Kitz Forum

Announcements => News Articles => Topic started by: AArdvark on September 04, 2015, 08:30:20 PM

Title: How not to perform a critical software update.
Post by: AArdvark on September 04, 2015, 08:30:20 PM
How not to perform a critical software update.
Hacked Jeep USB update criticised
http://www.bbc.co.uk/news/technology-34156598

Obviously, saving money is more important than security.
This lunacy is worse than the original fault and opens the door to further grief when the update methodology is reverse engineered from the USB stick.

Who could possibly have signed this off ?
Title: Re: How not to perform a critical software update.
Post by: kitz on September 05, 2015, 08:51:06 AM
Does seem a bit silly with hindsight.

I wonder to what extent take control means "able to take control of a Jeep Cherokee via its internet-connected entertainment system"
Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 05, 2015, 10:17:18 AM
I read about it a few weeks ago, quite disturbing.  My understanding is that these cars are actually internet-connected, via their own mobile radio connection.  That is becoming quite common for new cars.  The remote attackers were able to make the radio play unpleasant music, control the aircon, etc.  And, more scarily, to make the car go faster or slower, and stop altogether.   :o

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

I would personally argue that for any system that connects to the public internet, it is just a matter of time til the bad guys find a vulnerability and do something nasty.  The real problem might then come when modern cars reach such an age - maybe just five or ten years old - that the manufacturers can no longer be bothered offering updates to fix vulnerabilities?  ???
Title: Re: How not to perform a critical software update.
Post by: kitz on September 05, 2015, 11:29:18 AM
Thanks for that 7LM.   I had wondered if it was just say the radio.   The fact that it can affect steering and speed is really very scary.  :o
Title: Re: How not to perform a critical software update.
Post by: AArdvark on September 05, 2015, 11:33:46 AM
@sevenlayermuddle
Ditto.
It has been all over the Internet because it was so serious.
The point is first you discover how to change things in a moving car.
The next you allow the update process to be reversed.
It is only a small step to someone working out how to make system changes on the fly *without* the usb stick.
The rest is an exercise in how good your imagination is. :(

Title: Re: How not to perform a critical software update.
Post by: AArdvark on September 05, 2015, 11:38:24 AM
The real risk is that it is likely not to be a 'Bad guy' but some clever kid(s) who don't realise the possible consequences.
The old "I didn't mean that, It was a joke" line. :(

Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 05, 2015, 12:01:09 PM
Actually, I'm not too alarmed by the USB update.

Relying on the 'secrecy' of an update mechanism is security through obscurity, which is always doomed.   That being the case, they might as well publish the update mechanism from day one, accepting it will eventually escape.

And at least they are clearly taking practical action to fix a very urgent and safety critical problem.   The obvious alternative would be a dealer recall, but the dealer network then has to find time for all this unscheduled work, it can take many months before all cars are updated.

I'm not too clued up on what possibilities there might be for a cryptographic signature on the update to allow phoney updates to be rejected.  I'd very much like to think they have that covered...?
Title: Re: How not to perform a critical software update.
Post by: AArdvark on September 05, 2015, 12:04:27 PM
I would like to think it also, but the track record of anticipation seems to suggest this isn't a foregone conclusion, by any measure. :)

Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 05, 2015, 12:27:14 PM
Quote
I would like to think it also, but the track record of anticipation seems to suggest this isn't a foregone conclusion, by any measure. :)

Agreed.

I read an article recently (maybe the one I posted earlier?) that compared modern cars to smartphones on wheels.  That must be a steep learning curve requiring new skills for the car makers, figuring out how to handle security aspects.  I would also hazard a guess that as discussed elsewhere recently for software vendors, the car makers will also face temptations for commercially valuable 'data grabs', which might be at odds with the best security interests.   

It would be rash to assume they'd all get it right, and it would be rash to assume that more than a tiny percentage of car buyers understand the risks.
Title: Re: How not to perform a critical software update.
Post by: AArdvark on September 05, 2015, 12:35:02 PM
Exactly the point.
Car makers know nothing about IT security. Even the IT industry has problems :)
They have probably 'rolled their own' when it comes to security.
They would have to pay to use something more secure from someone who knows what they are doing.
Such as QNX.
Also such things take time to develop and test, maybe they were in a hurry to beat a competitor??
They sure know the downside to that decision now!
:D

Title: Re: How not to perform a critical software update.
Post by: Chrysalis on September 07, 2015, 02:49:11 AM
Security never matters

until ....

A compromise happens that makes the news, then it will temporarily matter until the fuss dies down.

Think of all these sites being hacked as an example.

Only banks seem to take security seriously which is because of course they are responsible for damages, so e.g. they have to refund an account that has transactions due to security breaches in their systems.

As an example pretty much all routers that use Linux are using very obsolete code, I am surprised router exploits are as low as they are, but they will increase as they started to be targeted more now.
Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 09, 2015, 04:11:33 PM
Quote
Only banks seem to take security

Banks?  I beg to differ, in the extreme... many banks are IMAO absolutely clueless when it comes to security. :D

They often accept 'postcode and date of birth' as 'proof of identity' for customers calling by phone.  ::)  That is despite the fact that DOB is trivially easy to find out for a great many people.  And when banks call the customer, customers are expected to provide answers to security questions, even though the call could be fishing. Calling line ID means nothing, it is as easy to spoof a calling line ID on a phone call as it is to spoof a 'from' address in email.

Their liability for fraud is often non existent when the bank thinks you have disclosed passwords or PINs, or even just wrote them down.  They then create password requirements that are so horrendously complicated that most people must write it down to have any chance of remembering it.

They are generally in complete denial about the actual possibility of transaction errors caused by hardware or software bugs (or hacks), despite the fact we all know that all software has bugs, all  servers will eventually be hacked if somebody tries hard enough, and that all cash machines will once in a while miscount some bank notes.   :)
Title: Re: How not to perform a critical software update.
Post by: AArdvark on September 09, 2015, 06:03:22 PM
@sevenlayermuddle
Totally agree.

All the high profile institutions engage in 'Security Theatre'.
It looks good and can be backed up by a good story but is in reality not doing much really.
Security that works is hard to do and costs a lot.
The usual compromise is 'Make it look good' and make sure there is a way to re-direct the blame on someone else.
Banks when caught out blame the customer on the basis of a suspicion which does not need to be proven.
The Post Office has had people sent to prison for fraud when the fraud cannot be demonstrated but just the fact that money is missing is enough to win the case.
(The defence is that the software used by the PO franchisee is faulty but this cannot be proven/accepted by the PO.)

'Security Theatre' is everywhere, when you fly on a plane, invest money/trade stocks & shares, Banks (as above), drive a car ........ etc etc.
Everyone wants Security but nobody wants to pay for it.
End result is what we have now.
You get what you pay for sometimes.
Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 09, 2015, 07:16:39 PM
Quote
As an example pretty much all routers that use Linux are using very obsolete code, I am surprised router exploits are as low as they are, but they will increase as they started to be targeted more now.

Agreed on the Linux factor.  One has to tread carefully on Kitz forums when criticising Linux so to be clear, I think it is as well written as any other OS and that vulnerabilities are patched in double quick time, generally patched much faster than say Apple or Microsoft.

The trouble is, those who have adopted Linux 'snapshots' for embedded application in everything from electric toothbrushes to telecoms switches, with TVs, DVD players and the likes in between.   For a toothbrush or a coffee grinder, that's not a problem.   For a TV or DVD player, with an Internet connection,  like a router, it is a worry.   But for a critical telecoms switch, it really scares me.   :o
Title: Re: How not to perform a critical software update.
Post by: Chrysalis on September 09, 2015, 07:46:02 PM
Quote
Only banks seem to take security

Banks?  I beg to differ, in the extreme... many banks are IMAO absolutely clueless when it comes to security. :D

They often accept 'postcode and date of birth' as 'proof of identity' for customers calling by phone.  ::)  That is despite the fact that DOB is trivially easy to find out for a great many people.  And when banks call the customer, customers are expected to provide answers to security questions, even though the call could be fishing. Calling line ID means nothing, it is as easy to spoof a calling line ID on a phone call as it is to spoof a 'from' address in email.

Their liability for fraud is often non existent when the bank thinks you have disclosed passwords or PINs, or even just wrote them down.  They then create password requirements that are so horrendously complicated that most people must write it down to have any chance of remembering it.

They are generally in complete denial about the actual possibility of transaction errors caused by hardware or software bugs (or hacks), despite the fact we all know that all software has bugs, all servers will eventually be hacked if somebody tries hard enough, and that all cash machines will once in a while miscount some bank notes.   :)

talking about internet security.

ultimately tho allowing people to remotely manage their accounts will always carry loopholes or weaknesses as you put it.

But if you compare banks to how other companies approach web site security there is a clear difference.

By the way my first hand experience differs, I suffered fraud some years back, they put the money back in my account extremely quickly, before they even sent out the form for me to fill in.
Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 09, 2015, 08:02:42 PM
Quote
talking about internet security.

ultimately tho allowing people to remotely manage their accounts will always carry loopholes or weaknesses as you put it.

But if you compare banks to how other companies approach web site security there is a clear difference.

By the way my first hand experience differs, I suffered fraud some years back, they put the money back in my account extremely quickly, before they even sent out the form for me to fill in.

Glad to hear you had good experience.

My own only relevant experience was when a major discrepancy (several £1,000) appeared on my statement.  The error was in my favour, a cheque I paid in a few weeks previous had been credited multiple times.    I quickly researched the legal situation and concluded, sadly, that to have kept it would legally be theft. So I had to tell them.  But it was really quite a struggle to persuade the bank to correct it, simply because they had it ingrained that such errors cannot happen.  :D

Eventually, having worked my way up the management chain, I persuaded them to take back the money  ::) . But it left me with an uncomfortable foreboding that, should I ever suffer bank error in their favour, getting them to admit it would be nigh on impossible.

No explanation was ever given.  The cheque holder's account had only been debited the once, so the cash had apparently come from nowhere.
Title: Re: How not to perform a critical software update.
Post by: Chrysalis on September 09, 2015, 08:10:53 PM
A system error is a bit different to a security breach, in addition they will obviously take something more seriously when a customer is losing money rather than gaining it.

I am at a loss as to why you haven't noticed web sites of banks are no more secure than non banking companies.

e.g.

I have never seen a bank use an expired cert.
I have never seen a bank rely on only a password for authentication.
I have never seen a bank use ciphers that are considered obsolete by the community.
I have never seen a bank send authentication details in unencrypted email.

Maybe some banks do this, but not any I have used, I have seen plenty of other companies follow those kind of practices tho, so I am not saying banks have flawless protection, there is no such thing, but rather that their security is at a different level to non banking operations.

Not to mention there are numerous banks in a high level private security mailing list I am a member of, with the likes of Google and Microsoft also contributing to that list, but no representatives from places like retailers, social media sites, game companies etc.  They play an active role in how security moves forward.

end of the day if you want a server completely protected, then disconnect the network cable.
Title: Re: How not to perform a critical software update.
Post by: loonylion on September 09, 2015, 11:02:25 PM
Quote
end of the day if you want a server completely protected, then disconnect the network cable.

And lock the door.
Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 10, 2015, 07:23:36 PM
As if on cue, a major breach at Lloyds in the news today...

http://www.bbc.co.uk/news/business-34209500

Quote
I have never seen a bank use an expired cert.
I have never seen a bank rely on only a password for authentication.
I have never seen a bank use ciphers that are considered obsolete by the community.
I have never seen a bank send authentication details in unencrypted email.

These are just tick boxes and whilst commendable, are no substitute for a responsible and considered attitude.  Moreover, I have never personally heard of a major breach based on failure to tick these boxes - far more likely, a vulnerability will be found (like recent TLS/SSL bugs), that render the ticks somewhat irrelevant.

I'm not much given to praising Google these days, but I have to admit their 'Bounty' program whereby they reward researchers who find security vulnerabilities is hard to criticise.  The trouble with banks is they seem to honestly think that, as long as they tick all the boxes, there will be no vulnerabilities.

Which of course is utter nonsense, especially if you leave a data storage box in a vulnerable place.   Or as I stressed earlier, if you accept knowledge of date-of-birth as 'proof of id', or if you condition your customers to freely disclose information to 'phishing' phone calls.
Title: Re: How not to perform a critical software update.
Post by: roseway on September 10, 2015, 07:31:33 PM
Quote
Nevertheless customers are being advised to take out identity protection, as an extra layer of security.

That's not security, it's insurance. And it does little or nothing to protect you against the consequences of having your identity stolen.
Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 10, 2015, 07:54:41 PM
Quote
Nevertheless customers are being advised to take out identity protection, as an extra layer of security.

That's not security, it's insurance. And it does little or nothing to protect you against the consequences of having your identity stolen.

I agree.

But somebody at Lloyds probably went home with a big bonus today, for having dreamed up a way of turning negative news into an opportunity to promote another insurance product.    ::)
Title: Re: How not to perform a critical software update.
Post by: Chrysalis on September 10, 2015, 09:43:35 PM
Quote
As if on cue, a major breach at Lloyds in the news today...

http://www.bbc.co.uk/news/business-34209500

Quote
I have never seen a bank use an expired cert.
I have never seen a bank rely on only a password for authentication.
I have never seen a bank use ciphers that are considered obsolete by the community.
I have never seen a bank send authentication details in unencrypted email.

These are just tick boxes and whilst commendable, are no substitute for a responsible and considered attitude.  Moreover, I have never personally heard of a major breach based on failure to tick these boxes - far more likely, a vulnerability will be found (like recent TLS/SSL bugs), that render the ticks somewhat irrelevant.

I'm not much given to praising Google these days, but I have to admit their 'Bounty' program whereby they reward researchers who find security vulnerabilities is hard to criticise.  The trouble with banks is they seem to honestly think that, as long as they tick all the boxes, there will be no vulnerabilities.

Which of course is utter nonsense, especially if you leave a data storage box in a vulnerable place.   Or as I stressed earlier, if you accept knowledge of date-of-birth as 'proof of id', or if you condition your customers to freely disclose information to 'phishing' phone calls.

whilst it's amusing the date of this event, it bears no relation to their web services. :)

One simple question, is it your belief banks don't take security more seriously than tesco and co on their web portals?
Title: Re: How not to perform a critical software update.
Post by: sevenlayermuddle on September 10, 2015, 10:29:50 PM
Quote
One simple question, is it your belief banks don't take security more seriously than tesco and co on their web portals?

I have no personal experience of Tesco, but I would anticipate their attitude to overall customer security to very probably be even worse than that of the banks.

The fact that others may be even worse does not alter my perception that most banks' approach to overall security of online accounts, in my opinion, leaves an awful lot to be desired.