Let’s just say it. The world is going mobile. Practically any task you can perform on your computer, you can also do with a mobile phone, and there are even a few that your computer can’t do. In just moments, you can simultaneously shop for shoes, deposit a check and then quickly buy a plan Read more…
Modern cars contain a lot of nifty electronic gadgets, as well as more than one kilometer of cable wired to all kinds of sensors, processing units, and electronic control units. The cars themselves have become large computers, and as history shows, wherever there is a computer, there is someone trying to attack it. Over the past few years various studies have been conducted on how feasible it would be to attack a car through its onboard network. Most researchers focused on attacks with full physical access to the car, but some also explored external attack vectors.
If attackers have physical access to a car they can, for example, access the Controller Area Network (CAN) or the On-Board Diagnostic (OBD) system, but they can also perform other dangerous actions, such as physically tampering with the brakes or stealing the car. Digitally tampering with a car, on the other hand, might be much more difficult to prove after an accident. Such attacks could potentially be combined with other attacks that allow for a remote code execution and should be taken as a demonstration of payloads.
There are a few ways to get into a car’s system without having physical access to it, for example through tire pressure monitoring systems, traffic message channel (TMC) messages, or GSM and Bluetooth connections. Some manufacturers have started developing smartphone apps that can control some of the car’s functionalities, which opens another possible attack vector. There have also been some cases where specially crafted music files on USB drives were able to hijack some of the car’s systems.
Charlie Miller and Chris Valasek, two researchers working on a project for DARPA, explored how far they could go by hacking the Controller Area Network once inside the car. The pre-released video of their presentation for the upcoming DEFCON conference shows that nearly all of the car’s functions can be controlled or triggered including, switching off all lights, shutting down the engine, disabling the brakes, some limited steering, sounding the horn, and manipulating the system display. It doesn’t take much imagination to understand that this has the potential to cause serious accidents. Some of these changes could be made permanent and invisible with malicious firmware updates or system changes. Of course, a laptop with a modem in the glove box would work as well, but would not be as stealthy. If an attacker used the same method as the researchers, hopefully you would notice the attacker’s laptop on your backseat and wonder what was going on.
Car manufacturers are aware of these challenges and have been working on improving the security of car networks for years. Remote attack vectors, especially, need to be analyzed and protected against. At Symantec we are also monitoring this research field to help improve it in the future. Miller and Valasek’s research shows that cars can be an interesting target for attackers, but there are currently far bigger automobile-related risks than hackers taking over your car while driving. Personally, I’m more scared of people texting messages while driving and I assume they pose a far bigger risk than hackers when it comes to accidents, for now at least. Safe driving.
In a recent post, AppAppeal ranked the most popular URL shorteners. The top five includes TinyURL, Goo.gl, Bit.ly, Ow.ly and is.gd. Unfortunately, these helpful services are also used to hide a large number of malicious URLs. This result has made me want to learn more about malicious links that may be hidden behind these shortcuts. Read more…
Symantec’s Internet Security Threat Report (ISTR) is an annual report which provides an overview and in-depth analysis of the online security landscape over the previous year. The report is based on data from Symantec’s Global Intelligence …
Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the Read more…
Softonic, one of the world’s largest download site for Windows, Mac and mobile, has just announced that avast! Free Antivirus is the most popular download in Europe. Thank you to our users who have downloaded AVAST from Softonic! Here’s what some reviews said about AVAST: Good protection at no cost Very good protection for a […]
There are deep and disturbing sides to the Internet where businesses should fear to tread, if they want to keep themselves safe. So called ‘dark’ search engines, for example, certainly need to be approached with extreme caution.
Take Shodan, a search engine that navigates the Internet’s back channels. It’s akin to a ‘dark’ Google, helping hackers to find out the servers, webcams, printers, routers, systems, networks etc… that are vulnerable to tampering.
Shodan has been designed to help users track down certain types of software and hardware, determine which applications are most popular, identify anonymous FTP servers, or investigate new vulnerabilities and what hosts they could infect. All good stuff and useful to know. But Shodan also serves as a window into millions of unsecured online connections; and you definitely wouldn’t want those connections to be yours. It’s similar to a bank opening up for business in the morning and leaving the safe ajar by the front door – an open invitation to enter the inner workings of your organisation and see what riches are there to be had.
Shodan, it seems, runs non-stop, collecting data from hundreds of millions of connected devices and services each month. Through a simple search, a user can identify a number of systems that either have no security measures in place or generic passwords that can be hacked easily, leaving unwary organisations open to hazardous attacks.
There are accounts of one independent security penetration tester confirming that, amongst a number of unsecured systems he located using Shodan, were: a carwash that could be turned on and off remotely; an ice hockey rink in Denmark that could be defrosted with a click of a mouse; and a traffic control system for an unnamed city that could be put in ‘test mode’ with one command entry. But that is by no means the worst. Cybersecurity researchers are also said to have located command and control systems for nuclear power plants and a particle-accelerating cyclotron, using Shodan. Even allowing for apocryphal stories and a degree of hyperbole, that has to be worrying.
The biggest security flaw, argues Shodan’s creator John Matherly, is that many of these susceptible systems should not even be connected to the web. “Of course, there’s no security on these things. They don’t belong on the Internet in the first place,” he says. Many systems can now be controlled by computer, so IT departments hook them up to a server, instantly making systems and devices available to anyone with an Internet connection. It’s all part of that great unknown sometimes referred to as ‘The Invisible Web’ – the area of the WWW that isn’t indexed by the search engines. And it’s a high-risk place to be, if you don’t have the right protections in force.
Indeed, tightly targeted cyber-espionage attacks, designed to steal intellectual property, are hitting the manufacturing sector and small businesses with ever greater venom, warns Symantec’s latest ‘Webiste Security Threat Report’, with the latter, highly vulnerable, organisations the target of 31% of such attacks – a threefold increase on 2011. Targeted attacks overall have seen a massive 42% surge during 2012, compared to the previous year.
It’s also worth noting that in many cases protecting yourself, your company and your intellectual property online is not difficult, as long as you start with solid foundations such as securing your websites, intranets, extranets etc… with the latest encryption technologies from Symantec.
Using Symantec SSL is a cost-effective security measure for websites; when SSL is deployed site wide in a persistent manner it helps to protect the entire user experience from start to finish, making it safer to search, share and shop online. This encrypts all information shared between the website and a user (including any cookies exchanged), protecting the data from unauthorised viewing, tampering or use. The Online Trust Alliance is one leading organisation calling for websites to adopt the use of persistent SSL on websites (which is also known as ‘Always-On SSL’), with some of the world’s most successful names having successfully implemented it, including Google, Twitter and Facebook.
You might also want to look at Symantec Validation and ID Protection Service when shoring up your defences. This is a powerful cloud-based authentication service that enables enterprises to secure access to networks and applications, while keeping out malicious, unauthorised intruders. A unified solution providing both two-factor and risk-based tokenless authentication, VIP is based on open standards and can integrate readily into your enterprise applications.
With solutions such as these firmly in place, you should have the foundations in place be able to make light of even the Internet’s darkest places but don’t stop there. And as a colleague of mine writes here….”As we near the 2-year anniversary of Stuxnet, it is high time to check where your own organisation stands. While doing so could be relatively quick (particularly using such databases), dealing with the damage would take much longer so we strongly recommend the former course of action. “
There is no time like the present to review what you do and take the appropriate steps to ensure your organisation is protected both now and in the future.
If you are a parent today, you are among the first generation of adults tasked with raising good digital citizens. And while learning to be a “good digital citizen” is a hot topic in education circles have you noticed that it’s quickly demoted to “goofy” when you attempt to talk about it at the dinner Read more…
Earlier this week, the Chiba Prefectural Police in Japan arrested nine individuals for distributing spam that included emails with links to download Android.Enesoluty – a malware used to collect contact details stored on the owner’s device. The …
AVAST’s high-performance server-security product, avast! File Server Security, has received the VB100 award from Virus Bulletin. The independent testing lab’s latest AV comparative test focused on performance in Windows Server 2012. AVAST performed solidly with 100% detection rates and zero false alarms on both WildList and clean test sets consisting mainly of business tools to […]