Tesla’s Cloud Systems Hacked

One of the most prominent upstart tech companies of late is Tesla. Everyone knows their name, and their vehicles and battery systems have been very well received by the market.

Tesla not only produces technically advanced products, they heavily leverage technology to do so. News emerged this week that security researchers have discovered that Tesla’s Cloud platform has been exploited by hackers to mine cryptocurrencies. This took place within Tesla’s infrastructure hosted on Amazon Web Services (AWS). The hack appears to have been done to leverage Tesla’s computing resources in AWS for the attackers’ own purposes. However, there is a concern that some vehicle data was exposed as a result.

To Tesla’s credit, they responded very quickly and issued the following response to technology news site ZDNet:

“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

Good for Tesla for addressing this so quickly and transparently. They have done a great job of owning the issue and responding appropriately. A good lesson for others to follow.

Disgusting, But Sadly Expected

Hackers are hard at work trying to scam you with phishing campaigns related to the horrific Parkland, FL school shooting incident last week.  As disgusting as this is, it’s become the new norm.  A shocking tragedy takes place and hackers come out of the woodwork, trying to trick unsuspecting people with fake fundraising and news links and stories.  It’s all about the scam.

You may receive email messages asking for donations, sharing new information about the incident, or linking to new videos and news reports. Be very suspicious of anything you receive that references a recent tragic event like this.

If you want to research news stories or donate to charitable funds setup in response to the tragedy, please go directly to the web site of the organization you wish to support or the site of the news source.  Don’t click email links that could take you to compromised sites that the hackers are using to try to steal your payment or other information.

Be vigilant against these heartless and slimy operators, both at home and at work.

Olympic Technology is Going for Gold

This post was originally published in today’s Foster’s and Seacoast Sunday.

The Olympics taking place in PyeongChang is a spectacle of technology that is giving us a glimpse into our future. With technological powerhouses like Samsung being one of South Korea’s most well known exports, it’s no wonder technology is taking center stage.

This awesome display of technology is not without its pitfalls. On the first day of this year’s Olympics, hackers took center stage, breaking into some Olympic technology and causing the official website of the 2018 Winter Games to be taken down overnight. As of now, there does not appear to have been any serious breach, but investigators are still at work and we may not know what has really happened during the Olympic Games until well after the Olympic torch has been extinguished in PyeongChang.

One of the massive challenges for technology at an event like the Olympics is security. It’s even more of a challenge due to the nature of the event: a temporary sporting event that brings the attention of the world to a small part of the host country for a short window of time. Talk about a target of opportunity.

Olympic Games are put on by local organizing committees under the auspices of the International Olympic Committee, the IOC. Technology contracts are awarded to multiple companies by the local organizing committee and are often decentralized, meaning each vendor chosen must secure their own networks. This brings multiple players to the table and multiple vulnerabilities. Intel, Samsung, Visa, Atos, Korea Telecom, Comcast, NBC and more all have extensive technology infrastructures in place at the Olympics. Even clothier Ralph Lauren has introduced technology to Team USA’s uniforms for this year’s Winter Olympics. The jackets Team USA will be wearing include active heating technology to keep the athletes warm.

Multiple organizations and government agencies have warned attendees to steer clear of public WiFi and be on alert for all manner of cyber scams. Some have gone so far as to recommend turning off WiFi and Bluetooth while at the Games, to avoid what are known as drive-by attacks, where a hacker may theoretically access your device to steal information and use it as part of a larger attack.

There will be plenty of technological marvels on display, from Intel’s amazing drone light shows to Samsung’s robots. A robot even carried the Olympic Torch for part of the relay leading up to the lighting of the Olympic Flame during the opening ceremonies one week ago. Technology will also be available to the athletes to help them tune their performance and maximize their experience. Suits with smart sensors will provide a level of athletic performance feedback not previously seen. It will be interesting to see if any competitors make changes based on this new information that will be available.

Another first for these Olympics is that all of the technology systems running and broadcasting the games will be Cloud based. You won’t find the temporary data centers that powered past games. This year, critical systems will all be physically away from the games in Cloud data centers. There are some fifty critical applications behind this year’s Olympic experience, all out in the Cloud.

Even with this reliance on the Cloud, there will still be well over three thousand IT workers on the ground in PyeongChang supporting the games. Whether things are based in the Cloud or not, you still need an on-site IT infrastructure to enable everything from accurately capturing race times to broadcasting the events live online and to television viewers worldwide.

For spectators who are in PyeongChang, Intel is providing virtual reality experiences from the athlete’s point of view. Imagine putting on a virtual reality headset and finding yourself hurtling down a slalom course at 70 to 80 mph. You can if you want to.

I mentioned Visa earlier as one of the technology companies on display at the Olympics. Yes, Visa is a financial services company, mostly known for issuing debit and credit cards. In PyeongChang, Visa is showcasing payment technologies of the future. There are contactless payment terminals throughout the venues. Visa provided special rings to the athletes that have embedded payment technology, allowing an athlete to simply wave their hand over a payment terminal to pay for something. Visa even has smart gloves in use so that when you are outside, you won’t have to take your gloves off to pay for something. Just place your hand near a payment terminal and make your payment.

The Olympics are always a great event, showcasing known and unknown athletes and great stories of triumph and defeat. Technology is giving us a glimpse into the future as well this year, except the future is now.

Strong Warnings Not to Purchase a Huawei Smartphone

About a month ago, I published a post titled Huawei & ZTE, the New Lenovo and Kaspersky?  It appears that the answer is yes, at least in terms of suspicion on the part of the US intelligence community.

This is not new news; however, with Huawei set to begin shipping its first device in the US market in just a few days, the warnings are getting louder and stronger.

Just this week, the heads of the three major US intelligence agencies, the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI) and National Security Agency (NSA), all testified on Capitol Hill and issued a dire warning: do not buy a Huawei phone. Several members of the Senate committee before which the leaders testified echoed their concerns and warning.

The US government has long suspected that Huawei and another company, ZTE, are actively cooperating with the Chinese government to use these devices to spy on US businesses and citizens. There has been no proof offered in the public domain and both companies firmly deny the allegations. However, testimony and comments from these leaders and multiple elected officials send a strong message that there may be evidence that is not yet public.

These new smartphones get very good reviews in terms of their technical capabilities and user experience.  That’s a shame given the allegations, which are likely to limit their penetration in the US and other markets.  There will surely be several who purchase devices from these companies, not knowing of these concerns.  I’m sure that is why we are seeing stronger and more frequent statements on the matter now that the US launch of these devices is upon us.

This is just another example of how complex choosing and using technology is becoming for us all. Concerns around how governments are using technology companies to further their interests and disrupt other societies have been proven to be a very real threat, so do your homework before you invest in new technology.

Yup, the Olympics are Being Hacked

The good news is that no known damage has been done, but it didn’t take long for bad actors to attempt to disrupt the Olympic Games currently underway in PyeongChang. In fact, a yet to be identified hacker disrupted some servers during the opening ceremony, which ultimately led to the web site for this year’s games being taken down overnight that first day.

The Olympics are a particularly complicated event to safeguard. Numerous IT related vendors are working together to manage a very robust IT infrastructure that is temporary. Everything is done under the auspices of the local Olympic organizing committee, which is also a temporary entity.

Personally, I think a permanent home for the Olympic Games would go a long way toward making cybersecurity less of a concern, but I’m not sure the politics of such a move will allow that in the foreseeable future. That is another topic altogether.

For now, the Olympics seem to be safe, though several instances of various malware have been detected within the various networks in use. The vendors and organizing committee are working diligently to be sure that nothing more malicious is in play, but given the tensions between the Koreas and general geopolitical tensions around the world, the Olympics being a target was more of a sure thing than any one athlete winning gold.

Data Privacy Day is Every Day

Yesterday, January 28, was Data Privacy Day, an annual campaign about online privacy awareness led by the National Cyber Security Alliance (NCSA). This annual event began in 2008 and this year’s theme is “Respecting Privacy, Safeguarding Data and Enabling Trust.”

“Data Privacy Day highlights our ever-more connected lives and the critical roles consumers and businesses play in protecting personal information and online privacy,” says Michael Kaiser, executive director of NCSA. “Our personal information and our habits and interests fuel the next generation of technological advancement like the Internet of Things, which will connect devices in our homes, schools and workplaces. Consumers must learn how best to protect their information and businesses must ensure that they are transparent about the ways they handle and protect personal information. The future holds tremendous opportunities for improving our lives through connected technologies, but we can only build a safer, more trusted internet if everyone works in collaboration to make respecting and protecting personal information a priority.”

While this is an annual awareness campaign, the fact of the matter is that every day is Data Privacy Day.

Here are some tips from this year’s event:

PRIVACY INSIGHTS AND ADVICE FOR CONSUMERS: OWN YOUR ONLINE PRESENCE

+ PERSONAL INFO IS LIKE MONEY: VALUE IT. PROTECT IT. Information about you, such as your purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites. You should delete unused apps, keep others current and review app permissions.

+ SHARE WITH CARE. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future. It’s a good idea to review your social network friends and all contact lists to ensure everyone still belongs.

+ OWN YOUR ONLINE PRESENCE. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information. It’s OK to ask others for help.

+ LOCK DOWN YOUR LOGIN. Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Choose one account and turn on the strongest authentication tools available, such as biometrics, security keys or a unique one-time code sent to your mobile device.

+ KEEP A CLEAN MACHINE. Keep all software, operating systems (mobile and PC) and apps up to date to protect data loss from infections and malware.

+ APPLY THE GOLDEN RULE ONLINE. Post only about others as you would have them post about you.

+ SECURE YOUR DEVICES. Every device should be secured by a password or strong authentication – finger swipe, facial recognition etc. These security measures limit access to authorized users only and protect your information if devices are lost or stolen.

+ THINK BEFORE YOU APP. Information about you, such as the games you like to play, your contacts list, where you shop and your location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through apps.

PRIVACY INSIGHTS AND ADVICE FOR ORGANIZATIONS: PRIVACY IS GOOD FOR BUSINESS

+ IF YOU COLLECT IT, PROTECT IT. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access.

+ BE OPEN AND HONEST ABOUT HOW YOU COLLECT, USE AND SHARE CONSUMERS’ PERSONAL INFORMATION. Think about how the consumer may expect their data to be used, and design settings to protect their information by default.

+ BUILD TRUST BY DOING WHAT YOU SAY YOU WILL DO. Communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy.

+ CREATE A CULTURE OF PRIVACY IN YOUR ORGANIZATION. Educate employees on the importance and impact of protecting consumer and employee information as well as the role they play in keeping it safe.

+ DON’T COUNT ON YOUR PRIVACY NOTICE AS YOUR ONLY TOOL TO EDUCATE CONSUMERS ABOUT YOUR DATA PRACTICES. Consider features that allow consumers to opt-in to certain forms of data sharing rather than requiring them to opt-out.

+ CONDUCT DUE DILIGENCE AND MAINTAIN OVERSIGHT OF PARTNERS AND VENDORS. If someone provides services on your behalf, you are also responsible for how they collect and use your customers’ personal information.

To learn more and get involved, visit https://staysafeonline.org/data-privacy-day/.

Solid Phishing Example

I received the following email the other day and it’s one of the best examples of a phishing email I have seen. It’s clean, branded properly, and I can certainly envision an unsuspecting recipient clicking the link and exposing themselves to theft and hacking.

Here’s what the email looked like when it arrived in my Inbox:

[Image: the message as it appeared in the Inbox]

This particular phishing campaign is obviously targeting users of Microsoft OneDrive.  With so many people now using Office 365 subscriptions, of which OneDrive is a part, this is a fertile target for hackers to go after.

When I opened the email this is what I saw:

[Image: the opened phishing email]

The address looks like it should be legitimate and the branding is very good.  I could easily see someone going ahead and clicking on the View File link, so let’s look a little more closely at this message.

[Image: the same email with the tell-tale areas circled in red]

What you can see inside the red circles is what gives this away as a fake. In the upper red circle, the actual “from” address is clearly not a Microsoft email address. You will never receive a message from a service like OneDrive where the display name says “Microsoft Office OneDrive Online Notification Message Center” while the actual email address belongs to a person at a different domain name. The extra spacing between the words “Online” and “Notification” in the display name is also a hint that something is suspicious about this message.

Finally, the lower red circle shows that if you hover the mouse over the View File link without actually clicking, the URL that the link goes to is not a OneDrive address. This is a clear warning sign that if you click the link you will be directed to a web site that may try to trick you into entering private information or, worse, may silently install malware onto your device.
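The three tells described above (a brand name in the display name that does not match the real sender domain, the odd spacing in the display name, and a link whose destination is not on the brand’s domain) can be checked automatically, which is how a mail filter or a help desk triage script would approach it. The following is an added example, not code from the original post; the sample message, the allowlist of Microsoft domains and the function names are all constructed here for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample that mimics the OneDrive lure described in the post
# (example domains only; this is not the real message).
SAMPLE_EMAIL = """\
From: "Microsoft Office OneDrive  Online Notification Message Center" <jdoe@example-partner.net>
Subject: A document was shared with you
Content-Type: text/html

<html><body><p>Someone shared a file with you on OneDrive.</p>
<a href="http://example-phish.invalid/onedrive/login">View File</a></body></html>
"""

# Assumed allowlist of domains that legitimately send OneDrive/Office 365 mail.
BRAND_DOMAINS = {"microsoft.com", "onedrive.com", "office.com", "office365.com"}
BRAND_WORDS = ("microsoft", "onedrive", "office")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'last two labels' domain: mail.microsoft.com -> microsoft.com."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw):
    """Return human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    flags = []
    # 1. Display name claims the brand, but the real address is elsewhere.
    if any(w in display.lower() for w in BRAND_WORDS) and sender_dom not in BRAND_DOMAINS:
        flags.append(f"display name impersonates brand; sender domain is {sender_dom}")
    # 2. Irregular whitespace in the display name (the double space in the post).
    if re.search(r"\s{2,}", display):
        flags.append("irregular spacing in display name")
    # 3. Any link (e.g. 'View File') that does not land on a brand domain.
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        dom = registrable(urlparse(href).hostname or "")
        if dom not in BRAND_DOMAINS:
            flags.append(f"link '{text}' points to {dom}")
    return flags
```

Running `phishing_indicators(SAMPLE_EMAIL)` reports all three tells for the sample; a genuine notification from an allowlisted domain with clean spacing and brand-domain links returns an empty list.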

I hope sharing this example will help you avoid falling victim to any phishing attempt, not just this one.  Stay Safe Online!
