News Bites For April 7, 2015
Researchers from the University of Virginia and Perrone Robotics recently completed testing of an anti-hacking sensor for automobiles from the startup Mission Secure, Inc. On a test track, the sensor detected several attempts to take over the braking, acceleration and collision-avoidance systems of the cars.
The article says the tests went well, but challenges remain: convincing car makers to adopt something they did not invent, adapting the sensor to different vehicles and getting the cost down. Hopefully, car makers will act before there is a flashy and possibly bloody demonstration of the problem.
###############
Although people love to beat up on Android phones as not very secure, Google’s just-released Android security year in review says that the number of potentially harmful Android application installations was cut nearly in half from Q1 to Q4 of 2014 (see report).
Google found that less than 1% of Android devices had a potentially harmful app installed, and the figure drops to 0.15% for devices that only installed apps from Google Play.
###############
Dark Reading is reporting that 3 out of 4 Global 2000 companies are still vulnerable to the Heartbleed SSL bug a year after its public disclosure (see article). Security software provider Venafi found 580,000 hosts (such as web servers) that had not completely fixed the Heartbleed problem. Gartner called these companies “lazy”: they patched the bug, but did not replace the private keys that may have been stolen while the bug was exposed, did not reissue the certificates and did not revoke the old ones. Patching alone does not help if an attacker already has the key. The practical check is whether a server’s certificate has a validity start date after the date the host was patched; if it still carries the pre-patch key, the host is not done. The article lists a number of potential reasons for the lapse, such as lack of knowledge and not knowing where all of their keys and certificates reside.
As a reminder, Heartbleed is a bug in the very popular open source SSL/TLS package OpenSSL that has a catchy name, a cute logo (a heart dripping blood) and a footprint of millions of affected computers. The bug affects both clients and servers running a vulnerable OpenSSL, allowing an attacker to read chunks of the process’s memory and thereby steal a server’s private key (resulting in the ability to masquerade as the server) or a user’s password (resulting in the ability to, for example, empty your bank account).
Part of the problem is that whether a particular system uses OpenSSL is not obvious to the user, unlike a bug in Excel 2013, which shows up in the program the user is actually running.
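To make the bug concrete, here is an added example (written for this post, not OpenSSL’s own source) that mirrors the logic of the Heartbleed defect and of its fix. A TLS heartbeat request carries a 16-bit length field followed by that many payload bytes plus padding. The vulnerable handler trusted the attacker-supplied length and copied that many bytes from the buffer, reading past the real record into whatever sat next in memory. The fix compares the claimed length against the number of bytes actually received and silently discards the record if they disagree. The `arena` array, the record builder, the secret string and the `heartbeat_*` function names are constructed for this demo; real OpenSSL reads from a heap buffer and could spill up to 64 KB per request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed "process memory": the heartbeat record sits at the start and
 * is followed by data that must never leave the process (demo only). */
static unsigned char arena[96];

/* Build a heartbeat request whose length field says `claimed_len` while the
 * actual payload is `payload`. Returns the record's real (wire) length. */
size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    /* padding bytes are already zero; place a "secret" just past the record */
    memcpy(arena + 3 + plen + HB_PADDING, "SECRET-KEY-MATERIAL", 19);
    return 3 + plen + HB_PADDING;
}

/* Mirrors the pre-fix logic: the length field is trusted and the received
 * record length is never consulted, so the copy runs past the record. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                    /* the bug: rec_len is ignored */
    if (payload > out_cap) return -1; /* demo guard; OpenSSL had no such cap */
    memcpy(out, rec + 3, payload);    /* over-reads into adjacent memory */
    return (int)payload;
}

/* Mirrors the fix: header + claimed payload + padding must fit inside the
 * bytes actually received, otherwise the record is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;          /* runt record */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Does the response buffer contain the secret string? */
int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[96];
    /* attacker claims 40 bytes of payload but sends only "hi" */
    size_t n = build_record(40, "hi");
    int v = heartbeat_vulnerable(arena, n, out, sizeof out);
    printf("vulnerable: copied %d bytes, secret leaked: %s\n",
           v, contains(out, (size_t)v, "SECRET-KEY-MATERIAL") ? "yes" : "no");
    printf("fixed: returned %d (record discarded)\n",
           heartbeat_fixed(arena, n, out, sizeof out));
    return 0;
}
```

The same structure is why the leaked bytes are so valuable: a server that has been running for a while has private keys, session cookies and passwords in the heap near its TLS buffers, and nothing in the protocol limits how often a client may send heartbeats.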
###############
Apparently, the U.S. Government has been collecting records of international phone calls far longer than the Snowden leaks revealed. USA Today is reporting that the program dates back to 1992 under President George H.W. Bush and was approved by, at least, then Attorney General William Barr. The data collection continued under Presidents Clinton, Bush II and Obama until it was killed in 2013 after the Snowden leaks.
The DEA was getting so much call data that it had to get help from the DoD to program computers to analyze it. The agency claims the call records led to finding some big players, but could not name any names.
The DEA relied on an “expansive interpretation” of administrative subpoenas, asserting that the data was relevant to federal drug investigations. A former DEA official said they knew they were stretching the definition.
Now the DEA sends subpoenas to the phone companies to get the data. It reportedly sends as many as a thousand subpoenas a day; however, that likely covers a much smaller share of the call traffic than the bulk collection did prior to 2013.
###############