Tag Archives: Security

How CERN Fights Hackers

Talk about attack surface: CERN has to keep tabs on around 40,000 bring-your-own-devices from professors, technicians, and other workers; academics and engineers also connect to systems remotely. The organization’s two main data centres in Switzerland and Hungary have around 100,000 hard-drives and 13,000 servers in total.

Then there’s the LHC’s computing grid, spread across North America, Europe, and Asia, which reprocesses data generated by the experiments. Control systems for equipment need to be secure as well, and CERN hosts around 10,000 websites.

Nissan Leaf electric cars hack vulnerability disclosed

Nissan Leaf electric cars allow you to control some of its features via a smartphone app. Unfortunately, this also allows attackers to control the heat and air conditioning. The attack isn’t very sophisticated and doesn’t even require the app, just a carefully constructed file sent by a web browser. Nissan is aware of the issue but no fix is yet available.

Internet connectivity for cars is becoming more common yet most automobile manufacturers have never had to deal with security until now. It’s a much different environment than the closed off embedded engine control systems they’re familiar with and they need to come up to speed faster than they seem to be so far.

Vulnerability allows attackers to remotely kill a Jeep on the road

Two hackers have found a vulnerability that allows them to completely control a Jeep Cherokee while it’s traveling on the road. And when I say completely, I mean not just the radio, the AC and the wipers but also the steering, brakes and transmission.

It’s because the internal control network for the vehicle is connected to the same network as the entertainment system and they’re both connected to the cellular network. And Jeep isn’t alone in this, other “connected cars” may also be vulnerable .

Fiat Chrysler, which makes Jeep, issued a patch on July 16th that must be manually installed. Other manufacturers are also slowly awakening to the need to pay attention to security in their vehicles. As I always say, if you can get access anyone can get access. That applies to your computer, your home and (now) your car.

Serious iOS, OS X flaws lead to password theft

More cybersecurity bad news. A serious defect in iOS and Mac OS X can lead to password theft by exploiting resource sharing between apps. It was originally reported to Apple six months ago and the researchers decided to go public after Apple remained silent. Fixing this will require major changes to the operating system and the App Store infrastructure, so don’t expect a fix to be quick or simple.

In the meantime, users are advised to follow standard security precautions: Do not install apps from unknown sources, and be cognizant of any suspicious password prompts.

Why the theft of OPM data is so awful

Yes, it’s another cybersecurity post. It’s becoming more of an issue for all of us and you’d better be prepared.

You’ve probably heard that the Federal Office of Personnel Management (OPM) was recently hacked and a lot of sensitive personal data was stolen. But it’s much worse than originally reported. Also stolen was a second set of data, the Standard Form 86 (SF 86).

The SF 86 “QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS,” is a 127-page form that asks (among other things), where applicants have lived; contacts with foreign citizens and travel abroad; the names and personal details of relatives; illegal drug use and mental health counseling except in limited circumstances. It is filled out by anyone who is looking for a security clearance.

It is rumored that the data was stored, for no discernible reason, on Dept. of the Interior servers. The data was not encrypted, but the OPM is claiming that it wouldn’t have mattered as the attackers possessed valid network credentials and could access the data in unencrypted format. There was no two-factor authentication in use. Needless to say Congress is having a cow.

Fingers are being pointed at China for this attack (they of course deny it). It certainly sounds like it’s state-sponsored given the data stolen and its potential for use in blackmail and espionage. If you have a clearance of any kind you’re potentially a target now that the attackers know more about you than anyone else (including possibly your spouse).

[Update 6/23/2015] Hey, remember when I said it was “much worse”. Well, it’s even worse than that. It’s possible up to 14 million records were obtained, essentially everyone who has ever worked for the federal government. All of them now in the hands of a foreign government.

Change your LastPass master password NOW

LastPass is reporting they’ve detected suspicious activity in their network. User passwords weren’t stolen but other information (account email addresses, password reminders, server per user salts, and authentication hashes) was. What this means is you should change your LastPass password immediately since this will update the salts and hashes.

You should have received a notice by now of this breach and to change your password, but even if you haven’t don’t wait. And if you haven’t already, enable multifactor authentication on your account. This will further protect you should someone else try to change your password.

Kaspersky Lab attacked by Duqu

Kaspersky Labs, one of the top cybersecurity research companies was attacked by the Duqu attackers, one of the top APTs (Advanced Persistent Threats) out there. Although they weren’t the only target, Kaspersky was probably in the best position to detect and analyze the threat.

They determined that Duqu took advantage of Windows zero-day vulnerabilities that allow attackers to raise their privilege levels and access any part of the affected system. The attackers had been at it for months before being detected.

The thing to remember from this is: If a company like Kaspersky can be successfully attacked, what chance does the average company have?

More on the attack from Ars Technica: Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks.