security

ChatGPT and automotive cybersecurity #2/2: TISAX certification

This is the 2nd post about Automotive Cybersecurity. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.   First post was about CSMS and ISO 21434 and this one is about TISAX.   Query: Tell me about challenges in TISAX certification    ChatGPT: “TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector. There are several challenges associated with TISAX certification: Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification. Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses. Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements. Cost: The cost of TISAX certification can be…



I am worried: AV-Comparatives tests of Business Security products

Av-Comparatives did a long-term test of security Business Products. The details can be seen here: https://www.av-comparatives.org/tests/business-security-test-august-september-2022-factsheet/ Initially, I wanted to write about this test because I was surprised to see how well Microsoft Defender performed. But then, I started to read the details, even if the full report will only be released in December 2022.   Read below the things which surprised me:   Engines used Information about additional third-party engines/signatures used by some of the products: Acronis, Cisco, Cybereason, G Data, Trellix and VIPRE use the Bitdefender engine (in addition to their own protection features). VMware uses the Avira engine (in addition to their own protection features). G Data’s OutbreakShield is based on Cyren.   Of course, most of this is not new … What surprised me was: Cisco is using Bitdefender Watch Guard, Crowdstrike and K7 have own engines Crowdstrike’s ML engine is good G Data is using also Cyren    2) The special settings are not even close to the defaults. It is normal that in business environments, and with business products in general, to be configured by the system administrator, in accordance with vendor’s guidelines and their own expectations. But, this also tells me that there can be huge differences in the detection, performance and FP rate of…


ENISA: ADVANCING SOFTWARE SECURITY IN THE EU

While I was looking after some resources for a presentation, I found this interesting lecture from ENISA.   Advancing Software Security in the EU Download PDF document, 622 KB This study discusses some key elements of software security and provides a concise overview of the most relevant existing approaches and standards while identifying shortcomings associated with the secure software development landscape, related to different inherent aspects of the process. Lastly, it provides a number of practical considerations relevant to the different aspects of software development within the newly established EU cybersecurity certification framework and the EU cybersecurity certification schemes. Fundamental security principles are often overlooked during software development. This is because Security is a non functional feature. Functional requirements are about behaviour of the system towards the outside world (e.g. a user), whereas non-functional requirements are mainly about the internal mechanisms. Many of the security requirements are non-functional; for example on how to store passwords in a database. Security requirements originate from different sources, such as – explicit functional and non-functional requests from user(s), – requirements and obligations originating from the underlying legal framework – requirements that are considered as best practices, company policies, in widely accepted guidelines, from threat…



A brief history of software vulnerabilities in vehicles (Update 2023)

Updated in 2023: 2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More Kia, Honda, Infiniti, Nissan, Acura Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address) Ability to lock users out of remotely managing their vehicle, change ownership For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car Mercedes-Benz Access to hundreds of mission-critical internal applications via improperly configured SSO, including… Multiple Github instances behind SSO Company-wide internal chat tool, ability to join nearly any channel SonarQube, Jenkins, misc. build servers Internal cloud deployment services for managing AWS instances Internal Vehicle related APIs Remote Code Execution on multiple systems Memory leaks leading to employee/customer PII disclosure, account access Hyundai, Genesis Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address) Ability to lock users out of…


How to stay safe when being exclusively online

EN https://www.europol.europa.eu/sites/default/files/documents/safe-at-home_final.pdf DE https://www.europol.europa.eu/sites/default/files/documents/safe-at-home_de.pdf RO https://www.europol.europa.eu/sites/default/files/documents/safe-at-home_ro.pdf More here: https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/make-your-home-cyber-safe-stronghold    Recommendations: Wi-Fi: always change the default router password Install antivirus software on all devices connected to the internet Choose strong and different passwords  for your email and social media accounts Review your apps’ permissions and delete those you don’t use Back up your data and run regular  software updates Secure electronic devices with passwords, PIN or biometric information Review the privacy  settings of your social media accounts Online shopping safety tips Buy from reliable online vendors and check individual ratings Think twice: if an offer sounds too good to be true, it probably is Use credit cards when shopping online for stronger customer protection Check your bank account often for suspicious activity   DO NOT: Reply to suspicious messages or calls Open links and attachments in unsolicited emails and text messages Share your bank card details or personal financial information Buy things online that seem to be sold out everywhere else Send money upfront to someone you don’t know Share news that doesn’t come from official sources Make donations to charities without double-checking their authenticity                              …


The Ultimate Parent Guide for Protecting Your Child on the Internet Series

You can see in the next 8 weeks a post per week about this topic. The short versions of these posts will be published here (from the RSS feed). The full version will always be on Improve-your-security.org Start reading here: The Ultimate Parent Guide for Protecting Your Child on the Internet Series   Happy reading and try to apply some of these.    


Microsoft Updates Guideline on Windows Driver Security

Microsoft has released an updated guide on driver security. This new guide offers advice that developers could use to ensure Windows drivers are secured against basic attacks and preventable flaws.   Driver Security Guidance This section contains information on enhancing driver security. In this section Topic Description Driver security checklist This topic provides a driver security checklist for driver developers. Threat modeling for drivers Driver writers and architects should make threat modeling an integral part of the design process for any driver. This topic provides guidelines for creating threat models for drivers. Windows security model for driver developers This topic describes how the Windows security model applies to drivers and explains what driver writers must do to improve the security of their devices. Use the Device Guard Readiness Tool to evaluate HVCI driver compatibility This topic describes how to use the tool to evaluate the ability of a driver to run in a Hypervisor-protected Code Integrity (HVCI) environment.   The nice part is that all this is also available as PDF. I am starting to like these new initiatives from Microsoft. I wrote that they are taking a clear stance on PUA and now I see that they are actually…


Results of the experiment “HTTPS and HSTS for ITSecurityNews.info”

I wrote 4 months ago (Aug 14) about the switch to HTTPS per default on the new site ITSecurityNews.info. A week ago I wrote about the experiment of enhancing the headers of the website to show full compatibility with HSTS. Experiment started: HTTPS for ITSecurityNews.info Moving to HSTS   Now it is too early to say what impact the HSTS has over the traffic, but we can have a look on the traffic for HTTPS. Here is the shape:   The red vertical line is the point when I switched to HTTPS. There is a 10% increase in September, but then the traffic goes to the normal patterns. Does this mean that the switch to HTTPS failed?  Or is November the result of switching HSTS on? Let’s have a deeper look:   As can be seen in the screenshot above, the trend is to lose visits than to gain. So, I can say that SSL + HSTS is making me lose visitors. But, then we need to look deeper, because a “visitor” is a page visit, which it is not the same as “eyeballs”. In that week of October I’ve had 2.5 views per visitor, while in November I’ve never…


%d bloggers like this: