https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/
A New Wireless Hack Can Unlock 100 Million Volkswagens
In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.

… The researchers found that with some “tedious reverse engineering” of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and gain access to the car.
The author is talking of many things, but these “rules” stand out! It’s another way of saying that we have to re-learn basic security practices every time something new comes along.
The Internet of (insecure) Things and other inside observations from the Black Hat hackers conference
If there are common threads in our adoption of any new technology, they would most likely be:
- We often adopt it before we fully understand the security implications.
- Our bad habits from legacy technologies are highly portable.
- We don’t avail ourselves of the new and/or improved security capabilities that are part and parcel of new technology.
Clever. Possibly true. So what? So my Computer Security students should have evidence to refute this claim?
Andrew C. Glass, David D. Christensen and Matthew N. Lowe of K&L Gates write:
With the ever-increasing amount of personal information stored online, it is unsurprising that data breach litigation has become increasingly common. A critical issue in nearly all data breach litigation is whether a plaintiff has standing to pursue claims—especially where there is no evidence of actual fraud or identity theft resulting from the purported data breach. The plaintiffs’ bar has pursued a litany of legal theories in the attempt to clear the standing hurdle, including the recent theory of “overpayment” (a/k/a “benefit of the bargain” theory). Under this theory, the plaintiff alleges that the price for the purchased product or service—whether sneakers, restaurant meals, or health insurance—included some indeterminate amount allocated to data security. Depending on how the theory is framed, the purported “injury” is either that the plaintiff “overpaid” for the product or service, or that the plaintiff did not receive the “benefit of the bargain,” because the defendant did not appropriately use the indeterminate amount to provide adequate data security. Despite plaintiffs’ attempts to establish standing through this novel theory, courts have limited its applicability in a variety of ways discussed below.
Read more on Lexology.
Important enough to take 9 years investigating, but not important enough to do anything about? Something a little fishy here?
I have been following this case from the beginning and wondering why the heck HHS didn’t come down on Walgreens like they did on their competitors CVS and RiteAid.
And now we learn that OCR just closed the case with no penalty? Seriously?
So CVS and RiteAid get clobbered by both the FTC and HHS/OCR, and Walgreens… nothing other than throwing the issue into a larger environmental case?
WTHR, who first made the public aware of the problem with Walgreens’ privacy and data security, reports:
A decade after WTHR exposed the county’s largest pharmacy chains failed to protect their customers’ sensitive healthcare information, 13 Investigates has learned government regulators have quietly closed their investigation into improper trash disposal practices by Walgreens.
The government’s decision – announced in an e-mail to WTHR – means Walgreens will not face any federal penalty despite repeatedly violating federal law and jeopardizing customer privacy in the same manner that resulted in record-setting fines against its largest competitors.
Read more on WTHR, who did a tremendous public service via their original investigative reporting in 2006, and their follow-ups on this issue. It’s a damned shame that OCR did not impose a monetary penalty as a reminder to entities that disposal of paper records matters.
Does the government like covering agencies whenever possible or is there something really embarrassing this time? (One system for employees & contractors, one for vendors, one for the environments they “protect.” That leaves me 27 systems short?)
EPA conducts, will not release, cyber audit
Citing privacy concerns, the Environmental Protection Agency will not be releasing an Inspector General’s report discussing cybersecurity.
An “At A Glance” summary of the report says an audit of the agency’s computers found 30 systems with personally identifiable information.
So now we can can’t can can’t can block ads!
Adblock Plus has already defeated Facebook's new ad blocking restrictions
Disintermediation? What a concept!
This Company Wants to Disrupt Ticketmaster's Tight Grip on Your Favorite Events
… SeatGeek, founded in 2009, carved a niche as a search engine to help customers find the best deals among tickets being sold and resold online, as well as a place for electronic tickets to safely change hands (or mobile devices, rather) without fraud worries. Today, the company has announced SeatGeek Open, its official entry into primary sales that aims to eventually compete with the ticketing industry’s biggest players.
Overall, SeatGeek’s goal is to open up the marketplace (despite the fact that Ticketmaster is trying to keep it as closed as possible). Its key differentiator lies in its open-source technology, which will allow artists, teams, venues and the like to present and sell available tickets directly via social media and ecommerce.
A response to those slow chipped credit cards? Will every (large?) company want its own payment App?
CVS Pharmacy launches its own mobile payments and loyalty solution, CVS Pay
… Currently, customers have to either present their physical CVS rewards card at the register, or they have to say their name and birthday in order for the store associate to look up their account information. Then, after their purchases and prescriptions are run up, they have to pay. (And thanks to the slow-to-process chip cards, this, too, takes time.)
Perspective. HPE is becoming a player in the super computer market?
Hewlett Packard Enterprise acquires SGI for $275 million
For my students who get outdoors?
Printable USGS PDF Quads A Quick, Easy, Free way to Download any Quad in the Country
by Sabrina I. Pacifici on Aug 11, 2016
“National Geographic has built an easy to use web interface that allows anyone to quickly find any quad in the country for downloading and printing. Each quad has been pre-processed to print on a standard home, letter size printer. These are the same quads that were printed by USGS for decades on giant bus-sized presses but are now available in multi-page PDFs that can be printed just about anywhere.”