Slashdot security articles


Fake Cancerous Nodes in CT Scans, Created By Malware, Trick Radiologists

Wed, 04/03/2019 - 11:11
Researchers in Israel created malware to draw attention to serious security weaknesses in medical imaging equipment and networks. An anonymous reader shares a report: Researchers in Israel say they have developed malware to draw attention to serious security weaknesses in critical medical imaging equipment used for diagnosing conditions and the networks that transmit those images -- vulnerabilities that could have potentially life-altering consequences if unaddressed. The malware they created would let attackers automatically add realistic, malignant-seeming growths to CT or MRI scans before radiologists and doctors examine them. Or it could remove real cancerous nodules and lesions without detection, leading to misdiagnosis and possibly a failure to treat patients who need critical and timely care. Yisroel Mirsky, Yuval Elovici and two others at the Ben-Gurion University Cyber Security Research Center in Israel who created the malware say that attackers could target a presidential candidate or other politicians to trick them into believing they have a serious illness and cause them to withdraw from a race to seek treatment. The research isn't theoretical. In a blind study the researchers conducted involving real CT lung scans, 70 of which were altered by their malware, they were able to trick three skilled radiologists into misdiagnosing conditions nearly every time. In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.

A Suite of Digital Cryptography Tools, Released Today, Has Been Mathematically Proven To Be Completely Secure and Free of Bugs

Wed, 04/03/2019 - 07:26
By making programming more mathematical, a community of computer scientists is hoping to eliminate the coding bugs that can open doors to hackers, spill digital secrets and generally plague modern society. From a report: Now a set of computer scientists has taken a major step toward this goal with the release today of EverCrypt, a set of digital cryptography tools. The researchers were able to prove -- in the sense that you can prove the Pythagorean theorem -- that their approach to online security is completely invulnerable to the main types of hacking attacks that have felled other programs in the past. "When we say proof, we mean we prove that our code can't suffer these kinds of attacks," said Karthik Bhargavan, a computer scientist at Inria in Paris who worked on EverCrypt. EverCrypt was not written the way most code is written. Ordinarily, a team of programmers creates software that they hope will satisfy certain objectives. Once they finish, they test the code. If it accomplishes the objectives without showing any unwanted behavior, the programmers conclude that the software does what it's supposed to do. Yet coding errors often manifest only in extreme "corner cases" -- a perfect storm of unlikely events that reveals a critical vulnerability. Many of the most damaging hacking attacks in recent years have exploited just such corner cases.

Facebook is Demanding Some Users Share the Password For Their Outside Email Account

Wed, 04/03/2019 - 06:01
An anonymous reader shares a report: Just two weeks after admitting it stored hundreds of millions of its users' own passwords insecurely, Facebook is demanding some users fork over the password for their outside email account as the price of admission to the social network. Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. "To continue using Facebook, you'll need to confirm your email," the message demands. "Since you signed up with [email address], you can do that automatically ..." A form below the message asked for the users' "email password." "That's beyond sketchy," security consultant Jake Williams told the Daily Beast. "They should not be taking your password or handling your password in the background. If that's what's required to sign up with Facebook, you're better off not being on Facebook." In a statement emailed to the Daily Beast after this story published, Facebook reiterated its claim it doesn't store the email passwords. But the company also announced it will end the practice altogether. "We understand the password verification option isn't the best way to go about this, so we are going to stop offering it," Facebook wrote. It's not clear how widely the new measure was deployed, but in its statement Facebook said users retain the option of bypassing the password demand and activating their account through more conventional means, such as "a code sent to their phone or a link sent to their email." Those options are presented to users who click on the words "Need help?" in one corner of the page.

Researcher Prints 'PWNED!' On Hundreds of GPS Watches' Maps Due To Unfixed API

Wed, 04/03/2019 - 05:00
An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches -- some of which are used by children and the elderly -- open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps. Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number of vulnerable Vidimensio GPS watches has grown ten times since December 2017, despite the warning from German authorities to destroy and stop using children's smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness of these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history map -- displayed inside the mobile apps and the watches' web dashboard.

IT and Security Professionals Think Normal People Are Just the Worst

Tue, 04/02/2019 - 10:54
Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent. [...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

Laptops To Stay in Bags as TSA Brings New Technology To Airports

Tue, 04/02/2019 - 06:44
Air passengers at a growing number of U.S. airports will no longer need to remove electronics, liquids, and other items from their carry-on luggage at security checkpoints as the Transportation Security Administration rolls out new technology. From a report: The TSA took a major step in a broader plan to revamp its overall screening process with faster, more advanced technology when it signed a contract Thursday for hundreds of new carry-on baggage screening machines, Administrator David Pekoske said on a press call Friday. The agency has tested the new technology at more than a dozen airports since 2017, along with the relaxed protocols that allow passengers to leave items such as laptops and toiletries inside their luggage. The rollout of the computed tomography, or CT, machines will begin this summer, Pekoske said. The $97 million contract will buy 300 machines, but the list of airports receiving them has yet to be made final, Pekoske said. The technology creates 3-D images of bags' contents and will eventually be able to detect items automatically that the TSA now asks passengers to remove, he said.

Researchers Trick Tesla Autopilot Into Steering Into Oncoming Traffic

Tue, 04/02/2019 - 05:00
An anonymous reader quotes a report from Ars Technica: Researchers have devised a simple attack that might cause a Tesla to automatically steer into oncoming traffic under certain conditions. The proof-of-concept exploit works not by hacking into the car's onboard computing system. Instead, it works by using small, inconspicuous stickers that trick the Enhanced Autopilot of a Model S 75 into detecting and then following a change in the current lane. Researchers from Tencent's Keen Security Lab recently reverse-engineered several of Tesla's automated processes to see how they reacted when environmental variables changed. One of the most striking discoveries was a way to cause Autopilot to steer into oncoming traffic. The attack worked by carefully affixing three stickers to the road. The stickers were nearly invisible to drivers, but machine-learning algorithms used by Autopilot detected them as a line that indicated the lane was shifting to the left. As a result, Autopilot steered in that direction. The researchers noted that Autopilot uses a variety of measures to prevent incorrect detections. The measures include the position of road shoulders, lane histories, and the size and distance of various objects. [A section of the researchers' 37-page report] showed how researchers could tamper with a Tesla's autowiper system to activate the wipers when rain wasn't falling. Unlike traditional autowiper systems -- which use optical sensors to detect moisture -- Tesla's system uses a suite of cameras that feeds data into an artificial intelligence network to determine when wipers should be turned on. The researchers found that -- in much the way it's easy for small changes in an image to throw off artificial intelligence-based image recognition (for instance, changes that cause an AI system to mistake a panda for a gibbon) -- it wasn't hard to trick Tesla's autowiper feature into thinking rain was falling even when it was not.
So far, the researchers have only been able to fool autowiper when they feed images directly into the system. Eventually, they said, it may be possible for attackers to display an "adversarial image" that's displayed on road signs or other cars that do the same thing. In a statement, Tesla officials said that the vulnerabilities addressed in the report have been fixed via security update in 2017, "followed by another comprehensive security update in 2018, both of which we released before this group reported this research to us." They added: "The rest of the findings are all based on scenarios in which the physical environment around the vehicle is artificially altered to make the automatic windshield wipers or Autopilot system behave differently, which is not a realistic concern given that a driver can easily override Autopilot at any time by using the steering wheel or brakes and should always be prepared to do so and can manually operate the windshield wiper settings at all times."

Taiwan To Block Tencent and Baidu Streaming Sites, Citing National Security and Propaganda Concerns

Mon, 04/01/2019 - 18:20
Taiwan is blocking video streaming services of Chinese tech giants Baidu and Tencent Holdings, citing national security and propaganda concerns ahead of a presidential election next year. "Chiu Chui-Cheng, deputy minister of Taiwan's Mainland Affairs Council, [said] that Taiwan is likely to ban Baidu's popular iQiyi platform, and block Tencent's plan to bring its streaming service to the island later this year," Nikkei Asian Review reports. From the report: "We are concerned that streaming media services that have close ties with Beijing could have cultural and political influences in Taiwan... and even affect Taiwan's elections," Chiu said. "If Tencent's streaming video service is trying to enter the Taiwanese market, it's very likely that it's a part of Beijing's propaganda campaign," he said. "What if the company inserts some content that Beijing hopes to advertise? What if it implements messages linked to the Communist Party or its army? We should treat this seriously and carefully at a national security level." The official said that Beijing has stepped up its "cultural infiltration" into Taiwan after Chinese President Xi Jinping used a speech in January to push for an accelerated reunification process. Taiwan does not allow any Chinese Netflix-like streaming services to operate locally, but search engine giant Baidu has been operating in Taiwan through an agent, OTT Entertainment, after Taipei blocked the platform in November 2016. The company's data shows iQiyi's Taiwan site -- one of the most popular video streaming platforms on the island -- has 2 million active daily users.

Former NSA Spies Hacked BBC Host, Al Jazeera Chairman for UAE

Mon, 04/01/2019 - 12:45
A UAE cyber espionage contractor staffed with several former U.S. intelligence agents hacked journalists or news executives at Al Jazeera, the BBC, Al Arabi and others throughout June 2017, Reuters reported Monday. From the report: The American operatives worked for Project Raven, a secret Emirati intelligence program that spied on dissidents, militants and political opponents of the UAE monarchy. A Reuters investigation in January revealed Project Raven's existence and inner workings, including the fact that it surveilled a British activist and several unnamed U.S. journalists. The Raven operatives -- who included at least nine former employees of the U.S. National Security Agency and the U.S. military -- found themselves thrust into the thick of a high-stakes dispute among America's Gulf allies. The Americans' role in the UAE-Qatar imbroglio highlights how former U.S. intelligence officials have become key players in the cyber wars of other nations, with little oversight from Washington. The crisis erupted in the spring of 2017, when the UAE and allies -- including Saudi Arabia and Egypt -- accused Qatar of sowing unrest in the Middle East through its support of media outlets and political groups. The UAE camp demanded Qatar take a series of actions, including shuttering the Qatar-funded Al Jazeera satellite television network, withdrawing funding from other media outlets Doha supports, and cracking down on the Muslim Brotherhood, an Islamic movement some Arab governments regard as a threat.

Over 13K iSCSI Storage Clusters Left Exposed Online Without a Password

Mon, 04/01/2019 - 12:05
Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication. From a report: This misconfiguration has the risk of causing serious harm to devices' owners, as cyber-criminal groups could access these internet-accessible hard drives (storage disk arrays and NAS devices) to replace legitimate files with malware, insert backdoors inside backups, or steal company information stored on the unprotected devices. [...] Over the weekend, penetration tester A Shadow tipped ZDNet about this hugely dangerous misconfiguration issue. The researcher found over 13,500 iSCSI clusters on Shodan, a search engine that indexes internet-connected devices. In an online conversation with ZDNet, the researcher described this iSCSI exposure as a "dangerous backdoor" that can allow cyber-criminals to plant ransomware-infected files on companies' networks, steal company data, or place backdoors inside backup archives that may get activated when a company restores one of these booby-trapped files.

Tenants Outraged Over New York Landlord's Plan To Install Facial Recognition Technology

Sun, 03/31/2019 - 14:04
A Brooklyn landlord plans to install facial recognition technology at the entrance of a 700-unit building, according to Gothamist, "raising alarm among tenants and housing rights attorneys about what they say is a far-reaching and egregious form of digital surveillance." [Last] Sunday, several tenants told Gothamist that, unbeknownst to them, their landlord, Nelson Management, had sought state approval in July 2018 to install a facial recognition system known as StoneLock. Under state rules, landlords of rent-regulated apartments built before 1974 must seek permission from the state's Homes and Community Renewal (HCR) for any "modification in service." Tenants at the two buildings, located at 249 Thomas S. Boyland Street and 216 Rockaway Avenue, said they began receiving notices about the system in the fall. According to its website, Kansas-based company StoneLock offers a "frictionless" entry system that collects biometric data based on facial features. "We don't want to be tracked," said Icemae Downes, a longtime tenant. "We are not animals. This is like tagging us through our faces because they can't implant us with a chip." It is not clear how many New York City apartments are using facial scanning software or how such technology is being regulated. But in a sign of the times, the city's Department of Housing Preservation and Development last June began marketing 107 affordable units at a new apartment complex in the South Bronx. Among the amenities listed was "State of the Art Facial Recognition Building Access...." Across the real estate industry, New York City landlords have increasingly been moving to keyless entry systems, citing convenience as well as a desire to offer enhanced security. Over the years, in response to appeals filed by tenants, HCR has ruled in favor of key fob and card entry systems, saying that such substitutions did not violate rent-stabilization and rent-control laws. 
But the latest technology has triggered even more concerns about the ethics of data collection.... Last month, the management company reached out to a group of tenants to assuage their concerns about StoneLock. But tenants said the presentation, if anything, only deepened their fears that they were being asked to submit to a technology that had very little research behind it. "This was not something we asked for at any given time," one tenant complained, while one of the attorneys representing the tenants said that, among other things, their landlord had "made no assurances to protect the data from being accessed by NYPD, ICE, or any other city, state, or federal agency." "Citing concerns over the potential for privacy and civil liberties violations, tenants at Brownsville's Atlantic Plaza Towers filed an objection to the plan in January..."

Devuan.org Now Points To 'Pwned' Page With Gopher URLs

Sun, 03/31/2019 - 13:04
"DEVUAN.ORG HAS BEEN PWNED" reads a new message at the home page for Devuan (a fork of Debian without systemd) -- which redirects to a new page named pwned.html, reports Slashdot reader DevNull127: In all capital letters, its carefully-indented message (complete with an ASCII-art logo) now informs visitors that "the web sucks -- JavaScript sucks -- browsers suck." Posting the URLs to several gopher sites, it adds that "Gopher is the way -- gopher is the future." "Kiss port 80 goodbye. Join the revolution on port 70." The attackers identify themselves as "Green Hat Hackers," a term generally understood to mean ambitious newbie hackers who want to improve their skills. "Stop the madness," continues their message, which appeared just hours before the first day of April. "Get yourself a gopher client."

US Lawmakers Propose Allowing Prisons To Jam Signals From Smuggled Cellphones

Sun, 03/31/2019 - 11:34
An anonymous reader quotes the Associated Press: Federal legislation proposed Thursday would give state prison officials the ability they have long sought to jam the signals of cellphones smuggled to inmates within their walls... The legislation could help provide a solution to a problem prison officials have said represents the top security threat to their institutions. Corrections chiefs across the country have long argued for the ability to jam the signals, saying the phones -- smuggled into their institutions by the thousands, by visitors, errant employees, and even delivered by drone -- are dangerous because inmates use them to carry out crimes and plot violence both inside and outside prison.

In Massive Breach, Ex-NSA Contractor Pleads Guilty to Hoarding Highly Classified Secrets

Sun, 03/31/2019 - 09:34
"A former National Security Agency contractor on Thursday pleaded guilty to stealing secret defense information over two decades in what legal experts have described as the biggest breach of classified information in U.S. history." Long-time Slashdot reader mencik quotes USA Today: In his plea deal in U.S. District Court in Baltimore, Harold Thomas Martin III admitted to removing highly classified digital and hard copy documents, then storing them in his home and car from the late 1990s through 2016. Prosecutors say there is no indication Martin ever shared the stolen secrets. His defense attorneys say he simply hoarded the information... One of his lawyers previously described Martin as a "compulsive hoarder" who took home work documents... Martin, who held multiple security clearances while working at government agencies as a private contractor, said he knew stealing the documents risked the country's security. He pleaded guilty on Thursday to one felony count of willful retention of national defense information. He could be sentenced to nine years in prison. Martin also told a federal judge that he'd been diagnosed with ADHD. "His actions were the product of mental illness," his federal defenders' statement said. "Not treason."

Does India's Anti-Satellite Missile Test Mean The Weaponization of Space?

Sat, 03/30/2019 - 23:34
Reuters reports: India expects space debris from its anti-satellite weapons launch to burn out in less than 45 days, its top defense scientist said on Thursday, seeking to allay global concern about fragments hitting objects. The comments came a day after India said it used an indigenously developed ballistic missile interceptor to destroy one of its own satellites at a height of 300 km (186 miles), in a test aimed at boosting its defenses in space. Critics say such technology, known to be possessed only by the United States, Russia and China, raises the prospect of an arms race in outer space, besides posing a hazard by creating a cloud of fragments that could persist for years. G. Satheesh Reddy, the chief of India's Defence Research and Development Organisation, said a low-altitude military satellite was picked for the test, to reduce the risk of debris left in space. Space.com shared a reaction from a national security affairs professor at Naval War College in Newport, Rhode Island. They argued that India's test "likely represents a feeling by other countries, specifically India in this case, that the weaponization of space is forthcoming, and India doesn't want to be left out of the 'have' category if arms-control agreements are eventually reached."

Saudis Gained Access to Amazon CEO's Phone, Says Bezos' Security Chief

Sat, 03/30/2019 - 20:34
"The security chief for Amazon chief executive Jeff Bezos said on Saturday that the Saudi government had access to Bezos' phone and gained private information from it," Reuters reports. But in addition, the National Enquirer's lawyer "tried to get me to say there was no hacking," writes security specialist Gavin de Becker. I've recently seen things that have surprised even me, such as National Enquirer's parent company, AMI, being in league with a foreign nation that's been actively trying to harm American citizens and companies, including the owner of the Washington Post. You know him as Jeff Bezos; I know him as my client of 22 years... Why did AMI's people work so hard to identify a source, and insist to the New York Times and others that he was their sole source for everything? My best answer is contained in what happened next: AMI threatened to publish embarrassing photos of Jeff Bezos unless certain conditions were met. (These were photos that, for some reason, they had held back and not published in their first story on the Bezos affair, or any subsequent story.) While a brief summary of those terms has been made public before, others that I'm sharing are new -- and they reveal a great deal about what was motivating AMI. An eight-page contract AMI sent for me and Bezos to sign would have required that I make a public statement, composed by them and then widely disseminated, saying that my investigation had concluded they hadn't relied upon "any form of electronic eavesdropping or hacking in their news-gathering process." Note here that I'd never publicly said anything about electronic eavesdropping or hacking -- and they wanted to be sure I couldn't.... An earlier set of their proposed terms included AMI making a statement "affirming that it undertook no electronic eavesdropping in connection with its reporting and has no knowledge of such conduct" -- but now they wanted me to say that for them. 
The contract further held that if Bezos or I were ever in our lives to "state, suggest or allude to" anything contrary to what AMI wanted said about electronic eavesdropping and hacking, then they could publish the embarrassing photos. I'm writing this today because it's exactly what the Enquirer scheme was intended to prevent me from doing. Their contract also contained terms that would have inhibited both me and Bezos from initiating a report to law enforcement. Things didn't work out as they hoped. De Becker instead turned over his investigation's results to U.S. federal officials, then published today's essay warning the National Enquirer and its chairman have "evolved into trying to strong-arm an American citizen whom that country's leadership wanted harmed, compromised, and silenced." He also suggests it's in response to the "relentless" coverage by the Washington Post (which Bezos owns) of the murder of Saudi Arabian journalist and dissident Jamal Khashoggi. "Experts with whom we consulted confirmed New York Times reports on the Saudi capability to 'collect vast amounts of previously inaccessible data from smartphones in the air without leaving a trace -- including phone calls, texts, emails.'"

Phone Carrier Apps Can Help Fight Robocalls -- Sometimes, Even For Free

Sat, 03/30/2019 - 11:34
Friday CNN reported on "what you can do right now to stop robocalls." "Short of throwing your phone in the garbage, there's no way to avoid them altogether. But wireless providers and smartphone developers offer tools to filter out at least some unwanted calls."

- Verizon's Call Filter app is free to download on iPhones and Android devices. The company announced Thursday the app will offer some free features -- including auto-blocking calls from known fraudsters, showing warning banners for suspicious calls, and a spam reporting tool. For $2.99 a month per line, the Call Filter app can use a phonebook feature to look up the names of unknown callers, and it can show a "risk meter" for spam calls.
- AT&T's Call Protect has similar free features and add-ons with a $3.99 per month subscription. (iOS and Android)
- T-Mobile phones come loaded with Scam ID, which warns customers about suspicious phone numbers. It's also free to activate Scam Block, which automatically rejects calls from those numbers. An additional app called Name ID offers premium caller identification for $4 per line monthly. (iOS and Android)
- Sprint's Premium Caller ID, which comes pre-installed, looks up unknown numbers and filters and blocks robocalls for $2.99 per line.
- Google's Pixel phones also give you the option to have your voice assistant answer suspicious calls for you. The phone can transcribe the conversation and lets you decide whether to answer.

Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker'

Sat, 03/30/2019 - 08:34
An anonymous reader quotes Ars Technica: People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations -- and competing claims of assault and blackmail. Yet that's what happened when executives at Atrient -- a casino technology firm headquartered in West Bloomfield, Michigan -- stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- stopped by Atrient's booth at a London conference to confront the company's chief operating officer. What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion. The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter. Ars Technica calls the story "practically a case study in the problems that can arise with vulnerability research and disclosure," adding "the vast majority of companies have no clear mechanism for outsiders to share information about security gaps." A security research director at Rapid7 joked his first reaction was "man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty." But they later warned, "It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up."

Tesla Cars Keep More Data Than You Think

Fri, 03/29/2019 - 18:10
Tesla vehicles sent to the junk yard after a crash carry much more data than you'd think. According to CNBC, citing two security researchers, "Computers on Tesla vehicles keep everything that drivers have voluntarily stored on their cars, plus tons of other information generated by the vehicles including video, location and navigational data showing exactly what happened leading up to a crash." From the report: One researcher, who calls himself GreenTheOnly, describes himself as a "white hat hacker" and a Tesla enthusiast who drives a Model X. He has extracted this kind of data from the computers in a salvaged Tesla Model S, Model X and two Model 3 vehicles, while also making tens of thousands of dollars cashing in on Tesla bug bounties in recent years. Many other cars download and store data from users, particularly information from paired cellphones, such as contact information. But the researchers' findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via "event data recorders" there, should they need this for legal, insurance or other reasons. At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car's computer and knows how to extract it. The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect. 
A Tesla spokesperson said in a statement to CNBC: "Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers." The report serves as a reminder for Tesla owners to factory reset their cars before handing them off to a junk yard or other reseller because that other party may not reset your car for you. "Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars," reports CNBC. "A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars' computers with a factory reset." The researchers were able to obtain phonebooks' worth "of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited." The data also showed the drivers' last 73 navigation locations, as well as crash-related information. The Model 3 that one of the researchers bought for research purposes contained a video showing the car speeding out of the right lane into the trees off the left side of a dark two-lane route. "GPS and other vehicle data reveals that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on Aug 11, and was severe enough that airbags deployed," the report adds.

Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers

Fri, 03/29/2019 - 17:30
itwbennett writes: The popular e-commerce platform Magento has released 37 security issues affecting both the commercial and open-source versions, four of which are critical. "Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication," writes Lucian Constantin for CSO. Researchers from Web security firm Sucuri "have already reverse-engineered the patch [for that flaw] and created a working proof-of-concept exploit for internal testing," says Constantin. "The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites," the researchers warn in a blog post. "Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated -- making it easy for hackers to mount successful, widespread attacks against vulnerable websites," the Sucuri researchers warned. "The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous." Since the researchers were able to create a working proof-of-concept exploit, it's only a matter of time until hackers discover a way to use the exploit to plant payment card skimmers on sites that have yet to install the new patch.
