New Bluetooth hack can unlock your Tesla—and all kinds of other devices

This class of hack is known as a relay attack, a close cousin of the person-in-the-middle attack. In its simplest form, a relay attack requires two attackers. In the case of the locked Tesla, the first attacker, which we’ll call Attacker 1, is in close proximity to the car while it’s out of range of the authenticating phone. Attacker 2, meanwhile, is in close proximity to the legitimate phone used to unlock the vehicle. Attacker 1 and Attacker 2 have an open Internet connection that allows them to exchange data.

Source: New Bluetooth hack can unlock your Tesla—and all kinds of other devices | Ars Technica

Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability

Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software that could be at risk from attempts to exploit the vulnerability.

Source: Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability | ZDNet

Equifax Breach Response Turns Dumpster Fire

I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.

Source: Equifax Breach Response Turns Dumpster Fire — Krebs on Security

How IoT hackers turned a university’s network against itself

“While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.”

“The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there’s going to be so many of these things used by people with very limited understanding of what they are,” says Dine.

Source: How IoT hackers turned a university’s network against itself | ZDNet

The network that IoT devices use should be isolated from the rest of the network and protected by a firewall. This isn’t that difficult to do.

How to Spot Ingenico Self-Checkout Skimmers

The overlay skimming devices pictured here include their own tiny magnetic read heads to snarf card data from the magnetic stripe when customers swipe their cards. Consequently, those tiny readers often interfere with the legitimate magnetic card reader on the underlying device, meaning compromised self-checkout lines may move a bit slower than others.

Source: How to Spot Ingenico Self-Checkout Skimmers — Krebs on Security

Rudy Giuliani is an absurd choice to defend the US from hackers

While it’s amusing to make fun of Giuliani, hiring people with little or no bona fide security experience to head up cybersecurity practices in government is sadly a tried and true pastime in Washington. Instead of tapping actual computer security experts, politicians in many cases continue to put their friends or people they know in charge of a monumental problem that requires expertise beyond having many political connections or relationships with donors.

Source: Rudy Giuliani is an absurd choice to defend the US from hackers | Trevor Timm | Opinion | The Guardian

From: Trump’s cyber-guru Giuliani runs ancient ‘easily hackable website’

“You can probably break into Giuliani’s server,” said Robert Graham of Errata Security. “I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses.

“But that doesn’t matter. There’s nothing on Giuliani’s server worth hacking.”

Stop Trying to Fix the User

We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users’ security goals without — as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it — “stress of mind, or knowledge of a long series of rules.”

Source: Security Design: Stop Trying to Fix the User – Schneier on Security