IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Ramping Up Automobile Cybersecurity


In late 2014, signs emerged that the automobile industry was taking the first steps toward addressing cybersecurity and privacy risks.


For instance, General Motors hired its first chief product cybersecurity officer, and the automobile industry set up an automobile Information Sharing and Analysis Center to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics.


Heading into 2015, efforts to mitigate cybersecurity and privacy risks affecting automobiles continue to gain traction. Recently, Senator Edward Markey, D-Mass., issued a report detailing various automobile security and privacy vulnerabilities. Then, on Feb. 11, Markey confirmed that he, along with Senator Richard Blumenthal, D-Conn., will introduce legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards for improving the security of vehicles and protecting drivers' privacy.

"We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century," Markey says.

The senators' efforts come after auto manufacturer BMW recently addressed a potential security gap affecting data transmissions to and from the company's connected vehicles via the mobile phone network.

But while early steps are being taken by the industry to get on top of the risks, progress around securing automobiles may not come as quickly as some would hope. "Sure, proof of concept exploits are there - and they are real - but there is not even a semblance of exploitation by the criminals in the wild," says Anton Chuvakin, research vice president for security and risk management at Gartner.

"We do have a chance to prepare for this now by starting early with car and other device security," he says. "However, the history of information security teaches us that we probably won't. Today the threat is mostly 'not' real, but all signs point that it will become real."

Key Risks

Chris Valasek, director of vehicle security research at IOActive, a computer security services firm, has researched cyber vulnerabilities in automobiles through funding from the Cyber Fast Track initiative from the Defense Advanced Research Projects Agency, or DARPA.

Based on his research, Valasek says hackers could gain access to a vehicle's systems and potentially take private information, such as GPS coordinates or the driver's username and password for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that operate certain features, such as cruise control, Valasek says.

"[Through our research], we showed that if you're on the car's computer network, you could send messages to completely stop the car and immobilize it," he says. "If an attacker found a way to break in remotely - through Bluetooth, cellular or an application - and was able to be on the right portion of the car's network, they could stop the car, disengage brakes or steer the steering wheel."

Down the road, automakers also need to worry about the potential cyberthreats concerning so-called "autonomous" or driverless vehicles now in development, says Stephen Wu, an attorney at the Silicon Valley Law Group, who has been researching the legal concerns regarding autonomous driving. "If cars crash because of information security vulnerabilities, it could lead to liability for the manufacturers," he says. "They need not only be concerned about safety, but also the governance of information security, privacy and the management of information that's being generated and communicated by cars."

Security Gaps Remain

The recent report from Senator Markey is based on a survey of 16 major automobile manufacturers about how vehicles may be vulnerable to hackers and how driver information is collected and protected.

Among the findings:

  • Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions;
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents;
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers;
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.

Valasek at IOActive says the biggest takeaway from the report is how most of the manufacturers couldn't answer many questions. "This means that not only are they behind on their security efforts, but probably don't have a good idea of the attack landscape or where to start," he says.

Legislation

The new legislation proposed by Markey would include three key requirements:

  • All wireless access points in cars must be protected against hacking attacks and evaluated using penetration testing;
  • All collected information must be appropriately secured and encrypted to prevent unwanted access; and
  • The manufacturer or third-party feature provider must be able to detect, report and respond to real-time hacking events.

To address privacy issues, Markey is seeking a transparency requirement that drivers be made explicitly aware of data collection, transmission and use. He also wants consumers to have the ability to choose whether data is collected, without having to disable navigation. And he's seeking prohibition of the use of personal driving information for advertising or marketing purposes.

"In essence, the proposed legislation codifies what have been best practices in privacy and security for years," says Scot Ganow, a privacy and security attorney at the law firm Faruki Ireland and Cox PLL.

But that doesn't mean the proposed law won't face challenges similar to those that have arisen in previous failed attempts to adopt federal data breach legislation, Ganow says. "As with all laws seeking to regulate commerce and, in particular, the flow of information, the struggle will exist over balancing appropriate regulation while not choking innovation and corporate independence."

Proactive Approach

As the security and privacy landscape around automobiles continues to take shape, manufacturers can start taking the necessary steps to get ahead of the challenge before it becomes a real problem.

Right now, hacking a vehicle is still very hard and very expensive, Valasek says. "That's not to say that won't change in the future. But you want to start implementing security measures before there is an actual problem."

Valasek argues that manufacturers "will have to accept that security is required as part of the process and not an after-thought. Only then can we truly talk about mitigating risks."

In addition, automakers should hire more cybersecurity experts and attempt to integrate security into the automotive software development lifecycle, says Ben Johnson, chief security strategist at Bit9 + Carbon Black, an endpoint security firm. "Immediately, I would be hiring penetration-testers and security consultants to do as much assessment and analysis of the existing systems as possible," he says.

It may also be in the best interest of the automobile industry - and consumers - if manufacturers adopt a model similar to PCI-DSS, the independently developed standards in the payments card industry, says Andreas Mai, director for smart connected vehicles at Cisco. "If an independent body devised a list of security features and controls that a vehicle and its computer systems should have, and the body audited vehicles for adherence, even if it was voluntary, like Consumer Reports, it would at least provide consumers with the notion someone has looked at security and provide a baseline level of confidence," he says.


Secunoid's curator insight, February 19, 2015 1:52 PM

The next frontier to keep an eye out for from a security perspective: automobiles.

Sandesh's curator insight, March 23, 2015 9:55 AM

They have introduced the cybersecurity which is attached with audio player


Malware runs on Apple's iOS7 and iOS8 to steal photos, texts and contacts


Hackers are using spyware to steal text messages, contacts, pictures and other personal information from iPhones, according to computer security experts.

Anti-virus company Trend Micro claims it has discovered new software that infects iPhones running iOS 7 and iOS8.

The software is spread via phishing attacks that are sent from the phones of friends and associates to encourage targets to click on a link and install the spyware.


The XAgent malware will run on Apple devices like the new iPhone 6 even if they are not jailbroken

Known as XAgent, the spyware will then collect text messages, contact lists, pictures, location data, lists of apps and any software running on the device.

This information is then sent to a remote server while the malware will also switch on the iPhone's microphone and record everything going on around it.

Trend Micro believe the malware has been created by a group of Russian hackers who have in the past been targeting governments, the military and the media.

WHAT IS XAGENT MALWARE? 

The XAgent malware is not the first to hack into Apple's iOS software for its mobile devices.

iPhone users were left unaware for approximately a year and a half that a software bug could have made them the victims of ‘hi-tech eavesdropping’.

Security experts warned that past iterations of iOS software - dating from as long ago as September 2012 - had a vulnerability that hackers could have exploited to see financial transactions, emails and Facebook activity.

The vulnerability was eventually fixed by an update to the iOS7 software last February.

Hackers also claim to have been able to circumvent the fingerprint recognition hardware installed on the iPhone 5S and iPhone 6.

Some iPhone users reported last May that they received messages telling them their phones had been hacked by Oleg Pliss and demanding money for their devices to be unlocked.

However, perhaps the worst breach of Apple security was the hack into the company's iCloud that saw the leak of hundreds of personal and naked photographs belonging to celebrities, including Jennifer Lawrence, Kelly Brook and Rihanna.

It is thought that XAgent was designed by the group to help them obtain information from specific high profile targets.

Trend Micro said it had also identified a second malware programme that is focused on recording audio from so-called 'jailbroken' devices. These devices have had limitations on their iOS software removed, which can compromise the phone's security.

Feike Hacquebord, senior threat researcher at Trend Micro, said: 'While spyware targeting Apple users is highly notable by itself, this particular spyware is also involved in a targeted attack.

'The XAgent app is fully functional malware. After being installed on iOS 7, the app’s icon is hidden and it runs in the background immediately.

'When we try to terminate it by killing the process, it will restart almost immediately.

'Installing the malware into an iOS 8 device yields different results. The icon is not hidden and it also cannot restart automatically.

'This suggests that the malware was designed prior to the release of iOS 8 last September 2014.'

Nearly three quarters of Apple iPhones and tablets are now thought to be using iOS8, although a quarter are still running the older iOS7 software.

This could mean that up to 200 million devices could be the most vulnerable to the spyware.

Trend Micro believe the XAgent malware is related to another type of spyware it has been tracking, called SEDNIT, that works on Microsoft Windows systems.

They claim that the malware has been created by a group of hackers that it calls Operation Pawn Storm. 

XAgent can turn on the microphone of any iPhone it runs on and record the sound going on around it

Experts at Trend Micro first identified Operation Pawn Storm as being behind a series of online attacks targeting military officials and defence contractors in a cyber-espionage operation.

Subsequently they have also been linked to attacks against government officials and journalists.

Trend Micro said that it is unclear exactly how the new iOS malware is spread, although the group tends to infect the devices of contacts and friends of its targets.

Writing on its blog, Mr Hacquebord and his colleagues, who have been investigating XAgent, said they had seen one instance where the malware was attached to a simple link with the words 'Tap Here to Install the Application'.

However, they added: 'The exact methods of installing this malware are unknown.

'There may be other methods of infection that are used to install this particular malware.

'One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.'


Via Paulo Félix

Apple Adds More Security To iMessage And FaceTime With Two-Factor Authentication


Apple has improved the security of FaceTime and iMessage, its voice/video and multimedia chat communication tools. The services got two-factor authentication today as an option for users to enable, meaning that even if someone uses their Apple ID email and password to enable iMessage or FaceTime on a new device, they’ll still need to use a pin code from an existing trusted device to gain access to those services.

You may recognize the system from iCloud’s two-factor authentication, or if you’ve tried to set up Keychain to keep your passwords in sync between Apple devices. If you’ve previously enabled two-factor for iCloud, it’ll also be enabled for FaceTime and iMessage. The additional level of protection applied to these services helps ensure that people will have a harder time grabbing potentially private images from your iMessage history, or pretending to be you via online communication methods.

Two-step comes into play when users log out of an account on their device and try to log back in, as well, meaning you’ll have to get that trusted device out should you temporarily disable your account on the device, or in some cases if you run a system update or switch SIMs. This is a good step for Apple, and hopefully an indication that it intends to roll out two-step security to all of its services in good time.

Gabriela Atuesta's curator insight, February 17, 2015 12:25 AM

New security system for the use of iMessage and FaceTime on Apple devices.