lightning cables. Not only did they provide a way to access them remotely (via the internet, if plugged into a PC that is itself connected), but you could also remotely “self-destruct” the cable if it looked like it was going to be found out. (It would still work as a Lightning cable, just not as a “persistent threat.”) And at close range, you don’t need the internet, just a phone and an app.

There’s a Hak5 talk about how they did a “USB drive” drop – which were actually Hak5 Rubber Duckies – at a security conference. 60 percent (or more) were plugged into a computer. They were dropped at a security conference. Don’t plug stuff into your computer if you just find it.

Hackers 1, Voting Machines 0

Is anyone surprised by this result? (And actually the score is much worse than 1 to 0! It’s more like the hackers are batting 1000.) See: Hackers break into voting machines within 2 hours at Defcon – CBS News

This is so completely stupid, no one should be using electronic voting machines.

Synack, a San Francisco security platform, discovered serious flaws with the WinVote machine months ahead of this weekend’s convention. The team simply plugged in a mouse and keyboard and bypassed the voting software by clicking “control-alt-delete.”

They weren’t the only company to get pwned. And it isn’t just hackers.

In one case study, Synack found a Virginia poll worker hacked the machine to play Minesweeper.

Minesweeper???

I don’t think it can get much stupider than this.

Could Self-Driving Cars Become Weapons?

Car makers rush to put self-driving cars on the road. Bets on how much attention is being paid to security? See: Stopping Self-Driving Cars From Becoming Cybersecurity Weapons

This isn’t a new issue really. I think it was Black Hat 2015 that had a talk about remotely hacking a Jeep driving down the highway.

And Def Con 25 is joining in the fun this year with the Car Hacking Village. No. It won’t amount to anything, I’m sure. Because the car companies are all over this, right?

Yuval Diskin, former head of Israel’s internal security service (Shin Bet) and Chairman of CyMotive Technologies, has a somewhat different view.

The car industry is run by engineers. Up until a few years ago, they thought of information technology (i.e., computers) as some kind of basic support infrastructure, like water and electricity. It’s been a challenge for the industry to better integrate its core competency—electrical engineering—with IT or computer engineering. But they now understand that IT is at the core of their business.

I doubt they really understand it. I believe they know they need to pay it lip service, and I believe they know they need to devote some level of resources to the issue, but I doubt they are setting up bug bounties, or ensuring that firmware and software updates are secure, or that a user can always override what the vehicle is trying to do. In short, I doubt they really understand what the issues are. Will they miss a ship date to ensure that the software is secure?

I actually started a similar post on this subject last week, but couldn’t make it come together. Yuval Diskin came up with the phrase that puts it all in perspective.

Serious attacks can and will happen at the fleet level where you can impact many cars—“imagine stopping thousands of Toyota cars on the highways of Europe,” says Diskin.

Could thousands of cars be hacked at the same time? You really have to ask? How many PCs were infected by WannaCry? By GoldenEye? And that was just in the past couple of months against an attack that we knew how to stop. (Upgrade your software/hardware!)