Bug in Tesla Software Demonstrates How Cyber Threats Are Now Also Our Physical Safety Concerns

Security experts have been warning that the increased complexity and computerization of vehicles is inviting additional risk to the already high-risk activity of being on the roadways. Recently, Chinese security researchers from Tencent’s Keen Security Lab found a flaw in the Tesla electric car’s Controller Area Network bus (CANbus) that allowed them to switch on the windshield wipers, open the sunroof, activate a turn signal, and apply the vehicle’s brakes (as well as perform other actions) remotely.

While being able to remotely control a car won’t allow hackers to steal your identity, it could allow other nefarious acts to take place, such as acts of terrorism. Should someone with bad intentions be able to exploit a vulnerability in the vehicle’s software, they could conceivably orchestrate an event in which they applied the brakes on thousands of vehicles driving on the roadways at once. This could result in massive pileups, injuries, and deaths.

No matter what software or firmware is running on a system, be it a computer or a vehicle, it’s important to apply a security or critical patch right away when one is released. If your car is recalled for a software vulnerability, take it in to the dealer or other shop to get it remedied right away. Otherwise you are putting your physical well-being at unnecessary risk.

Cyber terrorism has already made an appearance in recent years. Some may consider the Stuxnet malware that infiltrated one of Iran’s nuclear facilities a form of cyber terrorism. That virus caused approximately one-fifth of Iran’s nuclear centrifuges to be destroyed by sending them spinning out of control. It demonstrated that a cyber attack could result in real mass physical harm should it be so desired. The attack against Sony, in which information about unreleased movies, payroll information, and email conversations among executives was posted for all the world to see, not only hurt Sony financially but also harmed its reputation. This could also be considered cyber terrorism. These types of attacks are expected to get more frequent and more dangerous. They also are not expected to be limited to nation states, but will likely creep into the private business space as well. So for those charged with the company’s cyber security, make sure to update all computer systems ASAP when a patch is released.

Cyber security no longer applies only to fraud and identity theft. As this issue shows, it has now crossed the line into threatening our physical safety. So as much as technology can improve our lives, instances like this show it can also be very harmful. That’s why it’s important to stay on top of patching and updating all software, even the software in our garages.

© Copyright 2016 Stickley on Security

The Ripper Malware Jackpotting an ATM Near You

There is a term, or two, for the type of attack that the malware Ripper performs. It’s called “jackpotting” or a “cash out” attack. This happens when malware is planted in an ATM and allows thieves to send it commands to, well, dispense cash. It happened in Taiwan not long ago and recently, it also happened in Thailand. Three groups of men throughout six Thai provinces managed to steal roughly the equivalent of $350,000 from 21 ATMs. While “pocket change” compared to the $2.2 million in the Taiwanese machines, it demonstrates a continuing and disturbing trend.

According to experts, one reason this works is that many ATMs are still running on embedded versions of Windows XP, which is no longer supported by Microsoft. ATMs are computers and therefore are susceptible to the same types of attacks that can hit any organization’s network. Unfortunately, it is not known how this malware made its way onto the ATMs. However, the cash is dispensed after a payment card is inserted into the card slot and authenticates with the malware that was previously installed.

The best defense for those in charge of ATM security is to upgrade any of these outdated machines with newer technology that has fewer vulnerabilities and that runs on products that are still supported by manufacturers. It’s also important to keep all systems updated with security and critical patches when they are made available. This doesn’t apply only to desktops and laptops, but also to those ATMs.

Yes, it might be expensive and time consuming to do this, but with millions of dollars in cash at stake, it’s worth it. Criminals know what an effort this is, which is why they are having success.

Ripper involves taking advantage of the common APIs that many of the ATMs use to communicate with the hardware. Ripper is sophisticated enough to use the public specifications that are used on many brands. Although this particular attack happened on NCR machines, researchers found that it is also effective on machines by two other vendors. However, the researchers (from FireEye and NCR) have not identified the others. So to be on the safe side, regardless of the brand at your institution(s), it’s a great idea to get it up-to-date.

Yahoo! Confirms Theft of Data of 500 Million Users


About a month ago, it was reported that Yahoo! was investigating a possible data breach affecting 500 million users from 2012 (the New York Times is reporting 2014). Since then, the company has confirmed the breach. The same hacker that claimed responsibility for the breaches of MySpace and LinkedIn has claimed this one too. Information accessed included user names, birthdates, contact email addresses, and poorly scrambled passwords.

The advice is the same as it was before. If you haven’t changed your Yahoo! password in a while, it’s a great time to do it. Also change passwords on any accounts for which you reused that one. Use strong passwords that:

  • are at least eight characters,
  • include at least one number,
  • include at least one special character, such as a number sign,
  • are not dictionary words or names,
  • cannot be easily guessed,
  • are not used on any other online site.

It is difficult to remember so many passwords. However, it is important to have different ones for all the sites you visit. Password reuse happens more often than ever and is being blamed for breaches and account access regularly. If the thief (or thieves) figures out that some of the contacts in those Yahoo! accounts are related to financial sites or people, they could try the stolen passwords on banking sites.

Jim Stickley of Stickley on Security recommends having a core password or phrase of at least six characters such as “Xu8*V@” and adding letters from the URL to your password in some manner you can remember. For example, if you were visiting Yahoo, your password would become “Xu8*V@YO” or some other derivation of that. It is highly unlikely a password would be reused this way.

Another way is the “dice” method. This is when you take dice with words on them (create your own dice if needed) and roll them to combine words into a password.

If you have to write down passwords, try to use clues to trigger your memory as opposed to writing down actual passwords. Then keep the list in a place separate from your computer, preferably in a locked cabinet. And never put your passwords on sticky notes and attach them anywhere on your desk or monitor at work. This leaves your accounts vulnerable to a physical security breach.

In addition to changing your password, keep an eye out for additional email showing up in your inbox that includes links or attachments that you don’t expect. These could be phishing. Even if the email comes from a known sender, the theft of such a large number of email addresses means that spam and phishing messages may appear to come from Yahoo! account holders and/or from any email address in their contact lists.

Some news sources have reported the perpetrator is a state-sponsored actor. However, this information has not been confirmed by Yahoo! or the U.S. Government.

Android Photographers Shutter with News of Malicious Prisma Apps


Photographers and editors on Android devices, beware! The wildly popular Prisma app, which transforms your photos into artwork, is a recent target of the cybercrime world. Researchers at security company ESET have discovered several fake versions of the app that can infect users with malware.

The app has been out only a very short time, but its popularity has made it attractive for those wanting to spread malware, annoying adware, or possibly both. In some of the cases, the infected apps tricked users into visiting sites where surveys were displayed that ultimately stole the entered personal information. Subsequently, those unfortunate victims were “signed up” for various bogus and pricey SMS services. One of the apps displayed fake messages on the screen saying the phone was infected with a virus that could be removed if the user downloaded another anti-virus app, which was also malicious.

This stresses the importance of doing background research on all apps that you download to your mobile devices and on any software you install on your computer. Read the reviews both inside the app store and elsewhere online. Don’t get apps from any location other than the official app store for your particular devices. Sideloading, which is getting them from a location other than the app stores, is riskier because apps in the app stores generally go through more stringent security checks before they are allowed to be listed. Unfortunately, no process is 100% guaranteed, so malicious apps will sometimes slip through, which is what happened in this case.

Another version of the app found by ESET displayed fake Android 6.0 update messages, which then redirected users to a site that stole Gmail credentials. Those were subsequently used in a phishing scam.

Google has removed all of the known malicious apps from the Google Play store, but look out for this to happen again with the next popular app craze. Not long ago it was Pokémon Go and it’s likely even more malicious versions of that and its support apps will pop up. So, always make sure the apps you want are from the legitimate developers. While you’re in there searching for Prisma, make sure you download a good anti-malware app too, if you haven’t already. Then update it. While it won’t guarantee malware won’t end up on your devices, it is certainly a first line of defense.

For those who have Apple devices, you’re not completely safe from malicious apps either. Toward the end of last year, Apple removed over 300 malicious apps from its official store.

Password Manager May Pass All of Your Passwords to an Attacker

Most of us have many online accounts (financial, social media, exercise and diet accounts, etc.), and if you are following the guidance of security experts, you have a unique password for each one. If you’re like most people, remembering so many passwords can get a little daunting, and therefore we look for solutions. One of them may be to use a password manager such as LastPass. Unfortunately, that can make you even more vulnerable, as security researcher Sean Cassidy proved recently.

He found that by exploiting some flaws in the way LastPass works and using a bit of social engineering, he could thwart the security measures put into place, including getting past their two-factor authentication. It came down to phishing and popup fatigue. He convinced users to visit a malicious site using phishing methods. Then he used JavaScript to generate a popup dialogue in the browser telling users they were logged out of LastPass. The message the users saw was identical to the one LastPass displays, but it prompted the user to log in again and then asked for their two-factor authentication code. Then, all information was sent to a separate server controlled by Cassidy, who could have been a hacker. At this point, anyone wishing to employ this tactic has all the information needed to get all of the passwords in the LastPass file.

While using such products to keep track of passwords is still generally safer than using a single password for all accounts, there are obviously still risks to it. If you get logged out of any program when you are not expecting to, start back at the beginning. Re-type a known URL into the address bar or use a previously bookmarked link that you know is safe. Make sure to read all popup dialogue boxes. Attackers often use these as a means to do harm because they understand how often people just click a button to remove the box from their view.

LastPass has worked with Cassidy to try to fix these issues, but the reality is that if all of your passwords are in one place and stored online, it’s added risk. Once someone gets your password manager password, they have all of your passwords. So use caution when using these and consider writing them on paper and storing them out of sight. And if you are one who likes to log in to other sites using your Facebook, Google, or other account, consider the risks of doing that as well. One password would give someone access to a lot of accounts and information. Instead, take the extra time to create a separate set of credentials for each site. It’s a little extra time at the moment, but could save a lot of hassle later.

Are You Smarter Than Ransomware? You Can Be with These 4 Tips

Ransomware is a type of malware that encrypts and holds your sensitive data hostage until a sum of money or other type of payment is made. Most of the time ransomware is delivered via email in the form of phishing, but can also arrive in adware or even on your Facebook or Twitter feed. The ransom can be anything from a “like” on a social media page to hundreds of dollars. However, there are ways to avoid being a victim of this.

1. Back up all of your devices

This is a reasonably simple task. External hard drives are getting less expensive all the time and they come with essentially plug-and-play technology. If you don’t want to do that, just back up your important documents and files to a USB drive. Whichever method you use, store the backup separately from your computer. This way, should ransomware strike, you can simply restore your files and avoid paying any ransom. Most security professionals recommend backing up weekly, but ideally it should be daily. If your data is particularly critical, as it would be in a hospital, perhaps hourly is appropriate. Earlier in the year, Hollywood Presbyterian Medical Center was caught without adequate backups and paid to have its data returned. This is not recommended.

2. Update software and firmware

Unfortunately, patching and updating software seems to be lower on the priority list than it should be. While most personal devices have automatic update functionality, in businesses this is often not enabled. In fact, a study by Google found that only two percent of non-security experts understand the importance of regularly patching and updating. However, it’s important to do this whether at home or at the office. Create a patching schedule for non-critical and security updates, and if you see an indicator on your smartphone that an update is available, apply it if it isn’t automatic. When vulnerabilities are found that can cause security issues, update as soon as the patch is released. Don’t forget the hardware. As soon as a new piece of hardware is installed, be it at home or the office, update it and change the default password.

3. Don’t take the bait

Ransomware is often delivered via phishing. This can come in email messages, social media feeds, or even in adware. If a link arrives in email unexpectedly or from someone unknown, don’t click it. Also avoid clicking adware and links in social media. Those are often scams and clickbait just to lure you to the hook. Educate those in the office and at home on identifying these and make sure anti-malware is installed on every device and is kept updated at all times.

4. Leave work at the office

A ThreatTrack Security survey from January found that nearly one-third of IT security personnel were asked to remove some sort of malware from an executive’s computer. Family members were blamed. Keep work data and files separate from private ones. Also, teach family members good computing habits, even if they don’t use the work laptop or mobile device. It also never hurts to start teaching kids early how to keep information safe.
