InfoSec News

Hacking

Chinese Collegiate Hacking Team Hacks The Tesla Model S, Well Sort Of…

By

Tesla Sightings

By William Knowles @c4i
Senior Editor
InfoSec News
July 18, 2014

A team of Chinese collegiate hackers attending the Symposium on Security for Asia Network conference in Beijing has been succeeded in breaking into the software used in electric cars made by Elon Musk‘s Palo Alto California-based Tesla Motors.

The South China Morning Post is reporting that a team from Zhejiang University was awarded 10,600 yuan [Approximately $1707.34 USD] by the SyScan 360 Conference, being held July 16th and 17th 2014 at the Beijing Marriott Hotel Northeast in Beijing China Where attendees have been invited to hack into a Tesla Model S.

SyScan 360 organizers said on Friday: “Tesla Software Hack Challenge ended with team “yo”, from ZheJiang University, coming in first overall and winning 10,600 Yuan in prize money. No team succeeded in the mission of hacking Tesla’s door and engine within the timeframe of the challenge. Therefore, no one received the grand prize of $10,000 USD.”

Tesla had said it welcomed news of any vulnerabilities discovered as a result of the hacking competition. “We support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” the company said on Wednesday.

“We hope that the security researchers will act responsibly and in good faith.”

The “yo” team hackers exploited a “flow design flaw” to gain access to the Tesla car’s system, SyScan360 announced on Weibo. The loophole enabled attackers to remotely unlock the vehicle, sound the horn and flash the lights, and open the sunroof while the car was in motion.

SyScan 360 organizers say they have reported the vulnerability to Tesla. Telsa shares TSLA closed at $215.40 a share, down .81% from Thursday’s close.

Creative Commons License Steve Jurvetson via Compfight

Hacking a $100K Tesla Model S For Fun and $10K Profit

By

 

Amsterdam: Model S @ Tesla Store

By William Knowles @c4i
Senior Editor
InfoSec News
July 14, 2014

At the 2014 SyScan 360 Conference, being held July 16th and 17th 2014 at the Beijing Marriott Hotel Northeast in Beijing China. Security professionals and hackers paying $319 to attend the conference will have the opportunity to win $10,000 if they can compromise the security of the Tesla Model S.

While the official rules haven’t been released, one could surmise that this will involve remotely gaining control of the vehicle’s controls or physically via the 17-inch touchscreen in the Tesla.

Back in March 2014, Nitesh Dhanjani detailed a cursory evaluation of the Tesla Model S, pointing out threats such as Tesla’s six character password can lead to the Model S being remotely located and unlocked via social engineering, email account compromises, brute-force attacks, malware attacks, phishing attacks, and password leaks.

Tesla REST API Implicitly Encourages Credential Sharing with Untrusted Third Parties. “The Tesla iOS App uses a REST API to communicate and send commands to the car. Tesla has not intended for this API to be directly invoked by 3rd parties. However, 3rd party apps have already started to leverage the Tesla REST API to build applications.”

The Tesla for Glass application lets users monitor and control their Teslas using Google Glass.

While Tesla has confirmed that it is not officially involved in the SyScan contest, it has taken security very seriously, hiring former Apple security expert Kristin Paget to be the “Hacker Princess at Tesla Motors,” creating a Security Vulnerability Reporting Policy, and a Tesla Security Researcher Hall of Fame.

Investors in Telsa shares don’t seem concerned with the contest, TSLA closed at $226.70 a share, up 3.93% from Friday’s close.

harry_nl via Compfight

DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS

By

CVC8

By William Knowles @c4i
Senior Editor
InfoSec News
July 1, 2014

XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec Institute and the EC-Council are vulnerable to a Cross-site scripting (XSS) attack.

Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to a bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013.

According to XSSposed, the InfoSec Institute has not onetwothreefourfivesix, but SEVEN XSS vulnerabilities discovered this week.

This most recent XSS vulnerability to the EC-Council is to their portal page where their customers sign in. This is not the only XSS vulnerability to their site, The Hacker News reported one back in 2011 and Rafay Baloch and Deepanker Arora discovered another in 2013.

In a previous Web defacement statement, the “EC-Council takes the privacy and confidentiality of their customers very seriously.” Regardless, the EC-Council Web site was compromised three times during a single week in February 2014. Since the breach, EC Council has neither confirmed nor denied allegations that the attacker exfiltrated thousands of passports, drivers. licenses, government, and military Common Access Cards (CAC).

It seems neither organization is practicing what they preach for thousands of taxpayer’s dollars training the next generation of cyber warriors.

A (supposedly) expert team of information security instructors founded the InfoSec Institute in 1998. Their goal was to build a business by offering the best possible training experience for students.’ ‘InfoSec Institute deeply understands the needs of today’s IT professionals and is best positioned to offer world-class training.

The EC-Council is an Albuquerque New Mexico based organization that offers security professionals a reasonably inexpensive certificate among other security certificates to be compliant with Department of Defense standard 8570.

 

Photo by Richard Termine Photography

Want to know the WIFI password for the Brasil World Cup security center?

By

World Cup WiFi Password

By William Knowles @c4i
Senior Editor
InfoSec News
June 24, 2014

(Updated – June 29, 2014)  The password and WiFi SSID for the World Cup’s security center were exposed after a photograph appeared n the online version of Correio Braziliense.

Luiz Cravo Dorea, head of international cooperation at the Federal Police is standing in the main security center, behind him in the lower corner of the video monitors is the SSID of WORLDCUP and the password: b5a2112014

In previous InfoSec News articles, we misidentified the RISCO Group managing the security where this photo was taken, we apologize for this error. Not surprisingly, the company that was managing the security for the command center where this photo was taken hasn’t requested their information be updated.

This isn’t the first time an SSID and password have been disclosed, in the 2014 Super Bowl XLVIII, The CBS Morning News publicized the WiFi code for the “secret, first of its kind command center” near East Rutherford, New Jersey.

Hat tip to Augusto Barros

U.S. Department of Justice Indicts Five Members of the Chinese PLA ‘Unit 61398’ for Cyber Espionage

By

wang-dong

By William Knowles @c4i
Senior Editor
InfoSec News
May 19, 2014

For the first time ever, a U.S. grand jury in the Western District of Pennsylvania has indicted five Chinese military hackers for computer hacking, economic espionage, trade secret theft, aggravated identity theft, and other offenses directed at six American victims such as a labor union, critical infrastructure, metals and solar industries from 2006 to the present.

The 56 page indictment alleges that the defendants, Wang DongSun KailiangWen XinyuHuang Zhenyu, and Gu Chunhui, who were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA) hacked into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China.

This including state-owned enterprises (SOEs). In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.

“For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries,” said FBI Director James B. Comey. “The indictment announced today is an important step. But there are many more victims, and there is much more to be done. With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources.”

“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global marketplace should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.

“State actors engaged in cyber espionage for economic advantage are not immune from the law just because they hack under the shadow of their country’s flag,” said John Carlin, Assistant Attorney General for National Security. “Cyber theft is real theft and we will hold state-sponsored cyber thieves accountable as we would any other transnational criminal organization that steals our goods and breaks our laws.

Soon after the indictment, the Ministry of Foreign Affairs for the People’s Republic of China, Foreign Ministry Spokesperson Qin Gang made the following remarks regarding the US Justice Department’s announcement of indictment against five Chinese military officers:

On May 19, the US side announced the indictment against five Chinese military officers on allegation of cyber theft. This US move, which is based on fabricated facts, grossly violates the basic norms governing international relations and jeopardizes China-US cooperation and mutual trust. China lodged a protest with the US side right after the announcement, urging the US side to immediately correct its mistake and withdraw the “indictment”

China has decided to suspend activities of the China-US Cyber Working Group. China will react further to the US “indictment” as the situation evolves.

In February 2013, The Alexandria VA. based information security company Mandiant, published their APT1 report featuring PLA Unit 61398 which showed the PLA conducted economic espionage against 141 victims across multiple industries, Unit 61398’s modus operandi (tools, tactics, procedures) including a compilation of videos showing actual APT1 activity.