Friday, July 28, 2017

Is nothing sacred?  A very understandable illustration.  Now think about the same types of hack in other environments.   
Researchers Demo Physical Attack via Car Wash Hack
LAS VEGAS - BLACK HAT USA - Researchers have created proof-of-concept (PoC) exploits to demonstrate how hackers can cause physical damage to vehicles and injure their occupants by remotely hijacking a connected car wash.
The attack was detailed in a presentation at the Black Hat security conference this week by WhiteScope founder Billy Rios, a researcher best known for finding vulnerabilities in medical devices and industrial control systems (ICS), and Dr. Jonathan Butts, founder of QED Secure Solutions and committee chair for the IFIP Working Group on Critical Infrastructure Protection.
The experts pointed out that automated car wash systems are essentially ICS and, just like industrial systems, they can be hacked and manipulated.
Rios and Butts discovered that the web-based administration panel for the product, which is in many cases accessible directly from the Internet, has many features, including for sending email alerts and a widget for social media.
However, the more problematic issue is that both the owner and engineer accounts for the web interface are protected by weak default passwords.  They also discovered that the authentication mechanism can be bypassed by a hacker.

(Related).  What’s next?
Joshua Philipp reports:
Cyber mercenaries are breaching the systems of governments, financial institutions, critical infrastructure, and businesses, then selling access to them on a marketplace on the darknet, a hidden internet accessible only via specialized software.
All of this is happening on a darknet black marketplace known as the CMarket or “Criminal Market,” formerly known as “Babylon APT.”  The marketplace contains a public market, invite-only submarkets, and hacker-for-hire services ready to breach any network in any country.
The Epoch Times was provided with analysis, screenshots, and chat logs from the marketplace by darknet intelligence company BlackOps Cyber.  An undercover operative for the company gained access to the marketplace’s invite-only sections and grew close to several of its top members.
Read more on The Epoch Times.

Another one?!?!  Apparently, their strategy does not allow for anything that may go wrong. 
Wells Fargo Broadsided Anew With an Auto Insurance Sales Scandal
Wells Fargo & Co.’s campaign to rebuild customer and shareholder trust just hit another bump, as the bank said it may have pushed thousands of car buyers into loan defaults and repossessions by charging them for unwanted insurance.
An internal review of the bank’s auto lending found more than 500,000 clients may have unwittingly paid for protection against vehicle loss or damage while making monthly loan payments, even though many drivers already had their own policies,  Wells Fargo said in a statement late Thursday.  The firm said it may pay as much as $80 million to affected clients -- with extra money for as many as 20,000 who lost cars, “as an expression of our regret.”

Very timely.  My Architecture class will be discussing metrics this week!
Report Depicts Shameful State of Cybersecurity Metrics
For years, Security has sought the ear of the Board and claimed it was not offered.  Today the Board is listening; but all too often Security talks in a language that Business does not understand.  There is a solution, but it is not yet maximized.  That solution is Metrics, a language spoken and understood by both Business and Security; but not widely or effectively used.
The size of the task can be seen in just two statistics from Thycotic's 2017 State of Cybersecurity Metrics Annual Report (PDF).  Firstly, 1 in 3 companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
The second statistic is that four out of every five companies fail to include business stakeholders in cybersecurity investment decisions.  The result, in combination, is that through no direct fault of its own, Business doesn't understand what Security is doing, and has no way of knowing whether it is effective.
Using metrics to demonstrate the overall efficiency or lack of efficiency in a company's cybersecurity posture is difficult but not impossible.  At the moment, however, companies are not making use of, or even collecting, the statistics that are readily available.  For example, four out of five companies never measure the success of security training investments.
Two out of three companies don't fully measure whether their disaster recovery will work as planned.  And while 80% of breaches involve stolen or weak credentials (from Verizon's DBIR), 60% of companies still do not adequately protect privileged accounts.

An all too common failure, given low priority.  Watch what happens when North Korea crashes their systems.
SEC must improve how it protects its networks against cyberattacks, says watchdog
Wall Street’s top U.S. regulator needs to improve the way it protects its own computer networks from cyber attacks, according to a new report by a congressional watchdog office.
The 27-page report by the Government Accountability Office found the Securities and Exchange Commission did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.
“Information security control deficiencies in the SEC computing environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by its systems,” the GAO said.

Just in case you Mac users were starting to feel all safe and secure…
WikiLeaks Details Mac OS X Hacking Tools Used by CIA
The latest round of documents published by WikiLeaks as part of a leak dubbed by the organization “Vault 7” describes several tools allegedly used by the U.S. Central Intelligence Agency (CIA) to target Mac OS X and other POSIX systems.
The tools, said to be part of a CIA project named “Imperial,” are called Achilles, Aeris and SeaPea.

Large collections of data are valuable.  No surprise that people will want to use a database that contains information on everyone in the country!
Ola employee accused of data theft from Aadhaar website
The Unique Identification Authority of India (UIDAI) has registered a case with the Bengaluru Police against Abhinav Srivastava and Qarth Technologies Pvt Ltd for misusing Aadhaar data obtained from its website without any authentication.
Chennai-based Qarth Technologies was acquired by India's largest taxi aggregator Ola in March last year, to help grow its in-house payments service.
While the report does not divulge any further details on the nature of the violation, a cyber expert who did not want to be named speculated that Qarth could have been using someone else's license to access Aadhaar data for eKYC, which is not allowed as per the regulations set by the Aadhaar Act.

If the courts do it this way, following their example might be wise.
Ebook – Best Practices for Court Privacy Policy Formulation
A State Justice Institute-supported report, “Best Practices for Court Privacy Policy Formulation,” authored by three of our NCSC colleagues, Tom Clarke, Jannet Lewis and Di Graski, has just been released.
The report begins: “As state and local courts progressively convert their business processes from paper to electronic formats, policies around remote electronic access to court case information by the public become ever more important.  COSCA last addressed this issue comprehensively in 2002 with a report authored by Martha Steketee and Alan Carlson that proposed a model policy for public access.  At that time, few courts had implemented electronic filing, so the model policy addressed both manual and electronic access.  In the fifteen years since then, courts have learned a lot about living in an electronic world and providing remote access to their case data and documents.  Consequently, there is a need to update what we know about this topic and revise the model policy.”

Can we expect the same for President Trump as he deletes tweets and blocks people?
Court Rules Against Politician Who Banned Access to Her Facebook Page
A federal court in Virginia ruled that a local politician violated the free-speech rights of a constituent she banned from her Facebook page, in a case the judge said raises “important questions” about the constitutional restrictions that apply to social media accounts of elected officials.

Perhaps Rolls Royce is showing us what will be possible with self-driving cars.  (This one is not self-driving.)
Phantom VIII Heralds Arrival Of The House Of Rolls-Royce
The 8-speed ZF gearbox retains satellite-linked intelligence, which reads GPS data about the road ahead then preloads shift sequences for upcoming corners.
