2013/08/06

08.06.13 | Hackers take Ford, Toyota cars for a ride

Editor's Corner:
Setting the record straight

What's New:
1. Hackers take Ford, Toyota cars for a ride
2. Trustwave SpiderLabs uncovers pooper snooper
3. US Airways suffers two data breaches in less than a month
4. Hackers steal host names and MAC addresses of Tor Browser Bundles users
5. BREACH vulnerability threatens HTTPS secrets of organizations

Spotlight:
BYOD security key part of Windows 8.1 update

Also Noted:
Is malware going to the cloud?; Security researchers and the law; Much more...

News From The Fierce Network:
1. Justice Department wants to bring hammer down on Apple
2. Almost all iOS developers are supporting iOS 7, survey finds
3. US Trade Rep overturns ITC's import ban of iPhones and iPads

FierceITSecurity

August 6, 2013



Editor's Corner

Setting the record straight

By Fred Donovan


At the Black Hat conference last week, Gen. Keith Alexander, director of the National Security Agency, took great pains to set the record straight about the NSA's massive metadata collection program.

I was impressed by the thoroughness of the general's presentation, while annoyed at hecklers who shouted out slogans during his keynote.

As I explained in my report on his Black Hat keynote address, Alexander went through the agency's legal authority under amendments to the Foreign Intelligence Surveillance Act (FISA) contained in the PATRIOT Act passed in the aftermath of the 9/11 attacks.

Section 215 of the PATRIOT Act authorizes the U.S. government to collect business records on both U.S. and non-U.S. citizens, Alexander explained. This is different from Section 702 of the act, which permits the U.S. government to eavesdrop on the conversations of non-U.S. citizens outside the United States.

In the spirit of setting the record straight, I admit that I confused the two sections in my Editor's Corner of July 23, 2013. I lamented that Section 702, which is focused on surveillance of non-U.S. citizens, did not authorize NSA to collect metadata from U.S. carriers on U.S. citizens. It seemed to me that NSA was overstepping its legal authority in collecting that information.

Now, after listening to the general, I understand that NSA in fact has the legal authority to engage in its broad metadata dragnet of U.S. citizens under the PATRIOT Act. As explained (.pdf) by the Congressional Research Service, a non-partisan research arm of Congress, Section 215 authorizes the U.S. government to collect business records on U.S. citizens if they are relevant to a foreign intelligence, international terrorism, or espionage investigation.

My concern that the NSA's metadata dragnet violates the Fourth Amendment remains, but I understand now that the responsibility for this violation lies with Congress, which passed the PATRIOT Act, and the courts for not striking it down. The NSA, by contrast, is operating within the broad surveillance power granted to it by Congress.

Throughout his keynote, Alexander stressed that the NSA's surveillance program has thwarted numerous terrorist attacks, 54 to be exact. But as I mentioned in my previous Editor's Corner, not everything is permitted in the pursuit of national security. The Constitution protects certain rights, such as the right to free speech and the right against unreasonable searches and seizures, regardless of the impact on national security.

I am reminded of another sad episode in U.S. history when national security concerns overrode basic rights guaranteed by the Constitution: the internment of U.S. citizens of Japanese descent during World War II. These U.S. citizens were not accused of espionage or other wrongdoing. They were imprisoned simply because they were of Japanese descent and we were at war with Japan.

That program was authorized by President Roosevelt and upheld by the Supreme Court in the name of national security. There is now a broad consensus of historians that the program was an unjustified usurpation of U.S. citizens' rights.

I'm sure that years from now, the PATRIOT Act and other overreaching laws passed by Congress and carried out by the U.S. government in the name of fighting terrorism will receive a similar verdict from history. - Fred


What's New

1. Hackers take Ford, Toyota cars for a ride

By Fred Donovan

At the DEF CON hacker conference held last week, researchers demonstrated that they could hack into car computers and take control of the steering, acceleration and braking functions.

Charlie Miller, a Twitter security engineer, and Chris Valasek, IOActive director of security intelligence, were able to hack into electronic control units (ECUs) of a Ford Escape and a Toyota Prius, according to a report by CIO magazine.

By gaining access to the ECUs, the hackers were able to disable the brakes while the car was moving, jerk the steering wheel around, accelerate rapidly, shut off the engine, and display incorrect speedometer and fuel level readings.

Across the Pond, University of Birmingham researchers were able to hack into anti-theft systems on a number of luxury cars. In response, Volkswagen sued to prevent the researchers from publishing their findings, arguing that publication could "facilitate theft of cars," according to a report by the Birmingham Mail.

The German auto maker was able to convince the U.K. High Court to impose an injunction against publication of the research. High Court Justice Colin Birss said: "I recognize the high value of academic free speech, but there is another high value, the security of millions of VW cars."

Responding to the court ruling, a university spokesman said: "The university is disappointed with the judgment which did not uphold the defense of academic freedom and public interest, but respects it. It has decided to defer publication of the academic paper while additional technical and legal advice is obtained given the continuing litigation."

Commenting on the controversy, Alex Fidgen, director of IT security firm MWR InfoSecurity, said: "Vendors should not try to block security research, they should work together with the researchers to understand the nature and potential consequences of the threats they are facing."

Fidgen warned: "car manufacturers...are on a never-ending treadmill to try and keep ahead and offer their customers the latest technology. However, they now need to take a step back and look at how security should be embedded."

For more:
- read the CIO article
- check out the Birmingham Mail report
- see the MWR InfoSecurity release

Related Articles:
TechNavio: Telematics market to grow at a 22.7% CAGR through 2016
Frost: Ethernet could be catalyst for connected cars
Your luxury car could be gone in six seconds



2. Trustwave SpiderLabs uncovers pooper snooper

By Fred Donovan

Trustwave SpiderLabs has uncovered a security hole in a new line of high-tech Japanese toilets that enables a hacker to gain control of the automated features, such as self-raising seats and defecation monitoring.

While not an earth-shaking IT security breach, the news highlights a growing danger as everything becomes connected to the internet: hackers can gain control of these devices and use them for mischief or even criminal purposes. IDC estimates that 1.7 billion smart connected devices and appliances will be shipped next year.

The Japanese toilets use the Android "My Satis" application, which can control the toilet's various functions through a Bluetooth connection. The toilet maker hardcoded the Bluetooth PIN of "0000," making it easy for a hacker to access the toilet's controls through the app, Trustwave explained.

"An attacker could simply download the 'My Satis' application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user," Trustwave SpiderLabs explained in a security advisory.

Trustwave said it contacted the manufacturer, LIXIL Corp., but had not received a response, and that no patch is currently available.

A report from Japan Press Daily noted that the high-tech toilets are popular in Japan and that the Satis toilet keeps detailed poop records. The My Satis app "can even access the detailed defecation records stored in the commode. Now we don't know for what nefarious purposes that can be used, but we sure don't want anyone having records of what and when we go number 2," the report's author, Ida Torres, opined.

Commenting on the toilet-gate revelation, Chris Merritt, director of solutions market for security firm Lumension, cautioned in a blog: "As we rush headlong into this interconnected world, we need to be sure to think through 'all' the engineering challenges, and not succumb to bad assumptions. If it's connected, someone's gonna try to hack it."

For more:
- check out the Trustwave SpiderLabs advisory
- read the Japan Press Daily report
- see Merritt's blog

Related Articles:
Hackers take Ford, Toyota cars for a ride
IDC: Big 4 emerging markets to ship more smart connected devices than developed world next year
IDC: Apple gains on market leader Samsung in smart connected device shipments



3. US Airways suffers two data breaches in less than a month

By Fred Donovan

While US Airways execs have been focused on their merger with American Airlines, they appear to have taken their eyes off data security, resulting in two breaches in less than a month.

On July 18, US Airways sent a letter to employees informing them that their W-2 forms for tax years 2010, 2011, and 2012 may have been viewed by other employees because of a "programming error" by the airline's data processing vendor ADP.

ADP informed US Airways on June 6 of the possible breach and told the airline that the error had been fixed May 4. The letter did not specify when ADP found out about the problem or explain why the airline took more than a month to notify employees.

The W-2 form "could have been downloaded with another US Airways employee's W-2, but it would not have been readily apparent to the other employee and would only be detected by the other employee if he or she took additional steps to retrieve the information," US Airways explained in the letter.

The airline said it was unaware of any unauthorized access of the W-2s, but it was offering employees a one-year subscription to Experian's ProtectMyID alert service.

In the second breach, involving Dividend Miles customers, US Airways said that a "small number" of Dividend Miles accounts were breached by hackers who had stolen usernames and passwords by an unknown method.

In a letter to Dividend Miles customers obtained by the Office of Inadequate Security website, US Airways said the breach included access to the customer's name, address, email address, and answers to security questions. In some cases, the hackers also got access to date of birth, Known Traveler number, and the last four digits of credit card numbers, but not Social Security numbers or passport numbers. The undated letter was created on Aug. 2.

US Airways deactivated the passwords of affected customers and advised them to log in and change their password. The airline is also signing them up for a free membership in LifeLock's credit monitoring service.

It appears that US Airways and American Airlines will have to focus on more than merging their air routes when they complete their merger, which the European Commission approved this week. Data security should also be high on the priority list.

For more:
- see US Airways' letter to employees
- check out the Office of Inadequate Security site
- read the Reuters story on the merger

Related Articles:
Spotlight: States beef up data breach reporting laws
California agency takes 6 months to notify victims about financial information breach



4. Hackers steal host names and MAC addresses of Tor Browser Bundles users

By Fred Donovan

Attackers have been stealing host names and media access control (MAC) addresses of users running the Firefox-based Tor Browser Bundles for Windows, the Tor Project blog warned.

The Tor Browser Bundle enables users to maintain anonymity by "bouncing" communications "around a distributed network of relays run by volunteers" around the world, the Tor Project explained.

The hackers exploited a JavaScript vulnerability in Firefox, a hole that was plugged in Firefox 17.0.7 Extended Support Release (ESR).

"The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer. However, the observed version of the attack appears to collect the host name and MAC address of the victim computer, send that to a remote web server over a non-Tor connection, and then crash or exit," explained a security advisory.

It appears that exploitation of the vulnerability is related to efforts to take down Freedom Hosting. "The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users," the Tor Project blog explained.

Brian Krebs, on his KrebsonSecurity blog, said that U.S. law enforcement appears to be targeting Freedom Hosting because of its alleged ties to a child pornography ring run by Eric Eoin Marques. Krebs cited a blog by Ofir David, head of intelligence for Israeli security firm Cyberhat, in which David said the attacks appear to be related to Marques' arrest.

For more:
- check out the Tor Project blog
- see the Tor Project security advisory
- read Krebs' blog post

Related Articles:
Firefox boycotts Apple over iOS browser restrictions
RIM urges BlackBerry users to disable JavaScript amid security vulnerability



5. BREACH vulnerability threatens HTTPS secrets of organizations

By Fred Donovan

The CERT Coordination Center (CERT CC) is warning about a vulnerability in compressed HTTPS responses that could enable an attacker to recover plaintext secrets from the responding organization.

The vulnerability, known as BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), is an offshoot of the CRIME security hole uncovered last September.

Security researcher Angelo Prado of Salesforce.com (NYSE: CRM) reported the vulnerability to the CERT CC. He explained that "by injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size."

Prado added: "This relies on the attacker being able to observe the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site. To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response."

At last week's Black Hat conference, Prado, Neal Harris and Yoel Gluck demonstrated a successful BREACH attack against Outlook Web Access in under 30 seconds, Michael Mimoso reported on the Threatpost blog.

CERT CC warned that there is no practical solution to the problem. The center advised organizations to try a number of tactical mitigation strategies: "disable HTTP compression, separate the secrets from the user input, randomize the secrets in each client request, mask secrets (effectively randomizing by XORing with a random secret per request), protect web pages from CSRF [cross-site request forgery] attacks, [and/or] obfuscate the length of web responses by adding random amounts of arbitrary bytes."

Some of these steps may succeed in protecting entire applications, while others may only protect web pages, according to CERT CC, which is run by Carnegie Mellon University and sponsored by the Department of Homeland Security.
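An added example, not from the newsletter or the CERT CC advisory, that shows the size signal Prado describes and the "mask secrets" mitigation the center lists side by side. The page layout, the CSRF token and the reflected query are constructed for the demonstration.

```python
import os
import zlib

# Constructed page layout (not from the advisory): a CSRF token, the kind of
# secret BREACH targets, sits in the same compressed response as text
# reflected from the request, which is the part an attacker can influence.
TEMPLATE = (
    "<html><body>"
    "<form action='/transfer'>"
    "<input type='hidden' name='csrf' value='{token}'>"
    "</form>"
    "<p>No results for: {query}</p>"
    "</body></html>"
)


def compressed_size(body: str, level: int = 9) -> int:
    """Size of the body after DEFLATE, i.e. the response length seen on the wire."""
    return len(zlib.compress(body.encode(), level))


def render_plain(secret: str, query: str) -> str:
    """Vulnerable response: the secret is embedded verbatim on every request."""
    return TEMPLATE.format(token=secret, query=query)


def mask_secret(secret: bytes) -> str:
    """CERT CC's 'mask secrets' mitigation: XOR the secret with a fresh random
    pad per request and send pad || (pad XOR secret), hex-encoded.  The bytes
    on the page change every time, so a reflected guess can never match them
    and the compressor has nothing to shorten."""
    pad = os.urandom(len(secret))
    masked = bytes(p ^ s for p, s in zip(pad, secret))
    return (pad + masked).hex()


def unmask_secret(token_hex: str) -> bytes:
    """Server side: split the submitted token and XOR to recover the real secret."""
    raw = bytes.fromhex(token_hex)
    half = len(raw) // 2
    return bytes(p ^ m for p, m in zip(raw[:half], raw[half:]))


def render_masked(secret: str, query: str) -> str:
    """Hardened response: only the masked token ever appears in the body."""
    return TEMPLATE.format(token=mask_secret(secret.encode()), query=query)


def size_leak(render, secret: str, right_guess: str, wrong_guess: str) -> int:
    """Bytes saved when the reflected text equals the secret versus when it does
    not.  A positive, repeatable value is the side channel the advisory
    describes; a defender can run this against their own templates to check."""
    return (compressed_size(render(secret, wrong_guess))
            - compressed_size(render(secret, right_guess)))


if __name__ == "__main__":
    secret = "r4nd0mT0k3nV4lu3"  # constructed sample token
    print("plain response leaks bytes:", size_leak(render_plain, secret, secret, secret[::-1]))
    print("masked response leaks bytes:", size_leak(render_masked, secret, secret, secret[::-1]))
    token = mask_secret(secret.encode())
    print("token on page:", token, "-> unmasks to", unmask_secret(token))
```

The plain response always compresses smaller when the reflected text matches the token, while the masked figure varies around zero from request to request because the page bytes are random each time.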

For more:
- check out the CERT advisory
- read Mimoso's blog

Related Articles:
Tips on how to use public Wi-Fi safely
Work begins on next-gen HTTP 2.0 protocol
Iran reportedly blocking encrypted network traffic



Also Noted

TODAY'S SPOTLIGHT... BYOD security key part of Windows 8.1 update

BYOD security is a key component of Microsoft's (NASDAQ: MSFT) Windows 8.1 update, explains Dustin Ingalls, group program manager for Windows security and identity, in a recent blog. "The Windows 8.1 update offers a full spectrum of new and improved security capabilities – from features that enable devices to be fully locked down by IT, to remote security options for BYOD devices, to safeguards for personal devices that need to access business resources from home," explained Ingalls. Among other measures, Microsoft is including biometrics to control device access as well as encryption to secure data on mobile devices.

> Malware-as-a-service blossoms in Russia, vendor research finds. Article (CIO)
> Android one-click Google apps access cracked. Article (InformationWeek)
> What security researchers need to know about the law. Article (eWeek)
> Researcher builds botnet-powered distributed file storage system using JavaScript. Article (InfoWorld)
> Configuring Apache, Nginx, and OpenSSL for forward secrecy. Blog (Qualys)

And Finally… IRS holds up open source voting machines for six years. Article (Wired)


©2013 FierceMarkets. FierceITSecurity is an email list administered by FierceMarkets, 1900 L Street NW, Suite 400, Washington, DC 20036, (202) 628-8778.

Contact Us

Editor: Fred Donovan. VP sales and business development: Jack Fordi. Publisher: Ron Lichtinger.