Privacy lost...

joeyd999

Joined Jun 6, 2011
6,297
https://www.freep.com/story/money/c.../03/22/gm-data-firms-lexis-nexis/73057931007/

General Motors said Friday it is severing ties with two data brokers following a lawsuit that connected the automaker to sharing driver data that resulted in higher auto insurance rates for that plaintiff.

In a lawsuit filed March 13, Romeo Chicco of Florida claims GM, its connected-services subsidiary OnStar and data and analytics company LexisNexis Risk Solutions violated privacy and consumer protection laws.

Chicco alleges GM captured and shared his driving data — which included information about his speeding, braking and acceleration — with LexisNexis, which then shared it with insurers. The complaint, filed in the U.S. District Court Southern District of Florida, seeks class-action status.
I will still never buy a new car, unless the dealer shows me where the wifi is so I can destroy it.
 

joeyd999

Joined Jun 6, 2011
6,297
Modern cars have no WiFi for navigation, but rather a direct satellite link
I used the word "wifi" as a generic place holder for whatever data-link technology they use to phone home.

My first choice was "radio" -- which would have been accurate under any circumstances -- but I'm an old guy. Saying you're going to rip out a car's radio used to mean something else. God I miss the old days.

 

nsaspook

Joined Aug 27, 2009
16,325
I used the word "wifi" as a generic place holder for whatever data-link technology they use to phone home.

My first choice was "radio" -- which would have been accurate under any circumstances -- but I'm an old guy. Saying you're going to rip out a car's radio used to mean something else. God I miss the old days.

We could track old cars using the heterodyne oscillator signal, among a few other things. There was usually sufficient leakage from the mixer stage to the car antenna to detect a car and DF it, in the right conditions.
https://scholarsmine.mst.edu/cgi/viewcontent.cgi?article=3154&context=doctoral_dissertations&ved=2ahUKEwik18OBv4qFAxWzIEQIHeKqBmAQFnoECDYQAQ&usg=AOvVaw1osGQKvqNsfnlcopinslB7

With today's high frequency digital in everything, unintentional emissions are everywhere.
 

nsaspook

Joined Aug 27, 2009
16,325
https://www.theregister.com/2024/03/22/boffins_tucktotruck_worm/
Truck-to-truck worm could infect – and disrupt – entire US commercial fleet

https://www.ndss-symposium.org/wp-content/uploads/vehiclesec2024-47-paper.pdf
The hardware and software described here are specific to the device we analyzed. However, we observed that multiple ELDs from the same manufacturer utilized almost identical architectures. Furthermore, we noted that there were large overlapping similarities between many of the diagnostic port mounted ELDs.

1) Physical Device: The ELD we analyzed is a small, hand-held device that plugs into the 9-pin diagnostic port on Heavy Vehicles. The device gathers data from the vehicle through the CAN channels exposed on the diagnostic port and is powered by the diagnostic port. The device has no other ports on it as all other communication is performed over wireless interfaces. The ELD presents 3 wireless interfaces, namely: WiFi, Bluetooth, and GPS. GPS is used for gathering location data while WiFi and Bluetooth are used to communicate with an application on the user's phone or tablet. Depending upon the reseller, either WiFi or Bluetooth Low Energy (BLE) is used, but we did not find an instance where both were necessary. An ESP32 chip is in charge of controlling the device. While the exact chip model varied between devices, they all were dual threaded with integrated storage, and supported WiFi, BLE, GPS, and CAN. Other notable features include a small PCB antenna and an ESP programming port.

2) Execution Environment: The ESP32 chip executes a 32-bit Xtensa instruction set architecture (ISA) that blends 16-bit and 24-bit instructions in a RISC-based framework [19]. The device utilizes the Espressif Integrated Development Framework (ESP-IDF) which makes use of a Symmetric Multiprocessing implementation of FreeRTOS, a lightweight and fast Real Time Operating System [20].
The totally insecure ESP32 (minimal security, or none at all really) is being used. No shocker it's an easy target for a virus/worm.
Firmware Security Flaws: The device lacks enforcement of firmware signing for authenticity, relying only on rudimentary integrity checks via checksums and hashes, which are inadequate for assuring firmware security. Digitally signed firmware is a better alternative.

1) Criteria for Successful Exploitation:
• Proximity for Wireless Access: Attackers must be within the wireless range to leverage WiFi and Bluetooth vulnerabilities for actions like sending arbitrary CAN messages or uploading malicious firmware.
• Exploiting Default Settings
– Bluetooth Access: With a predictable Bluetooth identifier and a "Just Works" pairing mode, attackers can connect to the device if the driver is not currently connected [21]. Post-connection, the API allows them to either upload malicious firmware or manipulate CAN messages.
– WiFi Access: The device's WiFi, identifiable by a predictable SSID and protected by a weak password, grants network access. Once connected, attackers can either utilize the /upload.php endpoint on the internal web server for firmware uploads or exploit the API on port 23 via Telnet for sending/receiving CAN messages or firmware manipulation.
This research has illuminated significant vulnerabilities in electronic logging devices (ELDs), a mandated technology in the trucking industry, underscoring the critical need for enhanced cybersecurity measures. Through comprehensive testing, both in controlled settings and in real-world environments, we have demonstrated the practical risks and potential impacts of a Truck to Truck Worm facilitated by these devices. The findings from our study highlight the importance of security in technologies that are not only integral to operational efficiency but also legally mandated. The vulnerability of such systems poses a broader risk to the entire supply chain, making it imperative that security measures evolve in tandem with technological advancements. Our recommendations for bolstering ELD security, such as optimizing default security settings, ensuring firmware integrity, and limiting unnecessary API features, are designed to be practical and effective, considering the constraints of cost, reliability, and user-friendliness. These steps are crucial for mitigating the risks identified and setting a foundation for more secure operations.
It's almost like they intentionally made it as insecure as possible so it could be easily hacked, but it's much more likely plain-Jane programmer incompetence. :eek:
 
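The paper's firmware-signing point, carried through in working Go as an added example (not the paper's code and not the ELD vendor's): a checksum or hash is an integrity check that anyone who can write the image can also recompute, so it stops corruption but not an attacker; a signature binds the image to a private key the attacker does not hold, so a replaced payload fails verification even though the attacker controls every byte of the image. The two image layouts and the placeholder payload strings are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Toy image layouts assumed for this example (not the ELD's real format):
//   checksum-only image: SHA-256(payload) || payload
//   signed image:        Ed25519 signature over payload || payload

// BuildChecksumImage prefixes a payload with its SHA-256 digest, the kind of
// unkeyed integrity check the paper says the device relies on.
func BuildChecksumImage(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append(sum[:], payload...)
}

// VerifyChecksumImage accepts any image whose digest matches its payload.
func VerifyChecksumImage(img []byte) ([]byte, error) {
	if len(img) < sha256.Size {
		return nil, errors.New("short image")
	}
	want, payload := img[:sha256.Size], img[sha256.Size:]
	got := sha256.Sum256(payload)
	if !bytes.Equal(want, got[:]) {
		return nil, errors.New("checksum mismatch")
	}
	return payload, nil
}

// BuildSignedImage prefixes the payload with an Ed25519 signature made with
// the vendor's private key, which never leaves the build system.
func BuildSignedImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(ed25519.Sign(priv, payload), payload...)
}

// VerifySignedImage accepts only images whose signature checks under the
// public key the device carries; it rejects truncated images before verifying.
func VerifySignedImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < ed25519.SignatureSize {
		return nil, errors.New("short image")
	}
	sig, payload := img[:ed25519.SignatureSize], img[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("bad signature")
	}
	return payload, nil
}

// Attacker side: swap in a malicious payload. Against the checksum format the
// attacker simply rebuilds the image, since nothing in the check needs a secret.
func TamperChecksumImage(evil []byte) []byte { return BuildChecksumImage(evil) }

// Against the signed format the attacker has no signing key, so the best they
// can do is keep the old signature in front of the new payload.
func TamperSignedImage(img, evil []byte) []byte {
	sig := append([]byte{}, img[:ed25519.SignatureSize]...)
	return append(sig, evil...)
}

// Demo runs both formats through the same tampering and reports what a
// device using each check would accept.
func Demo() (checksumAcceptsTampered, signedAcceptsGenuine, signedAcceptsTampered bool, err error) {
	pub, priv, kerr := ed25519.GenerateKey(rand.Reader)
	if kerr != nil {
		return false, false, false, kerr
	}
	genuine := []byte("ELD firmware (constructed placeholder payload)")
	evil := []byte("malicious ELD firmware (constructed placeholder payload)")

	_, cerr := VerifyChecksumImage(TamperChecksumImage(evil))
	signed := BuildSignedImage(priv, genuine)
	_, gerr := VerifySignedImage(pub, signed)
	_, terr := VerifySignedImage(pub, TamperSignedImage(signed, evil))
	return cerr == nil, gerr == nil, terr == nil, nil
}

func main() {
	c, g, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("checksum-only image, tampered payload accepted:", c) // true
	fmt.Println("signed image, genuine payload accepted:", g)         // true
	fmt.Println("signed image, tampered payload accepted:", t)        // false
}
```

The hash is not useless, it just has to sit under a signature: real schemes sign a digest of the image, and ESP-IDF ships a Secure Boot feature that keys the check to a digest burned into eFuses, so the gap the paper describes is a device that never turned that on, not a chip that cannot do it.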

WBahn

Joined Mar 31, 2012
32,848
I'm confused by how Google can even provide that information for everyone that watched a YouTube video, since you don't have to have a Google or YouTube account in order to watch a video. If I go to a library and watch a YouTube video, what information does Google have that they can share, even if they want to? It would seem that the very fact that people can easily watch videos without disclosing identifying information makes any such data collection highly problematic, since the very people you want to identify are the people most likely to take steps to avoid being identified.

This guy also seems to be under the impression that Google somehow has information on people that were sent links to a video even if they didn't watch it.

Which, of course, is completely separate from the issue of whether the government would still try to get whatever data they can and the issue of whether or not they should be allowed to do so.
 

nsaspook

Joined Aug 27, 2009
16,325
Unless you're using IP spoofing, privacy gateways, or other means, they will have at least some info on the ISP servers directly on the network and likely also access to regional location data for optimization of those networks. It's likely a wide net designed to narrow down to maybe the city of viewership.
 

nsaspook

Joined Aug 27, 2009
16,325
https://www.notus.org/technology/dhs-access-phone-movements-data
DHS Is Expected to Stop Buying Access to Your Phone Movements
The controversial practice has allowed for warrantless tracking of hundreds of millions of people for years.
“The information that is available commercially would kind of knock your socks off,” said former top CIA official Michael Morell on a podcast last year. “If we collected it using traditional intelligence methods, it would be top-secret sensitive. And you wouldn’t put it in a database, you’d keep it in a safe.”

In documents that the American Civil Liberties Union obtained under the Freedom of Information Act, DHS said that agents and analysts using the data "were able to identify specific stash houses, suspicious trucking firms in North Carolina, links to Native American reservations in Arizona, connections in Mexico and Central America which were not known and possible [accomplices] and international links to MS-13 gang homicides."

DHS’ internal watchdog opened an investigation after a bipartisan outcry from lawmakers and civil society groups about warrantless tracking. The inspector general’s report, released in September 2023, found that the department lacked adequate privacy controls on the use of the data and recommended that DHS stop using the data until such controls were adopted.
 

nsaspook

Joined Aug 27, 2009
16,325
https://www.politico.com/news/2024/03/31/thwarted-supply-chain-hack-alarm-bells-00149877
Thwarted supply-chain hack sets off alarm bells across DC
“This is like an insider threat in the open source ecosystem, which we haven’t really seen before,” one official said.
A GitHub user identified as Jia Tan — who may not be a real or an individual person — spent roughly two years building their bona fides in the developer community before exploiting that trust to take over control of Xz. In marking that trajectory, Jia Tan also appears to have gotten a reputational boost from at least five other GitHub users who aggressively vouched for their trustworthiness, according to Marc Rogers, a white hat researcher who has been investigating the hack.
...
“I’m 100% certain there are people in the U.S. government who lost their weekends over this and are working diligently to get to the bottom of it,” said Jake Williams, a former NSA hacker. Other researchers said state involvement is likely given how skilled the Xz exploit code was.

The exploit was not directly in openssh. The Xz exploit was pulled in from systemd. Systems without systemd still had security. Systemd is a mess I try not to have running on my systems.
Systemd has long been considered to be a vector for exploit code because it touches so many vital systems and needs elevated privilege.
 

joeyd999

Joined Jun 6, 2011
6,297
https://www.politico.com/news/2024/03/31/thwarted-supply-chain-hack-alarm-bells-00149877
Thwarted supply-chain hack sets off alarm bells across DC
“This is like an insider threat in the open source ecosystem, which we haven’t really seen before,” one official said.


The exploit was not directly in openssh. The Xz exploit was pulled in from systemd. Systems without systemd still had security. Systemd is a mess I try not to have running on my systems.
Systemd has long been considered to be a vector for exploit code because it touches so many vital systems and needs elevated privilege.
Imagine how many of these exploits are embedded and undetectable in closed-source OSs.

"Many eyes make bugs shallow."
 

nsaspook

Joined Aug 27, 2009
16,325
Imagine how many of these exploits are embedded and undetectable in closed-source OSs.

"Many eyes make bugs shallow."
True, but this was more about social engineering than software engineering. A target with access was selected (by personality traits and personal messages consistent with specific vulnerabilities used in the past) that had a high likelihood of being manipulated into giving the attacker access. It was well planned and executed, but the actual software hack had a fatal flaw of detectability because of timing and memory corruption issues. We got lucky that the only ones affected were those running rolling-release, bleeding-edge versions of software like I do to test things before they are installed on a 'stable' production system. There is currently a search for others because most don't believe this is an isolated incident.
 

joeyd999

Joined Jun 6, 2011
6,297
We got lucky that the only ones affected were those running a rolling release, bleeding-edge versions of software like I do to test things before they are installed on a 'stable' production system.
You got time on your hands.

I wait at least 6 mos. (usually one or two years) before installing the latest LTS -- with the assumption that most of the kinks have been worked out.
 

nsaspook

Joined Aug 27, 2009
16,325
You got time on your hands.

I wait at least 6 mos. (usually one or two years) before installing the latest LTS -- with the assumption that most of the kinks have been worked out.
Time and a ridiculous level of processing redundancy, backup (on and off site). I test things in the Debian related source tree in unstable and experimental releases and report issues so that in 6 mos. it's safe for production.
https://wiki.debian.org/DebianUnstable
https://www.devuan.org/os/releases
 

nsaspook

Joined Aug 27, 2009
16,325
https://www.wired.com/story/jia-tan-xz-backdoor/
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind
The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.
As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. Independent security reporter Brian Krebs writes that he could find “zero trace” of Jia Tan’s email address outside of the messages they sent to fellow open source contributors, even after scouring breached databases. Jia Tan also appears to have routed all their communications through a VPN with a Singaporean IP address.


The lack of any other online presence linked to Jia Tan points toward the account being a “single-purpose invented persona” and indicates how much sophistication, patience, and thought was put into developing the backdoor, says Will Thomas, an instructor at the SANS Institute, a cybersecurity training firm. The Jia Tan persona has vanished since the backdoor was discovered, and emails sent by WIRED to a Gmail address linked to it have gone unanswered. Jia Tan’s GitHub account has been suspended, a company spokesperson tells WIRED.
At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan's commits is UTC+8: That's China's time zone, and only an hour off from North Korea's. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit. In fact, several commits were made with a computer set to an Eastern European or Middle Eastern time zone instead, perhaps when Jia Tan forgot to make the change.
...
Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. That means we should expect to see Jia Tan return by other names: seemingly polite and enthusiastic contributors to open source projects, hiding a government’s secret intentions in their code commits.
It's not paranoia, there are active, ongoing attacks to our critical infrastructure.
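The time-zone check the Wired piece attributes to Karty and Henniger, carried through on constructed data as an added example (not their code and not Jia Tan's real commit log): parse timestamps in the shape `git log --format=%aI` prints them, tabulate the claimed UTC offsets, flag the commits whose offset disagrees with the rest, and ask under which candidate zone the commit hours look most like a working day. The sample timestamps, the candidate zones and the 09:00-18:00 window are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// sampleCommits is a CONSTRUCTED set of author timestamps, not real commits.
// Most carry a UTC+8 stamp but fall in the evening there; two carry UTC+2.
var sampleCommits = []string{
	"2023-06-05T16:00:00+08:00", // 08:00 UTC
	"2023-06-06T17:00:00+08:00", // 09:00 UTC
	"2023-06-07T18:30:00+08:00", // 10:30 UTC
	"2023-06-08T19:00:00+08:00", // 11:00 UTC
	"2023-06-09T20:00:00+08:00", // 12:00 UTC
	"2023-06-12T21:00:00+08:00", // 13:00 UTC
	"2023-06-13T14:30:00+08:00", // 06:30 UTC
	"2023-06-14T22:00:00+08:00", // 14:00 UTC
	"2023-06-15T11:00:00+02:00", // 09:00 UTC, stamped Eastern European time
	"2023-06-16T14:00:00+02:00", // 12:00 UTC, stamped Eastern European time
}

// ParseCommits reads RFC 3339 timestamps, keeping the offset each one claims.
func ParseCommits(lines []string) ([]time.Time, error) {
	out := make([]time.Time, 0, len(lines))
	for _, l := range lines {
		t, err := time.Parse(time.RFC3339, l)
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", l, err)
		}
		out = append(out, t)
	}
	return out, nil
}

// OffsetHistogram counts commits per claimed UTC offset, in whole hours.
func OffsetHistogram(ts []time.Time) map[int]int {
	h := map[int]int{}
	for _, t := range ts {
		_, off := t.Zone()
		h[off/3600]++
	}
	return h
}

// OutlierCommits returns the commits whose claimed offset is not the most
// common one: the "forgot to change the clock" candidates.
func OutlierCommits(ts []time.Time) []time.Time {
	mode, best := 0, -1
	for off, n := range OffsetHistogram(ts) {
		if n > best || (n == best && off < mode) {
			mode, best = off, n
		}
	}
	var out []time.Time
	for _, t := range ts {
		if _, off := t.Zone(); off/3600 != mode {
			out = append(out, t)
		}
	}
	return out
}

// WorkingHoursFit counts commits that land between 09:00 and 18:00 once every
// timestamp is re-expressed in the candidate zone, ignoring the claimed offset.
func WorkingHoursFit(ts []time.Time, offsetHours int) int {
	zone := time.FixedZone("candidate", offsetHours*3600)
	n := 0
	for _, t := range ts {
		if h := t.In(zone).Hour(); h >= 9 && h < 18 {
			n++
		}
	}
	return n
}

// BestFitOffset returns the candidate under which the most commits fall in
// working hours, and that count. Ties keep the earlier candidate.
func BestFitOffset(ts []time.Time, candidates []int) (int, int) {
	bestOff, bestN := candidates[0], -1
	for _, c := range candidates {
		if n := WorkingHoursFit(ts, c); n > bestN {
			bestOff, bestN = c, n
		}
	}
	return bestOff, bestN
}

func main() {
	ts, err := ParseCommits(sampleCommits)
	if err != nil {
		panic(err)
	}
	fmt.Println("claimed offsets (hours -> commits):", OffsetHistogram(ts))
	for _, t := range OutlierCommits(ts) {
		fmt.Println("offset outlier:", t.Format(time.RFC3339))
	}
	candidates := []int{8, 3, 2}
	for _, c := range candidates {
		fmt.Printf("UTC%+d: %d/%d commits inside 09:00-18:00\n", c, WorkingHoursFit(ts, c), len(ts))
	}
	off, n := BestFitOffset(ts, candidates)
	fmt.Printf("best fit: UTC%+d (%d commits)\n", off, n)
}
```

On the constructed data the claimed UTC+8 puts only 4 of 10 commits in a working day while UTC+3 puts all 10 there, which is the shape of evidence the article describes; on a real repository the same functions run over `git log --format=%aI` output, and the author date should be compared with the committer date as well, since only the former is under the contributor's control when a maintainer merges the work.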
 

nsaspook

Joined Aug 27, 2009
16,325
Exactly, this was no accident: the original maintainer was targeted by the traditional tradecraft of selecting a good target using an individual's weakness. It might be sex, money, drugs, personal health demons or a dozen other things.
The government has programs like PRP, counterintelligence, etc... for their personnel in sensitive positions but guys like Snowden or the Walkers prove it's not a magical fix.
https://en.wikipedia.org/wiki/Personnel_Reliability_Program
The PRP evaluates many aspects of the individual's work life and home life. Any disruption of these, or severe deviation from an established norm would be cause to deny access. The denial might be temporary or permanent. However, the policy does explicitly state,

The denial of eligibility or the revocation of certification for assignment to PRP positions is neither a punitive measure nor the basis for disciplinary action. The failure of an individual to be certified for assignment to PRP duties does not necessarily reflect unfavorably on the individual's suitability for assignment to other duties.
Once in this program, you have no legal privacy about the things that are still classified decades later.

https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
MORAL
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.
 

nsaspook

Joined Aug 27, 2009
16,325
https://www.nbcnews.com/tech/innova...gineer-alleged-thief-trade-secrets-rcna146623
Linwei Ding was a Google software engineer. He was also a prolific thief of trade secrets, say prosecutors.
U.S. officials say some of America’s most prominent tech firms have had their virtual pockets picked by Chinese corporate spies and intelligence agencies.

Days after the Ding case was announced, prosecutors charged the owners of a Chinese company with conspiring to steal battery secrets from Tesla. This week, a government cybersecurity board ripped Microsoft for an “inadequate security culture” and a “cascade … of avoidable errors” that allowed Chinese intelligence hackers to compromise the company’s email software and gain access to the accounts of the U.S. commerce secretary.

In February, the Justice Department charged a Chinese engineer with stealing missile-tracking technology from a company owned by aerospace giant Boeing. Last year, prosecutors accused a Chinese national of stealing Apple’s self-driving car technology and fleeing to China.
 