Tag Archives: cyber

[ISN] Researcher says he can hack GM’s OnStar app, open vehicle, start engine

http://venturebeat.com/2015/07/30/researcher-says-can-hack-gms-onstar-app-open-vehicle-start-engine/ By Bernie Woodall in Detroit and Jim Finkle in Boston Reuters July 30, 2015 BOSTON/DETROIT (Reuters) – A researcher is advising drivers not to use a mobile app for the General Motors OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely. “White-hat” hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities. Kamkar released the video a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. That bug allowed them to gain remote control of a Jeep traveling at 70 miles per hour on a public highway. […]




Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Hacking Critical Infrastructure: A How-To Guide

http://www.defenseone.com/technology/2015/07/hack-critical-infrastructure/118756/ By Patrick Tucker Defense One July 31, 2015 Cyber-aided physical attacks on power plants and the like are a growing concern. A pair of experts is set to reveal how to pull them off — and how to defend against them. How easy would it be to pull off a catastrophic cyber attack on, say, a nuclear power plant? At next week’s Black Hat and Def Con cybersecurity conferences, two security consultants will describe how bits might be used to disrupt physical infrastructure. U.S. Cyber Command officials say this is the threat that most deeply concerns them, according to a recent Government Accountability Office report. “This is because a cyber-physical incident could result in a loss of utility service or the catastrophic destruction of utility infrastructure, such as an explosion,” the report said. The most famous such attack is the 2010 Stuxnet worm, which damaged centrifuges at Iran’s Natanz nuclear enrichment plant. (It’s never been positively attributed to anyone, but common suspicion holds that it was the United States, possibly with Israel.) Scheduled to speak at the Las Vegas conferences are Jason Larsen, a principal security consultant with the firm IOActive, and Marina Krotofil, a security consultant at the European Network for Cyber Security. Larsen and Krotofil didn’t necessarily hack power plants to prove the exploits work; instead Krotofil has developed a model that can be used to simulate power plant attacks. It’s so credible that NIST uses it to find weakness in systems. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Intel Assessment: Weak Response to Breaches Will Lead to More Cyber Attacks

http://freebeacon.com/national-security/intel-assessment-obama-admin-response-to-cyber-encourages-more-attacks/ By Bill Gertz Follow @BillGertz Washington Free Beacon July 28, 2015 The United States will continue to suffer increasingly damaging cyber attacks against both government and private sector networks as long as there is no significant response, according to a recent U.S. intelligence community assessment. Disclosure of the intelligence assessment, an analytical consensus of 16 U.S. spy agencies, comes as the Obama administration is debating how to respond to a major cyber attack against the Office of Personnel Management. Sensitive records on 22.1 million federal workers, including millions cleared for access to secrets, were stolen by hackers linked to China’s government. U.S. officials familiar with the classified cyber assessment discussed its central conclusion but did not provide details. Spokesmen for the White House and office of the director of national intelligence declined to comment. Recent comments by President Obama and senior military and security officials, however, reflect the intelligence assessment. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Hackers give up when they go up against this cybersecurity company

http://fortune.com/2015/07/29/crowdstrike-cybersecurity-george-kurtz/ By Robert Hackett @rhhackett Fortune.com July 29, 2015 It’s not every day that a company can compel hackers to give up. Yet that’s exactly what CrowdStrike managed to do earlier this year. CEO and co-founder George Kurtz tells it like this: A besieged customer needed backup. So Kurtz’s team sent in reinforcements, placed its cloud-based software sensors across the breached business’s computing environment, and started gathering intel. Aha! Investigators spotted Hurricane Panda, an old Chinese nemesis that Kurtz’s crew had been battling since 2013. What happened next surprised them: When the attackers scanned an infected machine only to find traces of CrowdStrike, they fled. CrowdStrike’s reputation precedes it. The company, founded in 2011 and based in Irvine, Calif., has gone toe-to-toe with some of the world’s most sophisticated state-sponsored hacking groups. The firm analyzed the data behind the breaches of millions of sensitive records at the Office of Personnel Management, the federal agency responsible for human resources, in what may have been the biggest act of cyberespionage the U.S. has ever seen. It has published threat reports on many of the more than 50 adversaries it tracks, which include the likes of Ghost Jackal (the Syrian Electronic Army), Viceroy Tiger (an Indian intruder), and Andromeda Spider (a criminal coterie). Between 2013 and 2014 its revenue grew 142% and its customer base more than tripled, two reasons Google Capital GOOG 0.63% , the tech giant’s growth equity arm, led a $100 million investment in CrowdStrike in July, its first ever for a computer security company. Kurtz used to travel hundreds of thousands of miles a year as CTO of McAfee, now called Intel Security INTC 0.17% , to meet with beleaguered customers. It struck him that they did not need more anti-malware and antivirus products, the traditional realm of information security, so much as software oriented toward tradecraft and technique, the domain of cyberspies. Co-founder and CTO Dmitri Alperovitch, then McAfee’s head of threat intelligence, agreed. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] GAO: Defense installation utilities at risk of cyber attack

http://www.militarytimes.com/story/military/2015/07/24/utility-cyber-attack/30615033/ By Andrew Tilghman Staff writer Military Times July 25, 2015 The utility systems that provide water, electricity and other essential services to military installations worldwide have limited defenses against cyber-attacks, putting many bases at risk for a “serious mission-disabling event,” a new Government Accountability Office report says. A recent GAO investigation identified a disturbing vulnerability in the military’s network of “industrial control systems,” the computers that monitor or operate physical utility infrastructure. For example, “most” Navy and Marine Corps industrial control systems (ICS) “have very little in the way of security controls and cybersecurity measures in place,” according to government documents identified by the GAO. That leaves many installations exposed to a “cyber-physical effect” attack that could cause the “physical destruction of utility infrastructure controlled by an ICS,” the GAO said. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] GAO: Defense installation utilities at risk of cyber attack

http://www.militarytimes.com/story/military/2015/07/24/utility-cyber-attack/30615033/ By Andrew Tilghman Staff writer Military Times July 25, 2015 The utility systems that provide water, electricity and other essential services to military installations worldwide have limited defenses against cyber-attacks, putting many bases at risk for a “serious mission-disabling event,” a new Government Accountability Office report says. A recent GAO investigation identified a disturbing vulnerability in the military’s network of “industrial control systems,” the computers that monitor or operate physical utility infrastructure. For example, “most” Navy and Marine Corps industrial control systems (ICS) “have very little in the way of security controls and cybersecurity measures in place,” according to government documents identified by the GAO. That leaves many installations exposed to a “cyber-physical effect” attack that could cause the “physical destruction of utility infrastructure controlled by an ICS,” the GAO said. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Cybercom: Big Data Theft at OPM, Private Networks is New Trend in Cyber Attacks

http://freebeacon.com/national-security/cybercom-big-data-theft-at-opm-private-networks-is-new-trend-in-cyber-attacks/ By Bill Gertz Washington Free Beacon July 27, 2015 The commander of U.S. Cyber Command said last week that the Office of Personnel Management hack of millions of records of federal workers shows a new trend toward using Big Data analytics for both nation-state and criminal cyber attacks. “One of the lessons from OPM for me is we need to recognize that increasingly data has a value all its own and that there are people actively out there interested in acquiring data in volumes and numbers that we didn’t see before,” said Adm. Mike Rogers, the Cyber Command commander and also director of the National Security Agency. The theft of 22.1 million federal records, including sensitive background information on millions of security clearance holders, will assist foreign nations in conducting future cyber attacks through so-called “spear-phishing,” Rogers said, declining to name China as the nation state behind the OPM hacks. Additionally, China is suspected in the hack uncovered in February of 80 million medical records of the health care provider Anthem, which would have given it access to valuable personal intelligence that can be used to identify foreign spies and conduct additional cyber attacks. […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail

[ISN] Outrage: Iran deal commits U.S. to teach them how to defeat a cyber attack

http://www.americanthinker.com/blog/2015/07/outrage_iran_deal_commits_us_to_teach_them_how_to_defeat_a_cyber_attack_.html By Thomas Lifson American Thinker July 22, 2015 Perhaps the very worst aspect of the Iran deal reached in Vienna is the commitment of the U.S. and European powers to teach the Iranians how to resist attacks such as Stuxnet. Although it has received very little media coverage (Adam Kredo of the Free Beacon is the notable exception), the agreement states (buried on page 142 of the 159-page deal, in Annex III, under Civil Nuclear Cooperation, Section D, under Nuclear Safety, Safeguards and Security, item 10): 10. Nuclear Security E3/EU+3 parties, and possibly other states, as appropriate, are prepared to cooperate with Iran on the implementation of nuclear security guidelines and best practices. Co- operation in the following areas can be envisaged: 10. Co-operation in the form of training courses and workshops to strengthen Iran’s ability to prevent, protect and respond to nuclear security threats to nuclear facilities and systems as well as to enable effective and sustainable nuclear security and physical protection systems; 10. Co-operation through training and workshops to strengthen Iran’s ability to protect against, and respond to nuclear security threats, including sabotage, as well as to enable effective and sustainable nuclear security and physical protection systems. The language obviously s not limited to physical threats, so it must include advanced cyber warfare training. The Israelis are outraged. Ari Yasher of Israel National News writes: […]


Facebooktwittergoogle_plusredditpinterestlinkedinmail