Bug in Tesla Software Demonstrates How Cyber Threats Are Now Also Our Physical Safety Concerns


Security experts have been warning that the increased complexity and computerization of vehicles are adding risk to the already high-risk activity of being on the roadways. Recently, Chinese security researchers from Tencent’s Keen Security Lab found a flaw in the Tesla electric car’s Controller Area Network bus (CANbus) that allowed them to switch on the windshield wipers, open the sunroof, activate a turn signal, and apply the vehicle’s brakes (as well as perform other actions) remotely.

While being able to remotely control a car won’t allow hackers to steal your identity, it could allow other nefarious acts to take place, such as acts of terrorism. Should someone with bad intentions be able to exploit a vulnerability in the vehicle’s software, they could conceivably orchestrate an event in which they applied the brakes on thousands of vehicles driving on the roadways at once. This could result in massive pileups, injuries, and deaths.

No matter what software or firmware is running on a system, be it a computer or a vehicle, it’s important to apply a security or critical patch right away once it is released. If your car is recalled for a software vulnerability, take it in to the dealer or other shop to get it remedied right away. Otherwise you are putting your physical well-being at unnecessary risk.

Cyber terrorism has already made an appearance in recent years. Some may consider the Stuxnet malware that infiltrated one of Iran’s nuclear facilities a form of cyber terrorism. That virus caused approximately one-fifth of Iran’s nuclear centrifuges to be destroyed by sending them spinning out of control. It demonstrated that a cyber attack could result in real mass physical harm should it be so desired. The attack against Sony, in which information about unreleased movies, payroll information, and email conversations among executives were posted for all the world to see, not only hurt Sony financially but also harmed its reputation. This could also be considered cyber terrorism. These types of attacks are expected to get more frequent and more dangerous. They also are not expected to be limited to nation states, but will likely creep into the private business space as well. So for those charged with the company’s cyber security, make sure to update all computer systems ASAP when a patch is released.

Cyber security no longer applies only to fraud and identity theft. As this issue shows, it has now crossed the line into threatening our physical safety. So as much as technology can improve our lives, instances like this show it can also be very harmful. That’s why it’s important to stay on top of patching and updating all software, even the software that sits in our garages.

© Copyright 2016 Stickley on Security

The Ripper Malware Jackpotting an ATM Near You


There is a term, or two, for the type of attack that the malware Ripper performs. It’s called “jackpotting” or a “cash out” attack. This happens when malware is planted in an ATM and allows thieves to send it commands to, well, dispense cash. It happened in Taiwan not long ago and recently, it also happened in Thailand. Three groups of men throughout six Thai provinces managed to steal roughly the equivalent of $350,000 from 21 ATMs. While “pocket change” compared to the $2.2 million in the Taiwanese machines, it demonstrates a continuing and disturbing trend.

According to experts, one reason this works is that many ATMs are still running on embedded versions of Windows XP, which is no longer supported by Microsoft. ATMs are computers and therefore are susceptible to the same types of attacks that can hit any organization’s network. Unfortunately, it is not known how this malware made its way onto the ATMs. However, the cash is dispensed after a payment card is inserted into the card slot and authenticates with the malware that was previously installed.

The best defense for those in charge of ATM security is to upgrade any of these outdated machines to newer technology that has fewer vulnerabilities and that runs on products still supported by their manufacturers. It’s also important to keep all systems updated with security and critical patches when they are made available. This doesn’t apply only to desktops and laptops; it applies to those ATMs as well.

Yes, it might be expensive and time consuming to do this, but with millions of dollars in cash at stake, it’s worth it. Criminals know what an effort this is, which is why they are having success.

Ripper involves taking advantage of the common APIs that many of the ATMs use to communicate with the hardware. Ripper is sophisticated enough to use the public specifications that are used on many brands. Although this particular attack happened on NCR machines, researchers found that it is also effective on machines by two other vendors. However, the researchers (from FireEye and NCR) have not identified the others. So to be on the safe side, regardless of the brand at your institution(s), it’s a great idea to get it up-to-date.

© Copyright 2016 Stickley on Security

Yahoo! Confirms Theft of Data of 500 Million Users


About a month ago, it was reported that Yahoo! was investigating a possible data breach affecting 500 million users from 2012 (the New York Times is reporting 2014). Since then, the company has confirmed the breach. The same hacker that claimed responsibility for the breaches of MySpace and LinkedIn has claimed this one too. Information accessed included user names, birthdates, contact email addresses, and poorly scrambled passwords.

The advice is the same as it was before. If you haven’t changed your Yahoo! password in a while, it’s a great time to do it. Also change passwords on any accounts for which you reused that one. Use strong passwords that:

  • are at least eight characters,
  • include at least one number,
  • include at least one special character, such as a number sign,
  • are not dictionary words or names,
  • cannot be easily guessed,
  • are not used on any other online site.

It is difficult to remember so many passwords. However, it is important to have different ones for all the sites you visit. Password reuse happens more often than ever and is being blamed for breaches and account access regularly. If the thief (or thieves) figures out that some of the contacts in those Yahoo! accounts are related to financial sites or people, they could try the stolen passwords on banking sites.

Jim Stickley of Stickley on Security recommends having a core password or phrase of at least six characters such as “Xu8*V@” and adding letters from the URL to your password in some manner you can remember. For example, if you were visiting Yahoo, your password would become “Xu8*V@YO” or some other derivation of that. It is highly unlikely a password would be reused this way.

Another way is the “dice” method. This is when you take dice with words on them (create your own dice if needed) and roll them to combine words into a password.
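How much guessing resistance the dice method gives, as an added example that is not part of the original article: the five word dice and their words are constructed, and the comparison with a Diceware-style list indexed by numbered dice and with a random eight-character password goes beyond what the article describes.

```python
import math
import secrets

# Constructed sample dice (not from the article): five dice, six words each,
# with no word shared between dice.
WORD_DICE = [
    ["amber", "brisk", "cedar", "delta", "ember", "fjord"],
    ["glade", "heron", "ivory", "jolly", "kiosk", "lemon"],
    ["maple", "noble", "ocean", "pearl", "quilt", "raven"],
    ["sable", "tulip", "umbra", "vivid", "wheat", "xenon"],
    ["yacht", "zebra", "acorn", "bison", "comet", "dune"],
]


def roll_word_dice(dice):
    """Roll every die once using the OS CSPRNG; returns words in die order."""
    return [secrets.choice(faces) for faces in dice]


def word_dice_bits(dice, shuffled=False):
    """Entropy in bits of one roll of all dice.

    Shuffling the dice before reading them adds log2(n!) bits, which holds
    only because no word appears on more than one die.
    """
    bits = sum(math.log2(len(faces)) for faces in dice)
    if shuffled:
        bits += math.log2(math.factorial(len(dice)))
    return bits


def indexed_list_bits(words, rolls_per_word=5, sides=6):
    """Entropy when each word is looked up in a list indexed by several
    numbered-die rolls (Diceware uses 5 rolls into a 7,776-word list)."""
    return words * rolls_per_word * math.log2(sides)


def random_chars_bits(length, alphabet_size=94):
    """Upper bound for a password of uniformly random printable ASCII."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("passphrase:", "-".join(roll_word_dice(WORD_DICE)))
    print(f"5 word dice, fixed order : {word_dice_bits(WORD_DICE):.1f} bits")
    print(f"5 word dice, shuffled    : {word_dice_bits(WORD_DICE, True):.1f} bits")
    print(f"6 words from indexed list: {indexed_list_bits(6):.1f} bits")
    print(f"8 random ASCII characters: {random_chars_bits(8):.1f} bits")
```

With six words per die, five word dice give about 13 bits, so the method needs either many more dice or a long indexed word list to match a random eight-character password.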

If you have to write down passwords, try to use clues to trigger your memory as opposed to writing down actual passwords. Then keep the list in a place separate from your computer; in a locked cabinet is preferred. And never put your passwords on sticky notes and attach them anywhere on your desk or monitor at work. This leaves your accounts vulnerable to a physical security breach.

In addition to changing your password, keep an eye out for additional email showing up in your inbox that includes links or attachments that you don’t expect. These could be phishing. Even if the email comes from a known sender, the theft of such a large number of email addresses means that spam and phishing messages may appear to come from Yahoo! account holders and/or from any email address in their contact lists.

Some news sources have reported the perpetrator is a state-sponsored actor. However, this information has not been confirmed by Yahoo! or the U.S. Government.

© Copyright 2016 Stickley on Security

What College Students Should Learn About Money


As you prepare for a new year at college, managing your money may be the last thing on your mind. But, college is the perfect time to instill strong and healthy financial habits, such as budgeting and living within your means.

By starting on the right foot with good saving and spending habits, you’ll have a good chance to set yourself up for a life of financial success. Here are some ideas students – with the help of parents, relatives and the school’s financial aid office – can consider while taking the leap into living away from home.

Create a financial plan early on. Create a general financial plan for your college years right away, and a more detailed budget for the upcoming semester. You can start with estimated costs for tuition, fees, room and board from your school’s financial aid office and fill in the actual numbers once you know them.

Even with financial aid, most college students need to be frugal as they balance major expenses and a limited income from work or parental support. While you may need to take out student loans, the better you manage your personal and educational expenses the less you’ll have to borrow now, and repay later.

Adjust your budget as you go. Your focus should be school, but you can also take time to track your money and stick to your budget. A budget can be a tool and a learning opportunity, and particularly during your first few semesters, you’ll likely have to make adjustments as you learn to balance wants and needs. Try to stick with it and remember it’s okay to make changes (and an occasional mistake) as you go.

Parents can discuss how they manage their personal or family budget and offer suggestions for cutting expenses or finding work. College students may face many financial firsts, such as signing a rental agreement, purchasing insurance or applying for a loan, and parents can share their experiences and advice.

Make your budget add up. Learning how to roll with the punches and live within your means are timeless skills. You’ll have to balance academic obligations with a part- or full-time job to increase your income. But, there are often flexible on-campus jobs you can qualify for if you have a work-study grant as part of your financial aid package.

When it comes to saving, there are all sorts of ways to cut costs on necessities and indulgences. Consider the following three tactics almost any college student can use to spend less money.

  • Use student discounts. Dozens of stores offer students discounts, validated with an official ID, or a .edu email address, and you may be able to save 10 to 20 percent off your purchase. Ask store employees or check online to see if a store offers a student discount before checking out.
  • Save on textbooks. Look for alternatives to buying new textbooks, such as renting textbooks, buying used books, purchasing or renting e-textbooks or using the library’s reference copies.
  • Mobilize your savings. If saving money is just one more thing you don’t want to think about, you can save your spare cash via your smartphone. Thinking about buying a car next summer or saving money for spring break? There are mobile apps that will calculate how much money you can afford to save at a given moment – whether that’s $20 or ten cents – and will save it for you. You could also set up an automatic weekly or monthly transfer to your savings account through your bank. Chances are you won’t miss the money, and you won’t spend it if you don’t see it in your checking account.

Make a practice of saving for the future. You’ll want to figure out the best way to use your savings. If you’ve taken out student loans, you could allocate some of the money to early loan payments.

Private and unsubsidized federal student loans accrue interest while you’re in school. Making a payment can help you avoid increasing your debt load and save you money on interest. Plus, unlike with some other types of loans, there’s no penalty for making early student loan payments.

Bottom line. College is an ideal time to instill healthy financial habits. Ask your parents or other relatives for guidance, discuss student loans and budgeting with your college’s financial aid office, learn a new skill online or attend a local personal finance workshop or seminar. While you set off on a series of firsts, take advantage of these resources to learn how to manage, save and wisely spend your money.

By Nathaniel Sillin


How to Tackle Your Grocery Bill


Food shopping can quickly take over your budget despite your best intentions. Perhaps it’s due to impulse purchases, unplanned shopping trips, food going bad or a combination of all three. If you’re looking for ways to save money while enjoying nutritious and delicious meals, consider these money-saving tactics.

Stick to your budget to save time and money. Look at your food budget before making a trip to the store. If you don’t have one yet, figure out your overall budget including food costs with a simple budget worksheet. Knowing how much you want to spend and how much you actually spent can help you make informed decisions.

Plan out the week’s meals with your budget in mind. If you make dishes that rely on the same staples, you can save money by using leftovers to create a new dish. But mix things up to avoid boredom.

Make your trip to the grocery store even easier with a shopping list. Sticking to a list can help limit food waste and make it easy to get in and out of the grocery store. If you share food shopping duties with a spouse or partner, you can avoid double purchases by using grocery apps that let you create and sync shopping lists.

Stack different discounts and deals to rack up savings. Once you enter the grocery store, it’s time to put your plan into action. Plan for the occasional indulgence and let yourself make impulse purchases occasionally, but try to stick to the list.

You can also often save money at grocery stores by joining the store’s loyalty program. Members get exclusive discounts, and some programs offer additional savings at partner stores. Check your membership account online or with the app before checking out, as some programs have electronic coupons that you need to “clip” to get the savings.

One way to increase your grocery budget is to use one, or several, of the apps that give you cash back when you buy groceries. Sometimes you can even earn cash back on general purchases like a loaf of bread or a gallon of milk. Depending on the app and food, you may need to verify the purchase by scanning the barcode and sending a picture of your receipt.

The store you choose can also significantly impact how much you’ll spend.

Strategically plan your shopping route. Planning your grocery shopping after reviewing your local stores’ weekly sales and coupons can help you determine what to buy and where. Also take the time to explore your neighborhood stores, as one grocer may frequently have high-quality yet inexpensive produce while another might have a great butcher.

No matter where you shop, be mindful of how the store’s design can entice you to make purchases. The outside ring is often where you’ll find the fewest processed foods; however, you might notice that you need to walk to the back of the store to grab milk or eggs. The store hopes you’ll be tempted by something you see along the way.

Sticking to your list, refraining from walking through an aisle unless you need to and remembering that the eye-level products aren’t necessarily the best bang for your buck can help you avoid these traps.

Stick to inexpensive foods. Consider choosing store-brand rather than name-brand products as they’re often cheaper, but not necessarily lower quality. You may also want to consider changing what you buy. Filet mignon can be delicious, but so can cheaper cuts of meat and there’s a lot of advice online for how to best prepare them. Staples, such as rice, beans and canned or frozen goods are also a low-cost way to supplement meals.

Bottom line. Buying food is a necessity, but you don’t have to overspend to keep a well-stocked fridge and pantry. By planning your meals and grocery trips, using the money-saving tactics above and carefully choosing where you shop, you can save time and money – and cook up something delicious.

By Nathaniel Sillin

Android Photographers Shutter with News of Malicious Prisma Apps


Photographers and editors on Android devices, beware! The wildly popular Prisma app, which transforms your photos into artwork, is a recent target of the cybercrime world. Researchers at security company ESET have discovered several fake versions of the app that can infect users with malware.

The app has been out only a very short time, but its popularity has made it attractive for those wanting to spread malware, annoying adware, or possibly both. In some of the cases, the infected apps tricked users into visiting sites where surveys were displayed that ultimately stole the entered personal information. Subsequently, those unfortunate victims were “signed up” for various bogus and pricey SMS services. One of the apps displayed fake messages on the screen saying the phone was infected with a virus that could be removed if the user downloaded another anti-virus app, which was also malicious.

This stresses the importance of doing background research on all apps that you download to your mobile devices, and on any software you install on your computer. Read the reviews both inside the app store and elsewhere online. Don’t get apps from any location other than the official app store for your particular devices. Sideloading, which is getting them from a location other than the app stores, is riskier because apps in the app stores generally go through more stringent security checks before they are allowed to be listed. Unfortunately, no process is 100% guaranteed, so malicious apps will sometimes slip through, which is what happened in this case.

Another version of the app found by ESET displayed fake Android 6.0 update messages, which then redirected users to a site that stole Gmail credentials. Those were subsequently used in a phishing scam.

Google has removed all of the known malicious apps from the Google Play store, but look out for this to happen again with the next popular app craze. Not long ago it was Pokémon Go and it’s likely even more malicious versions of that and its support apps will pop up. So, always make sure the apps you want are from the legitimate developers. While you’re in there searching for Prisma, make sure you download a good anti-malware app too, if you haven’t already. Then update it. While it won’t guarantee malware won’t end up on your devices, it is certainly a first line of defense.

For those who have Apple devices, you’re not completely safe from malicious apps either. Toward the end of last year, Apple removed over 300 malicious apps from its official store.

© Copyright 2016 Stickley on Security