InfoSec News Nuggets – August 8, 2018

Home / InfoSec News Nuggets / InfoSec News Nuggets – August 8, 2018

Ex-Tesla Worker Accused of Hacking Seeks $1M in Counterclaim

A former Tesla Inc. employee at the electric car maker’s battery plant in Nevada is seeking at least $1 million in defamation damages after it accused him of sabotage, hacking into computers and stealing confidential information leaked to the media. Lawyers for Martin Tripp filed a counterclaim in federal court this week alleging any damages Tesla incurred were caused or contributed to by Tesla’s “own negligence, acts or omissions.” Tripp alleges that between $150 million and $200 million worth of battery module parts for Tesla’s Model 3 vehicle were incorrectly handled as scrap earlier this year. He said more than 700 dented and/or punctured battery modules were not discarded and instead were being shipped or were in the process of being shipped to customers. A punctured battery could pose a fire risk.

Mozilla to Researchers: Stay Away From User Data and We Won’t Sue

Mozilla, which has had a security bug bounty program for over a decade, is discontent with how legal issues are interfering with the bug hunting process and has decided to change its bug bounty program policies to mitigate that. Because legal protections afforded to those participating in bounty programs failed to evolve, security researchers are often at risk, and the organization is determined to offer a safe harbor to those researchers seeking bugs in its web browser. According to the Internet organization, bug bounty participants could end up punished for their activities under the Computer Fraud and Abuse Act (CFAA),the anti-hacking law that criminalizes unauthorized access to computer systems.

Making millions out of prisoners’ email

Inside prisons, e-messaging companies are quietly building a money-making machine virtually unhindered by competition—a monopoly that would be intolerable in the outside world. It’s based in a simple formula: Whatever it costs to send a message, prisoners and their loved ones will find a way to pay it. And, the more ways prisoners are cut off from communicating with their families, the better it is for business. Which means that stamp by stamp, companies like JPay – and the prisons that accept a commission with each message – are profiting from isolation of one of the most vulnerable groups in the country. And, with prisoners typically earning 20 cents to 95 cents an hour in jobs behind bars, the cost of keeping in touch most likely falls to family members and friends.

GitHub to Warn Users on Compromised Passwords

In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services. Security experts have long pushed for the use of long, unique passwords, to ensure stronger security of all online accounts. However, even unique passwords can pose a great risk when compromised, especially if attackers can link them to specific accounts. The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The service allows users to check whether their accounts and passwords have appeared in any data breaches.

FCC admits it was never actually hacked

The FCC has come clean on the fact that a purported hack of its comment system last year never actually took place, after a report from its inspector general found a lack of evidence supporting the idea. Chairman Ajit Pai blamed the former chief information officer and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.” The semi-apology and finger-pointing are a disappointing conclusion to the year-long web of obfuscation that the FCC has woven. Since the first moment it was reported that there was a hack of the system, there have been questions about the nature, scale and response to it that the FCC has studiously avoided even under direct Congressional questioning.

Kirstjen Nielsen: Private sector needs to help the US  respond to cyber threats

In case you missed it, Secretary of Homeland Security Kirstjen M. Nielsen’s opinion piece “Private sector needs to help the U.S. respond to cyber threats” ran on CNBC today. The piece calls for bold action to secure America’s cybernetworks and protect our critical infrastructure from cyberattacks. It also outlines the need for the Department’s newly launched National Risk Management Center, an initiative driven by industry needs and focused on fostering a better way to bring government and the private sector together to defend our nation’s critical infrastructure.

Facebook denies asking banks for your financial details

Facebook has rushed to deny allegations that it is in talks with banks with a view to gathering information about users’ card transitions and other financial information. The allegations came in a story in the Wall Street Journal which claimed the social networking giant had asked US banks to share information about their customers. The WSJ story paints a scary image, but Facebook tells a different story. Spokeswoman Elisabeth Diana says: “We don’t use purchase data from banks or credit card companies for ads. We also don’t have special relationships, partnerships, or contracts with banks or credit-card companies to use their customers’ purchase data for ads.”

Study: Law Enforcement Need Technical Skills, Not Backdoors

According to a recent study by The Center for Strategic and International Studies (CSIS) encryption is not the most critical issue facing law enforcement in the digital realm. CSIS’s study includes a series of interviews with federal, state, and local law enforcement officials, attorneys, service providers, and civil society groups. They also commissioned a nationwide survey of law enforcement to better comprehend the full range of challenges they face in accessing and using digital evidence for their cases. The CSIS study states: “Survey results indicate that accessing data from service providers — much of which is not encrypted — is the biggest problem that law enforcement currently faces in leveraging digital evidence.”

Exoskeletons debut at Ford factories

Following successful trials, Ford will now offer employees the use of exoskeletons to reduce the strain of factory work. Despite the emergence of Industry 4.0, smart factories, sensors, and data analytics, much of the heavy-duty operations of today’s industrial and manufacturing still rely heavily on human input. Over time, the physical demand of such work can cause injury, muscle stress, and accidents. However, Ford hopes that by augmenting our bodies, exoskeletons may be able to reduce some of the strain.

Atlanta ransomware recovery cost now at $17 million

The cost to rebuild Atlanta’s computer network after it was hit with a SamSam ransomware attack in March continues to climb with a new report now placing the tab at $17 million, almost six times the initial estimate. The Atlanta Constitution-Journal reported that it came across the new figure after obtaining a seven-page confidential city document that identifies $11 million in additional spending, on top of the $6 million already tapped for the project. The newspaper noted there was no indication which city department created the document.

Pentagon restricts use of geolocation software for troops

The U.S. military is prohibiting its deployed personnel from using geolocation features on smartphones, fitness trackers and other devices because they could create security risks by revealing their location, the Pentagon said on Monday. The decision follows concerns raised in January when an Australian researcher’s analysis of data posted by Strava, a fitness tracking app, on activities of its users revealed locations of American forces in Syria and Iraq. The Pentagon made public a memo issued on Friday which said the geolocation capabilities presented a “significant risk.”

New Attack on WPA/WPA2 Protocols Could Potentially Impact Many Wi-Fi Devices

Security researchers have recently found a new attack on the Wi-Fi Protected Access Protocols (WPA/WPA2) which you know are security standards aimed at making your wireless networks more secure. They discovered it by accident while testing the new WPA3 security standard that was recently announced. What makes this attack different from previous attacks against WPA is that it does not require to collect a complete EAPOL (Extensible Authentication Protocol over LAN) 4-way handshake. It is performed on the RSN IE (Robust Security Network Information Element) with a simple EAPOL frame and means that could let malicious actors to get the data they need  via a packet capture tool (such as hascat) and then brute-force metod.

How the Army is competing with Google for these ninjas

One of the Army’s most urgent, ongoing cyber fights is for talent, and it’s hauling out some new weapons, like bringing in new officers in ranks up to colonel to be cyber ninjas and offering big bonuses across the cyber force. Direct officer commissions at high ranks are now being considered in Congress for all the services to build up their cyber capabilities, Army officials say. That and hefty cash incentives are part of the Army’s strategy to bring in and keep people with high-demand cyber skills at a time when the civilian unemployment rate for them is essentially zero, the officials say.

Hacker swipes Snapchat’s source code, publishes it on GitHub

Snapchat doesn’t just make messages disappear after a period of time. It also does the same to GitHub repositories — especially when they contain the company’s proprietary source code. So, what happened? Well, let’s start from the beginning. A GitHub with the handle i5xx, believed to be from the village of Tando Bago in Pakistan’s southeastern Sindh province, created a GitHub repository called Source-Snapchat. At the time of writing, the repo has been removed by GitHub following a DMCA request from Snap Inc (we’ll get to that later), so we can’t take a closer look and see what it contains. That said, there are a few clues to its contents.

Apple responds to Congress on privacy, reaffirms ‘the customer is not our product’

In a letter dated Tuesday, Timothy Powderly, Apple’s director of federal government affairs, writes to Rep. Greg Walden (R-OR), chairman of the House Committee on Energy and Commerce, in response to questions Walden had posed to CEO Tim Cook in a July 9 letter. While the letter does not mention Facebook by name, it’s fairly clear that that’s who Apple is seeking to contrast themselves with. “We believe privacy is a fundamental human right and purposely design our products and services to minimize our collection of customer data,” the August 7 letter from Powderly says. “When we do collect data, we’re transparent about it and work to disassociate it from the user. We utilize on-device processing to minimize data collection by Apple. The customer is not our product, and our business model does not depend on collecting vast amounts of personally identifiable information to enrich targeted profiles marketed to advertising.”