Darkreading.com reported that “Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own hacking contest in Vancouver. The attacks gave them deep access into subsystems controlling the vehicle’s safety and other components.”  The March 24, 2023 article entitled “Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest” (https://tinyurl.com/yuxpaesj) included these comments:

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own hacking contest in Vancouver. The attacks gave them deep access into subsystems controlling the vehicle’s safety and other components.

One of the exploits involved executing what is known as a time-of-check-to-time-of-use (TOCTTOU) attack on Tesla’s Gateway energy management system. They showed how they could then — among other things — open the front trunk or door of a Tesla Model 3 while the car was in motion. The less than two-minute attack fetched the researchers a new Tesla Model 3 and a cash reward of $100,000.

The Tesla vulnerabilities were among a total of 22 zero-day vulnerabilities that researchers from 10 countries uncovered during the first two days of the three-day Pwn2Own contest this week.
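The article names the bug class but does not show what a time-of-check-to-time-of-use race looks like. The following is an added illustration, not code from the article, from Synacktiv, or from Tesla, and it has nothing to do with the Gateway system itself: it reproduces the same shape of flaw on an ordinary POSIX filesystem, where the check and the use are two separate name lookups, and then shows the usual fix, which is to bind the check to the object you will actually use. The `race` callback and the temporary files are constructed for the demonstration so the window between check and use is deterministic rather than timing-dependent.

```python
"""TOCTTOU (time-of-check-to-time-of-use) on a file path, and the fix.

Added example, not the article's or Synacktiv's code. Assumes a POSIX host
(os.O_NOFOLLOW and os.symlink). The `race` callback is a constructed stand-in
for whatever changes state between the check and the use.
"""
import os
import stat
import tempfile


def vulnerable_read(path, race=None):
    """Check the name, then reopen the name: the classic TOCTTOU shape.

    The lookup done by open() is independent of the one done by lstat(), so
    anything that changes what `path` refers to in between is used as if it
    had passed the check.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if race:
        race()                       # the window between check and use
    with open(path, "rb") as f:      # second, unrelated name lookup
        return f.read()


def hardened_read(path, race=None):
    """Open first, then validate the descriptor that will actually be read.

    O_NOFOLLOW refuses a symlink at the final path component, and fstat()
    inspects the object already opened, so there is no second lookup left to
    race: whatever happens to the name afterwards cannot change the fd.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if race:
            race()                   # same window, but the check is bound to fd
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Run both readers against a constructed swap and report what each saw."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")   # constructed: the checked file
        secret = os.path.join(d, "secret.txt")   # constructed: should stay unread
        _write(public, "public")
        _write(secret, "secret")

        def swap():
            # Constructed race: the checked name is repointed at the secret file.
            os.remove(public)
            os.symlink(secret, public)

        results = {}
        # Check passes on the regular file, use follows the swapped-in link.
        results["vulnerable"] = vulnerable_read(public, race=swap).decode()

        os.remove(public)
        _write(public, "public")
        # The fd was opened and validated before the swap; the read sees it.
        results["hardened"] = hardened_read(public, race=swap).decode()

        # The name is now a symlink; O_NOFOLLOW refuses it outright.
        try:
            hardened_read(public)
            results["hardened_refuses_link"] = False
        except OSError:
            results["hardened_refuses_link"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The point generalises beyond files: any design that validates a resource by one handle and then acts on it through a second, freshly resolved handle has this window, and the mitigation is always the same, validate the handle you will act on, not a name that merely resolved to it a moment ago.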

What do you think?

First published at https://www.vogelitlaw.com/blog/did-you-know-that-your-tesla-be-hacked-in-less-than-2-minutes

GovInfoSecurity.com reported that “The global shift into cloud computing may come under increased scrutiny by U.S. regulators following an announcement by the U.S. Federal Trade Commission that it is studying cloud industry market dynamics, including potential security risks.  The oversight agency issued a request for information asking whether cloud providers use contractual or technological measures to entrench customers.”  The March 22, 2023 article entitled “US FTC Seeks Information on Cloud Provider Cybersecurity” (https://tinyurl.com/4aa3xxau) included this comment from Stephanie Nguyen (FTC Chief Technology Officer):

Large parts of the economy now rely on cloud computing services for a range of services,…

And the article included these comments:

The top three providers – AWS, Microsoft Azure and Google Cloud – collectively accounted for approximately two-thirds of the total spend. Consolidation has been a fact of life in the cloud computing market for more than a decade, marked by incidents such as the 2013 failure of infrastructure-as-a-service provider Nirvanix.

What do you think about Cloud Cybersecurity?

First published at https://www.vogelitlaw.com/blog/the-ftc-seeks-information-about-cloud-cybersecurity

Darkreading.com reported that “UK cybersecurity authorities and researchers tamp down fears that ChatGPT will overwhelm current defenses, while the CEO of OpenAI worries about its use in cyberattacks.”  The March 20, 2023 article entitled “ChatGPT Gut Check: Cybersecurity Threats Overhyped or Not?” (https://www.darkreading.com/attacks-breaches/chatgpt-gut-check-openai-cybersecurity-threat-overhyped) included these comments:

The dizzying capacity for OpenAI to vacuum up vast amounts of data and spit out custom-tailored content has ushered in all sorts of worrying predictions about the technology’s ability to overwhelm everything — including cybersecurity defenses.

Indeed, ChatGPT’s latest iteration, GPT-4, is smart enough to pass the bar exam, generate thousands of words of text, and write malicious code. And thanks to its stripped-down interface anyone can use, concerns that the OpenAI tools could turn any would-be petty thief into a technically savvy malicious coder in moments were, and still are, well-founded. ChatGPT-enabled cyberattacks started popping up just after its user-friendly interface premiered in November 2022.

What do you think about ChatGPT?

First published at https://www.vogelitlaw.com/blog/should-you-be-concerned-about-cybersecurity-threats-of-chatgpt

HealthCareInfoSecurity.com reported that “Emergency medical device provider Zoll Medical is notifying more than 1 million individuals – including employees, patients and former patients – of a hacking incident that compromised their personal information.”  The March 13, 2023 article entitled “Heart Device Maker Says Hack Affected 1 Million Patients” (https://tinyurl.com/3yvy7muv) included these comments:  

The company told Information Security Media Group that the cybersecurity incident affects current and former users of the company’s LifeVest device – a wearable cardioverter defibrillator worn by patients at high risk of sudden cardiac death. The incident does not affect the operation or safety of the product or any other Zoll medical device or related software, a company spokesperson said.

Massachusetts-based Zoll, a subsidiary of Japanese technology firm Asahi Kasei Group, reported the incident on Friday as affecting more than 1 million individuals.

The incident illustrates how deeply networked connectivity has penetrated the medical device market, a development that has created new opportunities for hackers to steal personal information in an industry historically unaccustomed to fending off threat actors.

Information potentially disclosed in the cybersecurity incident includes individuals’ names, addresses, birthdates and Social Security numbers. “It may also be inferred that you used or were considered for use of a Zoll product,” the company says in a sample breach notification letter.

Unfortunately I’m sure no one is surprised!

First published at https://www.vogelitlaw.com/blog/iot-heart-devices-threat-to-personal-health-information-phi-for-at-least-1-million-patients

GovInfoSecurity.com reported that “A Georgia man who is the chief operating officer of a network security firm can’t escape criminal charges related to a 2018 cyberattack against a local medical center.”  The March 2, 2023 article entitled “Security Firm COO Loses Bid to Dismiss Cyberattack Case” (https://tinyurl.com/9kac7nwu) includes these comments:

Federal prosecutors charged [Vikas] Singla in 2021 with hacking offenses – in an 18-count indictment. They say that Singla conducted a cyberattack in September 2018 that affected two hospitals of Gwinnett Medical Center. The attack allegedly disrupted the medical system’s Ascom phone service, obtained information from a Hologic R2 digitizing device, and disrupted a Lexmark printer network, in part for “commercial advantage and private financial gain.” Fifteen of the charges against Singla stem from the Lexmark printer disruption.

It will be interesting to watch this trial!

First published at https://www.vogelitlaw.com/blog/network-security-coo-to-stand-trial-for-healthcare-cyberattack-to-phones-and-printers

The Federal Trade Commission (FTC) issued a press release that “BetterHelp will be required to pay $7.8 million for deceiving consumers after promising to keep sensitive personal data private,…”  The March 2, 2023 press release entitled “FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising” (https://tinyurl.com/muz5w4z9) included these comments:

The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.

This is the first Commission action returning funds to consumers whose health data was compromised. In addition, the FTC’s proposed order will ban BetterHelp from sharing consumers’ personal information with certain third parties for re-targeting—the targeting of advertisements to consumers who previously had visited BetterHelp’s website or used its app, including those who had not signed up for the company’s counseling service. The proposed order also will limit the ways in which BetterHelp can share consumer data going forward.

The FTC’s action sends a great message about privacy!

First published at https://www.vogelitlaw.com/blog/ftc-bans-sharing-personal-health-date-to-facebook

HealthInfoSecurity.com reported about an alert issued by “…the U.S. Department of Health and Human Services’ [HHS] Health Sector Cybersecurity Coordination Center warned that Clop claims to have hit more than 130 organizations, including healthcare industry entities, with attacks involving the GoAnyWhere MFT flaw.”  The February 24, 2023 article entitled “Authorities Warn Healthcare Sector of Ongoing Clop Threats” (https://tinyurl.com/yd2y42hj) included these comments:

Hackers can exploit the flaw, which is present in the software’s administrator console, without having to authenticate or otherwise log into the console. Fortra first issued a security alert on Feb. 1 and released an update that includes a patch (see: Clop Ransomware Claims Widespread GoAnyWhere MFT Exploits).

Clop has been active since February 2019. Unlike other ransomware-as-a-service groups, “Clop unabashedly and almost exclusively targets the healthcare sector,” HHS writes. Law enforcement dealt the group a blow when Ukrainian authorities arrested six suspected members. “Continued and successful attacks, however, demonstrate that this prolific group is still a viable threat to the healthcare sector,” HHS writes.

Also the “American Hospital Association issued an alert for its members on Thursday based on HHS HC3’s warning”:

“Healthcare organizations should immediately apply the security patches recommended…”

Is anyone surprised by this alert?

First published at https://www.vogelitlaw.com/blog/ransomware-as-a-service-continues-to-target-healthcare

BankInfoSecurity.com reported that “Coinbase on Friday revealed that the hacking campaign against the company began on Feb. 5 when its employees received SMS messages requesting that they urgently log into their official email accounts to receive an important message.”  The February 21, 2023 article entitled “Crypto Exchange Coinbase Details SMS Phishing Attacks” (https://tinyurl.com/2s3umnpm) included these comments:

Although the majority of the workforce ignored the messages, the company says an unidentified employee clicked on the malicious link and entered his or her email ID and password on a fake login page. When the hackers gained the user’s credentials, they attempted to get remote access to the Coinbase network, but due to two-factor authentication controls, they couldn’t gain further access, the company says.

The hackers then directly contacted an employee, according to Coinbase, and claimed to be a Coinbase corporate IT staff member seeking help. But the Coinbase employee became suspicious, and when the SIEM alerted the incident response team to unusual behavior, the team notified the employee, who terminated all communication with the attackers, Coinbase says.

Although the company says it was able to prevent the attack quickly, it acknowledged the incident did cause limited leaks of employee data such as user names and contact details.

This is alarming to say the least! What do you think?

First published at https://www.vogelitlaw.com/blog/sms-phishing-attack-caused-coinbase-employee-data-leak
GovInfoSecurity.com reported “The California city of Oakland is in a state of emergency as its response to a ransomware attack enters its second week.”  The February 15, 2023 report entitled “Oakland Declares Emergency Following Ransomware Attack” (https://tinyurl.com/yc3pv8x5) included these comments:

The ransomware attack, detected during the night of Feb. 8, forced the closure of Oakland City Hall. The city says the attack left “several nonemergency systems including phone lines within the City of Oakland impacted or offline.” The attack did not affect emergency systems, including 911 dispatch and fire services, or the city’s financial systems, the city says. Oakland police have warned the attack is delaying responses to nonemergency matters. 

Which ransomware criminal group is behind the attack and the amount of its extortion demand are currently known. Oakland says it is “working with a leading forensics firm to perform an extensive incident response and analysis,” and law enforcement agencies from all levels of government, including federal, are investigating the attack.

Ransomware attacks show no signs of slowing although fewer victims are paying the extortion demand. This change has led to a significant fall in ransomware gang revenue (see: Ransomware Profits Dip as Fewer Victims Pay Extortion). 

How prepared is your community?

First published at https://www.vogelitlaw.com/blog/nbspcity-governments-are-very-vulnerable-as-highlighted-by-ransomware-attack-disabled-the-city-of-oakland

DarkReading.com reported that “The National Institute of Standards and Technology has settled on a standard for encrypting Internet of Things (IoT) communications, but many devices remain vulnerable and unpatched. A new encryption standard for Internet of Things (IoT) should help advance security for these connected devices in businesses, manufacturers, critical infrastructure, and other sectors running this equipment.”  The February 15, 2023 article entitled “NIST’s New Crypto Standard a Step Forward in IoT Security” (https://www.darkreading.com/ics-ot/nists-new-crypto-standard-a-step-forward-in-iot-security) included these comments:

…the Industrial Internet of Things (IIoT) — an umbrella term for connected devices that monitor and control physical systems and industrial processes — is predicted to grow dramatically. The number of industrial IoT connections — a measure of the number of devices deployed — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020, according to Juniper Research.

However, the massive growth also brings a massive attack surface area. Vulnerabilities in the so-called Extended Internet of Things (XIoT), which includes both devices and the systems that manage those devices, jumped 57% in the first half of 2022 continuing a dramatic rise from the prior year. On the enterprise side, security researchers demonstrated 63 exploitable vulnerabilities in a variety of connected devices at this year’s Pwn2Own, such as printers and network-attached storage.

Meanwhile, enterprise and industrial IoT devices and systems are often used for decades without regular updates, unlike conventional IT environments, which are replaced every three to five years and updated regularly in between, says Bill Malik, vice president of infrastructure strategies at cybersecurity firm Trend Micro.

What do you think?

First published at https://www.vogelitlaw.com/blog/iot-crypto-standard-is-unlikely-to-fix-20billion-old-iot-devices