Cybersecurity News for the Week Ending April 1, 2022

How Many Times Do I Need to Say – Crypto is Software, Software Has Bugs, Your Money is at Risk

Decentralized Finance (DeFi) platform Revest Finance said that it lost $2 million due to a software bug and, oh yeah, (a) they can’t recover the funds, (b) they do not have the money to cover the losses and (c) they don’t have insurance to cover the hack. Unless we eliminate the software, we cannot eliminate all bugs. Credit: The Record

Russia Faces Internet Outages Due to Equipment Shortages

One of Russia’s tech unions says that Russian ISPs run the risk of Internet outages as the value of the Ruble goes down and foreign companies won’t sell them parts or new equipment. Right now the government is saying that is the Internet providers’ problem, but if it turns into widespread outages, they are likely to change their tune. Credit: Bleeping Computer

Cryptocurrency was Fun While it Lasted

EU Parliament committees have voted to require crypto exchanges to verify the identity of self-hosted wallets, meaning the end of anonymity for crypto transactions. The US Treasury (FinCEN) has also suggested that we do that, but it has not yet appeared in a bill. That means that the bad guys will need to do peer-to-peer crypto, bypassing the exchanges, to deal in criminal activities. While this is harder than using exchanges, it is far from impossible. Given that the whole purpose (besides speculating) of crypto is to commit fraud, identifying yourself is probably not high on users’ wish lists. Credit: Vice

Senate Asks Companies About Hackers Creating Fake Warrants

Recently I wrote that hackers have figured out that the government’s search warrant process is as secure as, say, a screen door. Now that the facts have been outed, and likely even more hackers will use that fact to steal even more data, a couple of Senators have started asking questions. That is a long way from Congress actually doing anything useful about it, but at least it is a start. Don’t expect anything to happen because it is a hard problem to fix. Credit: Brian Krebs

Apple Fixes More Mac, iPhone Zero Days

In case you haven’t noticed, the last 12 months have not been Apple’s friend when it comes to zero-day bugs. This week Apple patched two more that are actively being exploited in the wild and affect iPhones, iPads, Apple Watches and Macs. The versions you are looking for are iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1, with improved input validation and bounds checking, respectively. Credit: Bleeping Computer

Can Automakers Get Ahead of Cyber Crooks?

Cars have huge attack surfaces, and they get bigger every year.

One source says the average car has 30-50 computers and luxury cars have a hundred (personally, I think that is low). Add to that 60 to 100 sensors. Some cars have a hundred million lines of code in them.

How do you make that 100 percent secure? That is a pretty daunting task.

But then you have another complexity.

I own two cars that were built in 2006. They were probably designed a few years before that.

Do you think any car maker is going to patch cars that are 15 to 20 years old?

This week a researcher revealed that Honda, in some of its “older” cars, did not use encryption in its door unlock and remote start feature, so all a hacker had to do was be close enough to record the sequence, and he or she could play it back at will. And yes, they used the same sequence every time for a car.
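To make the difference concrete, here is an added simulation (not Honda’s code or anything from the research referenced above) of why a fixed unlock code is replayable while a rolling code is not. The first fob/receiver pair sends the same code on every press; the second one includes an increasing counter authenticated with an HMAC, and the receiver refuses any counter it has already seen. The shared key, the counter window and the command strings are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key shared by the fob and the car; a real system would
# provision a per-vehicle secret at manufacture time (assumption for the demo).
SHARED_KEY = b"constructed-demo-key-not-real"
# How far ahead of the last accepted counter the receiver tolerates, so that
# presses made out of range of the car do not lock the owner out.
COUNTER_WINDOW = 16


class StaticFob:
    """Fob that transmits the same fixed code on every press (the weak design)."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def press(self, command: str) -> bytes:
        return command.encode() + b"|" + self.code


class StaticReceiver:
    """Receiver that only checks the code matches; it cannot tell a replay from a real press."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def accept(self, message: bytes) -> bool:
        _, _, code = message.partition(b"|")
        return hmac.compare_digest(code, self.code)


class RollingFob:
    """Fob that sends a monotonically increasing counter plus an HMAC over command and counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self, command: str) -> bytes:
        self.counter += 1
        body = f"{command}|{self.counter}".encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + b"|" + tag.hex().encode()


class RollingReceiver:
    """Receiver that rejects any message whose counter is not strictly newer than the last accepted one."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0

    def accept(self, message: bytes) -> bool:
        parts = message.split(b"|")
        if len(parts) != 3:
            return False
        command, counter_bytes, tag_hex = parts
        try:
            counter = int(counter_bytes)
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False
        expected = hmac.new(self.key, command + b"|" + counter_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted message
        if not (self.last_counter < counter <= self.last_counter + COUNTER_WINDOW):
            return False  # replayed (old counter) or implausibly far ahead
        self.last_counter = counter
        return True


def replay_outcome_static() -> tuple:
    """Returns (first press accepted, replay of the same capture accepted)."""
    fob, car = StaticFob(b"0xC0FFEE"), StaticReceiver(b"0xC0FFEE")
    captured = fob.press("unlock")
    return car.accept(captured), car.accept(captured)


def replay_outcome_rolling() -> tuple:
    """Returns (first press accepted, replay accepted, a later fresh press accepted)."""
    fob, car = RollingFob(SHARED_KEY), RollingReceiver(SHARED_KEY)
    captured = fob.press("unlock")
    first = car.accept(captured)
    replayed = car.accept(captured)
    later = car.accept(fob.press("unlock"))
    return first, replayed, later


def tampered_rolling_rejected() -> bool:
    """Changing the command in a captured rolling-code message breaks the HMAC."""
    fob, car = RollingFob(SHARED_KEY), RollingReceiver(SHARED_KEY)
    captured = fob.press("unlock")
    tampered = captured.replace(b"unlock", b"remote_start")
    return not car.accept(tampered)


if __name__ == "__main__":
    print("static  (first, replay):", replay_outcome_static())
    print("rolling (first, replay, later):", replay_outcome_rolling())
    print("tampered rolling message rejected:", tampered_rolling_rejected())
```

The point of the counter window is the practical trade-off the article hints at: the receiver must stay usable when the fob is pressed out of range, so it tolerates a small jump ahead, but it never accepts a counter it has already consumed, which is exactly what a recorded-and-replayed message would carry.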

What was Honda’s response?

Those are old cars (they date back to 2015 and newer). We’re not going to fix it.

Who knows what it would even take to fix it. Nothing says that you can just load new software into those cars. There is probably hardware that would need to be replaced and new engineering.

Who is going to pay for that?

How do you even figure out who owns those cars now? There is no requirement to tell the manufacturer that you just bought a used car from someone.

Honda is not alone. Tesla had a similar problem last year. They had to download new software and then convince owners to buy new key fobs.

There was a 60 Minutes segment a couple of years ago where some researchers took over a Jeep, controlling the steering and brakes, while it was driving down the highway at 60 miles an hour – from miles away.

In another attack, researchers were able to disable the charging function of the Combined Charging System due to security flaws by disrupting the communications between the charger and the vehicle.

This is only going to get worse before it gets better. It is very hard to build truly secure systems.

How do we pay for that, and how do we retrofit hundreds of millions of old cars on the road?

One thing working in our favor –

Manufacturers are horrible about standardizing these things so even two cars from the same brand might have completely different innards. On the other hand, sometimes, two models from different brands – say Chevy and Cadillac – are actually the same car with different finishes. It is hard to tell what is different and what is the same, so hackers have to decide whether it is really worth the effort.

What works against us is that car makers buy a lot of stuff – think about how many car makers bought Takata airbags. Remember the ones that were defective? So if you can sabotage the supply chain, well, that makes things easier.

That is not at all clear. Credit: Threatpost and CEI