Tag: security

Car industry can’t do computer security

jalopyWhile every tech company and its dog is trying to slam their technology into cars, it is starting to look like the automotive industry can’t cope with the need for security.

A Dallas law firm has filed a lawsuit against three major automakers claiming they have failed to take basic measures to secure their vehicles from hackers.

The lawsuit, filed in the US District Court for the Northern District of California by attorney Marc Stanley, is on behalf of three vehicle owners and “all others similarly situated”. It alleges that the cars are open to hackers who can take control of basic functions and endanger the safety of the driver and passengers.

“Toyota, Ford and GM have deliberately hidden the dangers associated with car computer systems, misleading consumers,” Stanley said in a statement.

But the case is bringing to light problems which may bedevil the car industry in the future. After all if they are having problems with the security on cars now, how are they going to manage when autodriven vehicles are in charge.

Modern cars and light trucks contain less than 50 separate electronic control units (ECUs) — small computers connected through a controller area network (CAN) or other network such as Local Interconnect Networks or Flexray.

New high tech cars will contain shedloads of them, and if hacked could be driven by hackers into walls or other cars.

The court case claims that the car companies are also habitually secretive about these sorts of problems – something that does not bode well if you are sitting in the back of a self drive taxi.

“Disturbingly, as defendants have known, their CAN bus-equipped vehicles for years have been (and currently are) susceptible to hacking, and their ECUs cannot detect and stop hacker attacks on the CAN buses. For this reason, defendants’ vehicles are not secure, and are therefore not safe,” the lawsuit states.

Last year, at the Black Hat security conference in Las Vegas, two industry experts released a 92-page report revealing “the 20 most hackable cars.”

DARPA reported that the defect represents a “real threat to the physical well-being of drivers and passengers.” Before releasing its study, DARPA shared its finding with car manufacturers so they could address the vulnerabilities, “but they did nothing,” the lawsuit states.

Tor wants government freedom

tor-browsingSecurity outfit Tor has said it wants to wean itself off US government cash.

In 2013, Tor received more than $1.8 million from the US government, about 75 percent of the $2.4 million in total annual expenses, according to their latest publicly available tax returns.

While Tor is grateful for the cash, it is worried that conspiracy theorists claim that the US spooks have the system wired up to be a honeypot.

The premise is that while  Tor is meant to keep you anonymous on the Internet but it’s funded in large part by the US government who does not want you to be anonymous. So it must be a way that the government locates those who want to be anonymous and tracks them down.

Technically this is tricky, but it is probably better for Tor if it was free of a government involvement – particularly when that government has been seen as a big fan of snooping.

Developers recently discussed the push to diversify funding at Tor’s biannual meeting in Spain, including setting a goal of 50 percent non-U.S. government funding by 2016.

Tor developers at the meeting also brought up the possibility of lobbying foreign governments within, for instance, the European Union.

However, increasing non-governmental funding is a major priority. Individual donations rose significantly in the last year and Tor plans on soliciting them much more aggressively in 2015. Every new download of Tor—there were 120 million in 2014—will be asked to donate to the project, a change expected to take place in the near future.

Tor is launching a crowdfunding campaign in May of this year.

Lenovo installed malware on laptops

lenovo_hqA security firm made the alarming assertion that Lenovo had pre-installed software on notebooks it sells that makes them more likely to be hacked.

The program called Superfish, which Lenovo installed on computers intended for home use was software that auto-displays adverts.

And according to Reuters, Errata Security, an American company, said Superfish opens up encrypted connections, so letting hackers take over PCs.

Lenovo officials are on holiday for the Chinese New Year and so far have not responded to the allegations.

However, Ken Westin, a senior security analyst at Tripwire had plenty to say on the matter.

“With increasingly security and privacy conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetisation strategies,” he said.

“If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers’ trust, but also put them at increased risk,” he added.

 

Lockheed Martin jets into cyber security

DF-SC-82-10542US defence contractor Lockheed Martin sees cyber security as its number one growth area over the next three to five years.

Although it is better known for its jet aircraft, Lockheed Martin is the main provider of IT technology to the US government, said expects double-digit growth in its overall cybersecurity business over the next three to five years.

Lockheed said it was making strong inroads in the commercial market by using its experience and intelligence gathered while guarding its own networks and those of government agencies.
Chief Executive Officer Marillyn Hewson said Lockheed was providing cyber security services for more than 200 customers around the world in the energy, oil and gas, chemical, financial services and pharmaceuticals business.

Hewson told the company’s annual media day that Lockheed had faced 50 “coordinated, sophisticated campaign” attacks by hackers in 2014 alone, and she expected those threats to continue growing.

Lockheed now represented a large number of companies on the Fortune 500 list, including 79 percent of utilities, 35 percent of oil and gas companies, 46 percent of chemical firms, and 46 percent of financial firms.

It has been helped by the fact that other weapons makers, including Boeing and Harris have largely exited the cyber security business after finding it difficult to generate any real cash.

Obama blows hot and cold on encryption

thewhitehouseWhile his security spooks are complaining that company moves to use strong encryption is making their life difficult, President Barack Obama said he likes the technology, other than when he doesn’t.

Talking to Recode, Obama appears to have jumped on the side of the big tech corporations against the NSA and when asked if American citizens should be entitled to control their data, just as the president controls his own private conversations through encrypted email, he said yes.

Obama replied that he’s “a strong believer in strong encryption …. I lean probably further on side of strong encryption than some in law enforcement.” He maintained that he is as firm on the topic as he ever has been.

However the matter, claimed Obama was hypothetical. If the FBI had a good case against someone involved in a terrorist plot and wants to know who that person was communicating with? Traditionally, they could get a court order for a wire tap. Today, a company might tell the FBI they can’t technically comply.

He warned that the first time that an attack takes place in which it turns out that we had a lead and we couldn’t follow up on it, because the data was encrypted the public’s going to demand answers.

“Ultimately everybody, and certainly this is true for me and my family, we all want to know that if we’re using a smartphone for transactions, sending messages, having private conversations, that we don’t have a bunch of people compromising that process. There’s no scenario in which we don’t want really strong encryption,” he said.

So, in other words, everyone should have strong encryption which should turn itself off when the security services want to have a look at it.

Dutch government hit in cyber barrage

dutch-childrenWebsites run by the Dutch government were downed yesterday morning after a cyber attack.

The outages affected many of the government’s web sites and lasted for over seven hours.

And the cyber attackers – whoever they are – also used a distributed denial of service (DDoS) attack to take down a satirical website called GeenStijl.nl.

No one has yet claimed responsibility for the attack.

According to Reuters, phone systems and emergency channels stayed online.

The government information service said it is inestigating the attack along with the Dutch National Centre for Cyber Security.

The attackers targeted the hosting company that services the government sites – Prolocation.

Dating applications expose businesses

1930s-couple-620x400Big Blue is warning that millions of people using dating apps on company smartphones could be exposing their employers to hacking, spying and theft.

IBM security researchers said 26 of 41 dating apps they analysed on Google Android mobile platform had medium or high severity vulnerabilities.  Curiously the IBM team did not look at dating applications on Apple gear, probably because the company signed a deal to push Apple gear in the workplace.

Unfortunately IBM did not name and shame the vulnerable apps but said it had alerted the app publishers to problems.

Apparently Tinder, OkCupid and Match have become hugely popular in the past few years due to their instant messaging, photo and geolocation services. In 2013 it was estimated that 31 million Americans have used a dating site or app.

IBM found employees used vulnerable dating apps in nearly 50 percent of the companies sampled for its research. By using the same phone for work and play or “bring your own device,” it means that companies are wide open for such attack vectors.

Am IBM report said that while BYOD was seen as a way that companies could save cash by allowing employees to use their home gear on corporate networks , if not managed properly, the organizations might be leaking sensitive corporate data via employee-owned devices.

IBM said the problem is that people on dating apps let their guard down and are not as sensitive to potential security problems as they might be on email or websites.

If an app is compromised, hackers can take advantage of users waiting eagerly to hear back from a potential love interest by sending bogus “phishing” messages to glean sensitive information or install malware, IBM said.

A phone’s camera or microphone could be turned on remotely through a vulnerable app, which IBM warned could be used to eavesdrop on personal conversations or confidential business meetings. Vulnerable GPS data could also lead to stalking, and a user’s billing information could be hacked to purchase things on other apps or websites.

Strangely, despite its dire warnings to Android users, IBM said it had not so far seen a rash of security breaches due to dating apps as opposed to any other kind of social media.

Meanwhile, it recommends that dating app users limit the personal information they divulge, use unique passwords on every online account, apply the latest software patches and keep track of what permissions each app has.

ARM buys OffSpark

lightningBritish chip designer ARM has bought Dutch firm Offspark, which is an open source security software outfit.

It is all part of ARM’s cunning plan to make chips for the internet of things.  It seems that the move by Intel to buy McAfee is starting to make some sense and ARM is seeing the wisdom of having inhouse security software.

Offspark’s PolarSSL technology is designed for sensor modules, communication modules and smartphones.

ARM said buying the group would add its security and software cryptography to its IoT platform, designed to link billions of devices online.

It is not clear how much ARM paid for the security outfit. ARM has promised that the  technology will remain open source and will be made available to developers for commercial use.

It complements ARM’s Cryptobox technology of mbed OS that enables secure execution and storage.

Apparently ARM is to  release mbed OS under an Apache 2.0 licence which will include mbed TLS, Thread, and other key technologies toward the end of 2015.

The release of mbed TLS 1.3.10 is now available under GPL and to existing PolarSSL customers on polarssl.org.

 

Top encryption software project nearly went under

Glens_EnigmaA free email encryption software project which was used by whistleblower Edward Snowden nearly went under this week when the bloke behind it ran out of cash.

Koch’s code is behind most of the popular email encryption programs GPGTools, Enigmail, and GPG4Win.  If he packed it in, he would create a nightmare scenario for the security industry.

Werner Koch appealed for cash to keep his Gnu Privacy Guard project going.  He wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.

He has been running the project more or less for free because he believed there was a need to have some sort of open saucy encrypted software.  In 2013 he was all set to pack it in and then the Snowden news broke, and he realised that this was not the time to cancel.

It is not as if the industry has been particularly helpful, despite its dependence on him, the security industry has not been that helpful.

Koch could not raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He has been living off $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date but he needed $137,000 to pay himself a decent salary and hire a full-time developer.

A lifeline was thrown to him this week. He was awarded a one-time grant of $60,000 from Linux Foundation’s Core Infrastructure Initiative. Donations flooded Werner’s website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

The cash gave Koch, who has an 8-year-old daughter and a wife who isn’t working, some breathing room. But when Propublica  http://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. “I’m very glad that there is money for the next three months,” Koch said. “Really I am better at programming than this business stuff.”

US health firm comprehensively hacked

Sheffield: CEO of AnthemAn American health insurer appears to have been hacked and lost millions of its customers’ records.
Anthem said that hackers stole the identities of customers across all of its business units.
It has about 37 million customers in the USA and has reported the attack to the Federal Bureau of Investigations (FBI).
It has said it has now closed the hole but that’s somewhat equivalent to closing the gate once the horse has bolted.
The hackers do not appear to have had access to Anthem customers’ credit card records.
It has set up a website to try to explain what happened, with its CEO and president claiming his company had state of the art information security systems.
He said that despite that, his company “was the target of a very sophisticated external cyber attack.  These attackers gained unauthorised access to Anthem’s IT systems”.
Anthem has hired a company called Mandiant to assess its IT systems.
Sheffield said: “Anthem will individually notify current and former members whose information has been accessed. We will provide credit monitoring and identity protection services free of charge.”

Organisations anticipate internet of things

Internet of ThingsAlthough there’s still a clear lack of standards with different vendors vying to take the lead, many organisations are getting ready for the internet of things (IoT).
Companies including Intel, Qualcomm, Google and others want to have a big stake in the future of IOT.
And there’s no doubt the hype is generating interest.
That’s the conclusion of market research company Gartner which said in a study that 40 percent of businesses think the IoT will have a “significant” impact in the next three years.
Nick Jones, a senior analyst at Gartner, said: “Only a small minority has deployed solutions in a production environment. However, the falling costs of networking and processing mean that there are few economic inhibitors to adding sensing and communications to products costing as little as a few tens of dollars”.
But even though many organisations are anticipating the IoT, few have put executives in leadership roles.
The main concerns of the  people surveyed are security and privacy.  And there is a shortage of people with the relevant skills to plot the future.

 

Authentication market value to soar

Screen Shot 2015-02-03 at 16.35.17By the end of this year, mobile multi-factor authentication software and services will be worth $1.6 billion by the end of this year.
The reason is that user names and passwords to identify people aren’t secure enough, according to ABI Research.
And attacks against organisations, of whatever size, continue to flourish with many breaches made because of weak passwords.
That means there’s considerable market demand for authentication technology that gives an additional layer of security.
ABI thinks that one time passwords and tokens are emerging as the favourite way of authentication.
They offer better security because passwords generated only work for a single session or transaction.
Microsoft, Apple, Facebook, Google and Twitter already use two factor authentication methods. And one type of two factor authentication uses hardware based security tokens.
Companies like MobileIron, Gemalto, Entrust,, Centrify, CA, Symantec and others are competing for market share.
ABI believes the market is so ready for this kind of secure technology that by 2020 the authentication market will be worth $13.2 billion.

 

Help! My Mini needs a patch

350350000patch37As a sign of a 21st century problem, car maker BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.

The problem affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive – a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.

Security experts were able to create a fake mobile phone base station to intercept network traffic from the car, and use that information to send commands to the car telling it to lower windows or open the doors.

Other boffins working for German automobile association ADAC discovered the security vulnerabilities and the potential for vehicles to be broken into last summer, but kept quiet about them until now to give BMW a chance to produce a fix.

Hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry – which is a lot better than a brick through the window or a bent coat hanger.

ConnectedDrive appBMW issued a statement to the press congratulating itself on its rapid response, how it is “increasing the security of data transmission in its vehicles” in response to what it describes as the “potential security gap” in ConnectedDrive.

The vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS.  Since HTTPS is the minimal sort of security you would expect from an online transition, you would have thought that BMW’s have thought to install it.

The fact BMW still took half a year to work out a fix and roll it out, indicates that they have not really thought this whole security thing through yet.

Still it is likely that we will see a lot more of these sorts of patches being rolled out for cars. In the old days you could open a mini with a fork.

 

 

UK makes Google change privacy policy

OgleThe Information Commissioner’s Office (ICO) has made Google sign an undertaking to improve information about how it collects personal data in the UK.
The ICO said that following an investigation it found that Google’s search engine was “too vague” in describing how it used personal data it had collected.
The ICO said Google has signed a formal undertaking to make changes to its privacy policy so that it meets the needs of the UK Data Protection Act.
The ICO worked with other European data protection authorities, it said.
The enforcement officer at the ICO, Steve Eckersley, said: “This investigation has identified some important learning points not only for Google, but also for all organisations operating online, particularly when they seek to combine and use data across services.”
Google will have to make agreed changes by the 30th of June this year, and take even more steps over the next two years.
Google’s undertaking can be found here.

 

Big data has serious risks

server-racksScientists at the Massachusetts Institute of Technology (MIT) said just four pieces of vague information can open the door to crackers and hackers.
The researchers said the dates and locations of just four transactions can identify 90 percent of people in a data set recording three months of credit card transactions by 1.1 million users.
For example, say the MIT scientists, that someone with copies of just three recent receipts, or one receipt, an Instagram photo of you, and a tweet about the phone you just bought will have a 94 percent chance of extracting your credit card records from a million other people.
The implications are serious, because both public and private entities see aggregated digital data as a source of insight.
Big Data, however, holds socially beneficial implications, the researchers said.
They are looking at other ways to protect peoples’ data from being filched.