Wireless technology in vehicles is far from secure, potentially giving hackers the ability to take control of automobiles or even steal personal data, a report from a senator’s office has revealed. Millions of cars and trucks are vulnerable to hacking through wireless technologies that could jeopardize driver safety and privacy, a report released late Sunday says.
Sen. Ed Markey (D-Mass.) is warning drivers that automobile companies are not doing enough to protect their customers’ privacy.
Senator Edward Markey
“Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyber-attacks or privacy invasions,” Markey in a statement released to the Washington Post. “Even as we are more connected than ever in our cars and trucks, our technology systems and data security remain largely unprotected.”
Markey asked for data from 19 automakers, 16 of which complied.
The report is based on data received from BMW, Fiat Chrysler, Ford, General Motors, Honda, Hyundai, Jaguar Land Rover, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen and Volvo.
Aston Martin, Lamborghini and Tesla were the companies that failed to comply with the senator’s request for information.
The senator’s office discovered that virtually every newer vehicle for sale includes “wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.”
The report, which was released Monday, also found security was lax when it comes to foiling remote access to a vehicle’s electronic systems. The report describes such security practices to be “inconsistent and haphazard.” The report added that many automakers were either unaware or unable to report on past hacking occurrences.
The report also detailed how auto companies not only track drivers’ behavior but also gather and store the data, often without customers’ knowledge or consent.
According to the data collected by the senator’s office, nine automakers use third-party companies to amass vehicle data — and some of the automakers even transmit the collected data to third-party data centers.
“This reveals that a majority of vehicle manufacturers offer features that not only record but also transmit driving history wirelessly to themselves or to third parties,” the report said.
Collected information includes driver locations and destinations, distances and times traveled, where a vehicle is parked and info entered into navigation systems. Vehicles’ diagnostic data is also recorded.
While none of the automakers would comment on the report, the Alliance of Automobile Manufacturers insisted the companies do all they can to ensure privacy and safety.
“Automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers,” spokesman Wade Newton told the New York Times. “Auto engineers incorporate security solutions into vehicles from the very first stages of design and production — and security testing never stops.”
Security specialists discovered Over a dozen iPhone apps linked to Golduck malware
Security specialists state they’ve discovered more than a dozen iPhone apps covertly communicating with a server associated with Golduck, a historically Android-focused malware that infects popular classic game apps, according to a report by Techcrunch.
The malware, which was first discovered by Appthority over a year, for infecting classic and retro games on Google Play, by embedding backdoor code that allowed malicious payloads to be silently pushed to the device. At the time, more than 10 million users were affected by the malware, allowing hackers to run malicious commands at the highest privileges, like sending premium SMS messages from a victim’s phone to make money.
Now, the researchers say iPhone apps linked to the malware could also present a risk.
Wandera, an enterprise security firm, said it found 14 apps — all retro-style games — that were communicating with the same command and control server used by the Golduck malware.
“The [Golduck] domain was on a watchlist we established due to its use in distributing a specific strain of Android malware in the past,” said Michael Covington, Wandera’s vice-president of product. “When we started seeing communication between iOS devices and the known malware domain, we investigated further.”
The affected apps include: Commando Metal: Classic Contra, Super Pentron Adventure: Super Hard, Classic Tank vs Super Bomber, Super Adventure of Maritron, Roy Adventure Troll Game, Trap Dungeons: Super Adventure, Bounce Classic Legend, Block Game, Classic Bomber: Super Legend, Brain It On: Stickman Physics, Bomber Game: Classic Bomberman, Classic Brick – Retro Block, The Climber Brick, and Chicken Shoot Galaxy Invaders.
It was further discovered that the command and control server simply pushes a list of icons in a pocket of ad space in the upper-right corner of the app, When the user opens the game, the server tells the app which icons and links it should serve to the user, according to the enterprise security firm research(Wandera). They did, however, see the apps sending IP address data — and, in some cases, location data — back to the Golduck command and control server.
However, TechCrunch verified their claims, running the apps on a clean iPhone through a proxy, allowing us to see where the data goes. Based on what we saw, the app tells the malicious Golduck server what app, version, device type, and the IP address of the device — including how many ads were displayed on the phone.
As of now, the researchers say that the apps are packed with ads — likely as a way to make a quick buck. But they expressed concern that the communication between the app and the known-to-be-malicious server could open up the app — and the device — to malicious commands down the line.
“The apps themselves are technically not compromised; while they do not contain any malicious code, the backdoor they open presents a risk for exposure that our customers do not want to take.
“A hacker could easily use the secondary advertisement space to display a link that redirects the user and dupes them into installing a provisioning profile or a new certificate that ultimately allows for a more malicious app to be installed,” said the researchers.
One of the iPhone apps, “Classic Bomber,” which was spotted communicating with a malicious command and control server. It’s since been pulled from the U.S. store. (Screenshot: TechCrunch)
That could be said for any game or app, regardless of device maker or software. But the connection to a known malicious server isn’t a good look. Covington said that the company has “observed malicious content being shared from the server,” but that it wasn’t related to the games.
The implication is that if the server is sending malicious payloads to Android users, iPhone users could be next.
TechCrunch sent the list of apps to data insights firm Sensor Tower, which estimated that the 14 apps had been installed close to one million times since they were released — excluding repeated downloads or install across different devices.
When we tried contacting the app makers, many of the App Store links pointed to dead links or to pages with boilerplate privacy policies but no contact information. The registrant on the Golduck domain appears to be fake, along with other domains associated with Golduck, which often have different names and email addresses.
Apple did not comment when reached prior to publication. The apps are appear to still be downloadable from the App Store, but all now say they are “not currently available in the U.S. store.”
Apple’s app stores may have a better rap than Google’s, which every once in a while lets malicious apps slip through the net. In reality, neither store is perfect. Earlier this year, security researchers found a top-tier app in the Mac App Store that was collecting users’ browsing history without permission, and dozens of iPhone apps that were sending user location data to advertisers without explicitly asking first.
For the average user, malicious apps remain the largest and most common threat to mobile users — even with locked down device software and the extensive vetting of apps.
If there’s one lesson, now and always: don’t download what you don’t need, or can’t trust.
Verifying the Authenticity of Websites That Ask for Sign-Up
“Look Up Service” Provides Information on Official Ownership of Domains
WhoisLogin.com is pleased to announce their “Whois” Lookup Service for verifying the domain details of a particular website or company. Almost every website or online portal or an ecommerce site requires the users to register with their site. These sites ask a lot of personal information of the users which includes their personal details, bank details, etc. These details are highly vulnerable to phishing, malicious emails and fraud. Many people are extra cautious before giving away any personal information. This is an absolutely good approach. One of the best ways to verify the authenticity of a website is to check their domain. The “Whois Lookup” feature by whoislogin.comoffers this service for users who want to know everything about the website.
Many websites have privately owned domains. This feature helps users look into details such as name under which the domain is registered, contact details, addresses, email addresses and so on about that particular domain. For businesses and ecommerce sites, one can find the business name as well, along with administrator details, expiry date of domain, etc. Public domains on the other hand are very easy to verify. Users can simply see if they have followed the right registration process for registering or not. One of the most important advantages is that people can identify those parties who are using private information for abusing or using the information illegally to spam the users as well as the domain owners.
There is another catch here. People use login pages to either signup or sign-in. However, they are not aware that all those pages are not hosted by a similar or same domain. The lookup service for domain names will help users search for all available results on the domain name registration of that particular owner. Users can verify the login page ownership. They can match them with the actual service provider. This will help them keep their login credentials from being abused or exposed to other parties or spoofed websites. In simple terms “whois lookup” feature allows people to search the whois lookup database so as to find out the official ownership of any signup or sign-in page online.
To know more visit http://whoislogin.com/.
4 Ways to Protect Your Online Business from Credit Card Fraud
Every day we keep hearing more and more about credit card frauds that cause online businesses huge troubles. Not only that cybercriminals steal money from online businesses but their wrongdoings can completely ruin a company’s reputation. So, if you’re running an online business, you might want to think about investing some money and effort in protecting your company from credit card fraud. And if you’re wondering how to do this, here are four ways that are guaranteed to do the trick.
Tracking the location of your customers
One of the first things you should do when trying to protect your business from credit card fraud is start tracking your customers’ IP addresses. This way, you’ll be able to notice if there any significant changes of location have been made. Of course, even if you notice a change has been made, it doesn’t mean you’ve been a victim of a fraud, since a customer of yours can always decide to shop from a different location or relocate. In situations like this, you shouldn’t be overly protective, as your customers will start thinking you don’t trust them which is never a good thing. A simple additional step of verification for those who don’t shop from their usual location is more than enough.
Identify proxy servers
We’ve talked about tracking your customers’ IP addresses but that may not always be enough to keep you safe from fraudsters. These cybercriminals might decide to use an anonymous proxy server in order to keep their real location secret. For example, let’s say a fraudster from Brazil wants to buy something from you using a stolen credit card with a billing address in New York. They’ll use a proxy to hide their real IP address and use one that appears to have come from New York. This tends to work simply because the IP address they use matches the location on the billing address. Luckily, there are free websites you can use to check whether or not a given IP is hiding behind a proxy. It might be a good idea to turn to these every time you notice something suspicious.
Achieve PCI DSS compliance
Another great way to keep your online business safe from credit card fraud is to make sure you’re following PCI DSS. This is short for “Payment Card Industry Data Security Standard” and can be defined as an information security standard for companies that handle credit cards. In order to achieve PCI DSS compliance, you’ll need to follow a whole range of methods and protocols for keeping your online business safe. This includes things such as network protection and card safety. Investing in network protection is extremely important since you need a good anti-malware software that’s going to keep fraudsters at bay. Tokenization is another interesting option, as it includes replacing your data with a token that hackers have no use of.
Stay updated on credit card frauds
We’ve already mentioned that credit card frauds tend to happen quite often. So, besides protecting your online business from these you might want to stay updated on the latest credit card frauds that have taken place. That way, you’ll know what hackers are up to and what you can do to prevent them from targeting your online business. And don’t just keep an eye on card, number and identity frauds but stay aware of ransomware and invoice frauds as well. Hackers are constantly becoming more dangerous and we can’t possibly imagine what they’re going to come up with next.
While there are so many things you’ll have to do to keep your online business afloat, one of the most important goals you’ll need to set is protecting your business from credit card fraud. Fail to do this, and you might end up losing money and having your reputation tainted.