Tesla Model S Hack Explained


There have been several media stories lately about Chinese hackers compromising the technology systems on a Tesla and demonstrating partial control of the vehicle. Most of these stories don’t provide much technical detail, so I thought it might be helpful to explain how the hack was performed and what the hackers were able to control during their demonstration.

The demonstrated exploit works by compromising the car’s CAN bus after a user inside the vehicle connects to a malicious Wi-Fi network and browses it with the car’s built-in web browser. The group then demonstrated remote control of the hacked Model S: they opened the trunk, adjusted the sunroof and the mirrors, and applied the brakes while the vehicle was in motion.

This demonstration illustrates how cybersecurity weaknesses can affect internet-connected vehicles, and it is a call for vehicle manufacturers to redouble their efforts to address these concerns. Tesla had already patched the exploit, in the Firmware 7.1 update, before it was publicly announced. Let’s hope future vulnerabilities are addressed by the various brands before someone is injured or killed.

Video of the hacking demonstration:


Biggest Security Concerns Facing Your Business


You should be concerned about the security risks facing your company. Most business leaders seem to have decided to approach the risk of a breach by acknowledging that they will eventually be breached, so the plan becomes: do everything we can to reduce the risk, and work out how we will deal with the PR issues when it happens. Your business needs to acknowledge the need for an information security program so you can significantly reduce the risk of a successful attack. You should also begin deciding how you will respond to an attack.

You need to understand what your business stands to lose in the event of a successful attack. Depending on the scale of the breach and the size of your business, the impact could be catastrophic. What is at risk from a successful attack?

  • Data Compromise – Loss of customer or vendor data crucial to your business operations.
  • Loss of Intellectual Property – You might have unique data or knowledge that sets your business apart in its market segment; that edge is lost if the data is published on the internet.
  • Government or Regulator Fines – Breaches can lead to massive fines from business regulators and the government.
  • Lawsuits – Lawsuits from clients or business partners can lead to an unrecoverable financial situation.
  • Brand Damage – If people can’t trust your business to protect their data, they may take their business to your competitor.

If an attacker gains unrestricted access to your entire business infrastructure, you could experience some or all of these issues, and it could take months (or years) to fully recover. It is also possible that the financial impact will be so severe that your business never recovers from the breach. As attacks on businesses grow more sophisticated, it becomes even more important for your business to be at the forefront of security initiatives.

Steps required to address this concern:

  • Focus – Create a business agenda that focuses on preventing and responding to attacks.
  • Build Walls – Segment your network so that successful attacks are harder to mount and easier to contain.
  • Be Aware – Actively monitor for attacks using trained technicians and modern vendor tools.
  • Discuss – Include cybersecurity discussions in every project, and review established security solutions periodically, since your risk profile changes as new vulnerabilities appear.

SQL Server Instance Information using PowerShell


You can use PowerShell, provided by Microsoft, to gather and display information about your instance of SQL Server. The scripting process is fairly easy, and it can help you gather information about an instance very quickly.

In this blog post by Michiel Wories, he covers building and running a PowerShell script that loads the SQL Server 2008 PowerShell provider and cmdlets into an ordinary PowerShell session (the snap-ins ship with SQL Server 2008, so the script only works on a machine where the SQL Server management tools are installed):

#
# Initialize-SqlpsEnvironment.ps1
#
# Loads the SQL Server 2008 provider extensions (the "100" snap-ins) into a plain
# PowerShell session, so the SQLSERVER: drive and Invoke-Sqlcmd become available.
#
# Usage: Powershell -NoExit -Command "& '.\Initialize-SqlPsEnvironment.ps1'"
#
# Change log:
# June 14, 2008: Michiel Wories
#   Initial Version
# June 17, 2008: Michiel Wories
#   Fixed issue with path that did not allow for snapin\provider:: prefix of path
#   Fixed issue with provider variables. Provider does not handle case yet
#   that these variables do not exist (bug has been filed)
$ErrorActionPreference = "Stop"

# The sqlps mini-shell registers itself under this key; its Path value points at the
# directory that holds the snap-in DLLs and the type/format files loaded below.
$sqlpsreg = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.SqlServer.Management.PowerShell.sqlps"
if (-not (Test-Path $sqlpsreg))
{
    throw "SQL Server PowerShell is not installed."
}
$item = Get-ItemProperty $sqlpsreg
$sqlpsPath = [System.IO.Path]::GetDirectoryName($item.Path)

#
# Preload the assemblies. Note that most assemblies will be loaded when the provider
# is used. If you work only within the provider this may not be needed. It will reduce
# the shell's footprint if you leave these out.
#
$assemblylist =
    "Microsoft.SqlServer.Smo",
    "Microsoft.SqlServer.Dmf",
    "Microsoft.SqlServer.SqlWmiManagement",
    "Microsoft.SqlServer.ConnectionInfo",
    "Microsoft.SqlServer.SmoExtended",
    "Microsoft.SqlServer.Management.RegisteredServers",
    "Microsoft.SqlServer.Management.Sdk.Sfc",
    "Microsoft.SqlServer.SqlEnum",
    "Microsoft.SqlServer.RegSvrEnum",
    "Microsoft.SqlServer.WmiEnum",
    "Microsoft.SqlServer.ServiceBrokerEnum",
    "Microsoft.SqlServer.ConnectionInfoExtended",
    "Microsoft.SqlServer.Management.Collector",
    "Microsoft.SqlServer.Management.CollectorEnum"

foreach ($asm in $assemblylist)
{
    # Partial-name loading resolves whichever SMO version is installed in the GAC.
    [void][Reflection.Assembly]::LoadWithPartialName($asm)
}

#
# Set variables that the provider expects (mandatory for the SQL provider)
#
Set-Variable -Scope Global -Name SqlServerMaximumChildItems -Value 0
Set-Variable -Scope Global -Name SqlServerConnectionTimeout -Value 30
Set-Variable -Scope Global -Name SqlServerIncludeSystemObjects -Value $false
Set-Variable -Scope Global -Name SqlServerMaximumTabCompletion -Value 1000

#
# Load the snap-ins, type data, format data
#
Push-Location
Set-Location $sqlpsPath
Add-PSSnapin SqlServerCmdletSnapin100
Add-PSSnapin SqlServerProviderSnapin100
Update-TypeData -PrependPath SQLProvider.Types.ps1xml
Update-FormatData -PrependPath SQLProvider.Format.ps1xml
Pop-Location

Write-Host -ForegroundColor Yellow 'SQL Server PowerShell extensions are loaded.'
Write-Host
Write-Host -ForegroundColor Yellow 'Type "cd SQLSERVER:\" to step into the provider.'
Write-Host
Write-Host -ForegroundColor Yellow 'For more information, type "help SQLServer".'
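The loader above only makes the provider available; it does not itself report anything about the instance. As an added example (not part of the original post or of Michiel Wories’ script), the following uses the SMO assemblies the loader preloads to pull the facts a security review of an instance usually starts with: build and patch level, authentication mode, service account, surface-area options, sysadmin membership, and SQL logins that bypass password policy. The instance name, the function names and the list of configuration options checked are my assumptions; the caller’s Windows login needs sysadmin or at least VIEW SERVER STATE and VIEW ANY DEFINITION to see everything.

```powershell
# Added example, not part of Michiel Wories' script: gather security-relevant facts
# about an instance through SMO after Initialize-SqlpsEnvironment.ps1 has been run.
# Assumptions: the instance name below, and that the caller's Windows login can read
# server-level metadata (sysadmin, or VIEW SERVER STATE / VIEW ANY DEFINITION).
param([string]$InstanceName = "localhost")   # assumed: default instance on this host

$server = New-Object Microsoft.SqlServer.Management.Smo.Server -ArgumentList $InstanceName

function Get-InstanceSummary {
    [pscustomobject]@{
        Name           = $server.Name
        Version        = $server.VersionString       # 10.0.xxxx for SQL Server 2008
        Edition        = $server.Edition
        ProductLevel   = $server.ProductLevel        # RTM / SPn: unpatched builds stand out here
        LoginMode      = $server.Settings.LoginMode  # Integrated is preferred over Mixed
        ServiceAccount = $server.ServiceAccount      # LocalSystem here is a finding
        IsClustered    = $server.IsClustered
    }
}

# Server-level switches that widen the attack surface when enabled.
# RunValue is the setting currently in effect, ConfigValue the pending one.
function Get-SurfaceAreaOptions {
    $cfg = $server.Configuration
    foreach ($name in 'XPCmdShellEnabled', 'OleAutomationProceduresEnabled', 'RemoteAccess',
                      'AdHocDistributedQueriesEnabled', 'IsSqlClrEnabled', 'CrossDBOwnershipChaining') {
        [pscustomobject]@{ Option = $name; Enabled = [bool]$cfg.$name.RunValue }
    }
}

# Every principal holding the sysadmin fixed server role.
function Get-SysadminMembers {
    $server.Roles['sysadmin'].EnumServerRoleMembers() |
        ForEach-Object { [pscustomobject]@{ Principal = $_; Role = 'sysadmin' } }
}

# Enabled SQL logins that opt out of the Windows password policy or expiry.
function Get-WeakSqlLogins {
    $server.Logins |
        Where-Object { $_.LoginType -eq 'SqlLogin' -and -not $_.IsDisabled -and
                       (-not $_.PasswordPolicyEnforced -or -not $_.PasswordExpirationEnabled) } |
        Select-Object Name, PasswordPolicyEnforced, PasswordExpirationEnabled, CreateDate
}

Get-InstanceSummary    | Format-List
Get-SurfaceAreaOptions | Format-Table -AutoSize
Get-SysadminMembers    | Format-Table -AutoSize
Get-WeakSqlLogins      | Format-Table -AutoSize
```

Run it from the session the loader prepared (for example `.\Get-InstanceSecurityInfo.ps1 -InstanceName "SERVER\INSTANCE"`). Every value comes from SMO properties, so the same facts are also reachable by hand through the provider, for instance `Get-Item SQLSERVER:\SQL\localhost\DEFAULT | Select-Object Edition, ProductLevel` once you have stepped into the SQLSERVER: drive.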

Protect Stored Procedures Against Multiple Concurrent Executions


Stored procedures are a great way to encapsulate business logic in your database, but we don’t always want a stored procedure to be executed by more than one user at exactly the same time. In this article by Hans Michiels, we see how he builds the logic that prevents concurrent execution.

How it works

  • You create the table [dbo].[udm_storedproc_executions] (or name it differently) in your database.
  • You create the stored procedure [sp].[GetPace] (or name it differently) in your database.
  • You add the code snippet below to stored procedures that are not supposed to run multiple times concurrently.

Proof that it works

For the demo I use the following stored procedures:

  • [sp].[SubStoredProc]
  • [sp].[StoredProcGettingPace]
  • [sp].[StoredProcGettingPaceNoWait]

[sp].[SubStoredProc] is executed by both of the other stored procedures: one that waits for the running copy to finish, and one that gives up immediately.
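The article names the building blocks (an executions table, a [sp].[GetPace] procedure, and a snippet pasted into each guarded procedure) but does not reproduce them here, so as an added example, and not Hans Michiels’ own code, the following is one way to implement that design in T-SQL. The table and procedure names follow the article; the column layout, the [sp].[ReleasePace] helper, the @wait_seconds parameter and the error numbers are my assumptions. The point is that the PRIMARY KEY, not any application-level check, is what makes two sessions unable to both “get the pace”.

```sql
-- Added example, not the article's code: a table-backed guard that stops a stored
-- procedure from running in two sessions at once. Assumed: the [sp] schema, the
-- column layout below, and that the caller is on SQL Server 2012+ (for THROW).
CREATE SCHEMA sp;
GO
CREATE TABLE dbo.udm_storedproc_executions (
    storedproc_name sysname      NOT NULL,
    session_id      int          NOT NULL,
    started_at      datetime2(3) NOT NULL
        CONSTRAINT DF_udm_storedproc_executions_started_at DEFAULT SYSUTCDATETIME(),
    -- One row per procedure name: a second INSERT for the same name fails (2627).
    CONSTRAINT PK_udm_storedproc_executions PRIMARY KEY (storedproc_name)
);
GO
-- Sets @has_pace = 1 when this session now owns the named procedure, 0 when another
-- session still holds it after @wait_seconds (0 = fail immediately).
CREATE PROCEDURE sp.GetPace
    @storedproc_name sysname,
    @wait_seconds    int = 0,
    @has_pace        bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @has_pace = 0;
    DECLARE @deadline datetime2(3) = DATEADD(second, @wait_seconds, SYSUTCDATETIME());

    -- Clear a row left behind by a session that was killed mid-run. Only safe when we
    -- can see every session; without VIEW SERVER STATE, dm_exec_sessions shows our own only.
    IF HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE') = 1
        DELETE e FROM dbo.udm_storedproc_executions AS e
        WHERE e.storedproc_name = @storedproc_name
          AND NOT EXISTS (SELECT 1 FROM sys.dm_exec_sessions AS s WHERE s.session_id = e.session_id);

    WHILE 1 = 1
    BEGIN
        BEGIN TRY
            INSERT dbo.udm_storedproc_executions (storedproc_name, session_id)
            VALUES (@storedproc_name, @@SPID);
            SET @has_pace = 1;
            RETURN;
        END TRY
        BEGIN CATCH
            -- 2627 = PRIMARY KEY violation, i.e. someone else holds the pace. Anything
            -- else is a real error and must not be swallowed.
            IF ERROR_NUMBER() <> 2627 THROW;
        END CATCH;
        IF SYSUTCDATETIME() >= @deadline RETURN;
        WAITFOR DELAY '00:00:01';
    END;
END;
GO
-- Only the owning session may release the row, so a stray call cannot unlock another run.
CREATE PROCEDURE sp.ReleasePace @storedproc_name sysname
AS
    DELETE dbo.udm_storedproc_executions
    WHERE storedproc_name = @storedproc_name AND session_id = @@SPID;
GO
-- The snippet that goes at the top (and bottom) of every procedure that must not overlap.
CREATE PROCEDURE sp.StoredProcGettingPace
AS
BEGIN
    DECLARE @me sysname = N'sp.StoredProcGettingPace', @has_pace bit;
    EXEC sp.GetPace @storedproc_name = @me, @wait_seconds = 30, @has_pace = @has_pace OUTPUT;
    IF @has_pace = 0
        THROW 50000, N'sp.StoredProcGettingPace is already running in another session.', 1;

    BEGIN TRY
        WAITFOR DELAY '00:00:10';   -- stand-in for the real work, long enough to collide
    END TRY
    BEGIN CATCH
        EXEC sp.ReleasePace @storedproc_name = @me;   -- never leave the row behind on error
        THROW;
    END CATCH;
    EXEC sp.ReleasePace @storedproc_name = @me;
END;
GO
```

To reproduce the article’s proof, run `EXEC sp.StoredProcGettingPace;` in two query windows within ten seconds of each other: the second waits, then runs once the first releases the row; with `@wait_seconds = 0` it would instead fail at once with error 50000. SQL Server also ships a built-in alternative, `sp_getapplock`, that gives the same mutual exclusion without a table and releases automatically when the session ends; the table-based approach keeps a visible record of who is running what, which is the part the article is after.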

PCI Update Targets PIN Vendor Systems


The Payment Card Industry (PCI) Security Standards Council has updated its requirements for payment device vendors to help address increased attacks against point of sale (POS) systems that accept a PIN. The new guidance also covers the way payment devices are manufactured, stored, and transported to the merchants that end up using them.

The PCI Security Standards Council now wants payment device vendors to demonstrate that changes in operational or environmental conditions do not compromise a device. This includes subjecting POS devices (including PIN pads) to operating voltages or temperatures outside their normal range. Starting with this update, payment devices are also required to support vendor firmware updates, and the device must cryptographically authenticate each update and reject any update that fails authentication.

Vendors of PIN entry devices must now ensure their devices cannot be modified while being transported to a customer facility, and that the opportunity for tampering along the way is minimized.

Cybersecurity Talent Shortage Challenges


In a recent study by Intel Security (McAfee), Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills, we learn that the global cybersecurity workforce shortfall is predicted to leave almost 2 million cybersecurity positions unfilled by 2019. This is a serious issue for the technology field, and it must be addressed soon. We already have a large number of unfilled positions, and it is going to get much worse before it gets any better.

The shortage of cybersecurity personnel leaves organizations vulnerable to attacks, because unskilled workers are a huge risk. You might find that your security tools are not monitored, new threats are not adequately analyzed, and your ability to respond to breaches is compromised. The short-term solution is to lean harder on your security vendors for better ways to address security needs, but we must see more effort directed at better tools and automation before we can ease the pressure on personnel vacancies.

Another long-term solution is to train your internal resources, developing the skills of personnel who already show the aptitude for a cybersecurity profession. You can also apply some pressure on your local colleges and training companies to encourage specialized training, look for external resources that show promise in the area of cybersecurity skills, or reach out to untapped opportunities such as apprenticeships and internships for high school students.

10 Tips for Motivating Technical Teams

When you manage a group of technical people, you have to be aware that they may have specific needs when it comes to motivating them effectively. It’s important to know how to keep your team motivated.

  1. Treat Them as Experts – As managers, we spend a lot of time finding the best possible candidate for any technical position. It is our responsibility to give those great technical resources as much control as possible over their everyday tasks, and to resist the urge to micromanage their actions. If they are your experts on specific subjects, defer decisions to their feedback, and encourage them to share as much information with the team as possible.
  2. Reward Progress – Technical work can be very difficult and time consuming, so when even mundane tasks are completed you should recognize the success and reward the team when possible. This can be as simple as public recognition of a person’s direct contribution to a project or someone’s help in resolving a production issue. You can also consider allowing someone to work from home for a few days, leaving early on a Friday, or removing them from the after-hours support rotation.
  3. Delegate Responsibility – Allow members of your technical team to take some responsibility as part of a project, which might include some non-technical or managerial tasks. This shows your team your willingness to share your responsibilities, without the appearance of pushing your job onto your team members. Explain the opportunity, encourage interested team members to take on additional responsibilities that will help them grow in non-technical areas, and coach them in building the skills required to move into management.
  4. Reduce Stress – Working in the field can generate a lot of stress, which leads to many late nights trying to resolve problems. Some of these late nights cannot be avoided, but a manager must be aware of them and keep them to an absolute minimum. Acting as a communication buffer between angry users and your technical team can be the easiest way to dramatically reduce their stress level.
  5. Encourage Solutions – People tend to recognize problems, but they don’t always propose a solution. You must allow your team to discover problems, but they must also be allowed to propose the solution. This helps them understand what it takes to resolve issues, and it also lets them grow more comfortable proposing usable solutions.
  6. Remove the Rotten Apple – Do not allow troublemakers to destroy your team. Negativity can kill the collaboration and innovation efforts of your team, and you must not allow that to happen. Keep the complainers away from your team.
  7. Promote Communication – If your team doesn’t feel comfortable communicating with you and the other employees at your company, your team will never be successful. Listen to what your team has to say, and always try to understand what they are telling you and why.
  8. Turn Failure Into Success – Unless a failure is intentional or the result of laziness, stop punishing your team for mistakes. Mistakes and errors are opportunities for improvement. Hold retrospectives after any major event and lead the team in a fact-based review to identify what can be done differently to avoid the same problem in the future.
  9. Encourage Innovation – Seek innovative ideas, and reward your team for anything that is adopted as a new best practice. You have some of the best technical minds available on your team, so unleash their ideas to uncover new innovation.
  10. Be Helpful – Address the concerns of your team and look for ways to make their lives better. This might mean handling difficult users, reducing nonessential tasks, or taking care of some paperwork so they can focus on the technical work.