Author: Robert Vamosi

Tesla’s Built a Server / Database … on Wheels

In-brief: Tesla Motors CTO attends DEF CON thanking researchers for finding flaws in the Model S and seeking harmony with the security community. If you can’t beat them, join them. Not only were Tesla Motors representatives on hand at last week’s DEF CON 23, they were recruiting, and answering questions about one of the talks targeting their Model S car. They even parked one of the cars within the Bally’s Las Vegas Hotel and Casino Convention Hall, right next to the conference’s annual Capture the Flag competition. Over the course of the last two years, researchers Kevin Mahaffey, co-founder and CTO of mobile security firm Lookout, and Marc Rogers, principal security researcher for CloudFlare, discovered six vulnerabilities and then worked with the electric car company to patch them. Last Wednesday, one day before their scheduled talk, Tesla pushed out a patch to every Model S in the world. And […]

Morpho Is A Profit-Based Hacking Group, Says Symantec

Attribution of information security attacks is difficult. Being able to put a particular person behind a keyboard is often the problem. However, in recent years, security companies have been doing a better job of identifying groups of individuals with similar attack methods and preferences. For example, CrowdStrike has identified over seven thousand discrete groups of state-sponsored actors, criminals, and hacktivists solely by their methods of operation, their patterns of attack. A report this week from Symantec looks at one particular group it calls Morpho, which it believes is not state-sponsored but is nonetheless responsible for intellectual property theft for monetary gain. Symantec notes that one key difference between attacks coming from competitors and those from state-sponsored attackers is that competitors are likely in a better position to request the theft of specific information of economic value. They make faster use of this information than a state-sponsored group would. Morpho has a preference […]

New OpenSSL Flaw Is No Heartbleed

In Brief: Although severe, a new vulnerability in OpenSSL that allows an attacker to impersonate a trusted CA server is expected to have minimal impact. OpenSSL today issued a high severity advisory warning of forged certificates. During certificate verification, the alert says, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. This could allow an adversary to impersonate a trusted CA server and eavesdrop on otherwise encrypted communication. Fortunately, the flaw only affects versions of OpenSSL released last month, which are not yet available in some OSs such as Ubuntu. Affected versions are OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. Despite the severity, experts expect the overall impact will be minimal. “Exploiting the OpenSSL vulnerability (CVE-2015-1793) is not quick or easy, making it nowhere near as serious as Heartbleed,” said Veracode’s Vice President of Research Chris Eng in an email. “For starters, an […]

Hacking Team Breach Unleashes New Adobe Flash Zero Day

In Brief: As a result of a hack at Hacking Team, and the subsequent disclosure of nearly 400GB of documents and tools, a new zero day targeting all versions of Adobe Flash has been reported in the wild. Last Sunday, the firm known as Hacking Team was breached. Amid the 400GB of company data disclosed from the controversial Italian company were some zero days. These include two Adobe Flash zero days and a Windows kernel zero day. One of the Flash zero days is what Hacking Team described in an internal document as “the most beautiful Flash bug for the last four years.” Adobe has issued a security bulletin for CVE-2015-5119, which affects Windows, Linux, and Apple products. Successful exploitation can result in a crash and remote access to the infected machine. Adobe has said it is working on an emergency patch, which could come as early as today. Trend Micro has identified […]

Finds Popular Fitness Trackers Lack Security

An organization known for its thorough and independent testing of antivirus products has found the usual suspects of lack of authentication and encryption (security lapses that are all too common in IoT devices) are also present in popular fitness bands such as those from Fitbit and Acer, while the Jawbone UP24, Polar Loop and Sony Smartband Talk SWR32 scored the best security of those products tested. The researchers admit that counting steps or the number of calories burned may not constitute a leak of PII, but acknowledge that in the future that may be different, with manipulation and/or data theft leading to more or less serious threats to user privacy and […]