[ISN] Researcher says he can hack GM’s OnStar app, open vehicle, start engine

http://venturebeat.com/2015/07/30/researcher-says-can-hack-gms-onstar-app-open-vehicle-start-engine/
By Bernie Woodall in Detroit and Jim Finkle in Boston
Reuters
July 30, 2015

BOSTON/DETROIT (Reuters) – A researcher is advising drivers not to use a mobile app for the General Motors OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely.

“White-hat” hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service.

Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities.

Kamkar released the video a week after Fiat Chrysler Automobiles recalled some 1.4 million vehicles after hacking experts demonstrated a more serious vulnerability in the Jeep Cherokee. That bug allowed them to gain remote control of a Jeep traveling at 70 miles per hour on a public highway.

[…]

[ISN] Hacking Critical Infrastructure: A How-To Guide

http://www.defenseone.com/technology/2015/07/hack-critical-infrastructure/118756/
By Patrick Tucker
Defense One
July 31, 2015

Cyber-aided physical attacks on power plants and the like are a growing concern. A pair of experts is set to reveal how to pull them off — and how to defend against them.

How easy would it be to pull off a catastrophic cyber attack on, say, a nuclear power plant? At next week’s Black Hat and Def Con cybersecurity conferences, two security consultants will describe how bits might be used to disrupt physical infrastructure.

U.S. Cyber Command officials say this is the threat that most deeply concerns them, according to a recent Government Accountability Office report. “This is because a cyber-physical incident could result in a loss of utility service or the catastrophic destruction of utility infrastructure, such as an explosion,” the report said.

The most famous such attack is the 2010 Stuxnet worm, which damaged centrifuges at Iran’s Natanz nuclear enrichment plant. (It’s never been positively attributed to anyone, but common suspicion holds that it was the United States, possibly with Israel.)

Scheduled to speak at the Las Vegas conferences are Jason Larsen, a principal security consultant with the firm IOActive, and Marina Krotofil, a security consultant at the European Network for Cyber Security. Larsen and Krotofil didn’t necessarily hack power plants to prove the exploits work; instead Krotofil has developed a model that can be used to simulate power plant attacks. It’s so credible that NIST uses it to find weakness in systems.

[…]


[ISN] Intel Assessment: Weak Response to Breaches Will Lead to More Cyber Attacks

http://freebeacon.com/national-security/intel-assessment-obama-admin-response-to-cyber-encourages-more-attacks/
By Bill Gertz
Washington Free Beacon
July 28, 2015

The United States will continue to suffer increasingly damaging cyber attacks against both government and private sector networks as long as there is no significant response, according to a recent U.S. intelligence community assessment.

Disclosure of the intelligence assessment, an analytical consensus of 16 U.S. spy agencies, comes as the Obama administration is debating how to respond to a major cyber attack against the Office of Personnel Management. Sensitive records on 22.1 million federal workers, including millions cleared for access to secrets, were stolen by hackers linked to China’s government.

U.S. officials familiar with the classified cyber assessment discussed its central conclusion but did not provide details. Spokesmen for the White House and office of the director of national intelligence declined to comment.

Recent comments by President Obama and senior military and security officials, however, reflect the intelligence assessment.

[…]


[ISN] Critical BIND denial-of-service flaw could disrupt large portions of the Internet

http://www.computerworld.com/article/2955005/security/critical-bind-denialofservice-flaw-could-disrupt-large-portions-of-the-internet.html
By Lucian Constantin
IDG News Service
July 30, 2015

Attackers could exploit a new vulnerability in BIND, the most popular Domain Name System (DNS) server software, to disrupt the Internet for many users.

The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND 9.10.2-P2, and can be exploited to crash DNS servers that are powered by the software.

The Domain Name System is the Internet’s phone book. It’s used to convert domain and host names into numerical Internet Protocol (IP) addresses that computers need to communicate with each other. The DNS is made up of a global network of servers and a very large number of them run BIND, a software package developed and maintained by a nonprofit corporation called the Internet Systems Consortium (ISC).

The vulnerability, announced and patched by ISC Tuesday, is critical because it can be used to crash both authoritative and recursive DNS servers with a single packet.

[…]


[ISN] Federal Employee May Have Been Cooking Meth at Government Agency’s Campus

http://www.govexec.com/oversight/2015/07/fbi-and-congress-are-investigating-if-meth-lab-exploded-federal-building/118751/
By Eric Katz
Govexec.com
July 30, 2015

A federal employee may have recently learned the hard way that cooking meth should be left to the chemistry experts.

The FBI and a congressional committee are investigating whether a federal worker was manufacturing methamphetamine in a federal building after a room exploded earlier this month. After a July 18 explosion at a building at the National Institute of Standards and Technology’s Gaithersburg, Md., campus, authorities found many of the key ingredients for making meth and a recipe for the drug, according to News4, the NBC’s Washington, D.C., affiliate.

The House Science, Space and Technology Committee is looking into whether a federal police lieutenant who was injured in the blast was involved in cooking the meth. The lieutenant resigned from NIST last week, according to The Washington Post. The officer originally told authorities the blast occurred after trying to refill a butane lighter.

[…]


[ISN] Windows 10 Shares Your Wi-Fi With Contacts

http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/
By Brian Krebs
Krebs on Security
July 29, 2015

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends.

This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).

I first read about this disaster waiting to happen over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.

[…]