Friday Five: 9/14 Edition
Academics hack a Tesla, cybercrime costs Germany billions, and a biotechnology company admits it was phished - catch up on the week's infosec news with this wrap-up!
1. Cyber attacks cost German industry almost $50 billion: study by Thomas Escritt
It's tricky to say which number from this Reuters report is more shocking: the fact that two-thirds of Germany's manufacturers have been hit by cyberattacks, or the fact that the attacks have cost those businesses $50 billion. The numbers come via a survey, carried out by Bitkom, a German IT conglomerate, of 503 members from the sector. Nineteen percent of those surveyed said their IT and production systems were sabotaged digitally, perhaps in an attempt to hamper competitors.
2. Back up a minute: Veeam database config snafu exposed millions of customer records by John Leyden
Not a week goes by without researchers stumbling upon a cache of sensitive data left open to the public that was supposed to be locked down. The latest instance, a misconfigured server at Veeam, a Swiss data recovery and backup firm, spilled roughly 200 gigs of data collected between 2013 and 2017, including user email addresses, names, and even IP addresses. To blame? A MongoDB resource that wasn't password-protected or encrypted.
3. Tesla Model S Hack Could Let Thieves Clone Key Fobs to Steal Cars by Mohit Kumar
Academics from the Computer Security and Industrial Cryptography (COSIC) group, a division of the Department of Electrical Engineering at KU Leuven University in Belgium, said this week that they discovered a way to crack the encryption used in Tesla's Model S key fobs. The technique, first described in a Wired article this week, could potentially also work on Triumph motorcycles and cars made by McLaren and Karma. The hack would involve cloning the key fob, something possible with $600 in radio and computing equipment: technically, an attacker would have to read signals from a fob and retrieve the cryptographic key in order to copy it. Tesla hasn't fixed the issue yet but is encouraging users to enable two-factor authentication, which requires customers to set a unique PIN that must be entered before their vehicle can be driven.
4. Guardant Exposed to Cybersecurity Threat from Phishing Scheme by Omar Ford
Guardant Health, an oncology company based in California, did not disclose that it had been hit by a phishing attack two months ago until it filed this week to raise $100 million in a U.S. IPO. The company said in an SEC filing related to the IPO that the private data of 1,100 individuals was compromised. As the company is an oncology firm, data such as names, birth dates, medical diagnosis codes, and some Social Security numbers were included in the leak.
5. Should DHS do more with DMARC data? by Derek B. Johnson
We're almost a month away from a deadline around email and website security that has been looming over the federal government for a year. Last October the Department of Homeland Security stressed that federal agencies need to implement tools to help thwart spoofing on public-facing federal sites. DMARC (Domain-based Message Authentication, Reporting and Conformance) is at the center of the directive, but it's unclear what exactly the DHS plans to do with the data that agencies send its way. The DHS isn't required to analyze that data, but doing so could help prevent future attacks, per Sen. Ron Wyden (D-Ore.). "Currently, DHS has not implemented analysis of the DMARC reports," NPPD Undersecretary Christopher Krebs told Wyden, according to FCW. "As agencies implement and submit their reports to DHS, we are collecting data in a common format for future analysis."
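The analysis Krebs says DHS has not yet implemented starts with something quite small: reading the aggregate (RUA) XML reports that mailbox providers send to the address in a domain's DMARC record and working out which sending hosts are, and are not, authenticating. The script below is an added example, not code from the article, FCW, DHS or any agency; the report text is constructed here (the domain, IPs and counts are made up) and follows the aggregate-report layout from RFC 7489. It totals messages per source IP and lists the sources whose mail failed both aligned DKIM and aligned SPF, which is exactly the population an agency would want to look at when deciding whether a source is a forgotten legitimate sender or someone spoofing its domain.

```python
"""Summarise a DMARC aggregate (RUA) report.

Added example, not from the article or from any agency tooling. The
report below is constructed for the example; real reports arrive as
(usually gzipped) XML attachments at the rua= address in the domain's
DMARC DNS record.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report for a hypothetical example.gov domain. The first
# source is the domain's real mail server (aligned DKIM and SPF pass); the
# second is an unknown host whose mail failed both checks and was rejected
# under the published p=reject policy.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1536796800</begin><end>1536883199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.gov</domain>
    <p>reject</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>850</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.gov</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip>
      <count>40</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.gov</header_from></identifiers>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return a summary of one aggregate report.

    The summary holds the published policy, message totals and
    disposition counts per source IP, and the sorted list of source IPs
    for which every reported message failed both aligned DKIM and
    aligned SPF (the candidates for spoofing, or for a legitimate sender
    that was never set up to authenticate).
    """
    root = ET.fromstring(xml_text)
    policy = {
        "domain": root.findtext("policy_published/domain"),
        "p": root.findtext("policy_published/p"),
    }
    per_source = defaultdict(
        lambda: {"count": 0, "dkim_fail": 0, "spf_fail": 0,
                 "dispositions": defaultdict(int)}
    )
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        entry = per_source[ip]
        entry["count"] += n
        entry["dispositions"][evaluated.findtext("disposition")] += n
        # Anything other than an explicit aligned "pass" counts as a failure.
        if evaluated.findtext("dkim") != "pass":
            entry["dkim_fail"] += n
        if evaluated.findtext("spf") != "pass":
            entry["spf_fail"] += n

    unauthenticated = sorted(
        ip for ip, e in per_source.items()
        if e["dkim_fail"] == e["count"] and e["spf_fail"] == e["count"]
    )
    return {
        "policy": policy,
        "total_messages": sum(e["count"] for e in per_source.values()),
        "sources": {ip: dict(e, dispositions=dict(e["dispositions"]))
                    for ip, e in per_source.items()},
        "unauthenticated_sources": unauthenticated,
    }


if __name__ == "__main__":
    summary = parse_aggregate_report(SAMPLE_REPORT)
    print("Policy:", summary["policy"], "messages:", summary["total_messages"])
    for ip, e in summary["sources"].items():
        print(ip, e["count"], dict(e["dispositions"]))
    print("Sources failing both DKIM and SPF:", summary["unauthenticated_sources"])
```

Run against a directory of real reports, the `unauthenticated_sources` list is what turns DMARC from a mail-rejection switch into a detection feed: a host that appears there persistently is either an unlisted legitimate sender (fix the SPF/DKIM setup) or a spoofing campaign against the domain (worth correlating with phishing reports and, if the policy is still p=none, a reason to move to quarantine or reject).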