Category: Privacy
It’s been a big month for US data privacy. Indiana, Iowa, and Tennessee all passed state privacy laws, bringing the total number of states with a privacy law up to eight. None of the three includes a private right of action, which means enforcement is left to the states themselves.
The ransomware plague endures — and has arisen as a potent weapon in geopolitical conflicts.
Related: The Golden Age of cyber espionage
Cyber extortion remains a material threat to organizations of all sizes across all industries. Ransomware purveyors have demonstrated their capability to endlessly take advantage of a vastly expanded network attack surface – one that will only continue to expand as the shift to massively interconnected digital services accelerates.
Meanwhile, Russia has turned to weaponizing ransomware in its attempt to conquer Ukraine, compounding this threat. Now that RSA Conference 2023 has wrapped, three things seem clear: ransomware is here to stay; it is not, at this moment, being adequately mitigated; and a new approach is needed to slow, and ultimately stop, ransomware.
I had the chance to visit with Steve Hahn, EVP Americas, at Bullwall, which is in the vanguard of security vendors advancing ways to instantly contain threat actors who manage to slip inside an organization’s network.
Guest expert: Steve Hahn, EVP Americas, Bullwall
Bullwall has a bird’s eye view of Russia’s ongoing deployment of ransomware attacks against Ukraine, and its allies, especially the U.S.
Weaponized ransomware benefits Russia twice over: it is lucrative, generating billions in revenue that add to Putin’s war chest, and at the same time it degrades a wide swath of infrastructure belonging to Putin’s adversaries across Europe and North America.
Containment is a logical tactic that could make a big difference in stopping ransomware and other types of attacks. For a full drill down, please give the accompanying podcast a listen. I’ll keep watch and keep reporting.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
Your go-to mobile apps aren’t nearly as hackproof as you might like to believe.
Related: Fallout of T-Mobile hack
Hackers of modest skill routinely bypass legacy security measures, even two-factor authentication, with techniques such as overlay attacks, in which a malicious screen is drawn over a legitimate app to capture credentials and one-time codes. And hard data shows such breaches on the rise.
I had an evocative conversation about this at RSA Conference 2023 with Asaf Ashkenazi, CEO of Verimatrix, a cybersecurity company headquartered in southern France. We discussed how the Dark Web teems with hackers offering targeted mobile app attacks on major companies.
Many corporations outsource their mobile app development, and these apps often exhibit poor security practices, making them easy targets for cybercriminals, he says.
Verimatrix is coming at this problem with a fresh approach that has proven its efficacy in Hollywood where the company has long helped lock down content such as premium movies and live streamed sporting events.
Guest expert: Asaf Ashkenazi, CEO, Verimatrix
Its technology revolves around application-level protection and monitoring, which allows Verimatrix to collect data on app behavior without invading user privacy.
Code embedded in the app provides a granular level of insight into what is happening while the app is actually running, along with a degree of control that is simply not achievable with legacy mobile app security solutions, he told me.
For a full drill down, please give the accompanying podcast a close listen. Ashkenazi argues that we need better security solutions in general to mitigate the AI-generated threats running on our most cherished devices.
He observes that threat actors already use generative AI tools like ChatGPT, Google Bard and Microsoft Edge to innovate malware; to keep pace, companies are going to have to get much better at not just identifying, but predicting attacks, especially on mobile apps. Agreed. I’ll keep watch and keep reporting.
In an increasingly interconnected world, the evolution of the automotive industry presents an exciting yet daunting prospect.
Related: Privacy rules for vehicles
As vehicles continue to offer modern features such as app-to-car connectivity, remote control access, and driver assistance software, a huge risk lurks in the shadows.
The physical safety of components such as airbags, rearview mirrors, and brakes is well accounted for; yet concerns about vehicle cybersecurity are now rising to the fore.
What used to be a focus on physical safety has now shifted to cybersecurity because of the widened attack surface that connected cars present. The rapid advancements in electric vehicles (EVs) have only served to heighten these concerns.
Funso Richard, Information Security Officer at Ensemble, highlighted the gravity of these threats. He told Last Watchdog that apart from conventional attacks, such as data theft and vehicle theft, much more worrisome types of attacks are emerging. These include ransomware targeting backend servers, distributed denial of service (DDoS) attacks, destructive malware, and even weaponizing charging stations to deploy malware.
Risk of compromise
The National Highway Traffic Safety Administration defines automotive cybersecurity as the protection of automotive electronic systems, communication networks, control algorithms, software, users, and underlying data from malicious attacks, damage, unauthorized access, or manipulation. The risk of compromise is not just theoretical; there have been instances where vehicles were momentarily commandeered.
Notably, in 2016, Nissan suspended a remote telematics system in its all-electric hatchback, the Leaf, due to a vulnerability in the NissanConnect app’s server. More recently, Sultan Qasim Khan, a principal security adviser with a UK-based security firm, tricked a Tesla into thinking the driver was inside by relaying communication between the automaker’s phone-as-key mobile app and the car, a classic relay attack.
Rising regulations
As the attack surface broadens, original equipment manufacturers (OEMs) find themselves in a unique position. Roy Fridman, CEO at C2A Security, emphasized the complexity of the automotive industry, citing the intricate supply chain, the exponential growth of software in modern vehicles, and the heavily regulated environment as contributing factors.
In terms of regulations, Fridman highlighted WP.29 UN R155, which C2A Security’s David Mor Ofek helped draft, as a key regulation that makes car manufacturers liable for the entire supply chain of their products. However, he warned against cursory compliance undertaken just to satisfy the regulatory bodies, emphasizing the need for OEMs to truly understand and address the threats.
“These laws imply that whether in design, development, production, or post-production, car manufacturers must have full visibility into the security of their software products through a cybersecurity management system (CSMS),” Fridman says.
Richard echoed this sentiment, emphasizing the importance of secure design principles and the need for evidence of implemented cybersecurity controls from third-party suppliers. He noted the temptation for OEMs to kit out new models with the latest features without assessing their security implications, but urged manufacturers to prioritize security.
“It’s not enough that smart automakers are doing their best to secure their products, a supplier could be the weakest link,” Richard says.
Consumer trust
This increased focus on automotive cybersecurity is also reflected in the consumer market, with customers putting more emphasis on their security posture and overall risk management. Fridman suggested that this trend presents an excellent opportunity for OEMs to build trust with their customers, and he expects to see more of this development in the future.
According to Fridman, there will be a shift from the mechanical side of car development to the software side, with the industry witnessing a proliferation of the Software Defined Vehicle (SDV). This implies an even greater potential for cyberattacks as more devices get connected and the demand for software-powered smart cars increases in an IoT-powered world.
The Automotive Cybersecurity Market Global Forecast by MarketsandMarkets corroborates this, predicting rising demand for automotive cybersecurity solutions among OEMs globally, and noting that a passenger car equipped with modern connected features already carries more than 100 million lines of code.
Richard added that smart vehicles will play a significant role in smart city development and the “connected everything” concept. This means that smart cars will redefine how we understand IoT in the next few years, becoming one of the leading data generators of connected devices and internet activities.
The comments of Fridman and Richard show consensus gelling in the cybersecurity community that connected vehicle safety must jump ahead of emerging regulations.
“The EV charging grid is left estranged from any formal guidelines, despite recent security breaches, increased interest from malicious hackers, and FBI warnings,” notes Fridman. “We should all double down on this front.”
Editor’s note: Kolawole Samuel Adebayo is a Last Watchdog special correspondent based in Lagos, Nigeria.