Are Connected Cars on a Collision Course with Network Security?

Flipping through any consumer publication that rates vehicles, you’ll see all the metrics you would expect – from safety and performance (acceleration, braking, etc.) to comfort, convenience and fuel economy. What you won’t find is an assessment of the car’s risk of being remotely hacked. Unfortunately, if you happen to drive a 2014 Jeep Cherokee or 2015 Cadillac Escalade, your vehicle would likely have a one-star review in Consumer Reports for cybersecurity. These vehicles, along with 22 others with network capabilities, were profiled by researchers Charlie Miller and Chris Valasek during Black Hat 2014 earlier this month. They warned that a malicious attacker could hack into a connected car, doing anything from “enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes.” Days later, during the DefCon hacker conference, a group of security researchers calling themselves “I Am The Cavalry” sounded the same alarm, urging the automobile industry to build safer computer systems in vehicles. The warning comes years after automakers started testing the connected car waters, most notably Ford, as far back as 2010, with its “MyFord Touch” mobile Wi-Fi hotspot. Since then, Google has been in the driver’s seat of the connected car movement. There’s been buzz around Google’s efforts to produce self-driving cars for years, and the smoke signals only grew more prominent after Google moved its head of Android, Andy Rubin, to the robotics division of the company. While the convenience of connected cars will no doubt increase their popularity, it’s important for manufacturers of all network-ready vehicles to remember the importance of security technology. As we wrote last year about...

‘BadUSB’ Malware Leaves Terrible Taste at Black Hat 2014

If awards were given out at Black Hat 2014, one nominee for “Exploit of the Conference” would have won in a runaway – the “BadUSB” exploit. Researchers Karsten Nohl and Jakob Lell caused quite a stir in Las Vegas earlier this month, which quickly spread to the rest of the world of cybersecurity, when they showed how USB drives could be reprogrammed and transformed into portable malware carriers. Nohl and Lell explained that since USB drives are designed to be reprogrammable, a hacker could make a drive masquerade as another device. In one example, an attacker could reprogram a USB device to assume the function of a keyboard, and then issue commands to the computer or install malware. And possibly the worst part of the vulnerability is that a user has no visibility into the software running a USB drive, so there’s no way to find out if their drive has been affected. In the wrong hands, a BadUSB drive really is “scarily insecure,” as Nohl put it.

USB Drives are Repeat Cybersecurity Offenders

Long before Black Hat 2014, it was widely known that USB drives are not the most secure way to transfer data between devices. Convenient, yes. Secure, no. Not only are USB drives easy to lose, but any device with a USB interface could potentially be affected by malware originating from a USB drive, including laptops and phones. As far back as July 2011, the Ponemon Institute found that 70 percent of businesses could trace data breaches back to USB drives. Even the NSA found USB drives to be useful for espionage purposes. In December 2013,...

It’s Time for Retailers to Tell Point-of-Sale Hackers to ‘Back Off’

It’s Groundhog Day all over again for retailers, following the U.S. Department of Homeland Security’s warning that they could, once again, be exploited by malicious actors. Less than a year after hacks of Target and Neiman Marcus caught the attention of government investigators, and the whole country, Homeland Security is again weighing in on a hack targeting retailers. This time, the culprit – “Backoff” – is able to establish command-and-control of retail point-of-sale systems, giving hackers free rein to steal customer credit card numbers and other personal information, like email addresses and phone numbers. According to Homeland Security, malicious actors are able to compromise PoS systems through remote desktop applications – such as LogMeIn, Join.Me, and other similar solutions from Microsoft, Apple and Google – and then use brute force attacks to deploy the PoS malware. Once they’ve seized control of the desktop, attackers can run roughshod however they please. Variations of Backoff attacks have been traced back as far as October of last year with up to 600 retailers thought to have been affected.

Download a VPN Client or Install a Remote Desktop?

In its release, Homeland Security issued a number of network security solutions retailers can deploy to mitigate the risk of a Backoff attack – some more effective than others. The first suggestion is for retailers to configure their remote desktop client so that specific users, or IP addresses, are locked out after multiple failed login attempts. Generally, but not always, brute force attacks like Backoff can be prevented this way. The problem is that denial of access is only a bandage solution. We’ve written it before...

Poor Communication Leads to Defeat on the Network Security Battlefield

In September 1862, the 27th Indiana Infantry Regiment, situated near Frederick, Maryland, made a discovery that could have altered the Civil War. It all began without much fanfare. Two soldiers found three cigars, held together with an unassuming piece of paper. There was nothing extraordinary about it, until the soldiers realized the document was actually a Confederate battle plan. The soldiers then acted quickly, passing the battle plan up the chain of command, all the way to Union leader General George B. McClellan, who, historians note, could have used that information to “destroy the opposing army one piece at a time.” Yet, McClellan took 18 hours to act, and by the time he started moving against the Confederate forces, General Robert E. Lee had enough time to mobilize his forces and hold off the assault.

The Power of Information

During wartime, information can create just as much of an advantage for one side as the size of an army or the weapons they hold. That is, as long as this information is accurate, passed along to the right people and then acted upon quickly. In McClellan’s case, everything fell into place, except for the “acted upon” step. The situation is similar for IT security professionals today, in their own war against threats to cybersecurity. They constantly gather intelligence about threats to sensitive corporate information and they understand how remote access vulnerabilities could be exploited by attackers. Where they fall short – or rather, where their “commanding officers” (executive teams) fall short – is with how that information is passed along and acted upon. Nearly one-third of IT security teams...