Shamrock Information Security
2016-06-13 by Drs. Andor Demarteau

The niner noteworthy stories of 2016 (week 23)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

  • Wi-Fi hack disables Mitsubishi Outlander’s theft alarm – white hats
  • Irongate: New Stuxnet-like Malware Targets Industrial Control Systems
  • Facebook: We Don’t Spy on You Via Your Phone’s Mic
  • One Year After OPM Data Breach, What Has The Government Learned?
  • China pledges tighter privacy as it centralises personal health data
  • Infosec 2016: Shadow IT Lets Employees Take Company Data To New Jobs
  • Your comms metadata is super-revealing but the law doesn’t protect it
  • FBI Sends Computer Information Collected By Its Hacking Tools In Unencrypted Form Over The Open Internet
  • It happened, the “my manager keeps a paper list of all of our passwords”

Wi-Fi hack disables Mitsubishi Outlander’s theft alarm – white hats

Pre-shared key in owner’s manual. Hmmm

This isn’t the first and certainly not the last incident in which car manufacturers fail to take securing connections to and from their vehicles seriously. Although it may indeed be that you can’t drive away without the remote, disabling the alarm system could potentially allow a thief to find an alternative to the remote to start and indeed drive the car away.
The reliance on WiFi instead of GSM connectivity and a cloud-based service provider may not be a bad thing, as the article states, although it may be inconvenient. If the service provider itself is compromised, all cars registered there are compromised instead of only the one car in this example. But that would obviously only hold true if Mitsubishi had taken implementing this feature with security by design seriously.
source: the Register (external link)

Irongate: New Stuxnet-like Malware Targets Industrial Control Systems

You make a piece of sophisticated malware, it leaks out, and you have a nice piece of concept code to build upon or an idea to copy. It is therefore not surprising that the Irongate malware concept that was found again targets Siemens systems, just like the original Stuxnet code did.
Not surprising in itself, but it does highlight nicely why it is important to adequately protect Industrial Control Systems of all shapes and sizes against these and other types of attacks, especially the ones with internet connectivity or the ones that regularly receive updates via USB sticks and other portable media.
If you don’t have the right processes in place, you are vulnerable and, depending on your type of industry, so are a lot of people around your industrial site.
source: The Hacker News (external link)

Facebook: We Don’t Spy on You Via Your Phone’s Mic

There has been a lot of chatter on this topic, and even if Facebook is right and they don’t indeed record everything (which would also drain your battery significantly), the fact that this story goes around says more about how people perceive their privacy posture than about the actual truth.
This story by itself is not that interesting. If you however couple it to a story I wrote about three weeks ago on Samsung smart TVs listening to everything you say around them, and two more a week later concerning Facebook’s way of deciding on trending topics and audio fingerprinting to bypass ad-blocking software, a total picture starts to emerge of how our privacy online is undermined and attacked from several directions at once.
If you also throw my comment on Twitter and the linked F-Secure article into the mix, it isn’t hard to see why Facebook and others may not need to listen to anything you are saying around your smartphone at all.
source: PCMag (external link)

One Year After OPM Data Breach, What Has The Government Learned?

OPM is moving to newer systems based on a security-by-design principle. Unfortunately for them this may take years, and the older systems apparently only have security patchwork in place. Whilst having 2-factor authentication in place will certainly help from a technical point of view, security awareness of staff is very important in these cases as well. Blocking people from reading their Gmail accounts at work may look like an interesting solution, but in the end it isn’t the only website, webmail or online connection that your employees can make, and therefore it’s more a symbolic solution than one that will really bolster your security. Taking into account that the real culprits and method of attack are still unknown, it probably does little or nothing to prevent a new breach in the future either.
source: NPR (external link)

China pledges tighter privacy as it centralises personal health data

Beijing wants to ‘improve the government’s management of major public health issues’

So you want all kinds of health data in one big national database to get a grip on large health issues and probably costs. Yet at the same time you want to strengthen privacy protection for such records in a country that is notorious for spying on its own citizens. Although you can argue whether it technically is spying in a country that has no real privacy laws in the first place.
It is an interesting balancing act the Chinese government is proposing in this respect.
source: the Register (external link)

Infosec 2016: Shadow IT Lets Employees Take Company Data To New Jobs

This story highlights two problems a lot of companies will face, and a significant number of them probably don’t even realise it. It’s not only the issue of people using non-approved cloud services for their daily work and the subsequent loss of control over company data; it’s also the fact that approved IT systems usually are not tailored towards what the users (read: the business) require to do their job properly. Or at least that is the general consensus as to why non-approved applications are used in the first place.
The notion in this article that admins will lose control over data is fundamentally incorrect. The data belongs to the business, which should exercise control over it, not IT. The IT department should however make it possible for the business to effectively control all aspects of the company’s data flows.
source: TechWeekEurope UK (external link)

Your comms metadata is super-revealing but the law doesn’t protect it

Big changes needed to bring America’s court up to speed on today’s internet privacy

For those who think that this problem is a purely US-based issue, think again. Just a couple of months ago this country (the Netherlands) passed laws that broaden the scope of the intelligence agencies’ access to, you guessed it, metadata in a very indiscriminate way.
But not only governments have discovered the usefulness of metadata and the loopholes in laws allowing them to access such data; a lot of social media outlets are using the same methods and access rights to further profile and infer information about their users. It is easy to create a false sense of security by implementing end-to-end encryption on chat messages whilst at the same time keeping the related metadata unencrypted and accessible to the chat app provider. As metadata may tell even more about the user than the content of the encrypted messages otherwise would, this is a smart move that unfortunately does little for the privacy protection of the casual internet user.
And yes, this may also hold true for companies using chat apps and other online services (approved or not) for business purposes. You may be leaking more information than you are aware of or feel comfortable with.
source: the Register (external link)

FBI Sends Computer Information Collected By Its Hacking Tools In Unencrypted Form Over The Open Internet

The assertion on encrypting data made in this article, from quotes by FBI agents, is shocking to say the least. It is also precisely why a company like Apple did us a very big favour in fighting the FBI over creating special malware to unlock all iDevices whenever the FBI so requested.
Effectively there are multiple levels on which data can be protected in transmission: either at the data level or at the transport level. See it like a large motorway with individual cars on it: you either protect each individual car and its occupants (encrypting at the data level) or you protect the motorway itself (transport-level encryption). In either case, the data can be decrypted by the key holders and shared with all parties concerned.
What makes this statement even sillier is that if the FBI agent is correct in his assumption that encrypting data would render it useless to the defence, the FBI would not have a case itself either, would it?
source: Techdirt (external link)

It happened, the “my manager keeps a paper list of all of our passwords”

Yes, what this manager did is bad: passwords on a paper sheet, breach of protocol on access cards, etc. And had the password sheet been stolen or lost, it could have been even more disastrous.
What however also strikes me in this story (yes, it’s the little bits that get you in the end indeed) is that this specific manager had done security awareness training very recently. So what was that training actually worth to the company? Was it effective in bolstering security awareness in the department this manager worked for? I am inclined to say no and no to these questions. There is a reason for security policies and procedures, and also one for breaking them. In this case the latter clearly was time pressure and making things seemingly easier this way. However, if your security awareness training had indeed done its job, either this manager would not have done what she did or somebody within the department would have blown the whistle on this much earlier. The fact that “she’s not there anymore” may help people sleep easier, but will it stop others from doing similar or related compliance-undermining activities? I seriously doubt it.
source: posted on Reddit (external link)

Filed Under: Noteworthy Series Tagged With: Cryptography, InfoSec, Privacy
