An Important Message to Yahoo Users on Security
Yahoo, the tech company, has recently disclosed that it had been breached with over 500 million accounts compromised. According to haveibeenpwned.com, a website that allows users to search if their accounts have been breached using information from the web, the Dropbox breach could potentially be the biggest breach in history with the largest breach currently being MySpace with close to 360 million accounts compromised. The breach had occurred in late 2014 with the information being stolen including names, email addresses, telephone numbers, dates of birth, and hashed passwords. Yahoo had identified that the breach was caused by a state-sponsored hacker, which is to say that the individuals behind the attack had political motivation or support.
While this may seem just like another data breach that we hear on the news, the two areas that make this breach important are the size and how long it took Yahoo to publicly release the hack. According to the Fortune article, many states require companies to report a breach within 30 days in order to protect users. However, Yahoo has acknowledged that accounts were for sale online in August and has just recently prompted users to review their online accounts and activity. Due to Yahoo not taking the necessary actions to warn users in a timely manner (within 30 days), Yahoo might be facing legal issues going forward. For myself at least, I normally think of the damage of data breaches being a loss in reputation or having to pay for damages done to the users. However, fines for not following the law are another cost that could affect those in data breaches. I will need to keep posted on this breach as Yahoo reveals more about the attack to the public.
Citations:
Yahoo Could Face Legal Trouble Over Delay in Disclosing Hack
https://haveibeenpwned.com/
http://www.businessinsider.com/yahoo-hack-by-state-sponsored-actor-biggest-of-all-time-2016-9
Your smart cars are at risk!
While electronic accessories and smart cars add leisure in cars, they also increase security issues.
Are you an owner of Audi or Volkswagen? What is the issue?
Volkswagen, Audi, Seat, Skoda keyless cars produced over the last 20 years are vulnerable to hack attacks due to cryptography keys. The car manufacturers are dependent upon a constant key scheme and thus vulnerable.
What is the attack?
Attackers use simple radio signals and can use a simple $40 radio for the attack. Hackers can identify the car, intercept the radio signal sent from a key fob to the car, then get the cryptographic “password” associated with the vehicle. That cryptographic key would then need to be paired with another special key. The constant key scheme used makes it easy to detect. The bad news is that the task would not be a serious challenge for a professional hacker, and if they ever found the special cryptographic key, they could leak the details online.
How can it affect you?
Although the mechanism cannot start the car it can still unlock it. This is a major physical security and theft issue, corporate scandals and theft.
With the newest technology to have driverless cars, this can be a major threat to human safety.
Who is safe?
VW’s cars built on the recent MQB platform, Golf, Tiguan, Touran, Passat models were not vulnerable to this attack.
[source: https://www.rt.com/news/355754-vw-keyless-system-hacked]
I had read this news earlier and at that time Yahoo had not accepted that the data had been breached. They said they were investigating. The news I read dated back to Aug 2nd. Prior to publishing the news, Motherboard had tested 5000 records and they had claimed that not all but a few accounts were accessible. And the accounts which were not accessible were so due to password changes, as the data dated back to 2012.
Now that Yahoo has accepted the breach, it has already been more than a month. The sale of accounts was already active on the dark web and the data lost has potential for further loss.
The article I found is about a new tactic adopted by cyber criminals in Melbourne. It seems like they now drop infected USB drives in random people's mailboxes, hoping that someone would plug one into their computer and give them access to their data.
One would think that with so much awareness of data breaches and hackers as well as the potential danger of USB drives, people would not even try to plug the device into their computer. However, I was surprised to know that many people were too curious and ended up infecting their computer. This raises the question of whether or not cyber criminals are now leveraging human psychology and using it as a tool to get to people. A study conducted by researchers from the University of Illinois, the University of Michigan and Google found that all of the targeted people not only plugged in the USB drive but also opened the files. Why is that? It is certainly not due to a lack of awareness.
Your thoughts?
http://thehackernews.com/2016/09/usb-malware.html
This is crazy! I guess we are not safe anywhere anymore. Whether you use your phone, your computer, your car or even the ATM machines, you put yourself at risk one way or another. The funny thing is that it will get even worse with the rise of technology.
They say we should be embracing new technology but it definitely comes with a big package.
Thanks for sharing Priya!
Hackers Leak Michelle Obama’s Passport Online
A scan of First Lady Michelle Obama’s passport has been published online, the feds are investigating the breach now. The scan appeared on a site with suspected ties to Russia, DCLeaks.com. The hacking group also published other confidential information like travel details, names, social security numbers and birth dates. The scan appeared to have been taken from a Gmail account belonging to a low-level White House contractor.
Last week the group published personal emails from former Secretary of State Colin Powell, with critical comments about presidential hopefuls Hillary Clinton and Donald Trump. DCLeaks is suspected to be linked to Russian intelligence services. Also, DCLeaks’ registration and hosting information aligns with other Fancy Bear activities and known tactics, techniques and procedures.
It seems like Russian hacking organizations have attacked American systems several times: Hillary Clinton’s email, American athletes’ medical records and this time Michelle Obama’s passport. However, it is difficult to understand their purpose. Those three events don’t seem to have anything in common. It is a threat that they may cause trouble for the presidential election day. Also, it is a warning call for the government to see how vulnerable their systems are.
Link: http://www.infosecurity-magazine.com/news/hackers-leak-michelle-obama/
Mengxue, thanks for sharing this news. You have brought up an interesting question here. What is the purpose of hackers exploiting identity theft?
Mainly that happens not for a direct monetary gain. A person may steal personal information to get details of your personal life that can be used while committing a bigger fraud.
Another reason is that hackers want to blackmail the target and get easy cash. I had read about an incident where the hacker stole health data and blackmailed patients about disclosing their personal information in public. The hacker could have a revenge motive.
http://www.ehow.com/list_7341860_reasons-identity-theft-occurs.html
Flaw with iOS 10 allows hackers to crack passwords:
A severe security flaw was uncovered in the new release of Apple iOS 10 which can allow hackers to crack passwords from backups 2500 times faster than before. The new password verification method is 2500 times slower than iOS 9 backups. Elcomsoft researchers discovered that when an iOS 10 backup is saved in iTunes, a password cracking tool can be used to conduct a brute force attack at a rate of 6 million times per second and can also decrypt the entire content of the backup including the keychain.
Apple is working on a security update to fix it. Apple has since modified its OS to restrict private APIs. But yet one can find a way around this restriction. This may not be fixed just by an update and not sure how quickly this can be fixed. Probably along with the iOS 10 update, iTunes also has to be updated and the backup format also may need to be changed.
iOS is known to be malware free or threat free. Seeing this I feel that no organization can take its security lightly and should always be ready to face the threat no matter whatever preventive measures they take.
Source: http://www.ibtimes.co.uk/ios-10-security-flaw-allows-hackers-crack-passwords-2500-times-faster-russian-firm-elcomsoft-says-1583112
Article: US Issues Federal Security Guidance on Self-Driving Cars
In its most comprehensive statement yet on autonomous vehicles, the US Department of Transportation has issued a 15-point set of federal safety assessment guidelines covering issues like cybersecurity, black box recordings and how a vehicle would deal with potential ethical conundrums.
When it comes to cyber, the guidelines say that “the manufacturer or other entity should address the cross-cutting items as a vehicle or equipment is designed and developed to ensure that the vehicle has data recording and sharing capabilities; [and] that it has applied appropriate functional safety and cybersecurity best practices.”
On the privacy front, DoT said that manufacturers’ privacy policies must explain how they collect, use, share, secure, audit and destroy data from vehicles, offering choices as to how personally identifiable information (PII) like geolocation, biometric and driver behavior data is accessed and used. It also said that manufacturers should collect and retain the minimum amount of personal data required to achieve legitimate business purposes—and keep the data only for as long as necessary.
Spot on the news post Paul! To piggyback off the previous post, it’s a shame it took so long for Yahoo to disclose this information.
Priya, most definitely agree with that email notification. The brunt of the backlash would have been minute. Unless Yahoo wanted the bad publicity. I would like not to think so, but reading some Twitter users' tweets regarding it was pretty funny about Yahoo doing a publicity stunt.
http://www.trtworld.com/americas/hackers-break-into-500-million-yahoo-accounts-191846
The article I read is about how mobile devices and mobile security is likely to become the next corporate focus for security executives because in recent times, hacks and exploits have become more successful. In fact, it is now a fact that mobile security NEEDS to be part of the broader policy and procedure mix because most incidents are due to employees failing to follow basic security instructions and procedures. Securing mobile devices is tricky because of the above fact, because employees lose their devices, and because oftentimes people use their own unsupported devices for work. Researchers have found that PINs and passwords can be stolen from mobile devices with 80% accuracy on their first hack and 90% on their second attempt. The reality is that while executives want to bring in the latest and greatest technology in mobile technology, even the latest mobile devices are one of the weakest links in corporate security. So the bottom line is that mobile security, protecting data, securing networks, and training employees to take security seriously is going to be a huge focus and challenge for security executives moving forward.
article: https://hbr.org/2016/09/your-biggest-cybersecurity-weakness-is-your-phone
***********Disclaimer: Posted this new article by accident on week 4 -_-************
This article goes into explanation about the massive hacks that have been happening via Dark Net to huge companies. A few of these heavy hitters that fell victim include: Apple, DropBox, Uber, McDonald’s, Ebay, etc. As many as 85 companies have been targeted by these “Russian hackers.”
The article goes into further details that there is no knowledge regarding the identities of the perpetrators and no links have been established to foreign governments. Yet, if the information that was seized by these hackers is valuable, they allude that we can expect to see these stolen credentials for sale on the dark web.
Source: https://www.hackread.com/dark-net-russian-hackers-hit-us-firms/
Firefox browser vulnerable to Man-in-the-Middle Attack
I found an article about a critical vulnerability residing in Mozilla’s Firefox browser that allows attackers to launch a MITM attack. This can deliver a malicious update to a targeted computer.
The main issue exists in Firefox Certificate Pinning, which is an HTTPS feature that makes sure the user’s browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, preventing the user from being a victim of an attack made by spoofing the SSL certs.
Mozilla announced that they scheduled the release of Firefox 49 on September 20; users should update to the new version and disable automatic add-on updates.
http://thehackernews.com/2016/09/firefox-tor-mitm_18.html
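The pin check described in the post above, as an added example that is not part of the original post or Firefox's own code: it hashes each public key in a presented chain and compares it with the pins stored for the host, including the subdomain case. The host names, the byte strings standing in for DER-encoded public keys, and the `PinEntry` store are constructed assumptions, and the check is assumed to run after ordinary certificate-chain validation has already succeeded.

```python
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Base64 of the SHA-256 digest of a SubjectPublicKeyInfo blob (the pin)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinEntry:
    pins: frozenset                   # accepted pins for this domain
    include_subdomains: bool = False  # whether the pins also cover subdomains


def find_entry(host, store):
    """Return the most specific pin entry covering host, or None if unpinned."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        # i == 0 is an exact match; parent domains count only when the
        # entry was stored with include_subdomains set.
        if entry and (i == 0 or entry.include_subdomains):
            return entry
    return None


def check_connection(host, chain_spkis, store):
    """Classify a presented chain as 'not-pinned', 'pin-ok' or 'pin-mismatch'.

    chain_spkis holds the public key (SPKI bytes) of every certificate in
    the chain. One match anywhere in the chain satisfies the pin set, so
    pinning an issuing CA key lets the site rotate its leaf key freely.
    """
    entry = find_entry(host, store)
    if entry is None:
        return "not-pinned"
    presented = {spki_pin(spki) for spki in chain_spkis}
    return "pin-ok" if presented & entry.pins else "pin-mismatch"


# Constructed stand-ins for DER-encoded public keys (not real key material).
PINNED_CA_KEY = b"constructed-spki:pinned-issuing-ca"
BACKUP_KEY = b"constructed-spki:offline-backup-key"
SITE_LEAF_KEY = b"constructed-spki:site-leaf"
OTHER_CA_KEY = b"constructed-spki:other-trusted-ca"
SPOOFED_LEAF_KEY = b"constructed-spki:spoofed-leaf"

# Constructed pin store; a backup pin avoids lock-out if the CA key is retired.
PIN_STORE = {
    "updates.example.test": PinEntry(
        frozenset({spki_pin(PINNED_CA_KEY), spki_pin(BACKUP_KEY)}),
        include_subdomains=True,
    ),
    "login.example.test": PinEntry(frozenset({spki_pin(PINNED_CA_KEY)})),
}

if __name__ == "__main__":
    cases = [
        ("updates.example.test", [SITE_LEAF_KEY, PINNED_CA_KEY]),
        # A certificate that chains to some other trusted CA would pass
        # normal validation; the pin check is what rejects it.
        ("updates.example.test", [SPOOFED_LEAF_KEY, OTHER_CA_KEY]),
        ("cdn.updates.example.test", [SPOOFED_LEAF_KEY, OTHER_CA_KEY]),
        ("a.login.example.test", [SPOOFED_LEAF_KEY, OTHER_CA_KEY]),
    ]
    for host, chain in cases:
        print(f"{host:28s} {check_connection(host, chain, PIN_STORE)}")
```

The last case shows the coverage gap to look for when reviewing a pin list: a subdomain of an entry stored without `include_subdomains` is not protected at all.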
Binu,
Really interesting article. I think they have released updates concerning the issue. Also, iOS is far from being malware free or threat free. It’s just because more people use Android and Windows phones. So hackers put all their energy in those OS as it’s more lucrative.
Hackers stole airline miles to book a hotel room or airline
It’s easy for hackers to get into your airline and hotel rewards accounts, then use your hard-earned points and miles for their own gain. Hackers might use passwords from lower-security sites like shopping platforms or chat forums and try those same passwords on frequent flier accounts, or they might send out phishing emails to trick customers into giving away account information.
http://www.huffingtonpost.com/entry/airline-miles-hackers_us_57e56a8fe4b0e80b1ba1da6c
The article I read this week is called “Chinese Hackers Remotely Control Tesla Cars.” It reported that Chinese researchers have discovered major security vulnerabilities in several Tesla car models, allowing them to remotely apply the brakes, open the boot and perform other actions which could put drivers in danger. In addition, the cyber-attack allows folding the car’s wing mirrors when it changes lanes while driving, and allows braking the car when in motion. This was the first case of a remote attack on Tesla cars. Other professionals argued that it is the modern car’s connectivity which often leaves it exposed to attack, especially as mechanical and electrical engineers don’t have the requisite TCP/IP skills to develop secure implementations. And he listed several focuses: “open source to improve the quality of the software; forging a root of trust in hardware to ensure firmware can’t be reflashed and replaced; and security-by-separation via hardware-assisted virtualization, to ensure lateral movement inside embedded systems is not allowed.”
As a result, Tesla has fixed the issues and claimed that the bug could only be exploited if a car was physically near and connected to a malicious wifi hotspot.
http://www.infosecurity-magazine.com/news/chinese-hackers-remotely-control/
Synopsis of “Swift Reports Summer Cyber Attacks on Three Banks”
Since this week’s case study was online banking, I thought this article was interesting because it points out that not only online banking is vulnerable to cyber attacks.
Swift is a company that provides a financial messaging network to businesses, banks, and other financial institutions to make transactions, which includes real-time payment systems. It currently connects 11,000 institutions in over 200 different countries.
Hackers were able to create and transmit fraudulent messages requesting money transfers to a third-party beneficiary. Some of the banks hit were in Bangladesh (India), Ecuador, Ukraine, and Vietnam. A total of $81 million has been transferred by hackers, and SWIFT CEO warns financial institutions to take additional precautions to secure their local networks.
To learn more about SWIFT: https://www.youtube.com/watch?v=t_lPPxUwdM0
Articles: http://securityaffairs.co/wordpress/50854/security/swift-discloses-attacks.html
http://www.wsj.com/articles/swift-reports-summer-cyber-attacks-on-three-banks-1474924036
Russian ‘Fancy Bear’ Hackers Hit Mac OS X With New Trojan
Fancy Bear has been spotted using a new Trojan that targets Apple Mac OS X machines. The group used a phishing email to lure the user into downloading a file that looks like a PDF but instead is malicious executable code. The victim works in the aerospace industry, and thought he/she was downloading a file containing the Russian space program. Once the victim opens the file or link, a decoy document with a PDF-looking icon appears.
Until now, the group was mostly attacking Windows machines in its targeted attacks against government agencies, nonprofits, non-government organizations.
This is really interesting because people think Apple OSs are not vulnerable to attacks; whereas, more and more hackers are developing malware to attack those OSs.
Source: http://www.darkreading.com/operations/russian-fancy-bear-hackers-hit-mac-os-x-with-new-trojan/d/d-id/1327016
New MarsJoke Ransom-ware Targets Government Agencies
State and local government agencies, K-12 educational institutions, healthcare, telecommunications, insurance are being targeted in a newly discovered spam email campaign aimed at distributing a new ransomware variant.
The MarsJoke ransom-ware email campaign featured emails containing links to an executable file named “file_6.exe,” which was hosted on various sites with recently registered domains. Apparently, the attackers registered the abused domains for this specific campaign, marking a major shift from the usual attached document campaigns.
The attackers use subject lines such as “Checking tracking number,” “Check your package,” “Check your TN,” “Check your tracking number,” “Tracking information,” and “Track your package”, to convince victims.
It creates .bat and .txt instruction files and saves them throughout the file system, to alert the victim to the infection. Infected users need to follow the instructions included in a locker window. The malware also changes the victim’s desktop background and displays a ransom message in several languages, including English, Russian, Italian, Spanish, and Ukrainian. Victims are warned that, if a 0.7 Bitcoin ransom isn’t paid within 96 hours, their files are deleted.
In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections.
NEWS: “Leaked NSA Hacking Tools Were ‘Mistakenly’ Left By An Agent On A Remote Server”
The Shadow Brokers, a hacking group, published leaked data including hacking tools that were made to inject malware into various servers and also leaked “best files” of some sophisticated “cyber weapons” and put them on sale for 1 million bitcoins. The Shadow Brokers obtained all these tools by hacking an NSA-linked group.
It turns out that the NSA’s private zero-day exploits, malware and hacking tools were directly hacked. A former NSA employee left these tools on a remote server three years ago and a group of Russian hackers discovered them, according to investigation by Reuters. These hacking tools helped hackers to exploit vulnerabilities in systems of Cisco, Juniper and Fortinet.
The careless employee did realize the mistake and reported it to the NSA shortly, but instead of notifying the affected vendors about the associated risks, the NSA kept quiet. When the NSA’s cyber weapons were released in public, Cisco and Fortinet confirmed “the leaked zero-day vulnerabilities were legitimate and issued out patches to fix those exploits.”
Hackers will continue to use the exploits to launch cyber-attacks and some of the Cisco customers were targeted as well; Cisco released a new zero-day vulnerability from the data that was dumped publicly.
Source: https://thehackernews.com/2016/09/nsa-hacking-tool-exploits.html
I read the article named “IOS 10 Flaw Could Expose Backup Data to Hackers”. The article points out that the iOS 10 operating system skips certain security checks during the backup process. Indeed, this can increase the running speed of the system; however, compared with iOS 9, the newest version of the iOS operating system raises the risk of being hacked, which may cause a serious data leak of users’ personal information. According to the article, iOS 10 potentially gives hackers access to information stored in a user’s Apple Keychain. This could include passwords, credit card information and Wi-Fi network information. Apple confirmed to Forbes that it was aware of the issue and was working on a fix.
Source: http://www.infosecurity-magazine.com/news/ios-10-flaw-could-expose-backup/
IoT devices being increasingly used for DDoS attacks
IoT attacks have long been predicted, with plenty of speculation about possible hijacking of home automation and home security devices. Today, attackers tend to be less interested in the victim and the majority wish to hijack a device to add it to a botnet, most of which are used to perform distributed denial of service (DDoS) attacks. The number of attack groups focusing on IoT has multiplied over the past year. 2015 was a record year for IoT attacks, with eight new malware families emerging.
Just this month the security vendor Sucuri reported on a large DDoS attack launched from 3 different types of botnets (CCTV botnet, home router botnet and compromised web servers). While not commonly seen in the past, attacks originating from multiple IoT platforms simultaneously may be seen more often in the future, as the amount of the embedded devices connected to the Internet rises.
Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected. Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords. More than half of all IoT attacks originate from China and the US. High numbers of attacks are also emanating from Russia, Germany, the Netherlands, Ukraine and Vietnam.
Majority of attacks originate in US and China
Analysis of a Symantec honeypot which collects IoT malware samples found that the highest number of IoT attacks originated in China, which accounted for 34 percent of attacks seen in 2016. Twenty-six percent of attacks stemmed from the US, followed by Russia (9 percent), Germany (6 percent), the Netherlands (5 percent), and Ukraine (5 percent). Vietnam, the UK, France, and South Korea rounded out the top ten.
How to stay protected:
• Research the capabilities and security features of an IoT device before purchase
• Perform an audit of IoT devices used on your network
• Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password”
• Use a strong encryption method when setting up Wi-Fi network access (WPA)
• Many devices come with a variety of services enabled by default. Disable features and services that are not required
• Disable Telnet login and use SSH where possible
• Modify the default privacy and security settings of IoT devices according to your requirements and security policy
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Regularly check the manufacturer’s website for firmware updates
• Ensure that a hardware outage does not result in an unsecure state of the device
Source: http://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks
Hi Ian,
The mobile devices have been one of the weakest links in corporate security because most organizations have begun using mobile devices to increase operational efficiencies but they don’t have strong control or security in place. It is very important for organizations to take it seriously and set up strict policies for employees using their own devices for work. I am very shocked at how easy and accurate it is to steal our PINs and passwords on the first and second attempt on our mobile devices.
Bad Security Habits Persist Despite Rising Awareness
In the spirit of “Creating a Security Aware Organization Week”, I found an article that actually brings bad news about this topic. It seems that a survey was done in 2016 which found that despite 79% of organizations feeling that they learned lessons from cyber-attacks and improved security, only 25% deployed malware protection, followed by endpoint security, 24% and 16% deployed security analytics. They also found that 40% admitted to storing privileged and admin passwords in Word documents or spreadsheets, which is a worrying practice. Another point of worry is almost half (49%) of the respondents allow third-party access to their systems and public sector firms are doing a poor job of securing that access. 21% admitted to not securing connections at all while 33% do not monitor third-party activity on their network.
http://www.infosecurity-magazine.com/news/bad-security-habits-persist-despite/
Hi Laly,
Those tweets are pretty funny! Unfortunately, I wish it could be just a publicity stunt but instead this hack was backed by some government. I recently just read another interesting article on the breach and it gives a couple of examples of why a government will support such hacks.
Link: http://windowsitpro.com/troy-hunts-security-sense/security-sense-yahoos-nation-state-value-proposition
Interesting article Yulun,
In fact, security is not just about information security of an organization but all electric devices including cars, mobile phones and computers. I am imagining how dangerous and scary it is to remotely control a Tesla car while someone is using the auto drive feature of Tesla.
Uber’s new selfie check helps make sure riders get the driver they’re promised
Uber has announced that it will require drivers to take selfies before signing on to the platform and accepting ride requests. The new feature, called Real-Time ID Check, uses Microsoft machine learning to compare a selfie snapped in the moment against a driver’s registered profile pic, which Uber says is designed as a protective safety measure for rider and driver alike.
On the rider side, it means the driver you’re getting is the same one who went through Uber’s onboarding process. Plus, it may avoid things like “ghost driver” phenomenon.
On the driver side, Uber notes that this will prevent driver fraud, by essentially requiring an additional verification measure each time you log in. The equivalent Uber is looking to evoke seems to be with bank account security – it’s aiming to protect drivers against identity theft.
Source: https://techcrunch.com/2016/09/23/ubers-new-selfie-check-helps-make-sure-riders-get-the-driver-theyre-promised/
Hi Said,
Interesting article, I also used to think that Apple computers or its OSs are more secure against cyber attacks. In fact, none of the operating systems (Linux, MacOS, Windows) are perfect in security. Employees can still open phishing emails even though the OSs are perfectly secured. I recalled from our class that some organizations send out test phishing emails to see how their employees react to that. If employees do open the phishing email, they will be sent to complete specific trainings.
Hi Vaibhav,
Thanks for sharing this news, I think that we should avoid giving our personal information in some unsecured websites, but in fact, it is hard to define which website has lower security so I will tend to trust large companies because they would invest more in securing their websites.
The article that I selected this week is regarding the massive breach from 2014 in which over 500 million customer records were stolen in what Venafi (security consultant brought in after the breach) said was a state sponsored breach by a China group. The records were found for sale on a dark web site called The Real Deal. There are also accusations being tossed around that Yahoo’s CEO, Marissa Mayer, was aware of what was described as a devastating breach long before the breach was made public. The fallout from this breach could have far reaching impact as the timing of this being made public couldn’t have been worse, as Yahoo was in the process of selling their core business to Verizon and the filings to the SEC for the purchase were made just last week. During that process Mayer also said she had no knowledge of any serious breach of Yahoo’s internal systems or users' accounts. It appears that this was completely untrue and may end up terminating the sale to Verizon. This brings up serious questions as far as what the Chief Executive’s duty is when a breach of customer records is identified as far as notifying the users as well as making it available in the case where the company is up for sale to potential buyers. In addition to the implications of the Verizon acquisition, a class action lawsuit has been filed stating that they were negligent in protecting users' data. The issue at hand is that it appears that Yahoo was using an outdated algorithm and outdated certificates to create a relatively easy target for motivated individuals.
Hospital Security Fears as Pagers Come Under Spotlight
This article talks about how all healthcare organizations should immediately re-evaluate their use of pagers because unencrypted messages can be intercepted and spoofed with potentially life-threatening repercussions. Following are the key points that Trend Micro claimed in its new Leaking Beeps report:
• Pager messages can be simply decoded by a software-defined radio (SDR) and a $20 USB dongle.
• It enables remote hackers to spy on sensitive protected health information (PHI) being sent to and from facilities, including names and medical diagnoses.
• Hackers could sabotage medical prescriptions by spoofing messages intended for pharmacies; direct patients to the wrong operating room; create havoc by declaring emergencies inside facilities; and even steal the identities of dead patients.
What actions should be taken to prevent spoofed messages?
• Limiting the transmission of relevant documentation/information on the receiving end
• Vendors should include pre-shared key encryption (PSK) in pagers to protect customer privacy, and authentication needs to be designed into the firmware
http://www.infosecurity-magazine.com/news/hospital-security-fears-as-pagers/
Brits in Biometrics Boost as 20% Use Fingerprint Tech
While PINs and passwords (63%) are still the most popular way to authenticate via the device, nearly a quarter of respondents (21%) said they use fingerprint sensors to do so. This article highlights that PINs and passwords are not safe anymore and there is a growing need and influence of biometrics in cybersecurity. A majority of UK firms are expecting to increase their spending on biometrics in the next three years.
In fact, hackers can easily crack passwords by trying millions of word combinations, but it is much harder to hack the passwords or system with biometric technology. Organizations like banks should begin considering adopting biometric technology to improve the authentication of a customer. In our case study, HDFC bank had a hard time balancing the convenience levels of customers while improving the online banking security.
Source:
http://www.infosecurity-magazine.com/news/brits-in-biometrics-boost-20/
The Tesla Model S was hacked by a Chinese security research group (Keen Security) who posted the entire hack and how they did it on YouTube. The group was able to take over the controls of the car’s computer, door locks, and side mirrors during auto pilot mode. Tesla has provided patches for the security flaw.
This is a huge security flaw for Tesla, but glad the good guys were able to identify the issue before the bad guys found it. Glad to see Tesla proactive with security and technology.
http://www.usatoday.com/videos/tech/2016/09/21/90781180/
“HACKING, CRYPTOGRAPHY, AND THE COUNTDOWN TO QUANTUM COMPUTING”
The article I chose is about the threat of quantum computing to current encryption methods. At the moment, strong encryption is one of the best cyber security tools available, and most available computing power is not able to break strong encryption. Computers attempt to break encryption by trying one combination after another, in a method known as brute force, until successful. This method can be successful for weaker encryption, but the stronger the encryption, the harder it becomes for computers. Stronger encryption means longer passwords or possibilities for a computer to guess, and it can only guess one answer at a time. Most strong encryption standards are out of reach for current computers, but not for quantum computers.
Quantum computers operate differently than current computers. Today, computers process through 0 or 1, known as bits. Instead of bits, quantum computers store information as qubits, which can be either or both at once. Quantum mechanics allows for superposition, which allows for objects to exist in multiple states and/or be in different places simultaneously. Superposition is the primary threat that quantum computing poses to encryption. Unlike a traditional computer, which must try combinations sequentially, a quantum computer can try many different combinations simultaneously, exponentially speeding up the process. With more advancement in quantum computing, current encryption methods might become useless.
http://www.newyorker.com/tech/elements/hacking-cryptography-and-the-countdown-to-quantum-computing?mbid=rss
I think that Tesla was the first car manufacturer to deliver software updates remotely. While convenient, this can make the car vulnerable to cyber threats. On the other hand, it allows Tesla to push out security updates very quickly as opposed to having to do a traditional recall. While there are always going to be cyber security issues with cars, and Tesla is no exception, they have seemed to take the issue very seriously, but time will tell.
Another reminder of how inadequate cyber security is for healthcare organizations. Hard to believe that anyone is still using pagers, not to mention an organization that has a lot of sensitive data.
This hack isn’t that worrying I believe since other methods of getting into a car are easier. If you are parking in public, if you lock the door as you leave the car then it doesn’t matter if they sniff the signal when you wirelessly unlock the car. Since they can’t start the car there isn’t much they can do besides take items from it. Lockpicks can pick most commercial locks out there as is. Smashing the windows is another way into the car if you have left it. A pickpocket would take your keyfob as you walk away from the car.
This is interesting. This just reminds me how crazy security will have to be if they release the self-driving cars. Self-driving cars have zero room for error. A great/expensive product like a Tesla makes it seem like this may never happen. I am curious as to how well the patches will fix the security flaws with Tesla. I wonder what the hacker will be able to do to the movement of the actual car rather than just steal information and mess with the stereo and such.