Hackers hijack Tesla’s cloud system to mine cryptocurrency

Tesla’s cloud system was hijacked by attackers last week. The company’s Kubernetes administration console was not password protected, which left the company extremely vulnerable. With this vulnerability, attackers sent Stratum, cryptocurrency mining software, to Tesla’s Amazon Web Services account.

This event was another occurrence of ‘cryptojacking’, which is when an attacker deploys malware to “mine” cryptocurrency. The cryptocurrency mined in this attack was not specified.

RedLock is the security company responsible for protecting the company’s cloud system. Gaurav Kumar, CTO of RedLock, made an announcement about the attack last Tuesday. “The message from this research is loud and clear — the unmistakable potential of cloud environments is seriously compromised by sophisticated hackers identifying easy-to-exploit vulnerabilities.”

A spokesperson for Tesla assured that this attack did not affect the safety of their vehicles, saying “The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

– Spencer Fleming

Source: https://www.cnbc.com/2018/02/21/hackers-hijack-teslas-cloud-system-to-mine-cryptocurrency-redlock.html


The Evolution of Cryptography

Throughout history, keeping data secure was a major issue. Messengers in times as far back as ancient Greece would try to keep information secure using things like invisible ink, and shaving the messenger’s head, writing the message on his head, and letting the hair grow back. These tricks are classified as steganography, which means to conceal information. This was useful for keeping information where your enemy couldn’t find it, but eventually, methods of making information unreadable, called encryption, came about. The first major method of encryption, called the shift cipher, was widely used for centuries.

Eventually, different nations, eager to read stolen information from their enemies, started to develop methods of breaking codes. In the case of the shift cipher, frequency analysis was used to determine how much a message was shifted. This led to a sort of evolutionary conflict. Code makers would develop a new method of encryption, and code breakers would find some way to beat it, and the cycle would continue. Ciphers like the polyalphabetic cipher, le chiffre indéchiffrable, and Enigma all came and went. Today, we use systems like public key encryption and RSA to encode our data, but even these codes aren’t unbreakable.

We are approaching a new age of computing and of encryption as a whole. The advent of quantum computers will greatly change the state of security. Systems like RSA will no longer be as secure, as quantum computers will allow things like Shor’s Algorithm to run, which quickly solves RSA encryption. Code makers will have to adapt to this new technology, but I have confidence that they will.


Sources: The Code Book by Simon Singh

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling handed down from a regional court in Berlin found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium occurred later that week, on the 16th of February, in which Facebook was ordered to cease tracking through third-party sites. These rulings appear to be continuing a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications regarding the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms of service contracts can be declared invalid under the assumption that a user cannot be expected to fully read and understand the terms, then it could potentially force companies to either find alternative ways of setting terms of use or just encourage companies to shorten them.

The removal of a “real name” clause theoretically removes a convenient user ID for select users, possibly requiring Facebook to resort to cross-referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure they once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook has already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause run under the assumption that Facebook hasn’t already discovered or designed a more convenient alternative.

The final ruling of interest here regarding the transfer of personal data to the US actually has much stronger implications on the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on their own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated because of the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the data sets, and then send the combined dataset back to Europe. This ruling could remove the ability for companies to circumvent the data protection laws via this method, which would reduce the desire for companies to gather as much niche data.

– S. Carlton

References:

Court Ruling (German):

https://www.vzbv.de/sites/default/files/downloads/2018/02/12/facebook_lg_berlin.pdf

German Court News:

https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI?il=0

https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court

https://www.theguardian.com/technology/2017/oct/26/whatsapp-facebook-eu-data-article-29-working-party-taskforce-sharing-user

Belgian Court News:

https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court

Tesla’s Cloud Server Hacked to Mine Cryptocurrency

Tesla has fallen victim to the recent wave of cryptojacking, or the use of someone else’s computing power to mine for cryptocurrencies. Last month, the cloud monitoring and defense firm Red Lock discovered that mining malware was being run on Tesla’s AWS infrastructure. Red Lock discovered the hack while scanning for misconfigured cloud servers. They discovered an open server running a Kubernetes console, an administrative console for cloud application management, which was mining cryptocurrency.

How did this breach occur? The Kubernetes console wasn’t password protected, meaning that it could have actually been accessed by anyone. One of the containers within that console contained login credentials for Tesla’s AWS cloud environment. From that point the attackers just logged in and deployed their mining scripts. It is unknown how long the mining had been going on, as the attackers hid themselves well. Since the mining occurred on a large cloud server, where power consumption is already quite high, the mining didn’t cause a significant change that would arouse suspicion. The attackers also used their own mining server, communicated over an unusual IP port, encrypted all communications, and used a proxy server.

However, Tesla claims that customer privacy or vehicle safety was not compromised in any way. They also said that the impact seemed to be limited to engineering test cars only. The hack was submitted by Red Lock through Tesla’s bug bounty program, and they were awarded just over $3,000, which they donated to charity.

What can we make of this? Because of the sophistication of these attacks, you can assume that since hackers are “lazy”, the basic security measures are doing their jobs. But this also means that with the rise of cryptocurrency value, the payoff is becoming worth it to invest so many resources and so much effort to pull off a sophisticated hack on a major corporation. Organizations with cloud servers are being targeted more than ever and not all of them are prepared for it.

Owen Ryan

Sources:

https://www.wired.com/story/cryptojacking-tesla-amazon-cloud/

http://www.bbc.com/news/technology-43140005
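The two posts above describe the same incident from the defender's side: a container spec carrying cloud credentials in plain view, and a miner that stayed quiet by talking to its own server over an unusual port through a proxy. The example below is added here and is not part of either post or of RedLock's or Tesla's tooling. It shows two checks a cloud security team could run against its own environment: an audit of a Kubernetes pod spec for cloud credentials set as literal environment values, and a sweep of flow-log-style records for long-lived outbound sessions on ports a node is not expected to use. The pod spec, the flow records, the port allowlist and the thresholds are all constructed for the illustration, and the credential values are obvious placeholders.

```python
"""Two defensive checks inspired by the Tesla cryptojacking write-ups (added example)."""
from collections import defaultdict

# --- Check 1: cloud credentials baked into a pod spec -------------------------

# Environment variable names that should never carry a literal value in a spec.
CREDENTIAL_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Constructed pod spec in the shape kubectl returns, trimmed to the relevant fields.
# The credential values are placeholders, not real keys.
POD_SPEC = {
    "metadata": {"name": "build-runner"},
    "spec": {"containers": [
        {"name": "runner", "env": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "PLACEHOLDER-ACCESS-KEY-ID"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "PLACEHOLDER-SECRET"},
            {"name": "LOG_LEVEL", "value": "info"},
        ]},
        {"name": "sidecar", "env": [
            # Pulled from a Kubernetes Secret rather than inlined: not flagged.
            {"name": "DB_PASSWORD",
             "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}},
        ]},
    ]},
}


def plaintext_credentials(pod):
    """Return (container, env name) pairs where a cloud credential is an inline literal."""
    found = []
    for container in pod["spec"]["containers"]:
        for env in container.get("env", []):
            if env["name"] in CREDENTIAL_ENV_NAMES and "value" in env:
                found.append((container["name"], env["name"]))
    return found


# --- Check 2: persistent outbound sessions on unexpected ports ----------------

# Constructed records modelled on VPC flow logs, one tuple per flow:
# (source instance, destination IP, destination port, bytes sent, duration in seconds).
FLOWS = [
    ("i-k8s-node-1", "203.0.113.10", 443, 120_000, 30),
    ("i-k8s-node-1", "203.0.113.10", 443, 90_000, 25),
    ("i-k8s-node-2", "198.51.100.7", 53, 400, 1),
    ("i-k8s-node-2", "192.0.2.44", 9339, 8_000, 3_600),   # low volume, long-lived, odd port
    ("i-k8s-node-2", "192.0.2.44", 9339, 7_500, 3_600),
    ("i-k8s-node-2", "192.0.2.44", 9339, 8_200, 3_600),
    ("i-k8s-node-3", "203.0.113.20", 8080, 2_000, 120),
]

# Ports a worker node in this (assumed) environment is expected to reach outbound.
EXPECTED_PORTS = {53, 80, 443, 6443, 8080}


def aggregate(flows):
    """Sum bytes, seconds and flow count per (source, destination, port)."""
    totals = defaultdict(lambda: {"bytes": 0, "seconds": 0, "flows": 0})
    for src, dst, port, nbytes, secs in flows:
        entry = totals[(src, dst, port)]
        entry["bytes"] += nbytes
        entry["seconds"] += secs
        entry["flows"] += 1
    return totals


def suspicious_peers(flows, min_seconds=3 * 3600, expected_ports=EXPECTED_PORTS):
    """Return (src, dst, port) triples with at least min_seconds of session time on an
    unexpected port. Volume is deliberately ignored: a miner moves few bytes but
    keeps its session up for hours, which is the signal a pure byte threshold misses."""
    hits = []
    for (src, dst, port), totals in aggregate(flows).items():
        if port not in expected_ports and totals["seconds"] >= min_seconds:
            hits.append((src, dst, port))
    return sorted(hits)


if __name__ == "__main__":
    print("inline credentials:", plaintext_credentials(POD_SPEC))
    print("suspicious peers:", suspicious_peers(FLOWS))
```

Neither check would have needed CPU or power telemetry, which the second post notes was not a useful signal on a busy cluster. The first catches the condition that turned an exposed console into an AWS account compromise; the second keys on the one property a miner cannot hide, a session to its pool that stays up for hours, regardless of encryption or an intermediate proxy.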

Why are my Video Games Safer than my Bank Account?

Valve Software has implemented one of the most popular two-factor authentication (2FA) clients in the world. They use their mobile app to handle 2FA for accounts on their PC gaming platform Steam. They have pushed adoption of this by placing limitations on accounts that do not have it enabled. These limitations are mostly focused on trading in-game items such as tradeable copies of games and in-game items such as different paint jobs, hats, or loot boxes. The nature of these items has caused these games to create a full-blown economy, with users relying on natural supply and demand to trade items with other users, on Steam, or with third-party sites. With how Valve’s own games are set up, most items can only be gotten at random via a paid loot box style system, with different rarities deciding how likely it is for a user to get an item. With supply limited by how much money users are willing to throw into digital items, and demand mostly placed on how these items look or their rarity, many of these items have value over $100, and some others have value even greater than $1,000.

Naturally, we ask, how does a video game company with 400 employees have better security on average for their users than most online banking accounts? In 2012, Valve did not have any of these security measures in place; what drove them to force users’ hands to secure their accounts? Valve answered this as a response to fraud. With the popularity of these items increasing, they saw people posing as Valve staff or using phishing sites to get users’ passwords. These attacks grew rampant in 2012, and it was near impossible to find a Steam account that didn’t have bot accounts posting phishing links in the comments. Valve finally added 2FA over email, requiring users to confirm trades with this too. This mitigated how much damage could be done when you knew someone’s Steam login, as you still could not trade without the email.

Obviously, this wasn’t the end of the story; phishers were making tens of thousands of dollars and they weren’t planning to stop yet. They now employed new tactics, creating malware with the express purpose of gathering email login info and the local Steam session files. These new attacks often relied on spreading this malware disguised as popular communication programs. One personal encounter was someone that asked me to join their game; they said they were playing in a tournament and needed an extra player. I was a bit on guard, and they asked me to join their voice server. The user gave me a link to what looked like the site for the voice client, but was actually a fake. I caught it because it claimed to be a newer version than the one I had downloaded from the real site, and was a lot smaller. At this point, I knew it was a scam, but was amazed by how well orchestrated it was. This was about the time Valve used their mobile app for all authentication, locking accounts temporarily when it changed and requiring all trades to be done through it or else get stuck pending for 3 days.

Now Valve has implemented some of the toughest required account security features in the industry. Their reasoning? To cut down the need for support to duplicate items for people who were scammed. Because while account phishing was a problem, Valve was practically forced to duplicate the item for the victim. The original item was likely already sold to multiple people, via real-world money or other items, and couldn’t be deleted without upsetting innocent users. With the requirement of 2FA and account limitations, it is now impossible for a hacker to take items from an account without alerting the user. At best the hacker might be able to get 2FA removed and trade the item in 18 days, but usually the user would notice by then.

Steam accounts are safer than most bank accounts because Valve doesn’t want to upset their in-game economy. And that only makes me wonder why banks don’t do the same; even Bank of America will let you transfer all your money online without a single 2FA check or notification.

– Tyler Hart

https://support.steampowered.com/kb_article.php?ref=8625-wrah-9030

https://www.kotaku.com.au/2016/03/steam-users-think-valves-new-trading-restrictions-go-too-far/