
ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Article: “Car hacking is the future – and sooner or later you’ll be hit”


September 5, 2016 by Mengqi He 8 Comments

This article discusses how vulnerabilities in automotive systems enable car hacking. As cars become increasingly computerized, many accidents due to system and software flaws are exposed to the public. Therefore, the security of a car’s system and internal network should be one of the top concerns of car manufacturers. However, I think just a few auto manufacturers have placed enough emphasis on developing secure vehicle information systems. Back in 2014, it was proved that a Jeep could be remotely taken over, and therefore, Fiat had to recall all the affected cars to fix the problem. Even though the car manufacturer keeps improving its systems, researchers still find vulnerabilities that enable hackers to access the car’s internal network through the entertainment system. Hackers are able to seize control of the car by turning the steering wheel, hitting the brake or slamming on the accelerator. Researchers are currently focusing on the potential attacks related to sensors and radar that enable self-parking and self-driving.

 

I think this article is interesting because when people talk about information security and hacking, I would first think about privacy. However, it is much more than privacy; it also relates to people’s safety and health, especially for vehicles and medical devices. The most common interconnected system connecting different systems in most cars is called the CAN bus. One of the greatest vulnerabilities is the lack of encryption on the CAN bus. A weakness in any one of the systems could enable attackers to access the rest of the systems and even take control of the car. This would become one of the greatest challenges to car manufacturers, as most of them are focusing on developing self-parking and self-driving cars.

 

https://www.theguardian.com/technology/2016/aug/28/car-hacking-future-self-driving-security

Hacker Wisdom: Top Three Takeaways from Black Hat 2016

September 5, 2016 by Roberto Nogueda 3 Comments

http://thevarguy.com/information-technology-events-and-conferences/hacker-wisdom-top-three-takeaways-black-hat-2016

I was curious about what this year’s Black Hat conferences were all about, other than a bunch of people getting together in numerous seminars and presentations for about a week, so here are “The Top Three Takeaways from Black Hat 2016” by Allison Francis from The Var Guy.com.

  • Would you pick up a random USB drive and plug it into your personal computer?

Google researcher Elie Bursztein explains the enduring theory among cybersecurity experts that people will pick up and use random USB thumb drives that they find, and potentially take the risk of infecting their systems, which is not a rare case among unaware computer users all over.

Bursztein and his team had distributed 297 USB drives as “bait” at various strategic-ish locations, such as parking lots, building hallways, classrooms and outdoor areas around the University of Illinois campus.

He added that each drive houses tracking software that would “call home” if plugged in. Those drives also included several different messages like “final exam results,” or “confidential,” among others.

The results were issued by eWeek (article), revealing a stunning 46 percent of the distributed drives “phoned home”, so Bursztein suggested that awareness and security training is highly important, and warned organizations and individuals to be mindful of what they plug into their machines. “You don’t pick up food from the floor and eat it because you may get poisoned, so don’t pick up random USB drives either,” Bursztein said.

  • The mounting threat of attacks in the VoIP and UC space

Fatih Ozavci, a managing consultant with Context Information Security, presented the lack of understanding and awareness of modern voice over internet protocol (VoIP) and unified communications (UC) security. This gap leaves providers and organizations extremely vulnerable to attacks, due to the ever-increasing and rapidly-growing number of threats.

During the conference, Ozavci mentioned the various awareness that service providers and businesses are leaving themselves at risk to threat actors repurposing and exposing infrastructure for attacks such as botnets, malware distribution, vishing, denial of service attacks and toll fraud.

Ozavci also touched on the weaknesses in messaging platforms and IC product suites, since those vulnerabilities make it easy for hackers to sneak past security measures and spread malicious content. Once those vulnerabilities are exploited, attackers could gain unauthorized access to client systems or communications services such as conference and collaboration, voicemail, SIP trunks and instant messaging.

Last, Ozavci presented awareness and how he planned to get the word out, and revealed his newly developed open source tools Viproxy and Viproy, which can be used for VoIP penetration testing.

  • Information sharing and public work

Dan Kaminsky, the co-founder and chief technologist of the cybersecurity firm White Ops, highlighted the importance of making the internet a safe place for everyone by calling for more information sharing as a way to improve security and to combat cyberthreats faster and more efficiently.

Former St. Louis Cardinals Exec Sentenced To 46 Months For Hacking Houston Astros

September 5, 2016 by Brent Easley 4 Comments

I have a strong interest in this story because, one, you probably never heard of this happening with an employee from a sports franchise, and two, I am a baseball fan. This article is about an employee of the St. Louis Cardinals hacking the internal network of the Houston Astros. Chris Correa, who was a former scout for the St. Louis Cardinals, was sentenced to almost four years for hacking into the Houston Astros player database. Correa was able to hack the internal network of the Houston Astros and gain access to statistics and projections that were gathered by the front office of the Astros. Correa was able to do this by getting the old password from a former employee who is now the general manager for the Houston Astros. The federal government estimated that this information was worth 1.7 million dollars. In my opinion, cases like this are why companies enforce complex passwords, changing passwords often, and telling clients not to give their password out to anyone.

https://consumerist.com/2016/07/19/former-st-louis-cardinals-exec-sentenced-to-46-months-for-hacking-houston-astros/

How Spy Tech Firms Let Governments See Everything on a Smartphone

September 4, 2016 by Shain R. Amzovski 5 Comments

This article is interesting because it shows how cyber-security firms, or spy-tech firms, are using their technology and marketing their products to governments around the world. This particular spy-tech company mentioned in the article, NSO, is based out of Israel. Israel is the second-largest exporter in the world of cyber-security products, next to the United States. NSO has developed spying software that can see all of the activity on a target’s iPhone. NSO argues spying is important to prevent terrorist attacks, and the firm’s motto is to “Make the World a Safe Place.” With a price of $650,000, plus a $500,000 set-up fee to track 10 iPhone devices, the company’s software is not exactly for the “everyday user.” NSO’s software has been more in demand in recent years because companies such as Facebook, Apple, and Google are making it harder for governments to access their data because they are using stricter encryption. NSO has developed a tracking software called Pegasus, for which Apple recently released a security update to patch all of its devices. Do you believe this software is ethical, and should the government really need to know everything a person is doing on their phone in order to keep people safe? There have been recent cases in the United States, such as the San Bernardino shootings in California, where the government was unable to unlock the shooter’s iPhone. Apple stuck to its guns, and did not provide the U.S. government with technology capable of unlocking the device. The U.S. government had to resort to a third-party spy-tech firm to unlock the device.

 

http://www.nytimes.com/2016/09/03/technology/nso-group-how-spy-tech-firms-let-governments-see-everything-on-a-smartphone.html?_r=0

Hacking Air – Gapped Networks

September 4, 2016 by Wayne Wilson 4 Comments

“Hacking Air – Gapped Networks”, this article blew my mind. The level at which these researchers and ethical hackers were able to exfiltrate data from PCs isolated from the internet is unbelievable. They were able to collect data using acoustic sounds, electromagnetic waves, sound waves and even heat emissions generated by the PCs. The sole purpose of implementing an air-gapped network is to ensure your network is secure and out of reach from an unsecure network. I would have never imagined using the above methods to capture information such as encryption keys, usernames and passwords in such a manner.

This article was really an eye opener and just made this class even more exciting/interesting to be in.

http://resources.infosecinstitute.com/hacking-air-gapped-networks/

Hillary Clinton’s Presidential Campaign also Hacked in Attack on Democratic Party

September 4, 2016 by Mengxue Ni 2 Comments


I believe everyone has heard more or less that Hillary Clinton’s computer systems were hacked about two months ago and about 20,000 emails from top Democratic National Convention (DNC) officials were leaked on WikiLeaks. According to the WikiLeaks founder Julian Assange, he still had more data from the DNC hack and some could eventually result in the arrest of Hillary Clinton.

This action could influence the presidential election in a tremendous way. Hacking and leaking are absolutely illegal, but they may help some people to see the real dark side of politics and even Hillary Clinton. If the contents of the emails are true, will you still vote for Hillary Clinton? A candidate for president of the USA still has cyber security problems, so how could he/she protect our privacy? Or maybe another candidate for president hired hackers to reveal any information they want to know. This makes me feel very insecure and disappointed about the country.

Link: http://thehackernews.com/2016/07/hillary-clinton-hacked.html

DropBox hack reveals 68 million user passwords

September 4, 2016 by 5 Comments

This article is about the release of account info for about 68 million DropBox users. The breach occurred in 2012 but now, 4 years later, the raw passwords are being released on the web. There are a few things I find interesting about the article. First, it mentions that what allowed the breach to take place back in 2012 was that one of its employees’ passwords was obtained by hackers. It is safe to assume that the hackers used a form of social engineering to obtain this password. What I also found interesting were the encryption methods used to encrypt the actual passwords: the SHA-1 algorithm and the Bcrypt hashing function. The SHA-1 hashing algorithm, it appears, is all but extinct as the time and effort it takes to break this encryption method have grown much smaller. What I think is most interesting here is that, in 2012, SHA-1 was a respectable encryption method. The use of Bcrypt enforced the hashing of the passwords but hackers were still able to spend four years breaking the encryption. It becomes very clear from this example that, once data is obtained by hackers, all bets are off. The means by which data is encrypted today is sure to become extinct in years to come. I think the biggest takeaway here is that strengthening perimeter defenses, making it extremely difficult for hackers to gain entrance to systems at all, is the most important aspect of cyber defense.

Article: http://thehackernews.com/2016/08/dropbox-data-breach.html

Comments for “Article: SWIFT discloses more cyber thefts, pressures banks on security”

September 4, 2016 by Wade Mackey 3 Comments

Behind the scenes, SWIFT is upping the ante for financial institutions. If you do not upgrade your systems and put robust processes in place, you will find your institution disconnected from SWIFT. This is effectively a death sentence for a bank.

 

Wade Mackey

Comments for “Students can use the dark web to cheat their way through school”

September 4, 2016 by Wade Mackey 1 Comment

It sounds old fashioned, but I tell students that the main person you cheat is yourself. Much like this course, if you just want to get through with a score, it is not difficult. If you want to learn and be prepared for your future, then you have to put the work in.

Wade Mackey

 

Comments for “Feds Warn States to Batten Down Hatches Following Election System Attacks”

September 4, 2016 by Wade Mackey 2 Comments

This is an area where internal threats may be even greater.  Admins of these systems have the ability to “adjust” vote counts.  This means processes will need to be put in place to ensure this does not happen or is logged and reported.

Wade Mackey

 
