Tuesday, July 21, 2015

Could Hollywood improve cyber security?

The digerati know that vehicles using Chrysler's Uconnect can be compromised remotely. You can read more in the Wired article (Hackers Remotely Kill Jeep). The problem is that neither the general public nor their elected representatives know or care much about it. If they did, they might understand how this is a threat to both our nation's economy and security.

Q: How do you raise awareness?
A: Motion Pictures.

The basic idea: Standard fare action adventure movie. Someone pretending to be a valet at a car park slaps a device into the OBD port of the target's car. They drive away and are remotely executed in what looks like a plausible car crash.

Now you need a few reviewers to point out that this is not fiction and is possible today. With that you might generate some justified public concern. Make the movie target an elected representative and you might get some actual movement in our laws.

Senators Markey and Blumenthal have introduced a bill which addresses these issues. (http://www.markey.senate.gov/news/press-releases/sens-markey-blumenthal-introduce-legislation-to-protect-drivers-from-auto-security-privacy-risks-with-standards-and-cyber-dashboard-rating-system, http://www.markey.senate.gov/imo/media/doc/SPY%20Car%20legislation.pdf). It is a great start, but it misses one point. It should not simply say "such as penetration testing". It should require "penetration testing by multiple independent third parties".

Well, I seem to have gotten a little off topic here, but I do think it would make a great plot element in a film. I'm claiming copyright on that idea. I won't require much in residuals.


Tuesday, July 14, 2015

Online banking password fun

Security teams that do not test UI flows deserve a special place in hell...

  • I bank with Chase.
  • My current password is long enough and not made of any known words, but it has no digits in it.
  • www.chase.com recognizes machines you sign in from (cookie or browser fingerprint, I do not know).
  • When I use a new machine or browser installation, they redirect to a page where I can get a verification code sent to me via text or email.
  • When I click Send, they direct me to a page where I must enter the access code and my current password.

Nothing that special so far, simple 2-factor authorization. But wait for it...

When I enter my access code and password, it rejects the password in browser side code because it does not have a number in it. They have implemented the new password policy in the UI, without making sure the customers have complied with the new policy. I can certainly work around this, but they are going to have some unhappy people over the next few months.