Tesla Remote Hack: Passengers Exposed to Frightening Risks

In the midst of all the hype surrounding next-gen automobile capabilities featured on Tesla vehicles, the company receives its share of bad press when something goes wrong with a sci-fi Tesla feature. Last week was no different, when one Shanghai-based Internet security firm demonstrated vulnerabilities in the Tesla software and performed unauthorized remote control on Tesla cars.

What is startling about these latest exploits is the range of actions that hackers managed to trigger remotely, some while the car was in motion, and one from 12 miles distant.

Here’s what the white hat hackers at Keen Security were able to achieve:

  1. On the research car when parked up, they remotely operated the sunroof, the indicator lights and adjusted the position and vertical tilt of the car seat.

The team claimed they had researched several Tesla models and, to demonstrate that claim, they exploited a brand new Tesla S75D to which they had not previously had physical access.

  2. While parked up and switched off, with the driver searching for the nearest charging station, the team remotely took control of the system using a laptop and planted a hacked message on the display consoles to prove the point. The driver was unable to regain use of the screens. Then they unlocked the driver’s door remotely, from the laptop.

The more alarming exploits were demonstrated on the vehicle while it was in motion.

  3. From a laptop inside the car, the security researcher was able to switch on the windscreen wipers. Then indicator control was hacked during a lane change maneuver and the researcher was able to fold the wing mirror closed.

A vivid visual came next, again while the car was in motion.

  4. From the laptop, the researcher was able to unlock the trunk, which flew open in an abrupt and startling manner when viewed from inside the vehicle.

The final demonstration was the most unsettling. While the previous exploits were amusing and in the parlor game category, none of them could be considered life threatening to other road users.

  5. From an office 12 miles away, the researcher was able to remotely activate the emergency stop brake on a moving car. The effect was quite dramatic on the occupants. It was a fitting finale to an extremely interesting demonstration.

Connected cars loaded with automated functionality have already become commonplace in automobile research and development. Drivers are relieved of mundane tasks that would otherwise keep them engaged in a traditional car, which means that Tesla drivers are not always in full control of their machines. The recent exploits therefore pose an extremely high risk to Tesla passengers. The security research firm, Keen Security, published a blog article and video detailing their exploits.

It should be noted that it took the Keen Security team many months of focused investigation to uncover the secrets for these contactless remote access exploits. However, it’s not the first time such exploits have been discovered.

Last year, a Tesla was exploited via its entertainment system and there were previous exploits before that. The general consensus is that the Tesla software is now very difficult to crack and that can only be a good thing. Tesla has already updated the firmware and owners are urged to download it as a matter of urgency. Not that your average computer geek will be easily able to uncover exploits. The guys at Keen Security are the crème de la crème of geekdom in that they dedicate 12 hours a day to their chosen career and insist that they work only on the side of the angels.

The best solution for now: Update the Tesla software with (some) patches to these vulnerabilities.

MIT Researchers Devise TOR Alternative That’s 10x Faster

Tor (The Onion Router) is now 14 years old and the biggest bugbear that users consistently moan about is speed. Riffle is proclaimed to deliver significant advances in anonymity technology, including both more reliable anonymity and being 10 times faster than Tor. It is a new anonymity system developed jointly by MIT and the École Polytechnique Fédérale de Lausanne. Riffle is still at the prototype stage and quite a way from becoming commercially available. Two applications have been developed, for microblogging and for file sharing.

Riffle’s approach uses multiple technologies, none of which are new, but they are layered and interact in a way that has not been done before. The overall effect is that messages are split and packets are delivered in a random sequence that is computed in advance (hence the riffle, or shuffle) and is verified at the receiving end so that the message is reassembled.

The claim for greater security of anonymity is based on Tor’s known susceptibility to hacking by introducing rogue code and predefined messages onto a node, one of its estimated 4,500 network servers. As the servers are owned and maintained by volunteers, the possibility of introducing a malicious node is obvious. The known messages can then be tracked through the network. Riffle’s architecture uses an anytrust model, which means that, so long as just one single node remains uninfected, network security is not compromised.

At its core, Riffle uses a Mixnet, a small number of networked servers, to perform the message shuffle. Unlike Tor, where messages are sent in a linear sequential manner from one node to the next, the first thing Riffle does is to send the messages to all servers in the Mixnet where a new hybrid “verifiable shuffle” of the already split message components is performed, which also creates a mathematical proof. This proof can be used to validate that the message has not been modified and protects from malicious interference with the Mixnet system.

The network nodes use shared private-key encryption, which in turn depends on authenticated encryption, and is used in conjunction with the onion-layer model of successive layers of message data. Each node receives the authenticated private key. This process renders the packets effectively indecipherable except to the network nodes, where each layer is stripped to reveal the encrypted routing directions for the next node. Messages are retrieved by the receiving party using Private Information Retrieval (PIR) to further assist with client anonymity.
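The two mechanisms the last three paragraphs describe, layered authenticated encryption that each server strips in turn and a per-server shuffle whose secrecy only needs one honest server (the anytrust model), are easier to see in code. The following is a constructed teaching example written for this article; it is not Riffle's code, and it omits Riffle's verifiable-shuffle proofs and PIR. It assumes the client already shares a symmetric key with every server, uses SHA-256 in counter mode with an HMAC tag as a stdlib-only stand-in for a real authenticated cipher, and gives each server a seeded random permutation so the run is reproducible.

```python
import hashlib
import hmac
import os
import random

# Constructed example: a toy "anytrust" mixnet with onion-layered
# encrypt-then-MAC. Not Riffle's protocol (no shuffle proofs, no PIR).
# Assumption: server keys are pre-shared with the client.

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stdlib-only stand-in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip one layer; any modification is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: layer was modified in transit")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def layer_intact(key: bytes, blob: bytes) -> bool:
    """True if the outermost layer authenticates under key, False if tampered."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def wrap_onion(message: bytes, server_keys: list) -> bytes:
    """Client applies layers inner-to-outer so server 0 strips the outermost one.
    A real mixnet also pads every message to a fixed length so sizes do not
    link inputs to outputs; this toy skips padding for brevity."""
    blob = message
    for key in reversed(server_keys):
        blob = seal(key, blob)
    return blob


def mix_server(key: bytes, batch: list, rng: random.Random):
    """One server: strip its layer from every message, then apply its own secret permutation."""
    stripped = [unseal(key, blob) for blob in batch]
    perm = list(range(len(stripped)))
    rng.shuffle(perm)
    # output position j carries the input that arrived at position perm[j]
    return [stripped[i] for i in perm], perm


def run_mixnet(messages: list, server_keys: list, seeds: list):
    """Push a batch through every server in turn; returns the output batch and
    each server's permutation (which, in reality, only that server knows)."""
    batch = [wrap_onion(m, server_keys) for m in messages]
    perms = []
    for key, seed in zip(server_keys, seeds):
        batch, perm = mix_server(key, batch, random.Random(seed))
        perms.append(perm)
    return batch, perms


def trace_sender(output_index: int, perms: list) -> int:
    """Link an output back to its sender. This needs EVERY server's permutation:
    with even one honest server keeping its permutation secret, every input
    index is equally consistent with the observed output (anytrust)."""
    idx = output_index
    for perm in reversed(perms):
        idx = perm[idx]
    return idx


if __name__ == "__main__":
    msgs = [b"alpha", b"bravo", b"charlie", b"delta"]
    keys = [os.urandom(32) for _ in range(3)]
    out, perms = run_mixnet(msgs, keys, seeds=[11, 22, 33])
    print("output order:", out)
    print("sender of output 0 (needs all permutations):", trace_sender(0, perms))
```

The point of `trace_sender` is that it is the adversary's view: recovering who sent what requires the permutations of all servers, so compromising every server but one gains nothing, which is the property the article attributes to the anytrust model. The HMAC check in `unseal` is the toy counterpart of the article's "mathematical proof" that a message was not modified in transit; a real verifiable shuffle additionally proves that the server permuted honestly.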

The 10x speed enhancement over Tor has been measured in independent tests. Riffle’s approach of the verifiable shuffle and PIR makes compute and bandwidth efficiencies that add up to a significantly faster throughput than what Tor can achieve.

At this early stage, the future for Riffle is still unclear. The security community will take it to pieces to fully test its potential and further validate (or disprove) its heightened security claims. If proven, it will no doubt be welcomed by Internet users living under oppressive regimes where staying alive can depend on total anonymity in Internet terms. Its speed alone may position it as “the new Tor” and see it take over the mantle of the most popular anonymity technology. Right now, it’s a watch and wait brief to observe its progress from prototype to something tried and trusted.

Four-Year-Old DropBox Hack Comes Back to Haunt

It’s hard to believe that Dropbox is almost 10 years old. It seems to have been around forever. It’s now a $10 billion cap corporation and as close to being a household name as something as mundane as data storage can get for an operation.

The numbers are staggering. Almost 500 million of us use it or have used it at some point. That means a major chunk of social responsibility for Dropbox to maintain the robust and impenetrable security required and expected by all us users. But they dropped the ball back in 2012. Security was penetrated and some 68+ million email addresses and hashed (scrambled) passwords were stolen. Fortunately, the repercussions have not been as bad as they could have been because of the scrambled nature of the passwords.

Dropbox advised users to change their passwords at the time but PR and reputation damage limitation now seems to have been uppermost on the priorities list. Last week, four years later, we are told that 60 million users were affected.

The thing is that all of us regular consumers who use online services of any description still have the mentality of the free Internet. We really don’t like paying very much and we are astounded if the service is not rock solid and utterly professional for our $5/mth or whatever.

Many of us, even hardened IT veterans, have not taken on board the vital necessity of using strong, secure passwords. The “it happens to other people, not to me” mentality is deadly because when it does happen, the impact can be scarily bad. I wonder how many people use Dropbox as their automatic backup for their laptops and devices? And of those, how many keep confidential documents like passport scans and bank account details (yes, even passwords too) in a Notepad file. Everything is probably replicated at Dropbox and, over time, users can forget that fact and forget that the security of their data has a massive dependency on an outside agent that is under constant security attack.

The incident at Dropbox stemmed from one user whose email account was hacked. The intruder then managed to locate and retrieve four files that contained the data. The lesson here is that every touchpoint with the outside world is a potential vulnerability. Every corporation invests significantly in security expertise but the defenders have to win 100% of the time 24/7/365. The attackers need to get lucky only once. And passwords with their very human creators and maintainers are still one of the weakest links.

Enterprises do instigate password security processes, such as encouraging users to change passwords frequently. However, users typically access a number of different applications, each of which requires a password, so the temptation to take the convenient route of weak but memorable passwords and reusing them is a constant. It is the individual that needs to change, and changing one’s habits is not something that can be done without an internal driver. That driver does not exist for too many of us.

Dropbox has moved to restrict the downside from the incident. It encourages users to adopt their two-step authentication process, which is a must-do no-brainer for any users of the service who have been made aware of it. Dropbox and their user base were lucky on this occasion because the stolen passwords were salted (obfuscated with a secret text string) before hashing, which means that cracking them is unlikely. However, they are now out there and may be cracked one day. Therefore any reuse of a password that was used for a Dropbox account should be changed immediately.
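Why salting before hashing matters so much, and why a stolen salted hash is still not harmless, is worth showing concretely. The example below is added for this article and says nothing about which scheme Dropbox actually used; it contrasts an unsalted SHA-1 store (where a precomputed table of common passwords cracks hashes in bulk and identical passwords are immediately linkable) with a salted, iterated PBKDF2-HMAC-SHA256 store, and includes the verifier a service would run at login. The wordlist and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed example for this article; not Dropbox's implementation.

def unsalted_sha1(password: str) -> str:
    """The weak scheme: same password -> same hash, for every user, every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated hash. The random per-user salt means identical passwords
    produce different stored values and precomputed tables are useless; the
    iteration count makes each guess expensive for an attacker who holds the dump."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store everything needed to verify later, in one self-describing string.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table_hits(stolen_hashes: list, wordlist: list) -> dict:
    """What an attacker does with an UNSALTED dump: build the table once, then
    look every stolen hash up in it. Returns {hash: recovered_password}."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {h: table[h] for h in stolen_hashes if h in table}


def linkable_accounts(stolen_hashes: list) -> int:
    """Number of accounts sharing a stored value with another account. With
    unsalted hashes this exposes password reuse without cracking anything."""
    counts = {}
    for h in stolen_hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample data.
    users = {"alice": "letmein", "bob": "letmein", "carol": "zq8!Vx#2-long-phrase"}
    weak_store = [unsalted_sha1(p) for p in users.values()]
    strong_store = [hash_password(p) for p in users.values()]
    common_words = ["password", "123456", "letmein", "qwerty"]
    print("unsalted dump, table hits:", precomputed_table_hits(weak_store, common_words))
    print("unsalted dump, linkable accounts:", linkable_accounts(weak_store))
    print("salted dump, table hits:", precomputed_table_hits(strong_store, common_words))
    print("salted dump, linkable accounts:", linkable_accounts(strong_store))
```

Even with the salted store, an attacker who holds the dump can still run `verify_password` style guessing against one account at a time, which is why the article's advice stands: a password used at Dropbox and anywhere else should be changed, and two-step authentication turns a cracked password into a partial failure rather than a total one.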

It goes to show that, as users of Internet services, we simply must take nothing for granted. Any service is a potential victim of a security breach.

If we truly want to create a virtual Fort Knox for our critical and sensitive data, images, plans, or anything else that is in digital format – the best way (and according to many experts, the only way) is to encrypt the data and hold those encryption keys ourselves. Stay tuned for some announcements from us at Scram Software on how we’ll make it easy for you to do exactly that.

Cyber Criminals Demand Ransom for 655,000 Patient Records

The famous American criminal Willie Sutton was asked once why he robbed banks, to which he is reported to have answered, “Because that’s where the money is”. The statement is apropos to a question that many people are asking in response to the accelerating frequency of cyberattacks on hospitals. Because that’s where the personal information is. Personal information equals money! In fact, it is estimated that personal information is worth ten times more on the black market than a credit card number. As Paul Syverson, Co-creator of the Tor web browser says, “Your medical records have bullseyes on them.”

Therefore, it should come as no surprise to read the numerous headlines in 2016 concerning cyber attacks on healthcare organizations. The year started with a highly publicized ransomware attack on the Hollywood Presbyterian Medical Center in February, which shut down the hospital for nearly a week until management agreed to pay $17K to the cyber criminals.

Unfortunately, that attack proved to be simply the opening shot across the bow of the health care industry. Earlier this summer a trio of data breaches culminated in a loot of 655,000 patient records. The breaches were the work of a hacker or hacker group using the name “The DarkOverLord,” a former ransomware expert who has now chosen to pursue the high-stakes game of stealing patient health information records, or PHI. The breach was discovered when the hacker contacted the three health organizations involved to alert them that their patient databases had been captured and that samples had been posted on a site called RealDealMarket, an unscrupulous site on the dark web where cybercriminals sell everything from stolen credit cards to drugs.

The data breach included the following:

  • 48,000 patient records from a clinic in Farmington, Missouri, United States. The records were acquired from a Microsoft Access Database in plain text.

  • 210,000 patient records from a clinic in the central Midwest United States, captured in plain text. The records include Social Security numbers, first and last names, middle initial, gender, date of birth, and postal address.

  • The largest breach was a database of 397,000 records from a large clinic based in Atlanta, Georgia, which also included primary and secondary health insurance and policy numbers. Like the other incidents, the data was not encrypted.

The DarkOverLord is demanding a ransom of $1 per record from each of the organizations and has assigned a separate deadline to each victimized organization. If his demands are not met by those dates, the records will then be sold to multiple buyers. The hacker claims that he contacted all three organizations prior to stealing the patient records to inform them that he had breached their networks and was asking for funds to inform them of their vulnerabilities but heard nothing. “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer,” The Dark Overlord said in an interview to a news site that reports on the hacking community.

The three attacks all shared the same means of incursion: each clinic was affiliated with a third-party health care information management application. The hacker was able to infiltrate the vendor’s network and took advantage of several SQL exploits. The attacker(s) then used a zero-day RDP exploit to gain access to the three clinics.
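The article does not say which SQL weaknesses the vendor had, but the single most common root cause of "SQL exploits" against a records application is building queries by pasting user input into SQL text. The example below is constructed for this article (it is not the vendor's code and assumes nothing about their schema) and shows the vulnerable lookup beside the parameterized version against an in-memory SQLite table of constructed sample rows, so the difference can be run and checked rather than described.

```python
import sqlite3

# Constructed example for this article; the schema and rows are invented.


def build_demo_db() -> sqlite3.Connection:
    """Tiny in-memory patient table standing in for a clinic's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, last_name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO patients (last_name, ssn) VALUES (?, ?)",
        [("Adams", "000-00-0001"), ("Baker", "000-00-0002"), ("Clark", "000-00-0003")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, last_name: str) -> list:
    """VULNERABLE: the search term becomes part of the SQL text itself, so a
    quote in the input changes the query's structure instead of its data."""
    query = f"SELECT last_name FROM patients WHERE last_name = '{last_name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """HARDENED: the query text is fixed; the driver passes the value separately,
    so whatever the input contains it can only ever match a last_name."""
    rows = conn.execute("SELECT last_name FROM patients WHERE last_name = ?", (last_name,))
    return [row[0] for row in rows]


def audit_query_sources(log_lines: list) -> list:
    """Defensive check over application log lines (constructed format
    'SQL: <statement>'): flag any statement that embeds a quoted literal
    instead of a ? placeholder, which is where injection risk lives."""
    flagged = []
    for line in log_lines:
        if line.startswith("SQL: ") and "'" in line and "?" not in line:
            flagged.append(line[len("SQL: "):])
    return flagged


if __name__ == "__main__":
    conn = build_demo_db()
    probe = "x' OR '1'='1"  # classic structure-altering input
    print("unsafe lookup returns:", lookup_unsafe(conn, probe))  # every row
    print("safe lookup returns:  ", lookup_safe(conn, probe))    # nothing
```

Parameterization fixes the structural problem, but it would not have helped with the records themselves being stored in plain text: the bullet list above shows that once the attacker was past the query layer, every field was readable. Encrypting sensitive columns with keys the application server does not hold at rest is the complementary control the rest of this piece argues for.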

All three clinics contacted their patients to alert them of the breach and the impending risk of identity theft. In the case of the Atlanta based firm, local police have already begun documenting police reports from patient victims reporting that their credit has been compromised. All three organizations must now suffer major hits to their credibility and reputation and impending lawsuits will undoubtedly be coming soon. According to a study in 2016 by the Ponemon Institute, the average cost per stolen record in the United States healthcare industry is $355 and $158 globally.

All of this points to the importance of encrypting your data, especially in the cloud. The days of storing data as plain text are over. No one wants to ever be contacted by a hacker.