This class of hack is known as a relay attack, a close cousin of the person-in-the-middle attack. In its simplest form, a relay attack requires two attackers. In the case of the locked Tesla, the first attacker, which we’ll call Attacker 1, is in close proximity to the car while it’s out of range of the authenticating phone. Attacker 2, meanwhile, is in close proximity to the legitimate phone used to unlock the vehicle. Attacker 1 and Attacker 2 have an open Internet connection that allows them to exchange data.
Source: New Bluetooth hack can unlock your Tesla—and all kinds of other devices | Ars Technica
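The quote above describes the attack purely in terms of proximity and a data link between the two attackers, which is the whole point: nothing cryptographic is broken. The simulation below is an added example, not code from the Ars Technica article or from the research it reports; the shared key, the HMAC challenge/response scheme, the hop latencies and the 20 ms round-trip budget are all constructed here. It shows why a cryptographically sound challenge/response still unlocks the car when relayed, and how a round-trip-time bound at the car changes the outcome.

```python
"""Toy relay-attack simulation for a proximity unlock (constructed example).

Attacker 1 stands at the car, Attacker 2 stands near the phone, and they
forward bytes to each other over the Internet. The bytes are never altered,
so an HMAC challenge/response verifies correctly; only the timing differs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed shared secret; a real system provisions this at pairing time.
SHARED_KEY = secrets.token_bytes(32)


class Phone:
    """The legitimate phone: answers any challenge with an HMAC over it."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Car:
    """Issues a fresh nonce, checks the HMAC and, optionally, the round-trip time."""

    def __init__(self, key: bytes, max_rtt_ms: Optional[float] = None) -> None:
        self._key = key
        self.max_rtt_ms = max_rtt_ms  # None means "no timing check at all"

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, response: bytes, rtt_ms: float) -> tuple[bool, bool]:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        crypto_ok = hmac.compare_digest(expected, response)
        timing_ok = self.max_rtt_ms is None or rtt_ms <= self.max_rtt_ms
        return crypto_ok, timing_ok


@dataclass
class Link:
    """One hop the messages cross, with a constructed one-way latency."""
    name: str
    one_way_ms: float


def attempt_unlock(car: Car, phone: Phone, path: list[Link]) -> dict:
    """Run one challenge/response over the given hops using a simulated clock.

    Every hop forwards the bytes unchanged, so the attacker's presence is
    visible only in the accumulated round-trip time.
    """
    challenge = car.new_challenge()
    clock_ms = 0.0
    for hop in path:                 # challenge: car -> ... -> phone
        clock_ms += hop.one_way_ms
    response = phone.respond(challenge)
    for hop in reversed(path):       # response: phone -> ... -> car
        clock_ms += hop.one_way_ms
    crypto_ok, timing_ok = car.verify(challenge, response, clock_ms)
    return {"crypto_ok": crypto_ok, "timing_ok": timing_ok,
            "rtt_ms": clock_ms, "unlocked": crypto_ok and timing_ok}


# Constructed latencies: one direct BLE hop versus the two-attacker relay path.
DIRECT_PATH = [Link("BLE car<->phone", 2.0)]
RELAY_PATH = [Link("BLE car<->Attacker 1", 2.0),
              Link("Internet Attacker 1<->Attacker 2", 40.0),
              Link("BLE Attacker 2<->phone", 2.0)]


def relay_against_unbounded_car() -> dict:
    """Car checks only the HMAC: the relayed response is accepted."""
    return attempt_unlock(Car(SHARED_KEY), Phone(SHARED_KEY), RELAY_PATH)


def relay_against_bounded_car() -> dict:
    """Car also enforces a 20 ms round-trip budget: HMAC passes, timing fails."""
    return attempt_unlock(Car(SHARED_KEY, max_rtt_ms=20.0), Phone(SHARED_KEY), RELAY_PATH)


def direct_against_bounded_car() -> dict:
    """Legitimate owner next to the car: both checks pass."""
    return attempt_unlock(Car(SHARED_KEY, max_rtt_ms=20.0), Phone(SHARED_KEY), DIRECT_PATH)


if __name__ == "__main__":
    for label, result in [("relay, no RTT bound", relay_against_unbounded_car()),
                          ("relay, 20 ms RTT bound", relay_against_bounded_car()),
                          ("direct, 20 ms RTT bound", direct_against_bounded_car())]:
        print(f"{label:24s} rtt={result['rtt_ms']:5.1f} ms  "
              f"crypto_ok={result['crypto_ok']}  unlocked={result['unlocked']}")
```

The round-trip bound is shown as a mitigation, not a fix: it only catches a relay whose added latency exceeds the budget, and the budget has to be enforced at the layer where the timing is actually measured. A relay fast enough to stay under it is indistinguishable from the owner standing beside the car.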
Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software that could be at risk from attempts to exploit the vulnerability.
Source: Log4j flaw: Attackers are making thousands of attempts to exploit this severe vulnerability | ZDNet
The fundamental problem, however, is Republican insiders who have convinced themselves that to keep and hold power, they need to trash the shared beliefs that hold American democracy together.
Source: Undermining Democracy – Schneier on Security
Linus describes Secure Boot as being “pushed in your face by people with an agenda.” But his real problem is that Secure Boot would then imply Kernel Lockdown mode.
Source: Torvalds Expresses Concerns Over Current “Kernel Lockdown” Approach – Phoronix
I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans.
Source: Equifax Breach Response Turns Dumpster Fire — Krebs on Security
“Everybody I know in the cryptocurrency space has gotten their phone number stolen,” said Joby Weeks, a Bitcoin entrepreneur.
Source: Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency – The New York Times
“While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.”
“The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there’s going to be so many of these things used by people with very limited understanding of what they are,” says Dine.
Source: How IoT hackers turned a university’s network against itself | ZDNet
The network that IoT devices use should be isolated from the rest of the LAN and secured by a firewall, so that a compromised device cannot reach anything but what it actually needs. This isn’t that difficult to do.
The overlay skimming devices pictured here include their own tiny magnetic read heads to snarf card data from the magnetic stripe when customers swipe their cards. Consequently, those tiny readers often interfere with the legitimate magnetic card reader on the underlying device, meaning compromised self-checkout lines may move a bit slower than others.
Source: How to Spot Ingenico Self-Checkout Skimmers — Krebs on Security
While it’s amusing to make fun of Giuliani, hiring people with little or no bona fide security experience to head up cybersecurity practices in government is sadly a tried and true pastime in Washington. Instead of tapping actual computer security experts, politicians in many cases continue to put their friends or people they know in charge of a monumental problem that requires expertise beyond having many political connections or relationships with donors.
Source: Rudy Giuliani is an absurd choice to defend the US from hackers | Trevor Timm | Opinion | The Guardian
From: Trump’s cyber-guru Giuliani runs ancient ‘easily hackable website’
“You can probably break into Giuliani’s server,” said Robert Graham of Errata Security. “I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses.
“But that doesn’t matter. There’s nothing on Giuliani’s server worth hacking.”
We must stop trying to fix the user to achieve security. We’ll never get there, and research toward those goals just obscures the real problems. Usable security does not mean “getting people to do what we want.” It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users’ security goals without — as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it — “stress of mind, or knowledge of a long series of rules.”
Source: Security Design: Stop Trying to Fix the User – Schneier on Security