Category Archives: Security

Tesla Says Data Breach Impacting 75,000 Employees Was An Insider Job

Security,

Tesla has said that insider wrongdoing was to blame for a data breach affecting more than 75,000 company employees, TechCrunch reported.

Tesla, the electric car maker owned by Elon Musk, said in a data breach notice filed with Maine’s attorney general that an investigation had found that two former employees leaked more than 75,000 individuals’ personal information to a foreign media company.

“The investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with a media outlet,” Steven Elentukh, Tesla’s data privacy officer, wrote in the notice.

According to TechCrunch, this information includes personally identifying information, including names, addresses, phone numbers, employment-related records and Social Security numbers belonging to 75,735 current and former employees.

Tesla said two former employees had shared the data with German newspaper Handelsblatt. The outlet assured Tesla that it wouldn’t publish the information and that it is “legally prohibited from using it inappropriately,” according to the notice.

The publication obtained more than 23,000 internal documents, dubbed the “Tesla Files,” containing 100 gigabytes of confidential data. This included employees’ personal information, customer bank details, production secrets and customer complaints about Tesla’s Full Self-Driving (FSD) features.

According to Handelsblatt, Musk’s Social Security number was also included in the leak.

The Verge reported that, according to a filing with the state of Maine’s attorney general office, Tesla’s data privacy officer Steven Elentukh, reported the breach as “insider wrongdoing,” leaking employee information including social security numbers.

The Maine filing includes a template letter by Elentukh written to send to affected employees in the state. It confirms that Handelsblatt, the German media outlet recipient of 100GB of Tesla’s data, had notified Tesla on May 10th that it had received confidential information.

According to The Verge, what Handelsblatt did let out was customer complaints about Tesla’s Full Self-Driving (FSD). It found that the automaker’s advanced driver-assistant system, which aims to achieve autonomous city driving capability, had 2,400 self-acceleration issues and more than 1,500 braking problems reported by customers. The occurrences spanned between 2015 and March 2022. Tesla demanded that Handelsblatt delete the data, according to the news outlet.

The Verge also reported that this isn’t the first time Tesla employees have mishandled internal data. In April, it was reported that workers viewed and shared private videos recorded by customers’ Teslas, which are made from the vehicles’ Sentry Mode security systems.

Personally, I think this entire situation is a gigantic mess. It appears that the two employees who sent personal information about the other employees to a German news site not only shouldn’t have done that, but also should face some kind of reprimand for what they did. The other sketchy part of this story is that some Tesla employees appear to enjoy spying on Tesla owners through videos the vehicle creates.

WhatsApp Announces New Security Features

Security

WhatsApp posted “New Security Features: Account Protect, Device Verification, Automatic Security Codes”. From the blog post:

At WhatsApp, we believe that your messages should be private and secure as an in-person conversation. Protecting your personal messages with default end-to-end encryption is the foundation of that security, and we’ll never stop building features to give you extra layers of privacy, and more control over your messages.

WhatsApp will be adding the following:

Account Protect: If you need to switch out your WhatsApp account to a new device – we want to double check that it’s really you. From now on, we may ask you on your old device to verify that you want to take this step as an extra security check. This feature can help alert you to an unauthorized attempt to move you account to another device.

Device Verification: Mobile device malware is one of the biggest threats to people’s privacy and security today because it can take advance of your phone without your permission and use your WhatsApp to send unwanted messages. To help prevent this, we have added checks to help authenticate your account – with no action needed from you – and better protect you if your device is compromised. This lets you continue using WhatsApp uninterrupted.

Automatic Security Codes: Our most security conscious users have always been able to take advantage of our security code verification feature, which helps ensure you are chatting with the intended recipient. You can check this manually by going to the encryption tab under a contact’s info. To make this process easier and more accessible to everyone, we’re rolling out a security feature based on a process called “Key Transparency” that allows you to automatically verify that you have a secure connection. What it means for you is that when you click on the encryption tab, you’ll be able to verify away with your personal conversation is secured.

These are additions ways we’re helping secure your account. While there’s many things we can do to make security easy for everyone, there are two features that only can turn on: two-step verification and use of end-to-end encrypted backups. If you’re already using both, please tell your friends about them so more people can benefit from these layers of security too.

Engadget reported that the most notable of the security features set the company doing more to protect users against SIM jacking and other social engineering attacks that could compromise your account. The next time you download WhatsApp on a new device, you may be asked to use your old device to confirm you want to move your account to a new phone.

According to Engadget, if you’re worried about the potential of being locked out of your account, a WhatsApp spokesperson told Engadget Account Protect will only activate if the company detects a suspicious registration attempt. Moreover, if you don’t have access to your old device, you can request the company send you a second one-time passcode.

In my opinion, it is a very good idea for WhatsApp to add additional protection for users. Ideally, these changes would make it much more difficult for nefarious people to hijack other people’s WhatsApp accounts.

FCC Bans U.S. Sales Of Huawei And ZTE Over Security Concerns

Security,

Huawei, ZTE, Hikvision, Hytera and Dahua all sell telecommunications equipment and video surveillance technology into the United States, but many of their future security cams and radio hardware will no longer be welcome, The Verge reported.

According to The Verge, the Federal Communications Commission has just announced it will no longer authorize some of their equipment – which is a big deal, because companies can’t legally import or sell anything with a radio in the US without authorization.

The FCC posted news (in the form of a PDF, Docx, or Txt) titled: “FCC Bans Equipment Authorizations For Chinese Telecommunications And Video Surveillance Equipment Deemed To Pose A Threat To National Security”.

From the news:

The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks. In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.

“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”…

… The new rules prohibit the authorization of equipment through the FCC’s Certification process, and makes clear that such equipment cannot be authorized under the Supplier’s Declaration of Conformity process or be imported or marketed under rules that allow exemptions from an equipment authorization. The Covered List (which includes both equipment and services) currently includes communications equipment produced by Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology (and their subsidiaries and affiliates). The new rules implement the directive in the Secure Equipment Act of 2021, signed into law by President Biden last November, the requires the Commission to adopt such rules…

Brendan Carr, the FCC’s commissioner tweeted: “Today the FCC takes an unprecedented step to safeguard our networks and strengthen America’s national security. Our unanimous decision represents the first time in FCC history that we have voted to prohibit the authorization of new equipment based on national security concerns.”

Engadget reported that this latest move follows years of conflict between the US and companies closely tied to Chinese governments. That’s included placing several notable Chinese companies, including DJI, on the Department of Commerce’s “Entity List,” which prohibits US firms from selling equipment to them.

According to Engadget, the FCC is also calling for $5 billion to help US carriers with the massive task of replacing equipment from Huawei and ZTE.

In my opinion, it seems like a good idea for the United States to try and protect itself from products and services that “could pose a threat to national security”. I think the FCC is right to request $5 billion to help US carriers remove equipment from Huawei and ZTE, and I hope the money will also enable the carriers to install equipment made in the United States.

GitHub Will Require All Users Who Contribute Code to Enable 2FA

Security,

GitHub announced that it will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentications (2FA) by the end of 2023. This is part of GitHub’s platform-wide effort to secure the software ecosystem through improving account security.

GitHub described their reasoning for requiring 2FA this way:

The software supply chain starts with the developer. Developer account are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step towards securing the supply chain. GitHub has a long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.

According to GitHub, most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to.

GitHub continues by pointing out that compromised accounts can be used to steal private code or push malicious changes to the code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.

Protocol reports that just 16.5% of GitHub.com users currently use two-factor authentication, considered to be a substantially more secure method of logging in given that it requires more than just a password. The two-factor authentication requirement will affect GitHub.com’s 83 million users, and is being announced well in advance to “make sure we get this right” in terms of user experience for developers, said Mike Hanley, chief security officer at GitHub.

According to Protocol, the announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential for security risks of open source software components. This is due in part to rising attacks against software supply chains – which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.

In my opinion, it is a very good idea to put 2FA on everything – even if you don’t happen to post code on GitHub. Two-factor identification is a great way to prevent someone from stealing your social media accounts, breaking into your personal website, or preventing you from accessing your most frequently used email accounts. It makes sense for GitHub to be requiring 2FA.

U.S. Commerce Department Tightens Exports of Hacking Tools

Security,

The U.S. Commerce Department’s Bureau of Industry and Security (BIS) has released an interim final rule that establishes controls on the export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.

Here is a key part of the press release:

The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices. U.S. exporters are likewise encouraged to consult the State Department’s Guidance in Implementing the “Guiding Principles” for Transactions Linked to Foreign Government End Users for Products or Services with Surveillance Capabilities to minimize the risk that their products or services are misused by governments to violate or abuse human rights.

The Washington Post eported that this was a long-awaited rule that officials hope will stem the export or resale of hacking tools to China and Russia while still enabling cybersecurity collaboration across borders.

The rule will take effect after 90 days. Here is what it covers:

  • Software such as Pegasus, a potent spyware product sold by the Israeli firm NGO Group to governments that have used it to spy on dissidents and journalists
  • Bars sales of hacking software and equipment to China and Russia, as well as to a number of other countries of concern, without a license from the department’s Bureau of Industry and Security (BIS)

According to The Washington Post, The U.S. Department of Commerce already has export controls on products containing encryption, so the new rule applies to products that do not contain encryption. The Washington Post also reported that any intrusion software, even for defensive purposes, being sold to anyone in China or Russia, whether or not they work for the government, will require a license, according to the rule.

In addition, the rule will align the United States with the 42 European and other allies that are members of the Wassennaar Arrangement. This group sets voluntary export control policies on military and dual-use technologies (products that can be used both for civilian ad military purposes).

The Washington Post says that China is not a Wassenaar member. Israel is also not a member but voluntarily adopts its controls. Russia is a Wassenaar member.

In my opinion, the rule seems like a common-sense idea. There is no good reason to sell, transfer, or export tools to other countries that might be inclined to use those tools to hurt people.

TikTok Won’t Be Shut Down Due to Ongoing Lawsuit

Security

The U.S. Department of Commerce said that it wouldn’t enforce its order that would have forced the Chinese-owned TikTok video sharing app to shut down, The Wall Street Journal reported. The reason is due to the result of a lawsuit.

In September of 2020, the U.S. Department of Commerce announced a prohibition on transactions relating to mobile apps WeChat and TikTok. It would have barred companies from providing internet hosting or content-delivery services to TikTok. This would have resulted in making TikTok inoperable in the United States.

In October of 2020, three popular TikTok creators, Douglas Marland, Cosette Rinab, and Alec Chambers filed a lawsuit against the Department of Commerce. TechCrunch reported that each have millions of followers on TikTok. Their argument was that banning the app would make them lose access to their followers, and impact their ability to earn a living.

U.S. District Judge for the Eastern District of Pennsylvania Wendy Beetlestone granted the three TikTok creators the preliminary injunction hey asked for. According to NBC News, Judge Beetlestone also found that the government had gone beyond the authority under the International Emergency Economic Powers Act.

As a result, the U.S. Department of Commerce announced that the preliminary injunction enjoined it from enforcing the prohibition on TikTok. It appears that the U.S. government intends to appeal this ruling.

CISA Says November 3rd Election was Most Secure in American History

Security

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) posted a joint statement in which they declared: “The November 3rd election was the most secure in American history”. This should be a big relief to those who were concerned about potential security issues, or who have become convinced that the election was “rigged”.

“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes and errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised”.

The statement also pointed out: “Other security measures like pre-election testing, state certification of voting equipment, and the U.S. Election Assistance Commission’s (EAC) certification of voting equipment help to build additional confidence in the voting systems used in 2020.”

CISA is the nation’s risk advisor, working with partners against today’s threats and collaborating to build more secure and resilient infrastructure for the future.

The Joint Statement included people from the CISA, the Election Infrastructure Government Coordinating Council (GCC) executive committee, the U.S. Election Assistance Commission Chair, the National Association of Secretaries of State (NASS), the National Association of State Election Directors (NASEED), and members of the Election Infrastructure Sector Coordinating Council (SCC).

In short, this group includes people who have the job of making sure our election infrastructure is secure. Together, they have more data about this election than anyone else. Personally, I think this statement should be viewed as a major debunking of the misinformation that has been spread about this election.