Tag Archives: Security

Microsoft releases Checked C

The C programming language has been around since the 1970s and it’s been used to create an incredible amount of software. It’s guaranteed to be part of the software you’re using to view this, regardless of what you’re using to view it with. But C has a serious drawback: it’s incredibly easy to make serious mistakes that don’t become obvious until the software is running (and possibly not even then, or not all the time).

But there are follow-on languages that build on C but add features that make some of these errors obvious. Microsoft has one called C# and it’s available for Windows developers to use as part of their Visual Studio developer environment. But lots of programmers, especially those working on open source, are still using regular old C. Recently, Microsoft Research developed Checked C which adds many of the features of C# into C without significantly changing how programmers work or requiring older code to be rewritten. They’ve released it as an open source project for use on Windows and Linux systems and welcome fixes and improvements.

In case you wonder why this is a big deal, you need to know that much of the software running on the Internet is programmed in C, and many of the security vulnerabilities that have been found and exploited arose from exactly the kind of mistakes that C overlooks. Widespread use of something like Checked C could make a significant improvement in security for everyone.
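To make the “mistakes that C overlooks” concrete, here is an added example (not code from the Checked C project, and written in plain C rather than Checked C syntax so it compiles anywhere). The unchecked function is ordinary C: it has no idea how big the buffer is and will happily write past the end. The “checked” version models what Checked C’s bounds-carrying pointers do: the length travels with the pointer and every access is validated before memory is touched. The `checked_int_array` type and the demo functions are my own constructions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Ordinary C: the callee receives a bare pointer and has no bounds
   information, so an out-of-range index silently corrupts memory.
   (Never called with a bad index below; it is here to show the contrast.) */
static void unchecked_store(int *buf, size_t idx, int value) {
    buf[idx] = value;
}

/* A bounds-carrying pointer, the idea behind Checked C's checked pointers:
   the buffer and its element count are inseparable. */
typedef struct {
    int *data;
    size_t count;
} checked_int_array;

/* Refuses the write instead of corrupting memory when idx is out of range. */
static bool checked_store(checked_int_array arr, size_t idx, int value) {
    if (idx >= arr.count)
        return false;
    arr.data[idx] = value;
    return true;
}

/* Bounded string copy: refuses when src (plus its terminator) cannot fit. */
static bool checked_copy_string(char *dst, size_t dst_size, const char *src) {
    size_t needed = strlen(src) + 1;
    if (dst_size == 0 || needed > dst_size)
        return false;
    memcpy(dst, src, needed);
    return true;
}

/* Demo: a 4-slot buffer and writes at indexes 0, 3, 4 and 100 (constructed).
   Returns how many writes were refused; indexes 4 and 100 are out of range. */
static int demo_refused_writes(void) {
    int storage[4] = {0};
    checked_int_array arr = { storage, sizeof storage / sizeof storage[0] };
    const size_t tries[] = { 0, 3, 4, 100 };
    int refused = 0;
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        if (!checked_store(arr, tries[i], 7))
            refused++;
    }
    unchecked_store(storage, 1, 7);   /* in-range use of the unchecked form */
    return refused;
}

/* Demo: an 8-byte destination; "short" fits, the 12-character string does not.
   Returns 1 when exactly the expected copy succeeds and the other is refused. */
static int demo_bounded_copy(void) {
    char dst[8];
    bool ok_short = checked_copy_string(dst, sizeof dst, "short");
    bool ok_long  = checked_copy_string(dst, sizeof dst, "twelve chars");
    return (ok_short && !ok_long && strcmp(dst, "short") == 0) ? 1 : 0;
}

int main(void) {
    printf("refused out-of-bounds writes: %d\n", demo_refused_writes());
    printf("bounded copy behaved correctly: %d\n", demo_bounded_copy());
    return 0;
}
```

The point of the contrast is the return value: in plain C the bad index is a silent memory corruption that may surface much later (or never, until someone exploits it), while the checked form turns it into an ordinary, testable failure at the moment it happens.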

How CERN Fights Hackers

Talk about attack surface: CERN has to keep tabs on around 40,000 bring-your-own-devices from professors, technicians, and other workers; academics and engineers also connect to systems remotely. The organization’s two main data centres in Switzerland and Hungary have around 100,000 hard-drives and 13,000 servers in total.

Then there’s the LHC’s computing grid, spread across North America, Europe, and Asia, which reprocesses data generated by the experiments. Control systems for equipment need to be secure as well, and CERN hosts around 10,000 websites.

Nissan Leaf electric cars hack vulnerability disclosed

Nissan Leaf electric cars allow you to control some of their features via a smartphone app. Unfortunately, this also allows attackers to control the heat and air conditioning. The attack isn’t very sophisticated and doesn’t even require the app, just a carefully constructed request sent from a web browser. Nissan is aware of the issue but no fix is yet available.

Internet connectivity for cars is becoming more common, yet most automobile manufacturers have never had to deal with security until now. It’s a very different environment from the closed-off embedded engine control systems they’re familiar with, and they need to come up to speed faster than they have so far.

Vulnerability allows attackers to remotely kill a Jeep on the road

Two hackers have found a vulnerability that allows them to completely control a Jeep Cherokee while it’s traveling on the road. And when I say completely, I mean not just the radio, the AC and the wipers but also the steering, brakes and transmission.

It’s because the internal control network for the vehicle is connected to the same network as the entertainment system, and both are reachable from the cellular network. And Jeep isn’t alone in this; other “connected cars” may also be vulnerable.

Fiat Chrysler, which makes Jeep, issued a patch on July 16th that must be manually installed. Other manufacturers are also slowly awakening to the need to pay attention to security in their vehicles. As I always say, if you can get access, anyone can get access. That applies to your computer, your home and (now) your car.

Serious iOS, OS X flaws lead to password theft

More cybersecurity bad news. A serious defect in iOS and Mac OS X can lead to password theft by exploiting resource sharing between apps. It was originally reported to Apple six months ago and the researchers decided to go public after Apple remained silent. Fixing this will require major changes to the operating system and the App Store infrastructure, so don’t expect a fix to be quick or simple.

In the meantime, users are advised to follow standard security precautions: Do not install apps from unknown sources, and be cognizant of any suspicious password prompts.

Why the theft of OPM data is so awful

Yes, it’s another cybersecurity post. It’s becoming more of an issue for all of us and you’d better be prepared.

You’ve probably heard that the Federal Office of Personnel Management (OPM) was recently hacked and a lot of sensitive personal data was stolen. But it’s much worse than originally reported. Also stolen was a second set of data, the Standard Form 86 (SF 86).

The SF 86, “QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS,” is a 127-page form that asks (among other things) where applicants have lived; about contacts with foreign citizens and travel abroad; the names and personal details of relatives; and about illegal drug use and mental health counseling, except in limited circumstances. It is filled out by anyone who is looking for a security clearance.

It is rumored that the data was stored, for no discernible reason, on Dept. of the Interior servers. The data was not encrypted, but the OPM is claiming that it wouldn’t have mattered, as the attackers possessed valid network credentials and could access the data in unencrypted form anyway. There was no two-factor authentication in use. Needless to say, Congress is having a cow.

Fingers are being pointed at China for this attack (they of course deny it). It certainly sounds like it’s state-sponsored given the data stolen and its potential for use in blackmail and espionage. If you have a clearance of any kind you’re potentially a target now that the attackers know more about you than anyone else (including possibly your spouse).

[Update 6/23/2015] Hey, remember when I said it was “much worse”? Well, it’s even worse than that. It’s possible up to 14 million records were obtained, essentially everyone who has ever worked for the federal government. All of them now in the hands of a foreign government.

Change your LastPass master password NOW

LastPass is reporting they’ve detected suspicious activity in their network. User passwords weren’t stolen, but other information (account email addresses, password reminders, server-side per-user salts, and authentication hashes) was. What this means is you should change your LastPass master password immediately, since this will generate a new salt and authentication hash, making the stolen ones useless.

You should have received a notice of this breach by now telling you to change your password, but even if you haven’t, don’t wait. And if you haven’t already, enable multifactor authentication on your account. This will further protect you should someone else try to change your password.
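Why does changing the password help when the attackers already hold your salt and authentication hash? The added example below (my own illustration, not LastPass’s code; the page doesn’t describe their actual scheme, so PBKDF2-HMAC-SHA256 and a 100,000-round work factor are assumptions) models a per-user salt and hash the way a server would store them. Changing the password issues a fresh random salt, so the stolen pair no longer corresponds to anything the server will accept, and an attacker who eventually cracks the old hash offline has learned only a password that no longer works.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the illustration; the real service's is not stated on the page.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored (salt, auth_hash) pair for a user.

    A fresh random salt is drawn unless one is supplied (a fixed salt is
    only useful for reproducible tests). The hash is what the server keeps;
    the plaintext password never is.
    """
    if salt is None:
        salt = os.urandom(16)
    auth_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "auth_hash": auth_hash}


def verify(record: dict, password: str) -> bool:
    """Server-side check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["auth_hash"])


def rotate_password(new_password: str) -> dict:
    """A password change: new salt, new hash. The old pair is discarded by the server."""
    return make_record(new_password)


def stolen_pair_useful(stolen: dict, current: dict, cracked_guess: str) -> bool:
    """Would a password cracked offline from the stolen pair still open the account?

    True only if the guess matches the stolen hash AND the server's current record.
    After a rotation the second condition fails, even for the old password.
    """
    return verify(stolen, cracked_guess) and verify(current, cracked_guess)


def demo() -> dict:
    """Walk through the breach scenario with constructed sample data."""
    old_password = "correct horse battery staple"   # constructed sample value
    stolen = make_record(old_password)              # what the attackers took
    before_change = stolen_pair_useful(stolen, stolen, old_password)
    current = rotate_password("a different passphrase entirely")  # user follows the advice
    after_change = stolen_pair_useful(stolen, current, old_password)
    return {
        "salts_differ": stolen["salt"] != current["salt"],
        "old_password_works_before_change": before_change,
        "old_password_works_after_change": after_change,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same random-salt step is also why two users with the same master password end up with different hashes, so one cracked hash tells the attacker nothing about the other account.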