Cybersecurity Thread

[3rd_gear_Ted]

A thread for the latest and greatest Cybersecurity threats.

Here's what is new to me. https://flipperzero.one/

What say you about theses devices and their capabilities?

ZL-1 Camaro's are being stolen with these devices all over SoCal.

[Paul T]

Interesting gadget...never knew such a thing existed. Now I want one....

[1990C4S]

They were banned where I live, which raised the price from $200 to $500. I still see them for sale online every day.

From what I've read, Flipper's are NOT the source of the stolen car epidemic, new cars apparently use rolling codes, so capturing someone's code is useless, unless it's a fairly old car.

[MBAtarga]

At work we had a briefing on the flipper and its capabilities (I'm in an IT security organization.) Really incredible device which in nefarious hands can cause quite a bit of turmoil.

[stealthn]

You can do this with multiple devices, it’s basically a replay attack, fooling the vehicle to think your keys have unlocked it. Just keep your keys in a metal box, and it’s defeated. More modern vehicles have better rolling codes to defeat this. Another attack is the CAN bus attack, getting access to the bus via the headlight connector, you can unlock the doors and start the car in under two minutes with a device you can easily buy.

Cars are becoming easier to steal the more they rely on computers.

I’m sure someone is actively working on compromising OTA updates from major manufacturers as we speak…

[Alan A]

Quote:

Originally Posted by stealthn

I’m sure someone is actively working on compromising OTA updates from major manufacturers as we speak…

They don’t need to. The mfrs are doing a great job of compromising their own ota updates…

[Bill Douglas]

It will be a problem for people locking their buildings with electronic keypads. And a handy tool for interfering with wifi transmissions.

[1990C4S]

Quote:

Originally Posted by stealthn

I’m sure someone is actively working on compromising OTA updates from major manufacturers as we speak…

Do they even care? People continue to buy cars with flawed security, then they complain when the car gets stolen. The consumer buys another car, and the manufacturer sells another car.

Where's the pressure to fix the problem coming from?

Push-button start is the source of a lot of problems, no one seems to be going back to a physical key.

[GH85Carrera]

I see that AT&T was hacked again. Only name address and social security numbers put on the dark web.

And so many companies are pushing me to move to "cloud" based data storage. I am 100% certain I have never been hacked. I will keep my data on my local computers, and the banks and credit union I use are hopefully batter at security than AT&T.

[flipper35]

Quote:

Originally Posted by 1990C4S

They were banned where I live, which raised the price from $200 to $500. I still see them for sale online every day.

From what I've read, Flipper's are NOT the source of the stolen car epidemic, new cars apparently use rolling codes, so capturing someone's code is useless, unless it's a fairly old car.

Correct, as they come from the manufacturer they cannot unlock and start a modern car. They are good at cloning RFID and with different modules hack wifi and what not. Great at changing the channel at a sports bar or airport!

They are no different than the little Pi kits or anything else, but they do come in a small case with lots of capability from the factory.

My daughter has one.

You can buy different modules for them and root them for different purposes, but as stated, they are not any differnt than the hobbyist Pi kits.

Professinal kits can do a whole lot more and are far more expensive!

[Arizona_928]

Flipper zero is the least of your worries.

AI and voice models have been scamming Asian corporations this last year

[Dixie]

Quote:

Originally Posted by stealthn

Just keep your keys in a metal box, and it’s defeated.

I simply unplugged my On-Star module. Between car thefts, and GM selling everyone's driving data, it seemed prudent.

[3rd_gear_Ted]

Recent $30M heist in L.A. from a state of the art secret money storage depot smells like the alarm system was compromised.

Reports are saying the Easter morning, area wide internet outage related to the facility location was a deliberate step in the robbery

[3rd_gear_Ted]

Microsoft developer did some nefarious stuff.

https://finance.yahoo.com/news/1-why-near-miss-cyberattack-151035964.html

[masraum]

Quote:

Originally Posted by 3rd_gear_Ted

Microsoft(wrong) developer did some nefarious stuff.

https://finance.yahoo.com/news/1-why-near-miss-cyberattack-151035964.html

FYI, some random developer named "Tan" did nefarious stuff. A Microsoft developer named Freund discovered the issue.

Excerpts from the article...

Quote:

Freund, who works for Microsoft out of San Francisco, discovered that the latest version of the open source software program XZ Utils had been deliberately sabotaged by one of its developers, a move that could have carved out a secret door to millions of servers across the internet.

Security experts say it’s only because Freund spotted the change before the latest version of XZ had been widely deployed that the world was spared a digital security crisis.

“We really dodged a bullet,” said Satnam Narang, a security researcher with Tenable who has been tracking the fallout from the find. “It is one of those moments where we have to wipe our brow and say, ‘We were really lucky with this one.’”

XZ, a suite of file compression tools packaged into distributions of the Linux operating system, was long maintained by a single author, Lasse Collin.

In recent years, he appeared to be under strain.

In a message posted to a public mailing list in June 2022, Collin said he was dealing with "longterm mental health issues" and hinted that he working privately with a new developer named Jia Tan and that “perhaps he will have a bigger role in the future.”

Update logs available through the open source software site Github show that Tan’s role quickly expanded. By 2023 the logs show Tan was merging his code into XZ, a sign that he had won a trusted role in the project.

Tan could easily have gotten away with it had it not been for Freund, the Microsoft developer, whose curiosity was piqued when he noticed the latest version of XZ intermittently using an unexpected amount of processing power on the system he was testing.

[Alenbaarz]

I’m not a cybersecurity expert by any means, but I’m working on getting my PMI-PMP certification, and it’s wild to think how much project management overlaps with this kind of tech, especially with risk management and safeguarding project data. I’ve seen those Pi kits, and yeah, the modules are cool for hobbyists. My cousin’s really into this stuff and she’s built a bunch of things with them. It’s crazy how accessible the tech is these days. The pmp training I’m doing has really made me think about how important it is to stay on top of security risks, especially as things get more advanced. Anyway, great discussion!

[stealthn]

Right now Insurance policies for companies are really driving cyber security. It’s great but most clients who’ve been slacking/cheap on this over the years are now forced to spend the money to buy a lot of software and services and change policies/processes otherwise they cannot be insured.

To me it’s a step in the right direction to smarten companies up, but I still feel the supply chain attacks (especially with software updates) are the biggest targets/threats.