On May 2, 2018 we reported that two ethical hackers had discovered a number of vulnerabilities in certain Audi and Volkswagen cars. Now Auto Express reports that a group of white-hat Chinese hackers has discovered a slew of vulnerabilities in late-model BMWs.

BMW Recognizes and Appreciates the Contribution

Rather than being defensive or dismissive over the vulnerability revelation, BMW has rewarded the group responsible for uncovering the flaws. According to Auto Express, BMW awarded Tencent Keen Security Lab the “BMW Group Digitalization and IT Research award”. Furthermore, BMW was so impressed with the firm’s work that the two are now “discussing options for joint in-depth research and development activities.”

14 Flaws Uncovered

As is often the case, the vehicle infotainment centers were at, well, the “center” of the vulnerabilities. In all, 14 vulnerabilities were identified. Here’s how they broke down:

  • Infotainment System – 8 Vulnerabilities
  • Telematics Units – 4 Vulnerabilities
  • On-board Diagnostics Gateway – 2 Vulnerabilities

It should be noted that while 9 of these vulnerabilities required a physical connection to the vehicle, 5 did not, leading Tencent Keen Security Lab to remark that:

“these attack chains could be utilized by skilled attackers at a very low cost” and that “they would allow hackers to trigger or control car functions over a wide-range distance”

Konsultek’s Take

Our takeaway from this? Information security is becoming more important in virtually every aspect of our lives. Automobiles included. Once a vehicle’s infotainment system is breached, any connected devices such as smartphones are instantly made more vulnerable. Ubiquitous BYOD policies then place corporate networks at risk.

As we have chronicled before, “smart” objects ranging from medical instruments, to HVAC systems to manufacturing equipment all present potential entry points to your network.

That is why one of the first things we do when developing a custom security solution is audit the network to determine what has access and to what degree. The best technology, ill-applied, does no good. Let’s get the process right together. Give us a call and let’s begin a security dialogue.


Back in February of this year we covered the theft of Batavia, Illinois’ municipal workers’ personal information. In that case municipal worker W-2s were pilfered through a well-crafted spear phishing attack.

Well, this week govtech.com published a story chronicling the woes of Riverside, OH, a small town near Dayton that has been the target of multiple cyber-attacks, some reported as “ransomware”, which have resulted in the loss of public records.

Computer Virus Cripples Riverside Police & Fire Server

Earlier in April of this year a server for the Riverside Police and Fire departments was hit with a virus that denied access to approximately 1 year’s worth of records. The entry vector for that attack appears to have been an email fax.

Secret Service Involved

According to the report on govtech.com, U.S. Secret Service agents are investigating the latest attack on Riverside’s computer server. Since the investigation is still active, the Secret Service is abstaining from discussing the details of the attack and their response.

Data Lost, but Personal Information Not Released

In the latest attack approximately 8 hours of police and fire reports were lost. Fortunately, most of this data was either backed up on other servers or existed in hard copy form. While police and fire reports often contain personal information, there is no indication that personal information was disseminated during the attack.

Atlanta, Rockport, Davidson…

Riverside and Batavia are just two of the many municipalities attacked of late. One of the largest and most costly attacks has been the March 22, 2018 ransomware attack on Atlanta.

That attack locked down 6 separate systems, each held “ransom” for 0.8 bitcoins, or approximately $50,000 if a master key was purchased. Atlanta, DHS and the FBI concluded that the ransom should not be paid, and according to a report on wsbtv.com the resulting repairs and recovery will cost the city an estimated $2.7 million.

Konsultek Knows Security

Municipalities large and small are being targeted with increasing frequency, indicating that cyber-criminals see an opportunity that is ripe for the picking. If your municipal systems haven’t had a security checkup by an independent third party in the last 12 months, you might consider contacting Konsultek to learn about our vulnerability assessments. When it comes to security, an ounce of prevention is certainly worth far more than a pound of cure.


The use of “Shimmers” first came to light in Mexico back in 2015. Later, in late 2016 to early 2017, the devices started showing up in Canada. This week Fox News reports that these svelte skimmers are beginning to appear in the USA.

What is a “Shimmer”?

A shimmer or “shim skimmer” is a wafer-thin skimming device that is inserted by criminals into the card slot of an ATM or POS card reader. The device can steal and store the data from “secure” chip-enabled cards. After a period of time, the criminals return to the shimmer’s location and extract the data by using a special card during a purchase or cash withdrawal, which simultaneously downloads the data. The information is then used to make fake cards.

Konsultek’s Advice

While the odds are quite low that you’ll ever encounter a “Shimmer”, here are some recommendations on how to be as safe as possible when using an ATM or Point-of-Sale device:

  • If you notice any friction or difficulty inserting your card, report it to the store or bank! A difficult-to-insert card is a telltale sign of a “shimmer”.
  • Cover the PIN pad while you enter your PIN.
  • Use common sense and avoid sketchy-looking and standalone cash machines in low-lit areas, if possible.
  • Stick to ATMs that are physically installed in a bank. Stand-alone ATMs are usually easier for thieves to hack into.
  • Be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on a weekend — when they know the bank won’t be open again for more than 24 hours.
  • Keep a close eye on your bank statements, and dispute any unauthorized charges or withdrawals immediately.


Two ethical hackers, Daan Keuper and Thijs Alkemade, have shown that it has been possible for hackers to break into the 2015 Volkswagen Golf GTE and the 2015 Audi A3 Sportback e-tron, according to a post on CarComplaints.com.

The remote hacking was made possible through the Harman infotainment systems included in the cars.

They Know Where You Are

Once the vehicle’s internal systems were accessed, the two researchers showed it was possible to know where the vehicles were and then remotely follow them.

They Are Listening

Beyond just tracking your location, Keuper and Alkemade were also able to listen to conversations and to access the address book and conversation history.

Volkswagen verified the findings and reportedly fixed the security flaws by updating the infotainment systems so that new vehicles won’t have the same flaws. However, the researchers responded to the fix by saying,

“…it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, thus are still vulnerable to the described attack.”

Researchers say the only way older models could be updated is with dealers or consumers performing the updates since the Harman systems that were hacked are not capable of remote security updates.

They Could Have Done More

The researchers believe that they could have gone further, potentially taking control of portions of the automobile’s engine, transmission and braking systems, but stopped their research where they did due to legal and safety concerns.

Reminiscent of JEEP Vulnerabilities

Back in September 2015, and then again in March 2016, we discussed the vulnerabilities of the Jeep Grand Cherokee that were uncovered by researchers who also gained entry into vehicle systems through the infotainment system.

Konsultek’s Take

Our takeaway from this? Information security is becoming more important in virtually every aspect of our lives. As we have chronicled before, “smart” objects ranging from medical instruments, to HVAC systems, to manufacturing equipment all present potential entry points to your network.

That is why one of the first things we do when developing a custom security solution is audit the network to determine what has access and to what degree. The best technology, ill-applied, does no good. Let’s get the process right together. Give us a call and let’s begin a security dialogue.


Last September 21st we first discussed the CCleaner breach. In that post we described how the hackers behind the attack used the malicious doppelganger software to cast a wide net, infecting hundreds of thousands of users in the hopes of finding a few big fish amongst the fry.

Yesterday on the Avast blog, Avast CTO Ondrej Vlcek shared some insights and a timeline that shows just how the breach developed.

How Does a Security Company Get Breached?

The old fashioned way – with user credentials!

According to Vlcek:

To initiate the CCleaner attack, the threat actors first accessed Piriform’s network on March 11, 2017, four months before Avast acquired the company, using TeamViewer on a developer workstation to infiltrate. They successfully gained access with a single sign-in, which means they knew the login credentials. While we don’t know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilized for another service, which may have been leaked, to access the TeamViewer account.

Updating the Numbers

In our initial post we cited experts from Talos who were putting the size of the infection at approximately 700,000 users, with approximately 20 of those becoming actual targets for the second stage of the exploitation. Yesterday Vlcek provided more accurate figures:

In terms of CCleaner, up to 2.27 million CCleaner consumers and businesses downloaded the infected CCleaner product. The attackers then installed the malicious second stage on just 40 PCs operated by high-tech and telecommunications companies. We don’t have proof that a possible third stage with ShadowPad was distributed via CCleaner to any of the 40 PCs.

Very Similar to the NetSarang Compromise

Last year Kaspersky identified and shut down a similar attack that used an infected version of the popular server management software produced by NetSarang. From Kaspersky Lab’s write-up:

Further Kaspersky Lab analysis showed that the suspicious requests were actually the result of the activity of a malicious module hidden inside a recent version of the legitimate software. Following the installation of an infected software update, the malicious module would start sending DNS-queries to specific domains (its command and control server) at a frequency of once every eight hours. The request would contain basic information about the victim system (user name, domain name, host name). If the attackers considered the system to be “interesting”, the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code. (Emphasis added to highlight similarities)
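The beacon behaviour Kaspersky describes, a DNS query to a fixed domain once every eight hours carrying basic host details, is something a defender can hunt for in ordinary DNS query logs. The following is an added example, not code from the original post, Avast or Kaspersky; the log format, hostnames and the placeholder domain `beacon.example` are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample DNS query log: "<timestamp> <source host> <queried name>".
# The beacon names mimic a lookup that encodes user/domain/host as labels;
# the domains are placeholders, not indicators from any real incident.
SAMPLE_LOG = """\
2017-08-01T00:00:05Z ws01 alice.corp.ws01.beacon.example
2017-08-01T03:12:44Z ws01 www.update.example
2017-08-01T08:00:09Z ws01 alice.corp.ws01.beacon.example
2017-08-01T16:00:02Z ws01 alice.corp.ws01.beacon.example
2017-08-02T00:00:07Z ws01 alice.corp.ws01.beacon.example
2017-08-02T00:05:00Z ws02 news.example
2017-08-02T01:30:00Z ws02 news.example
2017-08-02T11:00:00Z ws02 news.example
"""

BEACON_PERIOD = timedelta(hours=8)  # the interval reported for NetSarang

def registered_domain(name, labels=2):
    """Collapse a queried name to its last `labels` labels (e.g. beacon.example)."""
    return ".".join(name.rstrip(".").split(".")[-labels:])

def parse_log(text):
    """Parse the constructed log format into (timestamp, host, name) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, name = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, name))
    return events

def find_periodic_beacons(events, period=BEACON_PERIOD, tolerance=0.05, min_queries=3):
    """Return {(host, domain): mean gap in hours} for every (host, domain) series
    whose consecutive query gaps all lie within `tolerance` of `period`."""
    series = defaultdict(list)
    for ts, host, name in events:
        series[(host, registered_domain(name))].append(ts)
    target = period.total_seconds()
    hits = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_queries:
            continue  # too few lookups to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - target) <= tolerance * target for g in gaps):
            hits[key] = round(mean(gaps) / 3600, 2)
    return hits

if __name__ == "__main__":
    print(find_periodic_beacons(parse_log(SAMPLE_LOG)))
```

Legitimate software also polls on schedules, so a hit is a lead to investigate (who owns the domain, what process issued the query), not proof of compromise.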

Konsultek’s Approach

Protect, detect and respond are the hallmarks of a robust security solution. When Konsultek develops your custom security solution, you can bet that all 3 approaches will be included. Interested in taking your security to the next level? Call us and let’s begin a dialogue.
