Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.
Big items to consider: GM has quietly started a program that allows hackers to submit any vulnerabilities they find in its vehicles. Christopher Mims of The Wall Street Journal published an opinion piece arguing that we don’t need backdoors if we allow lawful hacking to vet our systems, which he claims would resolve the encryption/backdoor conflict. An update on the Ukraine power outage revealed that the attack was perfectly coordinated and included flooding the Ukrainian utility’s customer service line, so the utility had no idea there was a power outage for 8 hours. Lastly, a piece by security blogger Brian Krebs takes a deeper look into cybercriminal call centers and how they are a profitable/successful way to extort money from a country the criminal is not familiar with.
Earlier this week, General Motors quietly launched a vulnerability submission program that allows security researchers to submit information about hackable vulnerabilities in GM automobiles and rest assured that—as long as they follow a few guidelines—they’ll be thanked rather than hit with a lawsuit. In partnership with HackerOne, a security startup devoted to helping companies coordinate security vulnerability disclosure with independent researchers, GM has created a portal welcoming bug reports from benign hackers.
Fortunately, there is a solution to both of these issues, and it doesn’t involve compromising the security of our devices—security, let us not forget, that prevents countless other crimes. It is called “lawful hacking.” As outlined in a paper by four influential academics who work on cryptography and security, lawful hacking is an acknowledgment of the fact that our personal and mobile computers are in fact quite insecure.
The report from Washington-based SANS ICS was released late on Saturday, providing the first detailed analysis of what caused a six-hour outage for some 80,000 customers of Western Ukraine’s Prykarpattyaoblenergo utility. SANS ICS, which advises infrastructure operators on combating cyber attacks, also said the attackers crippled the utility’s customer-service center by flooding it with phone calls to prevent customers from alerting the utility that power was down. “This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics,” said Robert Lee, a former U.S. Air Force cyber warfare operations officer who helped compile the report for SANS ICS. “They sort of blinded them in every way possible.”
Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don’t speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal. Some of these call centers are Web-based, allowing customers to upload information about their targets to a service that initiates the call to a bank, credit provider, shipping company or dating scam victim (for more on the role played by call centers in dating schemes, see last week’s story, Fraudsters Automate Russian Dating Scams). Other call centers require customers to supply information about the target and the needed service via Jabber instant message. This post focuses on Web-based call services.