Connected cars: How to improve their connection to cybersecurity

With software becoming more important than ever, how can engaging the security industry make the road ahead less winding?

Here at CES, the car manufacturers race to launch the latest gadgets in their new models before the competition. And that’s hard to do without breaking down the software silos. That would mean using widely developed, open-source toolsets with rich histories, rather than re-developing functionality that’s already available inside your own black box. Auto manufacturers have resisted this for years.

For example, why aren’t car makers standardizing around Automotive Grade Linux (AGL)? While some are warming to the idea, it’s taken years to make even modest progress. An open-source initiative aimed squarely at providing the underpinnings for a new generation of automotive innovation – it’s been a long time coming.

Why? Historically, the car manufacturers have been busy perfecting their technology silos, complete with specialized developers and piles of legacy code (that will last forever) built on technology they (mostly) understand. Still, it’s not a smooth way forward.

No? Ask operating system manufacturers who built the whole stack themselves. Later, they understood the differentiator in the market was in the magic they built on the foundation perfected by others. It worked. Using a foundation of open source yields a product with better features, sooner, which consumers are happy to buy. Not so much in the car market. Yet.

Still, with the advocacy of The Linux Foundation and a seemingly glacial pace of buy-in – first from the tier one providers, then, in a sort of begrudging forward motion, from the automotive manufacturers themselves – we’re finally seeing progress.

I spoke with one proponent of AGL who said he’d come from a tier one provider where he’d been advocating for using a standardized development environment for graphics for its automotive systems – they said ‘no’. Viewed with suspicion, standardized build environments were verboten. Years later, they’re starting to see the light.


Now AGL seems to be moving down the stack from the infotainment systems to the instrument cluster. It makes sense. Linux has been doing network duties almost since there was a Linux. Now, with the increasing support from their employers, developers in the automotive industry can rapidly accelerate the development process itself, standardize testing, engage a host of experts and, basically, make cars a lot better, very quickly.

It won’t be any too soon, as security pundits have been warning for years. But progress is progress, and at CES it’s as refreshing as a cool desert breeze to see them all huddled in an area facing the same direction – forward.

For example, there were several companies at CES offering what seem like standard security techniques for cars, things like network monitors, intrusion detection, whitelisting and the like. But they’re sort of bolt-on patches, because car communication protocols themselves lag far behind current network technology. Most cars on the road today have little, if any, authentication on the systems that control the car itself.

It’s most welcome that for the past couple of years there has been significant energy toward upgrading the control communication to be robust enough to have more meaningful authentication, which is a start.

In the future, hopefully, we can get on with the business of bringing robust toolsets to bear – along with the companies that already have experience using them – and with the business of baking in security.

And since your next car will have more networks and electronics than your last one – probably much more – this can result in lower prices, fuller feature sets and more confidence that the industry is moving in the direction the experts have already paved. If you engage the security industry in this manner, the road ahead just might be a bit smoother.

10 Jan 2020 – 02:34PM

Mozilla rushes out patch for Firefox zero‑day

The US cybersecurity agency warns that the critical vulnerability could allow attackers to take control of people’s computers

Mozilla has rolled out a new version of its Firefox web browser to address a critical zero-day vulnerability that has been abused for targeted attacks.

Details about the flaw and its exploitation are rather sparse, however. What little is known, according to Mozilla’s security advisory released on Wednesday, is that it is a type confusion error that resides in IonMonkey, the just-in-time (JIT) compiler for the browser’s SpiderMonkey JavaScript engine.

A warning from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) notes that the flaw could be exploited to take control of an affected system.

Mozilla said that it is “aware of targeted attacks in the wild abusing this flaw”. The vulnerability is tracked as CVE-2019-17026 and affects both Firefox and Firefox ESR, the latter of which is used by large organizations.

The browser’s new versions – Firefox 72.0.1 and Firefox ESR 68.4.1 – are available for all of its supported desktop platforms: Windows, macOS and Linux. Needless to say, users are recommended to waste no time in applying the update. The fixes can be implemented by going to the Firefox menu and clicking on Help and then About Firefox. Per Statcounter, Firefox commands a 9-percent desktop browser market share.

The updates came merely a day after Mozilla shipped out Firefox 72.0 and Firefox ESR 68.4, which themselves included fixes for several security flaws, albeit largely lesser in severity.

Last June, Mozilla patched two zero-days two days apart. Other web browsers, notably Chrome and Internet Explorer, have also received emergency patches for zero-days in recent months.

A few years back, ESET researchers documented how a then zero-day affecting Firefox was being abused by threat actors.

9 Jan 2020 – 01:48PM

CES – Taking a smart city for a test drive

No one has a road map for securing a connected city – but there should be a whole atlas of such maps

Here at CES, Toyota just announced plans to build a 175-acre (70-hectare) playground in Japan to test connected cities, complete with cars, buildings and real residents willing to be something of ongoing beta-testers. While this promises to be closely watched by the industry, it also points to the need to get some test-world feedback prior to launching connected cities in the real world.

Not so with most of the exhibitors here who merely dream of a connected city and hope for the best. Who will secure it? Where will they get the budget? Where will they get the high-priced expertise to make it all run? These, and a host of other related questions will come to the fore in 2020. No one has a good road map.

Some cities are making progress and are trying to work with the National Institute of Standards and Technology (NIST) to develop a framework eventually. This is good progress, but the cities that are taking the lead have very high tax bases to fund such initiatives, have invested heavily to build and own the infrastructure necessary to “encourage” third-party providers to play nice, and have buy-in from local legislators. All of these things must be in place to have a chance of making it all work. They usually aren’t.

I recently sat at a county planning meeting where officials wrestled with 5G rollout being foisted upon them. Those in charge at that meeting had to have 5G explained at a fundamental level. This means they’re not really in a position to weigh in as experts on issues like granting development permits that mesh with county initiatives and a future path to becoming a smart city. It’s not good. It’s also not rare.


International Data Corporation (IDC) predicts that between 10% and 30% of IoT-related smart city projects will fail next year due to a combination of poorly defined outcomes, a lack of understanding of vendor offerings, and limited funding and stakeholder engagement – a sobering prediction.

Once a city becomes willing, it has to generate a raft of legal documents to set the stage. Here’s where, hopefully, NIST will do the heavy lifting.

After that, it has to actually be built – not just a piece of it, but the whole comprehensive plan.

It’s one thing to secure a single piece of the ecosystem; it’s quite another to secure the whole ecosystem. Ask the operating system developers how that works, with many programs fighting to share resources, resolve conflicts and avoid blame for malfunctions. How would this work in a smart city?

Presumably, the municipality would be open to lawsuits when things go wrong, or at least vulnerable to escalating insurance premiums in case things go wrong. It’s unclear to smaller, non-tech-savvy cities with tighter budgets whether the benefit will outweigh the expense of going the smart city route.

But they may be forced into it, anyway.

Remember when bring-your-own-device (BYOD) started hitting the workplace and IT groups scrambled to do damage control and put some management systems in place? The few BYOD management suites that were available either lacked full-featured management or were broken altogether. Every IT department went into defensive mode until issues could be resolved. But BYOD still happened. This is that, but for cities.

Eventually, the needed safeguards and standards will be trotted out, but will be preceded by years of infighting amongst the stakeholders.

What can you do to prepare?

Now is a good time to take stock of your systems and decide whether they come outfitted with security by design or merely as an afterthought. If data are protected by default at rest and in motion, breaches in the ecosystem will be less impactful. If, on the other hand you decide to leave security up to the ecosystem itself, the road will be much rockier.

Meanwhile, cities will be scrambling to find information and budget to make it all work. That will take a while. As that clock ticks, you can still work to secure your own data in the best way, so when smart cities are foisted upon you, you’ll be safe. Well, safer, anyway.

8 Jan 2020 – 07:33PM

Facebook bans deepfakes but not all altered content

Footage defined as parody or satire will be permitted, as the social network isn’t slamming the door on all types of manipulated media

Facebook is rolling out a new set of rules aimed at curbing the spread of manipulated media as the specter of highly convincing deepfake videos looms large over the US presidential elections and beyond.

An announcement by the platform’s vice president of global policy management Monika Bickert reveals that Facebook is deploying a multi-pronged approach to deal with the growing threat of manipulated media that are created to spread disinformation and sway public opinion.

For one thing, Facebook will remove manipulated content that ticks these two boxes:

it has been “edited or synthesized – beyond adjustments for clarity or quality – in ways that aren’t apparent to an average person and would likely mislead someone into thinking that a subject of the video said words that they did not actually say”, and it is “the product of artificial intelligence or machine learning that merges, replaces or superimposes content onto a video, making it appear to be authentic”.

It follows that the tighter policy applies to deepfake technology, which is an example of how machine-learning algorithms can be deployed for nefarious purposes. [Deepfakes were also singled out by ESET experts as one of the cybersecurity trends to watch out for in 2020.]

So far so good, but the ban won’t actually extend to other types of doctored media. More precisely, the social network won’t banish “video that has been edited solely to omit or change the order of words” or content altered for the sake of parody and satire.

One issue that may sometimes arise is, where do you draw the line and decide that something is meant to be purely humorous?


Nevertheless, Facebook vows not to sit on its hands when it comes to media that are doctored, including with less advanced methods, and don’t meet the criteria for removal. Such content may still be subject to an independent fact-check and ultimately regulated, as it were.

“If a photo or video is rated false or partly false by a fact-checker, we significantly reduce its distribution in News Feed and reject it if it’s being run as an ad. And critically, people who see it, try to share it, or have already shared it, will see warnings alerting them that it’s false,” said Bickert.

She argued that taking such videos down wouldn’t stop people from viewing them elsewhere – all the while being unaware that the videos are fake. Leaving them up and labelling them as false instead will provide people with crucial information and context, she said.

ESET security specialist Jake Moore recognized Facebook’s move but also noted that bans can only go so far and that we need to be more discerning, as well as be ready for what’s to come. “Not only do we need better software to recognize these digitally manipulated videos, but we also need to make people aware that we are moving towards a time where we shouldn’t always believe what we see,” says Moore.

7 Jan 2020 – 05:08PM

Week in security with Tony Anscombe

ESET experts offered some valuable advice this week to help keep your digital life secure in the new year

Law enforcement in Thailand is looking into an incident that resulted in the broadcasting of live CCTV footage from a prison on YouTube. The issue reminds us of the need to stick to basic cybersecurity practices, and ESET experts offered some excellent advice this week on how to stay safe online when using various devices in 2020. All this – and more – on WeLiveSecurity.com.

Google disables Xiaomi smart home integration after camera bug

A Xiaomi security camera owner reports receiving random images from strangers’ homes

Smart-home security appliances are not always what they are made out to be and recently some have been running into more problems than is healthy. Some smart doorbells have been caught recording more data than thought, while Wyze Labs, which makes connected home gadgets, has been hit by a data breach.

The latest news is that a mishap involving one of Xiaomi’s security cameras has led Google to temporarily shut down access for Xiaomi devices to Google Nest Hub and Assistant. This was after a user reported that his Xiaomi Mijia 1080p Smart IP Security Camera received still images from random people’s homes when he tried to stream the feed from his camera to his Google Nest Hub. The mix-up – uncovered by a Reddit user going by the handle /u/Dio-V and apparently picked up first by Android Police – is described in detail in Reddit’s r/googlehome thread.

The security camera itself can be linked to the Google Nest line of devices using Xiaomi’s proprietary Mi Home app. The hub, while trying to access the camera feed, started showing still images from random locations. Some of the black-and-white, partly corrupted images even included people sleeping and a baby in a cradle, which is especially disturbing.

Google reacted promptly: “We’re aware of the issue and are in contact with Xiaomi to work on a fix. In the meantime, we’re disabling Xiaomi integrations on our devices.”

The Chinese tech giant has acknowledged the issue and said that it doesn’t take users’ privacy issues lightly: “We apologize for the inconvenience this has caused to our users. Our team has since acted immediately to solve the issue and it is now fixed. Upon investigation, we have found out the issue was caused by a cache update on December 26, 2019, which was designed to improve camera streaming quality. This has only happened in extremely rare conditions. In this case, it happened during the integration between Mi Home Security Camera Basic 1080p and the Google Home Hub with a display screen under poor network conditions,” reads Xiaomi’s statement for XDA developers.

Although IoT devices have come a long way in simplifying our lives, they still have a long way to go before we can consider them secure enough to become a regular part of our lives. Manufacturers have to make cybersecurity one of the pillars of their devices and not a mere afterthought.

On a related note, ESET researchers recently documented a series of security holes in a D-Link cloud camera that allowed attackers to not only intercept and view the recorded video, but also to manipulate the device’s firmware.

3 Jan 2020 – 03:30PM

Simple steps to protect yourself against identity theft

As we enter the New Year, be sure to keep up, or adopt, these good data security habits to avoid identity theft

Are you doing enough to reduce the risk of having your identity stolen? As you start the New Year, this is a good time to reflect on what kinds of measures you should take to prevent thieves from stealing and using your Personally Identifiable Information (PII) for fraudulent activities. As more and more of our personal information is online and cybercriminals target everything from bank accounts to tax refunds, identity theft is a growing concern. With your sensitive information in their hands, crooks can make fraudulent purchases, open new accounts or apply for loans in your name.

Watch the video to see how you can reduce the risk of falling victim to identity theft. Among other things, you’ll learn:

How to respond to requests for your personal information
Why register with credit bureaus as well as monitor your financial accounts
How to stop scammers from pulling off a SIM card swap
Why using weak passwords is risky and what to do instead
Why opt for multi-factor authentication wherever it is available
How security software can help
Why encrypt your data and devices and shred documents containing sensitive information


Stay safe in 2020!

2 Jan 2020 – 11:30AM

20 tips for 2020: Be smarter with your smartphone

In the second blogpost of the two-part series we’ll suggest handy tips to help enhance the security of your mobile devices

Yesterday, we discussed bad cybersecurity habits you should avoid in 2020, especially where computers are involved. We’re not done yet. Some of the recommendations apply to both computers and smartphones, such as being especially wary when connecting to a public Wi-Fi network. Our upcoming cybersecurity tips are more smartphone-centric.

Authentication

You’d think that locking your phone would be a no-brainer, but contrary to popular belief, not all people secure their smartphones with an authentication measure. According to a report by the Pew Research Center, almost a third of Americans don’t use any kind of screen lock. You should always securely lock your device, period. And by locking your device, we don’t mean half-hearted measures like an L pattern or a 1234 PIN. Optimally, use a combination of a biometric feature if possible (fingerprint or face recognition) and a password.

Using the official store

As enticing as the prospect of rooting or jailbreaking your device might sound, most manufacturers advise against it. Not without good reason: it opens your device to unnecessary risks. It also sometimes adds an unofficial app store, which isn’t as strictly monitored as official stores. Apps aren’t curated on such alternative stores, nor do they go through an approval process, which means you could download an overtly malicious app that may wreak havoc on your device. You have probably surmised that it’s best to stick to official stores to minimize the risks.

Granting apps permissions

Apps request a variety of permissions so they can work appropriately. You usually just scroll over them absentmindedly and tap accept. As convenient as that might be, you should always peruse the permission list requested by an application. If you accept them all you may be granting bad actors access to sensitive data or allowing them to scam you out of money, or even to spy on you. After all, does a flashlight app really need access to your microphone or camera?

Using security software

Most people underestimate the value of using security software to protect their smartphones, which is surprising, to say the least. The reasoning behind it may be that they still consider it to be a phone more than a pocket personal computer. Regardless of the reason, we have seen time and again that smartphones are susceptible to breaches and attacks the same way computers are. Therefore, reputable security software can spare you from a headache in the future.

Remote wiping

Expanding on the previous tip, the better security software providers offer the nuclear option of remotely wiping your device if it is lost or stolen. As radical as the idea may sound, it is a good option to have if you store sensitive data you don’t want anyone to see. Alternatively, you may be able to set up your device to wipe itself if authentication fails a certain number of times.

Encryption, backup, and patching

One rule all of us should always follow is to back up our data. In the event you become a victim of a malicious attack that may corrupt or lock your files, at least you’ll have a backup you can use for recovery. Encryption is also a critical step you should not underestimate. Encrypting the files on your smartphone will give the bad actors a run for their money, making it harder for them to realize their malicious intent. To lower the chance of any of the mentioned things happening, you should always install the latest official updates on your device since they often contain security patches that help keep you protected.

Safe disposal of the device

You might want to pass along your device or even sell it, but that entails several steps you have to go through so that you dispose of it safely. Depending on the device, that might include anything from encrypting the drive before wiping it to logging out of all the services you use. Whatever the case, don’t underestimate the critical importance of conducting the process thoroughly so that your privacy remains intact.

Dodgy calls and phishing texts

Phishing scams take all kinds of forms and although email is the most popular conduit, it is by far not the only one. Scammers have been known to send out text messages containing links that lead to all types of malware. Recently, bad actors have been engaging in more sinister attempts. You may receive calls from international numbers in countries you have never had any interaction with. By calling the number back you can be charged exorbitant prices, so if that ever happens think long and hard before calling back.

It can’t happen to me

Hopefully, you’ll never have to deal with the fallout of a security breach or of your accounts being hacked. But admitting that the possibility is always there can help you in the long run. Being prepared is by no means a bad thing. From securing your device, to having backups at the ready, or having the option to remotely wipe your device, you can reduce the damage to a minimum. If nothing happens great; if something does, you’re ready to face it head-on.

That sums up our list of 20 cybersecurity tips for 2020. We hope that these tips will help you in having a better, safer year with less to worry about and more to look forward to.

31 Dec 2019 – 11:30AM

20 tips for 2020: Mistakes to avoid

In this first instalment of the two-article series we will be looking at cybersecurity habits to avoid when using your computing devices

As we’re entering 2020, we’re also plotting out our New Year’s resolutions. Instead of suggesting what you should do next year, however, let’s have a look at some cybersecurity mistakes you should avoid for a more secure 2020.

Denying you are a target

You’ve probably already brushed off this possibility with contempt, thinking the chances are slim to none. To quote Dwight from The Office, “False”. When it comes to the internet, you cannot anticipate if a breach will directly affect you. New malware may appear or a service that you use may get hacked and your password can be leaked. All of these are probabilities that you should be aware of, and prevention can go a long way in securing your connected presence.

Clicking on suspicious links

Receiving spam has become a part of everyday life. Sometimes it’s just a harmless ad, but every now and then it can be something more sinister. You might get an email coaxing you to click on a suspicious link to claim a prize you’ve won. Or an offer that sounds too good to pass up might appear in an ad. Whatever the case, if you have even a shred of doubt about it: avoid clicking on it at all costs. The link just may contain malware that may wreak all kinds of havoc on your computer.

Failing to patch

Is your computer nagging you for the umpteenth time to install that pesky update? Perhaps the latest patch for your smartphone’s OS has been released. You’ve probably hit the postpone button more times than you’ve snoozed your alarm. We can’t speak to your sleeping habits, but you should always keep your devices updated to the latest version of software available. It will probably save you from a headache in the long run. The infamous WannaCryptor malware spread due to devices not being patched.

Recycling your passwords

To simplify the arduous task of memorizing scores of passwords, some people resort to recycling. This means that they reuse the same password or passphrase, perhaps varying a character or two or adding to it. This practice should be avoided. It allows bad actors to guess the rest of your passwords if they can figure out one.

Not using 2FA

Two-factor authentication (2FA), also known as multifactor authentication (MFA), is a simple way to add an extra layer of security to your accounts. The most common 2FA method used by popular online services is a text message with an authentication code sent to your phone. It is one of the most basic methods but use at least this one if you have no other option. If bad actors are missing one piece of the puzzle, they cannot get in until they overcome that hurdle, which might make them look for an easier challenge elsewhere.

Ignoring your router setup

When it comes to home interconnectivity, the router is the heart of your home. All your devices with an internet connection are linked to it, be it your smart TV, smartphone, personal computer or laptop. For convenience’s sake, a lot of people just go through the bare necessities when installing it or keep the default settings pre-configured by their ISP. You should always take steps to secure your router, so you can browse the internet safely.

Using unsecured public Wi-Fi

Most places like cafes, restaurants, and even shops offer complimentary Wi-Fi connections, which is a welcome alternative to using up your precious data plan. As convenient as such free connections might be, you should be careful what you connect to. An unsecured public Wi-Fi can lead to your private data being stolen or your device being hacked.

Disregarding VPN

Besides using a Virtual Private Network (VPN) to connect to your work’s servers, there are other security reasons to use one in private. You can use VPNs to access your home network remotely or to limit your ISP from seeing what you are doing, or to browse safely on public Wi-Fi. Depending on what you want to do, there are various types of VPNs you can choose from to protect your communication.

Skimping on security software

The internet is a useful tool, no doubt, but to paraphrase G.R.R. Martin, it can be dark and full of terrors. Granted, this leans towards hyperbole, but you should always use reputable security software to protect your data. Clicking on the wrong link might lead to malicious code making its way to your computer. Security software provides multiple layers that can stop these threats in their tracks. Prevention is the mother of security; athletes in contact sports use mouthguards as a preventive measure because fixing their teeth is more expensive than protecting them. The same goes for your data.

Underestimating backup and encryption

If, due to some unforeseen circumstances, your computer kicks the can, having a backup comes in handy. Always back up your sensitive data and things you have been working on recently; thus, if something does happen, you can continue unhindered by the unfortunate loss of your device. The same goes for encryption. Never underestimate the value of having your data encrypted: if you get hacked, the bad actor will have a tough time getting to your data; if your device gets stolen, you have an extra layer of security in place before you remotely wipe it.

If you just counted ten tips and not twenty, you would be right. So stay tuned, as tomorrow we’ll continue with tips that will be geared towards smartphones.

30 Dec 2019 – 11:30AM

Prison surveillance footage posted on YouTube

It’s not a stretch to surmise that the incident was enabled by poor security settings

Law enforcement in Thailand is looking into an incident that resulted in the streaming of live surveillance footage from a local prison on YouTube, according to a report by The Bangkok Post.

The feed, which gave a glimpse into inmates’ daily lives in crowded cells, contained materials from several locations within the facility. The footage was aired on the video-sharing platform for several hours on Tuesday and was leaked by an as-yet unknown attacker on a YouTube account named ‘Big Brother’s Gaze’ after he compromised, apparently on Monday, the CCTV system of the Lang Suan prison in the southern part of the country.

The cameras were connected to the internet so that authorized individuals, notably prison and other law-enforcement officials, could keep tabs on the situation in the prison from any smart device. The CCTV system was taken offline in the wake of the incident.

The authorities didn’t say what opened the door to the intrusion, but the attacker himself did give more than a hint: “When installing video surveillance change the standard passwords,” reads a message in the ‘About’ section of the YouTube channel in question. According to the Associated Press, the account previously contained footage from security cameras at a Thai company’s office, street views of Salt Lake City, an office in Australia and a café in Amsterdam.

Poor password practices, along with vulnerable embedded firmware and the absence of patches, are just some of the main problems that plague all sorts of internet-connected things, including, somewhat ironically, security cameras.

As one might have expected, this was not the first time that an unauthorized party has remotely tapped into a CCTV feed and streamed it online. For example, in early 2018 live footage from surveillance cameras in four British schools was put online. The incidents were also caused by poor password hygiene.

In another highly publicized case involving CCTV systems, two-thirds of public-space cameras in Washington, DC, were put out of action as part of a ransomware operation in January 2017.

27 Dec 2019 – 04:26PM