Monday, January 29, 2024

Interesting Security News

Item the first: follow the money:

Trend Micro's Zero Day Initiative (ZDI) held its first-ever automotive-focused Pwn2Own event in Tokyo last week, and awarded over $1.3 million to the discoverers of 49 vehicle-related zero day vulnerabilities.

Researchers from French security outfit Synacktiv took home $450,000 after demonstrating six successful exploits, one of which saw the company’s crew gain root access to a Tesla Modem. Another effort found a sandbox escape in the Musk-mobiles’ infotainment system.

Other popular targets at the three day event included after-market infotainment systems and, more troublingly, a whole host of successful hacks on EV chargers.

This is a good strategy - show me the hack, I'll show you the money.  More, please.  Plus, good on them picking automotive computing as the target.  Long time readers will recall that this is something I've been harping on for quite some time.

Item the second: SEC gets pwned (same link as above): 

We had our suspicions when Twitter/X blamed the US Securities and Exchange Commission for the account takeover that led to the premature release of news the regulator would allow Bitcoin exchange-traded funds– and those suspicions have been confirmed.

"The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," the Commission admitted last week.

For those unfamiliar with this form of attack, SIM swaps involve convincing a telecom carrier to transfer a phone number to a new SIM card (a shift for which there are a variety of legitimate reasons), giving an attacker control over communications going to and from that number – like a second authentication factor.

That didn't matter, of course, because the SEC also admitted it disabled multi-factor authentication with Twitter support in July last year "due to issues accessing the account," but no one bothered to turn it back on.

"It made security too hard and then we forgot all about it" is an excuse that I suspect that SEC investigators wouldn't accept.  Top. Men.

1 comment:

  1. Security through Obscurity isn't a plan, either...
    I've seen too much of that in Gubmint systems!

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.