Researchers Demo Physical Attack via Car Wash Hack
LAS VEGAS - BLACK HAT USA -
Researchers have created proof-of-concept (PoC) exploits to demonstrate how hackers can
cause physical damage to vehicles and injure their occupants by remotely
hijacking a connected car wash.
The attack was detailed in a presentation
at the Black Hat security conference this week by WhiteScope founder Billy
Rios, a researcher best known for finding vulnerabilities in medical
devices and industrial control systems (ICS),
and Dr. Jonathan Butts, founder of QED Secure Solutions and committee chair for
the IFIP Working Group on Critical Infrastructure Protection.
The experts pointed out that automated car wash systems
are essentially ICS and, just like industrial systems, they can be hacked and
manipulated.
… Rios and Butts discovered that the web-based
administration panel for the product, which is in many cases accessible
directly from the Internet, has many features, including for sending email
alerts and a widget for social media.
However,
the more problematic issue is that both the owner and engineer accounts for the
web interface are protected by weak
default passwords. They also discovered that the
authentication mechanism can be bypassed by a hacker.
(Related). What’s next?
Joshua Philipp reports:
Cyber mercenaries are breaching
the systems of governments, financial institutions, critical infrastructure,
and businesses, then selling access to them on a marketplace on the darknet, a
hidden internet accessible only via specialized software.
All of this is happening on a
darknet black marketplace known as the CMarket or “Criminal Market,” formerly
known as “Babylon APT.” The marketplace
contains a public market, invite-only submarkets, and hacker-for-hire services
ready to breach any network in any country.
The Epoch Times was provided with
analysis, screenshots, and chat logs from the marketplace by darknet
intelligence company BlackOps Cyber. An
undercover operative for the company gained access to the marketplace’s
invite-only sections and grew close to several of its top members.
Read more on The
Epoch Times.
Another
one?!?! Apparently, their strategy does
not allow for anything that may go wrong.
Wells Fargo
Broadsided Anew With an Auto Insurance Sales Scandal
Wells Fargo & Co.’s campaign to
rebuild customer and shareholder trust just hit another bump, as the bank said it
may have pushed thousands of car buyers into loan defaults and repossessions by
charging them for unwanted insurance.
An internal review of the bank’s auto lending found more
than 500,000 clients may have unwittingly paid for protection against vehicle loss
or damage while making monthly loan payments, even though many drivers already
had their own policies, Wells Fargo said
in a statement late Thursday. The firm said it may pay as much as $80
million to affected clients -- with extra money for as many as 20,000 who lost
cars, “as an expression of our regret.”
Very
timely. My Architecture class will be
discussing metrics this week!
Report Depicts Shameful State of Cybersecurity Metrics
For years, Security has sought the ear of the Board and
claimed it was not offered. Today the
Board is listening; but all too often Security talks in a language that
Business does not understand. There is a
solution, but it is not yet maximized. That
solution is Metrics, a language spoken and understood by both Business and
Security; but not widely or effectively used.
The size of the task can be seen in just two statistics
from Thycotic's 2017 State of Cybersecurity Metrics Annual Report (PDF). Firstly, 1 in 3
companies invest in cybersecurity technologies without any way to measure their
value or effectiveness.
… The second
statistic is that four out of every five companies fail to include business
stakeholders in cybersecurity investment decisions. The result, in combination, is that through no
direct fault of its own, Business
doesn't understand what Security is doing, and has no way of knowing whether it
is effective.
… Using metrics to
demonstrate the overall efficiency or lack of efficiency in a company's
cybersecurity posture is difficult but not impossible. At the moment, however, companies are not
making use of, or even collecting, the statistics that are readily available. For example, four out of five companies never
measure the success of security training investments.
Two out of three companies don't fully measure whether
their disaster recovery will work as planned. And while 80% of breaches involve stolen or
weak credentials (from Verizon's DBIR),
60% of companies still do not adequately protect privileged accounts.
An all too common failure, given low priority. Watch what happens when North Korea crashes
their systems.
SEC must improve how it protects its networks against
cyberattacks, says watchdog
Wall Street’s top U.S. regulator needs to improve the way
it protects its own computer networks from cyber attacks, according to a new
report by a congressional watchdog office.
The 27-page report by the Government Accountability Office
found the Securities and Exchange Commission did not always fully encrypt
sensitive information, used unsupported software, failed to fully implement an
intrusion detection system and made missteps in how it configured its
firewalls, among other things.
“Information security control deficiencies in the SEC
computing environment may jeopardize the confidentiality, integrity, and
availability of information residing in and processed by its systems,” the GAO
said.
Just in case you Mac users were starting to feel all safe
and secure…
WikiLeaks Details Mac OS X Hacking Tools Used by CIA
The latest round of
documents published by WikiLeaks as part of a leak dubbed by the organization
“Vault 7” describes several tools allegedly used by the U.S. Central
Intelligence Agency (CIA) to target Mac OS X and other POSIX systems.
The tools, said to be part of a CIA project named “Imperial,” are
called Achilles, Aeris and SeaPea.
Large collections of data are valuable. No surprise that people will want to use a
database that contains information on everyone in the country!
Ola employee accused of data theft from Aadhaar website
The Unique Identification Authority of India (UIDAI) has registered a case with the Bengaluru
Police against Abhinav Srivastava and Qarth Technologies Pvt Ltd for misusing Aadhaar data obtained from its website without any
authentication.
Chennai-based Qarth Technologies was acquired by India's largest taxi
aggregator Ola in March last year, to help grow its in-house payments service.
… While the report
does not divulge any further details on the nature of the violation, a cyber
expert who did not want to be named speculated that Qarth could have been using
someone else's license to access Aadhaar data for eKYC, which is not allowed as per the
regulations set by the Aadhaar Act.
If the courts do it this way, following their example
might be wise.
Ebook – Best Practices for Court Privacy Policy Formulation
by on
“A State Justice Institute supported report, “Best Practices for Court Privacy Policy
Formulation” authored by three of our NCSC colleagues, Tom Clarke, Jannet
Lewis and Di Graski has just been released.
The report begins: “As state and local courts
progressively convert their business processes from paper to electronic
formats, policies around remote electronic access to court case information by
the public become ever more important. COSCA last addressed this
issue comprehensively in 2002 with a report authored by Martha Steketee and
Alan Carlson that proposed a model policy for public access. At that time, few courts had implemented
electronic filing, so the model policy addressed both manual and electronic
access. In the fifteen years since then,
courts have learned a lot about living in an electronic world and providing
remote access to their case data and documents.
Consequently, there is a need to update what we know about this topic
and revise the model policy.”
Can we expect the same for President Trump as he deletes
tweets and blocks people?
Court Rules Against Politician Who Banned Access to Her
Facebook Page
A federal court in Virginia ruled that a local politician
violated the free-speech rights of a constituent she banned from her Facebook
page, in a case the judge said raises “important questions” about the
constitutional restrictions that apply to social media accounts of elected
officials.
Perhaps Rolls Royce is showing us what will be possible
with self-driving cars. (This one is not
self-driving.)
Phantom VIII Heralds Arrival Of The House Of Rolls-Royce
… The 8-speed ZF
gearbox retains satellite-linked
intelligence, which reads GPS data about the road ahead then
preloads shift sequences for upcoming corners.
No comments:
Post a Comment