Unhappy Days in Tesla-Land

Tesla (and other self driving car companies) have been particularly close-mouthed about crashes, especially when their cars are in self driving mode.

The National Highway Traffic Safety Administration (NHTSA) issued a new rule that pulls the covers off of that secrecy.

Now companies will have to report ALL crashes in which semi-autonomous driving, steering assist or automatic lane-keeping systems are involved. Not only does this affect Tesla, but it also affects Waymo, Zoox, Cruise and others.

The new rule says that any crash involving a semi-autonomous system and “a hospital-treated injury, a fatality, a vehicle tow-away, an air bag deployment, or a vulnerable road user such as a pedestrian or bicyclist” must be reported to NHTSA within one day of learning about the crash, with an update submitted 10 days later.

The companies also have to generate monthly reports and provide them to the NHTSA.

To encourage compliance, failure to report will subject companies to fines of $22,992 per day.

With a maximum fine of $100 million.

I assume that will get even Elon’s attention.

The objective is for the feds to have more data to understand how safe or not some of this new tech is.

Credit: Vice

Most Third Party Libraries Never Updated After Included in a Codebase

Okay, you are probably tired of hearing me rant about software supply chain but it is a huge source of hacks. Big hacks like SolarWinds and Microsoft Exchange, but mostly small hacks that we never figure out what the source is.

Researchers looked at what developers actually do.

They analyzed 13 million scans of 86,000 code repositories containing more than 300,000 unique libraries and also asked a couple of thousand developers what they did.

When developers have accurate vulnerability information, they fix 17% of flaws within an hour and 25% within a week.

92 percent of open source flaws can be fixed with an update and 60 percent of those updates are minor.

Most of the time the updates are minor and unlikely to break things.

Only half of the developers said that they had a formal process for selecting third party libraries and more than a quarter had no idea if they did or not.

The security of libraries ranks third in selection – after functionality and cost. That is probably okay if third doesn’t mean “whatever”.

As the executive order on cybersecurity gets fleshed out, expect more attention from companies on the subject – because if they don’t then they will not be able to sell their software to the government or even use particular open source software at all.

For some companies it will become best practice, and if you don’t have the ability to track and maintain libraries, they will find a vendor who does. This is independent of whether they sell to the government or not.

Credit: Help Net Security

Security News for the Week Ending June 25, 2021

Paying Ransom is Tax Deductible

Under current IRS regulations, paying cyber ransom after a hack is deductible, just like losses from a robbery, but the IRS is “looking into it”. One way the government could discourage ransom payments is if the cost is borne fully by the company’s owners. They still might choose to do it, but at least the taxpayers would not be subsidizing it. Of course, if your insurance pays for or reimburses you for the ransom, then that ransom is not deductible. Credit: AP

How Much Does YOUR Board Know About Cybersecurity Issues

As I reported last week, the SEC fined First American Financial a half million dollars for the data leak they had. The fine was based on the fact that an internal security team discovered the problem several months before it was reported to the SEC, but no one bothered to tell FirstAm executives about the issue. The moral of the story is that the SEC is “suggesting” that you keep your business leaders informed about cybersecurity issues. If the SEC does that, assume that your insurance provider will follow suit soon and deny coverage if your executives are not kept in the loop. Credit: Reuters

How Long Does It Take to Fix Critical Vulnerabilities

According to White Hat Security, the average time to fix a CRITICAL vulnerability in May 2021 was 205 days, up from 201 days in April. The water utility sector was the least prepared: 66% of all applications used by the sector had at least one exploitable vulnerability open throughout the year. Even in finance, 40% of the applications had a window of exposure (WoE) of 365 days, although 30% had a WoE of fewer than 30 days. Given stats like these, it is not surprising that the hackers are winning. Credit: ZDNet

Cyber Breach Insurance Market Set for a Reckoning

Cyber insurance claims spiked this year. Standalone claim payouts jumped from $145,000 in 2019 to $358,000 in 2020. A key metric the industry uses is something called direct loss plus defense and cost containment ratio. It skyrocketed last year to 73% from 42% the previous five years. At 73%, when you add in other costs, that means the industry is probably losing money. This means that premiums will go up, coverage will go down and limits and sublimits will be changing. If you have cyber risk insurance, prepare for changes. Credit: The Record

How Long Does it Take a Misconfigured Container to be Attacked?

Containers are great, but they are not bullet proof. Aqua Security says that based on data they have collected over 6 months, 50% of misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.

It takes five hours on average for a new honeypot container to get scanned. The fastest happened in a few minutes. The longest was 24 hours. None of these numbers are very long.

What this means is that you need to up your game when it comes to securing your cloud based systems. If you can, set them up in a contained environment (one that is not publicly accessible) and harden them before exposing them. Credit: SC Magazine
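A concrete version of “harden it before exposing it” for the Docker case: the script below is an added example, not code from the article or from Aqua Security. It audits a Docker daemon.json offline and flags any tcp:// listener that accepts Engine API calls without client-certificate verification, or that binds every interface, and it shows the weak configuration next to the corrected one. The daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker’s own; the two configurations, the private address and the certificate paths are constructed samples.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated Engine API.

Added example (not from the article or from Aqua Security). It reads a
daemon.json document, inspects every entry in "hosts" and reports tcp://
listeners that accept API calls without client-certificate verification or
that bind every interface. Both configurations at the bottom are constructed
samples; the keys are Docker's documented daemon.json keys.
"""
import json

DEFAULT_SOCKET = "unix:///var/run/docker.sock"
ALL_INTERFACES = {"", "0.0.0.0", "::"}
TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def split_tcp_host(host):
    """Split 'tcp://addr:port' into (addr, port); addr may be empty or IPv6."""
    addr = host[len("tcp://"):]
    ip, _, port = addr.rpartition(":")
    if ip.startswith("[") and ip.endswith("]"):
        ip = ip[1:-1]  # strip IPv6 brackets
    return ip, port


def audit_daemon_config(config_text):
    """Return a list of findings (strings) for one daemon.json document.

    An empty list means no remote listener is exposed without client certs."""
    cfg = json.loads(config_text)
    hosts = cfg.get("hosts", [DEFAULT_SOCKET])  # Docker's default is the unix socket
    tls_verify = bool(cfg.get("tlsverify", False))
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    findings = []
    for host in tcp_hosts:
        ip, port = split_tcp_host(host)
        if not tls_verify:
            findings.append(
                f"{host}: Engine API reachable over TCP port {port} without "
                f"client certificate verification (tlsverify is not true)")
        if ip in ALL_INTERFACES:
            findings.append(f"{host}: listener binds every interface")
    if tcp_hosts and tls_verify:
        missing = [k for k in TLS_FILE_KEYS if k not in cfg]
        if missing:
            findings.append(f"tlsverify is set but {', '.join(missing)} missing")
    return findings


def is_exposed(config_text):
    """True when some TCP listener needs no client certificate at all."""
    return any("without client certificate" in f
               for f in audit_daemon_config(config_text))


# Constructed sample: the kind of daemon.json behind "open Docker API" reports.
WEAK_CONFIG = json.dumps({
    "hosts": [DEFAULT_SOCKET, "tcp://0.0.0.0:2375"],
}, indent=2)

# Constructed sample: TLS-only listener on a private address, client certs
# required. The address and certificate paths are placeholders.
HARDENED_CONFIG = json.dumps({
    "hosts": [DEFAULT_SOCKET, "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}, indent=2)

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_daemon_config(text)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the daemon.json before the firewall rule or security group that exposes the host is opened, not after. One caveat: on distributions whose systemd unit already passes -H to dockerd, adding hosts to daemon.json makes the daemon refuse to start, so the unit file has to be checked alongside the JSON.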

Remember When Microsoft Said Windows 10 Was the Last Version? Just Kidding!

Microsoft did learn something from Windows 10 – don’t mess with their cash cow. They will continue to work on Windows 10 for the enterprise with a new release in the fall and cumulative updates for years.

But for consumers eager for the next new shiny object – Windows 11, here we come. For early adopters, it will be available on the ‘dev’ channel next week with a release in the fall.

I am not sure if Microsoft has run out of things to do with Windows, but they are touting Win 11 features like rounded corners, colorful icons, new animations and UI controls. With new features like that, you can see why enterprises are likely to stick with Windows 10.

Of course, improving stability, memory management and task scheduling are not sexy – but very important to the enterprise. Getting rid of that 25 year old code that is still in Windows – nah!

I don’t know; maybe I will become a believer after I see it, but so far, I am not impressed.

It seems like they are tweaking at the margins. Some new features include:

In addition to the user interface refresh, Windows 11 also introduces many new features, including a redesigned floating and centered Start Menu, a revamped windows snapping feature called Snap Groups, a new and improved Windows Clipboard, modern disk management, redesigned settings screen, and much more.

Finally, they ARE killing off some of that 25 year old code. Companies that still run apps that require Internet Explorer will NOT be able to run Windows 11 except with Edge compatibility mode. Given that IE is a hacker’s delight, removing that is good.

Credit: Bleeping Computer

Windows 11’s file explorer boasts rounded corners and new icons, but will it crash less? They aren’t saying.

They are finally adding a way to manage your webcam without having to install third party apps. That is nice.

They are also adding support for DNS over HTTPS, a nice security feature.

Credit: Bleeping Computer

Now here is an interesting feature. Apparently, Windows 11 will have an Android emulator* so that you can run any Android app (no, not iPhone apps, Apple probably would get upset if they did that). That means all sorts of games and productivity apps that people run on their phones will run on your PC too.

* The emulator is really not an emulator but a post compiler that allows apps to run natively. If this is true, that means that app performance should be good.

Credit: Bleeping Computer

Some things will be going away in Windows 11, although you may be able to load them from the app store if you insist, including:

IE, Timeline, Tablet mode, Wallet, 3D Viewer, Paint 3D, OneNote, Skype, Cortana, Windows 10 S mode and others.

Not going to miss any of these.

Credit: Bleeping Computer

How Safe is Your Drinking Water?

The short answer is we don’t know. That should scare you a bit. In fact, it is likely that I have a better handle on the cybersecurity of my drinking water than many public water systems do.

Here are some stats.

A MAJORITY of the 52,000 drinking water supply systems in the United States have not inventoried some or all of their information systems.

The Water Sector Coordinating Council found that less than 40 percent of utilities have identified all of the IT assets (separate from their OT systems).

The Council says that 30 percent have identified all OT related assets. An additional 22 percent are working on that. Which means that almost half have neither completed the inventory nor even started it.

68 percent said that they had no IT security incidents in the last year. Or, maybe, they just don’t know that they did. That means that a third ADMITTED that they did have an incident last year.

With publicly reported attacks on water systems in multiple states including California, Kansas and Florida, the fact that it is a 50/50 crap shoot as to whether your local water system is even trying to protect your drinking water is not terribly comforting.

In 2018 the feds passed a law that required large water systems to report to the EPA that they had conducted a risk assessment. That report, for those systems, is due this month.

NOTE THAT THEY ARE NOT REQUIRED TO FIX THE RISKS, JUST REPORT THAT THEY HAD CONDUCTED A RISK ASSESSMENT. I think they also need to put together a plan, but no one is monitoring whether they actually implement it.

But the vast majority of drinking water systems are small and they are not even required to do that much.

So, if your water comes from a large water system (like, say, Denver), it is likely that they have conducted a risk assessment, even if they have not fixed the risks.

If your water comes from one of the tens of thousands of small water systems, well, you are kind of on your own.

Of course, the hackers are well aware of this, which is really the big risk.

Credit: Brian Krebs

Most Mobile Finance Apps Are Vulnerable to Breaches

Mobile finance apps are very popular, but are they safe?

A report by security company Intertrust says that 88% of the apps tested failed at least one of the cryptographic tests, meaning that the encryption can be broken, resulting in loss of privacy and possibly loss of your money.

Some of the other findings from this report are:

  • One or more security flaws were found in every app tested
  • 84% of Android apps and 70% of iOS apps have at least one critical or high severity vulnerability
  • 81% of finance apps leak data
  • 49% of payment apps are vulnerable to encryption key extraction
  • Banking apps contain more vulnerabilities than any other type of finance app
  • Nearly three-quarters of high severity threats could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography

What this means is that you use all of those apps at your own risk. Note that the laws have not kept up and it is likely that you use these apps at your own financial peril.

Apps that are provided by your financial institution, as long as it is a federally or state chartered bank, are PROBABLY covered under conventional banking laws, but apps from other providers, what are called FINTECH companies, are much more risky.

This doesn’t mean that the company won’t reimburse you, but you don’t have the law on your side.

If you tell your bank you were the victim of fraud, the law requires the bank, in most cases, to give you back your money first and then, if they choose to, investigate the problem.

When it comes to non-bank finance applications, there are no such laws.

Additionally, some banks have modified their terms of service to state that if you provide your online banking credentials to a third party app, they are no longer responsible for any fraud.

I am not saying don’t use fintech apps, but rather, understand the risk you are accepting, and if that is okay with you, then use the apps.

Credit: Helpnet Security