Tag Archives: Security

Vulnerability allows attackers to remotely kill a Jeep on the road

Two hackers have found a vulnerability that allows them to completely control a Jeep Cherokee while it’s traveling on the road. And when I say completely, I mean not just the radio, the AC and the wipers but also the steering, brakes and transmission.

It’s because the internal control network for the vehicle is connected to the same network as the entertainment system and they’re both connected to the cellular network. And Jeep isn’t alone in this; other “connected cars” may also be vulnerable.

Fiat Chrysler, which makes Jeep, issued a patch on July 16th that must be manually installed. Other manufacturers are also slowly awakening to the need to pay attention to security in their vehicles. As I always say, if you can get access, anyone can get access. That applies to your computer, your home and (now) your car.

Serious iOS, OS X flaws lead to password theft

More cybersecurity bad news. A serious defect in iOS and Mac OS X can lead to password theft by exploiting resource sharing between apps. It was originally reported to Apple six months ago and the researchers decided to go public after Apple remained silent. Fixing this will require major changes to the operating system and the App Store infrastructure, so don’t expect a fix to be quick or simple.

In the meantime, users are advised to follow standard security precautions: Do not install apps from unknown sources, and be cognizant of any suspicious password prompts.

Why the theft of OPM data is so awful

Yes, it’s another cybersecurity post. It’s becoming more of an issue for all of us and you’d better be prepared.

You’ve probably heard that the Federal Office of Personnel Management (OPM) was recently hacked and a lot of sensitive personal data was stolen. But it’s much worse than originally reported. Also stolen was a second set of data, the Standard Form 86 (SF 86).

The SF 86, “QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS,” is a 127-page form that asks (among other things) where applicants have lived; about contacts with foreign citizens and travel abroad; for the names and personal details of relatives; and about illegal drug use and mental health counseling, except in limited circumstances. It is filled out by anyone who is looking for a security clearance.

It is rumored that the data was stored, for no discernible reason, on Dept. of the Interior servers. The data was not encrypted, but the OPM is claiming that it wouldn’t have mattered as the attackers possessed valid network credentials and could access the data in unencrypted format. There was no two-factor authentication in use. Needless to say, Congress is having a cow.

Fingers are being pointed at China for this attack (they of course deny it). It certainly sounds like it’s state-sponsored given the data stolen and its potential for use in blackmail and espionage. If you have a clearance of any kind you’re potentially a target now that the attackers know more about you than anyone else (including possibly your spouse).

[Update 6/23/2015] Hey, remember when I said it was “much worse”? Well, it’s even worse than that. It’s possible up to 14 million records were obtained, essentially everyone who has ever worked for the federal government. All of them now in the hands of a foreign government.

Change your LastPass master password NOW

LastPass is reporting they’ve detected suspicious activity in their network. User passwords weren’t stolen but other information (account email addresses, password reminders, server per-user salts, and authentication hashes) was. What this means is you should change your LastPass password immediately since this will update the salts and hashes.

You should have received a notice by now of this breach and to change your password, but even if you haven’t, don’t wait. And if you haven’t already, enable multifactor authentication on your account. This will further protect you should someone else try to change your password.

Kaspersky Lab attacked by Duqu

Kaspersky Lab, one of the top cybersecurity research companies, was attacked by the Duqu attackers, one of the top APTs (Advanced Persistent Threats) out there. Although they weren’t the only target, Kaspersky was probably in the best position to detect and analyze the threat.

They determined that Duqu took advantage of Windows zero-day vulnerabilities that allow attackers to raise their privilege levels and access any part of the affected system. The attackers had been at it for months before being detected.

The thing to remember from this is: If a company like Kaspersky can be successfully attacked, what chance does the average company have?

More on the attack from Ars Technica: Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks.

Federal Office of Personnel Management hacked

One of the more troubling issues on the cybersecurity front is state-sponsored hacking groups. Unlike the popular image of the lone hacker operating from their mom’s basement, these groups receive sponsorship (salary, equipment, high-speed access) from national governments. The latest of these is the breach of personnel data of 4 million federal workers from the Office of Personnel Management. The FBI believes this to be the work of Chinese hackers backed by their government. As usual, the Chinese government denies this.

What makes these groups so dangerous is their ability to tap significant amounts of resources to put into play against their targets. And there are many of them. There isn’t any country today that doesn’t have at least some involvement in it, against enemies and allies alike. Expect to see more of these headlines, not fewer.

The real story of how the Internet became so vulnerable

You can read “The real story of how the Internet became so vulnerable,” but the real story is simple: It wasn’t designed with security in mind. Every bit of security has been bolted on after the fact, and it shows.

Fixing it would require literally replacing everything right down to the physical layer. That kind of upheaval simply isn’t going to happen. An alternative network is an option, but whether or not people could or would even want to switch to it is an open question.