rubygem-actioncable-7.0.4.2-1.fc38 rubygem-actionmailbox-7.0.4.2-1.fc38 rubygem-actionmailer-7.0.4.2-1.fc38 rubygem-actionpack-7.0.4.2-1.fc38 rubygem-actiontext-7.0.4.2-1.fc38 rubygem-actionview-7.0.4.2-1.fc38 rubygem-activejob-7.0.4.2-1.fc38 rubygem-activemodel-7.0.4.2-1.fc38 rubygem-activerecord-7.0.4.2-1.fc38 rubygem-activestorage-7.0.4.2-1.fc38 rubygem-activesupport-7.0.4.2-1.fc38 rubygem-rails-7.0.4.2-1.fc38 rubygem-railties-7.0.4.2-1.fc38

Read Time:45 Second

FEDORA-2023-f60cca0686

Packages in this update:

rubygem-actioncable-7.0.4.2-1.fc38
rubygem-actionmailbox-7.0.4.2-1.fc38
rubygem-actionmailer-7.0.4.2-1.fc38
rubygem-actionpack-7.0.4.2-1.fc38
rubygem-actiontext-7.0.4.2-1.fc38
rubygem-actionview-7.0.4.2-1.fc38
rubygem-activejob-7.0.4.2-1.fc38
rubygem-activemodel-7.0.4.2-1.fc38
rubygem-activerecord-7.0.4.2-1.fc38
rubygem-activestorage-7.0.4.2-1.fc38
rubygem-activesupport-7.0.4.2-1.fc38
rubygem-rails-7.0.4.2-1.fc38
rubygem-railties-7.0.4.2-1.fc38

Update description:

Upgrade to Ruby on Rails 7.0.4.2. Fixes numerous CVEs: https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

Read More

Passwords Are Terrible (Surprising No One)

Read Time:1 Minute, 7 Second

This is the result of a security audit:

More than a fifth of the passwords protecting network accounts at the US Department of the Interior—including Password1234, Password1234!, and ChangeItN0w!—were weak enough to be cracked using standard methods, a recently published security audit of the agency found.

[…]

The results weren’t encouraging. In all, the auditors cracked 18,174—or 21 percent—­of the 85,944 cryptographic hashes they tested; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees. In the first 90 minutes of testing, auditors cracked the hashes for 16 percent of the department’s user accounts.

The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—­or 89 percent—­of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations.

Original story:

To make their point, the watchdog spent less than $15,000 on building a password-cracking rig—a setup of a high-performance computer or several chained together ­- with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like ‘Polar_bear65’ and ‘Nationalparks2014!’.

Read More

The top 8 Cybersecurity threats facing the automotive industry heading into 2023

Read Time:6 Minute, 33 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  

Most, if not all, industries are evolving on a digital level heading into 2023 as we take the journey to edge computing. But the automotive industry is experiencing technological innovation on another level. A rise in the production of connected vehicles, new autonomous features, and software that enables cars to self-park and self-drive are great examples of the digital evolution taking the automotive industry by storm. 

According to the AT&T 2022 Cybersecurity Insights (CSI) Report, 75% of organizations plan to implement edge security changes to help mitigate the kind of risks that affect cars, trucks, fleets, and other connected vehicles and their makers. And for a good reason.

These automotive features and advancements have offered cybercriminals an array of new opportunities when it comes to cyberattacks. There are several ways that threat actors are targeting the automotive industry, including tried and true methods and new attack vectors. 

In this article, you’ll learn about the top 8 cybersecurity threats facing the automotive industry heading into 2023 and what the industry can do to prevent threats. 

Automotive Cybersecurity threats

As autos increasingly come with connectivity features, remote threats are more likely. A recent report revealed that 82% of attacks against the automotive industry (including consumer vehicles, manufacturers, and dealerships) were carried out remotely. Plus, half of all vehicle thefts involved keyless entry. 

Automakers, dealers, and consumers play a role in automotive cybersecurity. But as the industry continues to adopt connected technologies, it will become increasingly important that organizations take a proactive approach to cybersecurity. 

When it comes to automotive threats, there are countless methods that hackers use to steal vehicles and driver information and cause problems with the vehicle’s functioning. 

Let’s explore the top 8 cybersecurity threats facing the automotive industry this year.

Keyless car theft

As one of the most prominent threats, keyless car theft is a major concern for the automotive industry. Key fobs today give car owners the ability to lock and unlock their doors by standing near their vehicle and even start their car without the need for a physical key. 

Autos enabled with keyless start and keyless entry are prone to man-in-the-middle attacks that can intercept the data connection between the car and the key fob itself. Hackers take advantage of these systems to bypass authentication protocols by tricking the components into thinking they are in proximity. Then the attacker can open the door and start the vehicle without triggering any alarms. 

EV charging station exploitation

Electric vehicles are becoming more popular as the globe transitions to environmental technologies. Charging stations allow EV owners to charge their vehicles in convenient locations such as public parking lots, parks, and even their own garages. 

When you charge an EV at a charging station, data transfers between the car, the charging station, and the company that owns the device. This data chain presents many ways threat actors can exploit an EV charging station. Malware, fraud, remote manipulation, and even disabling charging stations are all examples of ways hackers take advantage of EV infrastructure. 

Infotainment system attacks

Modern cars require over 100 million lines of code to operate. Most of that code goes into the vehicle’s firmware and software that allows navigation, USB, CarPlay, SOS functions, and more. These infotainment systems also provide criminals an open door to an automobile’s ECU, endangering lives and compromising control of the vehicle. 

There are many code vulnerabilities that manufacturers need to look out for, and as infotainment systems continue to become more complex and sophisticated, there will be even more vulnerabilities to uncover. 

Brute force network attack

Another common attack type that affects the automotive industry is the good old-fashioned brute force network attack. Many of the threats that face connected and automated vehicles and businesses in the automotive industry are similar to common cloud security threats, but that doesn’t make them any less damaging.

Brute force attacks are tried and true cyberattacks that target a network with the goal of cracking credentials. In the automotive industry, the brute force attack can have far-reaching impacts. Manufacturers, dealers, and owners can all become victims of this type of attack. When credentials become compromised, entire systems can easily become the target of sophisticated attacks that can end in faulty firmware, large-scale data leaks, and vehicle theft. 

Phishing attacks

Another way that hackers can obtain the credentials to enter a target network is through social engineering attacks such as phishing. The attacker will send automotive company employees an email where they pose as a trusted sender, complete with official-looking HTML and signature. Sometimes the attacker will ask for the credentials outright, but usually, attackers will place a link with malicious code in the email. 

When the receiver clicks the link, the malicious code is executed, and the cybercriminal can roam freely in the target system, access sensitive data, and perform further attacks from the inside. 

Compromised aftermarket devices

Insurance dongles, smartphones, and other third-party connected devices also pose a cybersecurity threat to the automotive industry. These aftermarket devices are connected directly to vehicle systems, offering hackers another way to launch an attack. 

This threat also leaves much to consider for those that want to buy a used car. Many people choose to sell or trade used cars through car dealerships, where consumers can find a deal on a previously owned vehicle. Connected devices can leave malware and backdoors in the auto’s system, putting the next owner at risk, too. 

Ransomware

Ransomware is one of the most pervasive threats in tech today. Unfortunately, the automotive industry is no exception. Ransomware is a significant threat to the vehicle industry, including OEMs, consumers, and dealers. 

A threat actor can hold an organization’s data hostage in exchange for a significant ransom. Without the right credit protection services, automotive businesses can find themselves in financial trouble. These attacks affect IT systems and operations and can cause expensive shutdowns.

Automotive supply chain attacks

The auto industry utilizes a complex supply chain to source the components that are used to build new vehicles, perform repairs, and provide services. This supply chain presents a huge risk to the industry, as each connected endpoint is a vulnerability waiting to happen. 

But supply chain attacks can trickle down to consumers as well. Updates containing malicious code can be pushed to connected cars, bad actors can compromise firmware, and malware can put supplier operations to a complete halt. 

How the industry can keep automotives secure

Cybersecurity should be a central goal throughout the automotive lifecycle. But it’s also important that automakers improve their cybersecurity expertise to monitor connected and automated vehicles on the road. 

The National Highway Traffic Safety Administration (NHTSA) recently released its recommended cybersecurity best practices for modern vehicles to help strengthen the underlying data architecture of vehicles and protect against potential attacks.

They say that the automotive industry should follow the cybersecurity framework from the National Institute of Standards and Technology (NIST) that focuses on five key functions: identify, protect, detect, respond, and recover. The NHTSA recommendations for vehicles are based on the NIST framework but written specifically for the automotive industry. 

And finally, the Federal Trade Commission (FTC) has also established regulations for connected and automated vehicles. Under the new Safeguards Rule, dealers are expected to meet cybersecurity compliance for their organizations and vehicles by June 2023. 

Final thoughts

Automotive manufacturers, sellers, consumers, suppliers, repairers, and all others in the industry play a critical role in improving the security of connected vehicles in 2023 and beyond. Learn more about how to defend your network from critical incidents. 

Read More

Why you might not be done with your January Microsoft security patches

Read Time:35 Second

The January patching window for your firm has probably come and gone. But has it? While January included a huge release of patches, several releases in other months have provided more than one headache for the patch management community. These are the patches and updates you need to evaluate if you haven’t already done so.

BitLocker Security Feature Bypass Vulnerability

In January, additional information came out about CVE-2022-41099, the BitLocker Security Feature Bypass Vulnerability. If you’ve already deployed the November or later security updates to your network and have done nothing else, you aren’t done with the evaluation of this update.

To read this article in full, please click here

Read More

US DOJ applies carrot-and-stick approach to Foreign Corrupt Practices Act policy

Read Time:33 Second

The US Department of Justice (DOJ) has taken a carrot-and-stick approach to its corporate enforcement policy in regard to the Foreign Corrupt Practices Act (FCPA) in an effort to entice companies to self-report when in violation of the FCPA. Assistant Attorney General Kenneth A. Polite, Jr., shared the 2022 success of the Criminal Division of the DOJ in its pursuit of corrupt and criminal activities within corporations that “threaten the public safety and national security, [and] wrongfully divert money into the pockets of criminal actors” at a mid-January event at Georgetown University’s Law Center.

To read this article in full, please click here

Read More