What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2019-06-27 10:55:04 | Hackers can take control of Tesla Model 3 navigation. (lien direct) | Sat Nav spoofing is a growing threat to in-car driver assistance systems and autonomous vehicles, warns Regulus. Security researchers claim to have been able to hack into the navigation system of a Tesla Model 3, getting the vehicle to turn itself on. In early June, security specialists from Regulus conducted a test drive of the […] | Hack Threat | Tesla | |
 |
2019-03-25 15:47:01 | Two white hats hack a Tesla, get to keep it (lien direct) | >The electric automaker is working to release a fix for the underlying vulnerability in a matter of days | Hack Vulnerability | Tesla | |
|
2019-03-25 14:15:03 | (Déjà vu) Security Researchers hack Telsa Car at Pwn2Own contest. (lien direct) | A team of security researchers has hacked a Tesla Model 3 car on the last day of the Pwn2Own 2019 hacking contest that was held this week in Vancouver, Canada. Team Fluoroacetate –made up of Amat Cama and Richard Zhu– hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process […] | Hack | Tesla | |
 |
2019-01-15 14:10:02 | Huge prizes up for grabs for anyone who can hack a Tesla (lien direct) |  This year, for the first time ever, a popular car will be amongst the products hackers will be trying to exploit at the Pwn2Own contest.
Read more in my article on the Hot for Security blog.
|
Hack | Tesla | |
 |
2019-01-14 22:51:04 | A security conference will let you hack a Tesla car and earn cash prizes (lien direct) | Pwn2Own CanSecWest organizers will have a car on-site and let security researchers try their luck. | Hack | Tesla | |
 |
2018-09-12 06:48:00 | Tesla Model S Hack Could Let Thieves Clone Key Fobs to Steal Cars (lien direct) | Despite having proper security measures in place to protect the driving systems of its cars against cyber attacks, a team of security researchers discovered a way to remotely hack a Tesla Model S luxury sedans in less than two seconds.
Yes, you heard that right.
A team of researchers from the Computer Security and Industrial Cryptography (COSIC) group of the Department of Electrical
|
Hack | Tesla | |
 |
2018-09-10 17:33:17 | California\'s bad IoT law (lien direct) | California has passed an IoT security bill, awaiting the government's signature/veto. It's a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little improve security, while doing a lot to impose costs and harm innovation.It's based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.We don't want arbitrary features like firewall and anti-virus added to these products. It'll just increase the attack surface making things worse. The one possible exception to this is “patchability”: some IoT devices can't be patched, and that is a problem. But even here, it's complicated. Even if IoT devices are patchable in theory there is no guarantee vendors will supply such patches, or worse, that users will apply them. Users overwhelmingly forget about devices once they are installed. These devices aren't like phones/laptops which notify users about patching.You might think a good solution to this is automated patching, but only if you ignore history. Many rate “NotPetya” as the worst, most costly, cyberattack ever. That was launched by subverting an automated patch. Most IoT devices exist behind firewalls, and are thus very difficult to hack. Automated patching gets beyond firewalls; it makes it much more likely mass infections will result from hackers targeting the vendor. The Mirai worm infected fewer than 200,000 devices. A hack of a tiny IoT vendor can gain control of more devices than that in one fell swoop.The bill does target one insecure feature that should be removed: hardcoded passwords. But they get the language wrong. A device doesn't have a single password, but many things that may or may not be called passwords. A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services like Telnet (based on /etc/passwd), and yet a wholly separate system for things like debugging interfaces. Just because a device does the proscribed thing of using a unique or user generated password in the user interface doesn't mean it doesn't also have a bug in Telnet.That was the problem with devices infected by Mirai. The description that these were hardcoded passwords is only a superficial understanding of the problem. The real problem was that there were different authentication systems in the web interface and in other services like Telnet. Most of the devices vulnerable to Mirai did the right thing on the web interfaces (meeting the language of this law) requiring the user to create new passwords before operating. They just did the wrong thing elsewhere.People aren't really paying attention to what happened with Mirai. They look at the 20 billion new IoT devices that are going to be connected to the Internet by 2020 and believe Mirai is just the tip of the iceberg. But it isn't. The IPv4 Internet has only 4 billion addresses, which are pretty much already used up. This means those 20 billion won't be exposed to the public Internet like Mirai devices, but hidden behind firewalls that translate addresses. Thus, rather than Mirai presaging the future, it represents the last gasp of the past that is unlikely to come again.This law is backwards looking rather than forward looking. Forward looking, by far the most important t | Hack Threat Patching Guideline | NotPetya Tesla | |
 |
2018-07-27 13:00:00 | Things I Hearted this Week, 27th July 2018 (lien direct) |
Welcome to your weekly security roundup, providing you all with the security news you deserve, but maybe might not need.
As always, these news stories are human-curated by me - no fancy algorithms, no machine learning, and definitely no trending topics here.
We are less than two weeks away from Blackhat in sunny Las Vegas. We’ll be there - pop along to booth 528 and say hello if you’re there.
Google: Security Keys Neutralized Employee Phishing
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.
Google: Security Keys Neutralized Employee Phishing | Krebs on Security
While we’re on the topic of phishing, attackers used phishing emails to break into a Virginia bank twice in eight months, making off with more than $2.4 million in total. Now the bank is suing its cybersecurity insurance provider for refusing to fully cover the loss.
Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M | Krebs on Security
We’re probably going to see more of this kind of back and forth as companies that have taken out cyber insurance and suffered a breach fight with their insurers over liability and who will cover the cost.
Somewhat related:
Scam of the week, another new CEO fraud phishing wrinkle | KnowBe4
Breaking the Chain
Supply chain and third party risks are getting better understood, but understanding a risk doesn’t necessarily mean it will reduce the risk.
Tesla, VW, and dozens of other car manufacturers had their sensitive information exposed due to a weak security link in their supply chains.
Tesla, VW data was left exposed by supply chain vendor Level One Robotics | SC Magazine
SIM Swap - A Victim’s Perspective
This is a really good write-up by AntiSocial engineer taking a look at how SIM swap fraud can impact victims, and why mobile phone operators need to do more to prevent this kind of fraud.
“It’s an all too common story, the signal bars disappear from your mobile phone, you ring the phone number – it rings, but it’s not your phone ringing. Chaos ensues. You’re now getting password reset emails from Facebook and Google. You try to login to your bank but your password fails. Soon enough the emails stop coming as attackers reset your account passwords. You have just become the newest victim of SIM Swap Fraud and your phone number is now at the control of an unknown person.”
SIM Swap Fraud - a victim’s perspective | AntiSocial Engineer
EU Fails to Regulate IoT Security
In this week’s head-scratching moment of “what were they thinking?”, the European Commission has rejected consumer groups' calls for mandatory security for consumer internet-connected devices because they believe voluntar |
Data Breach Hack | Tesla | |
|
2018-06-22 13:00:00 | Things I Hearted this Week, 22nd June 2018 (lien direct) |
The Tesla Insider
Elon Musk sent out an email stating an employee had stabbed the company in the back like Brutus, changing production code, and leaking inside information. I'll admit that like many people who have talked about or written about insider threats in the past, I instinctively punched the air and yelled, "YES! I warned you but you didn't listen."
The incident is also notable for the impact it had on the company's share price which dropped more than 6% in trading.
"I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations, this included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."
Insider threats defined | AlienVault
Tesla hit by insider saboteur who changed code, exfiltrated data | SC Magazine
Tesla sinks after Elon Musk says an employee conducted 'sabotage' and Trump ramps up fears of a trade war (TSLA) | Business Insider
Can't Fix Won't Fix, Don't Fix
Organisations cannot afford to view penetration testing as a tick box exercise. How should they mitigate the fact some vulnerabilities can’t be fixed, won’t be fixed, and in some instances, actually shouldn’t be fixed?
Can’t fix, won’t fix, don’t fix: Is it time for businesses to rethink how they action pen test results?| IT Pro Portal
On the topic of pen tests, check out Adrian Sanabria's presentation slides from RSA earlier this year on killing the pen test.
It's time to kill the pen test (PDF) | RSAconference
To add balance, and to convince you pen testers out there that I'm not a bad person who hates all pen testers, here's an awesome collection of penetration testing resources that include tools, online resources, books, courses, conferences, magazine...
Awesome Penetration Testing | Kinimiwar, GitHub
A Case Study In Bad Disclosure
Imagine you're a researcher and have found a vulnerability, you then disclose it responsibly to a vendor, then that vendor fixes the issue - but instead of sending the chopper over to you with a care package, they pretend like you didn't exist. Akin to Tom Cruise getting disavowed in every single Mission Impossible movie.
Then imagine that vendor submitted the vulnerability details to Google and received a bug bounty award to the tune of $5,000.
Then to top it off, they sat back in a massive reclining chair, threw their head back and laughed as they donated the full $5,000 to a good cause.
|
Hack Vulnerability Guideline | Bithumb Tesla Tesla |
1
We have: 9 articles.
We have: 9 articles.
To see everything:
Our RSS (filtrered)
