Security Leftovers
This Bluetooth Attack Can Steal a Tesla Model X in Minutes
Lennert Wouters, a security researcher at Belgian university KU Leuven, today revealed a collection of security vulnerabilities he found in both Tesla Model X cars and their keyless entry fobs. He discovered that those combined vulnerabilities could be exploited by any car thief who manages to read a car's vehicle identification number—usually visible on a car's dashboard through the windshield—and also come within roughly 15 feet of the victim's key fob. The hardware kit necessary to pull off the heist cost Wouters around $300, fits inside a backpack, and is controlled from the thief's phone. In just 90 seconds, the hardware can extract a radio code that unlocks the owner's Model X. Once the car thief is inside, a second, distinct vulnerability Wouters found would allow the thief to pair their own key fob with the victim's vehicle after a minute's work and drive the car away.
Ransomware gangs likely to start monetising stolen data: researcher
Ransomware gangs have shown themselves to be an innovative lot, incorporating more and more tactics as they look to extort money from their victims, and this trend will continue into the new year, a veteran researcher of this brand of malware says.
Victory! Court Protects Anonymity of Security Researchers Who Reported Apparent Communications Between Russian Bank and Trump Organization
Security researchers who reported observing Internet communications between the Russian financial firm Alfa Bank and the Trump Organization in 2016 can remain anonymous, an Indiana trial court ruled last week.
The ruling protects the First Amendment anonymous speech rights of the researchers, whose analysis prompted significant media attention and debate in 2016 about the meaning of digital records that reportedly showed computer servers linked to the Moscow-based bank and the Trump Organization in communication.
Every system is a privileged system: Incorporating Unix/Linux in your privilege management strategy
Despite their importance, Unix/Linux local and privileged accounts often don’t get sufficient oversight in a centralized PAM strategy.
True, the Unix/Linux userbase is typically more technically savvy and has a greater understanding of security than your typical user. In some ways, Unix/Linux actually led the move toward PAM decades ago. The problem is, not much has changed in decades. They still heavily rely on their own methods for privileged management, such as Sudo controls, and are still using Sudo with few differences from when it was first introduced.
No matter how savvy the user, Unix/Linux privileged accounts are time-consuming and tedious to manage, so they often don’t get sufficient oversight. In addition, when it comes time for an audit, it’s extremely difficult to piece together all of the privileged account activities and security controls. You might have one report for Windows and Mac and a separate one or many for Unix/Linux. You can’t get a consolidated view of risk to use for decision-making or show progress to your auditors.
Strange case of the art dealer, the tech billionaire, his email and Picasso’s lover
The only problem, a judge said yesterday, is that Allen may not have written the email. In fact, Mr Justice Trower said, evidence pointed to the email having been fabricated “for the purpose of misleading the court”.
The Performance Impact To POWER9's Eager L1d Cache Flushing Fix
Last week a new vulnerability was made public for IBM POWER9 processors resulting in a mitigation of the processor's L1 data cache needing to be flushed between privilege boundaries. Due to the possibility of local users being able to obtain data from the L1 cache improperly when this CVE is paired with other side channels, the Linux kernel for POWER9 hardware is flushing the L1d on entering the kernel and on user accesses. Here are some preliminary benchmarks looking at how this security change impacts the overall system performance. All the latest Linux kernel stable series are now patched with the new POWER9 behavior for the L1 data cache flushing when crossing privilege boundaries. As outlined already, that L1d flushing behavior is the default but can be disabled with new "no_entry_flush" and "no_uaccess_flush" kernel options to maintain the prior behavior of not flushing.
