Your Car’s Cyber Security Stinks

Yes, that is basically the summary of a Network World Article on the subject.

In a high end car there are hundreds of computers and millions of lines of software.  Gone are the days when you car was a big hunk of machined metal.

Now your car is a super computer network on wheels.

The patch that BMW released a couple of weeks ago and the hacking demo of the Tesla that opened the car’s doors while it was driving down the highway (see CNN article) are but two very public demonstrations of the vulnerabilities in today’s cars.

While some car owners have claimed that their cars have done very strange things while they were driving them, for the most case, the government and automakers have not been able to recreate them.  That doesn’t mean that the issues aren’t real.

Sen. Edward Markey (D-Mass) commissioned a study, the conclusion of which is that there is a

“clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”

Some of the trends in Markey’s study include:

  • Nearly 100% of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents.
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers.
  • These manufacturers collect an incredible amount of information about you and your driving practices over wireless networks, usually with no security and always with no rules regarding what they collect, how they use and and if they inform the consumer about their practices.
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real-time, and most said they rely on technologies that cannot be used for this purpose at all.

The last bullet is the most concerning.  Only two out of twenty manufacturers were able to detect and respond to hacks in real time (of the 20, 4 did not even respond to the Senator’s request for information).  If your computer is hacked and it takes Microsoft 6 months to come up with a patch, you may have your bank account drained or your data erased, but if your car is hacked, you may crash into a tree at 60 miles an hour and be killed.

While no one is suggesting that this is happening today, the use of software in cars is growing geometrically and no one is really doing very much about the security.  Some of the demonstrations have used a laptop connected physically to the car (which a hacker could do with advance planning).  One even used an infected CD in the CD player.

What is clear is that, as Tom Cruise said many years ago in a different context, this is a target rich environment.

The automobile industry is beginning to work on voluntary activities regarding both safety and privacy, but none of those activities are mandatory.  If you read Sen. Markey’s study, you will see that for many of the questions asked, the manufacturers either refused to answer or gave vague platitudes.  Other questions were answered with answers that had little to do with the question asked.

Given that right now the hackers have their hands full stealing our credit cards, healthcare records and other personal information, it may take a few years before they figure out how to monetize hacking your car, but fear not – they will.  Just like hackers nuked Sony into the stone age or, on a small scale, cryptolocker encrypts your personal computer in exchange for ransom, what if hackers nuked your car.  You have it towed to the dealer and they say they have no idea.  For the most part, dealers do not have the technology to reprogram most of your car’s computers in the field, which means that they would want to replace those computers, costing you hundreds to thousands of dollars.  Even if it is under warranty, would the manufacturer cover that cost or say that this is not a manufacturing defect.  For sure, the lawyers would get rich.


Facebooktwitterredditlinkedinmailby feather

FBI Says Most Businesses They Investigate Have Little To No Security is reporting that the FBI says that most breaches are entirely avoidable.

At the Online Trust Alliance’s Data Privacy And Protection Town Hall in New York City, FBI Special Agent George Schultzel said that over 90 percent of the companies who reported breaches to them had little to no security whatever.

The FBI said that most of the breaches are totally avoidable and that the hackers were attacking out of convenience.

This is great news for lawyers – at least for those lawyers suing businesses that have a breach.

If the FBI says that in 90 percent plus of the cases that businesses had no security and that the breaches were totally avoidable, then the businesses will need to show that they are in the less than 10 percent that had defenses and were not totally avoidable.  If I was an attorney, that is not a box I would want to be placed in.

The FBI suggested that businesses need to start creating and implementing security plans to prevent easy hacking in the future.

I would also assume that insurance companies might start taking the stance when you make a claim that your company was in the 90 percent, not the 10 percent.  Can you defend your counterclaim that you are part of the 10 percent?


Facebooktwitterredditlinkedinmailby feather

Verizon Has A New Friend – The U.S. Senate

Well, maybe not a friend that you want to have, but they will likely get to visit the nation’s Capitol.

Verizon has gotten way more press than it would like by inserting super-cookies into it’s customers web traffic to allow folks like the marketing giant Turn to build dossiers on Verizon customers and then sell that information to advertisers in a thousandth of a second to the highest bidder.

Senators Bill Nelson of Florida, Richard Blumenthal of Connecticut and Edward Markey of Massachusetts have asked the FTC to investigate whether Verizon’s use of super cookies violate FTC privacy rules.  These senators wrote Verizon a short note last week asking them a few questions, which Verizon said it would respond to.

The Senators want to know if legislation is required (I assume to regulate or outlaw this activity).

Advertisers are probably really, really mad at Verizon right now.

If Verizon had just done what AT&T did last year when they got caught doing this, the ad industry would not be getting all this unwanted attention.

When AT&T got caught doing this last year, they said it was just an experiment (yeah, right!), my bad, and we will stop doing this now.

Verizon, on the other hand said that no one would ever user our super cookies to track what users were doing.  Even though Turn, who was doing that exact thing, was a vendor to Verzion (must have been a different department).

Turn said that just because people were deleting their cookies didn’t mean that they did not want to be tracked.

If Verizon has just been a little smarter and taken the AT&T route and said sorry, this would all have gone away.

And six months later they could have re-contextualized the program and started it back up.

From my point of view, I am glad they were not being very smart.


Facebooktwitterredditlinkedinmailby feather

Why Encryption Does Not Mean The End Of Law Enforcement

IT World wrote a piece on how the cops caught up with the now convicted founder of Silk Road, Ross Ulbricht, AKA The Dread Pirate Roberts, the man who ran the dark web marketplace for everything from drugs to murder.  The author goes into a lot more detail for those geeks who are interested.

Curious note:  That article ran everywhere under the title 4 technologies that betrayed Silk Road.  Their article lists 5 technologies, but the page name for the article is still called 4 technologies … go figure.

Number 1: He used Bitcoins to transfer money between buyers and sellers and himself, thinking it was untraceable.  Turns out while it might be hard to decrypt the bitcoin wallets themselves, it is easy to watch the transactions on the net.  You can see where the traffic comes from and where it goes to.

Number 2: Ulbricht used TorChat to communicate.  Like Tor, it is encrypted so you can’t just look at it.  However, for some reason, he consciously turning on chat logging, which made unecncrypted logs on his hard disk.  He may have thought that the logs were encrypted or he he may have thought that since his disk was encrypted, he was safe.

Number 3: Encryption makes it difficult for someone to eavesdrop on your world but stuff has to be decrypted in order to use it.  In Ulbricht’s case, he apparently was using whole disk encryption (WDE), like Microsoft’s Bitlocker (but probably not Bitlocker).  The problem every WDE product has is that it decrypts stuff once you login and the keys are kept in memory.  What this means is that WDE offers no protection while the computer is on.

For some reason, Ulbricht used public WiFi at the library some times and the cops caught him there, while the computer was turned on and logged in and were able to grab his computer before he could shut it off.  They now had access to, among other things, his private encryption key. Game over.

I have often said that public WiFi is not secure.  That is certainly true if you are a crook.

Number 4: Loose lips sink ships.  This is as true now as it was during World War II when the phrase was coined.  Ulbricht used Facebook and cross posted information, for example, about a vacation in Thailand to both Silk Road and Facebook.  Tie the FB account to a GMail account and voila.

Number 5: Automated server logins are convenient, but deadly.  because human beings are lazy, Ulbricht had set up a trust relationship between his laptop and the Silk Road servers, so he did not need to enter a password to login to the servers.  If you have access to the laptop, you have access to the servers.

I think most people will be able to figure out what not to do, so I don’t think I need to explain that here, but it does point out that nothing is foolproof.

The Feds – and Prime Minister David Cameron of England – feel that no communication should be private from the government.  The fact that in 99% of the cases, the people who want private communications just don’t trust the government and are doing nothing wrong is not relevant to them.  This case pointed out two things – First, encryption is not a silver bullet and Second, human beings make mistakes.

Maybe the next crook won’t make these five mistakes, but actually, I would not count on that.  The good news for the cops is that there is pretty much an unlimited supply of mistakes for the bad guys to make and while it may be harder to catch them if they use encryption, it is, for sure, not the end of catching crooks.  Ask Ross Ulbricht.



Facebooktwitterredditlinkedinmailby feather

Are You Watching Your TV? It May Be Listening To You!

Samsung’s Smart TV voice recognition works just like the voice recognition on your Android or iPhone – with one big difference and CNN is reporting on this today.

On all of these devices, the device captures your voice, sends it over the internet and gets the text back the same way.

It is not clear whether any of these vendors encrypt the traffic, but if I were taking bets, I would bet that it is not.

Samsung uses a third party – whom they have not named – to do the conversion.  It is unknown whether Apple and Google outsource it or do it internally.

Here is the difference.  On your phone, you tell it when you want it to perform speech to text conversion – you press the microphone icon or ask Siri.

Because the television never knows when you are going to ask it to change the channel or find a new program, it is always listening.

So, if you are plotting to rob a bank, maybe you should not do it in front of your smart TV.

What is not clear is whether something occurred to bring this to the forefront today.

Samsung claims they neither sell the data nor keep it.  They did not answer the question as to whether the third party keeps the data.

Your first inclination after reading this is to turn off the voice recognition feature.  Go ahead.  Of course, if you do that then you can’t yell at your TV to change the channel – you will have to do it the old fashioned way and use the remote.  If you do turn it off,  the TV listens anyway because there are some features that work even if general voice recognition is off and it sends that data, but not your voice, to Samsung for statistical analysis in addition.

We already know, courtesy of Edward Snowden, that the NSA looks at any data that the hackers hack that they can get their hands on.  Why do all that work.  Just steal it from the thieves.

I wonder if the NSA is listening to your smart TV?  If they weren’t before, I bet the are now.

A wire cutters to the microphone wire likely will work, however.




Facebooktwitterredditlinkedinmailby feather

Anthem Breach Blame Game Begins

UPDATE:  In a post on Dark Reading, they have added a few more details.  The breach, they say, started December 10th, about two months ago.  They detected the breach on January 27th and notified customers 8 days later.  Compared to other breaches, that  is very quick.

While they are calling this by that overused term, advanced persistent threat or APT, the term is probably appropriate in this case because the malware was customized for Anthem.  Mandiant, who is working with Anthem, said the bad guys could likely just change the IOCs (indicators of compromise) and sneak it in undetected somewhere else.  That is not a pleasant thought for other insurance companies.  All of them, no doubt, are looking in the corners and under the beds to see if they have been had as well.

They were able to detect this because of logging – a database administrator noticed unauthorized queries running with admin credentials.  Still it took them two months.

Anthem reset all admin passwords when they discovered this (more power to them.  In most organizations, if they did that the world would come crashing down upon them).  They also disabled all accounts without two factor authentication (at least they had two factor even if they were not using it everywhere).

The question about encryption has been danced around, although, it is fair to say that if the hackers had database admin credentials, encryption would not have protected them.


Insurance Networking News has a pretty detailed article on the Anthem breach.  Investigators believe at this point that the breach was state sponsored, likely by China.  If true, that means that two of the largest recent breaches (Anthem and Sony) were either conducted by or sponsored by state actors who are, to be kind, not very friendly to the United States.

James Mapes of security consultancy BestIT says that while credit card numbers go for between 10 cents and 25 cents each, stolen medical records go for between $100 and $300 per record.

Up until now, health care organizations did not spend much money on information security since most of their records were paper based.  Now, with the mandate for electronic health records, all of that has changed and unfortunately, Anthem got to be the poster child for information security.

Some people are suggesting that Anthem’s data was not encrypted.  That would not surprise me given the performance penalty organizations see when they do encrypt large amounts of data.  That means, if the bad guys got inside then the only thing that is between them and the data is likely a password.

When you have to do a large number of queries like Anthem has to do in the course of a day, that password is hardcoded into software (worst case) or in configuration data (best case).  In both of these cases, once the bad actor is inside, getting to that password is RELATIVELY easy.

Next comes logins.  Two factor authentication makes life harder on users, but also harder for hackers.  Some people are speculating that the system admins did not need to use two factor authentication.  Only time will tell if that was true at Anthem.

Finally, logging.  Extensive logging with really smart AUTOMATED analysis would detect if, for example, a credential is being used way more than it should have been or in a place that it was not expected to be used in.  It would also tell if data was being exfiltrated either in a volume that was unexpected or too a place that was unexpected.  Some people are speculating that the reason Anthem was able to detect the problem themselves was due to excellent analysis and alerting tools.

Sari Greene of Sage Data Security points out this is not an IT problem but a corporate governance problem.  Greene said that the Anthem board is likely discussing the breach today, but hopefully, this is not the first discussion with the board.

My guess is that ongoing, meaningful, board level discussion of information risk is still the exception, not the rule.  The cost to Anthem is unknown – depending on how much damage the attackers did, how much change is going to be required to reduce the chances of a future attack and the costs related to litigation and fines.

If you take the low end of the value equation, say $100 per record and cut the number of records in half to 40 million, that would make the value to the hackers of the data at around $4 billion.  Cut that in half again if you like – say $2 billion.

Like Willie Sutton said, he robbed banks because that is where the money is.  Today, the bank that holds the money is a data bank and Willie Sutton done struck again.

Boards MUST get involved, ask the hard questions and apply the resources – which means people and money – or we will continue to have more Anthems.

As I said yesterday, while the life expectancy of breached credit card data is maybe 30-60 days, a stolen social security number can be combined with other data for the rest of your life.  That makes them very interesting to the modern day Willie Suttons.


Facebooktwitterredditlinkedinmailby feather

Privacy, Security and Cyber Risk Mitigation in the Digital Age

Visit Us On FacebookCheck Our Feed