10Fold – Security Never Sleeps – 53

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider

After the Nissan Leaf security vulnerability became public knowledge yesterday, Nissan has removed the mobile app until further security patches can be applied. Google has launched its “Project Shield” service, which will help defend independent news sites against DDoS attacks. A federal judge has confirmed that researchers at Carnegie Mellon were paid to find criminals on Tor, contrary to denials in both government and university statements. Lastly, an interesting contributed article on organizational privacy and operational alignment.

Nissan’s connected car app offline after shocking vulnerability revealed
Publication: Ars Technica
Reporter name: Jonathan M. Gitlin

In a statement given to Helme, the company said the service was unavailable following “information from an independent IT consultant and subsequent Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a nonsecure route.” The consequences of maliciously exploiting Nissan’s lackadaisical attitude towards security in this case would have been relatively minor; the system couldn’t remotely start or stop a vehicle, nor lock or unlock it. But that doesn’t excuse a fundamental disregard for its customers’ safety and privacy.

Google Wants to Save News Sites From Cyberattacks—For Free
Publication: Wired
Reporter name: Andy Greenberg

Google had quietly adopted Balatarin into an early pilot of a service called Project Shield. That service, designed to stop DDoS attacks from being used as a censorship tool, currently protects close to a hundred similar sites focused on human rights, election monitoring and independent political news. And now it’s finally coming out of its invite-only beta phase to offer its free cyberattack protection to not just the most at-risk sites on the Internet, but to virtually any news site that requests it.

Tor Users Were Caught By CMU Researchers – And Lack Reasonable Expectation Of Privacy, Judge Rules
Publication: Forbes
Reporter name: Emma Woollacott

A federal judge has confirmed what the Tor Project has long claimed: that the US authorities hired researchers from Carnegie Mellon University (CMU) to hack the Tor anonymizing network. And, says US District Judge Richard Jones, Tor users don’t have grounds to complain. In a blog post last year, the Tor Project alleged that the FBI paid researchers $1 million to exploit a vulnerability in Tor software to find some users’ true IP addresses – and then trawl through their data to find anybody they could accuse of a crime. Both parties denied the reports, with CMU implying that while it had provided research, it had done this only because it had been forced to. Now, though, it’s been confirmed that a subpoena was issued, and payment was indeed made – although by the Department of Defense, rather than the FBI. It seems that the information was later passed on to the FBI, allowing it to deny commissioning the research itself.

Privacy and operational alignment
Publication: CIO
Reporter name: Bob Siegel

Most discussions surrounding a privacy program and business alignment revolve around the goals and objectives of an organization. Naturally, a privacy program should support (and influence) what an organization is focused on achieving. How a business is going to achieve these goals is left to the operational areas. It is true that a privacy program should have policies and standards defined to provide guidance to the operational areas for their activities, but often these are high level and somewhat vague, leaving the operational areas to figure out how to comply with the policy on their own. If an operational area gets it wrong, then the privacy police swoop in.