Thursday, November 23, 2017

Tag: Outlander

Swells the ranks of ethical hackers at Secarma

Secarma, the cyber security business owned by UKFast chief exec Lawrence Jones, has bought application security specialists Pentest Limited, reportedly for £10m. The CHECK and CREST accredited company, whose 45-strong team works with global blue chip organisations, will add a team of ethical hackers to Secarma's roster.

John Denneny, managing director for Altrincham, Cheshire-based Pentest Limited, said: “The deal gives us the opportunity to invest in our people and its future growth to a degree that we could not match standalone."

Pentest Limited is unrelated to Buckinghamshire-based Pen Test Partners of Mitsubishi Outlander and iKettle hacking fame. Penetration testing (AKA pen testing or ethical hacking) is a core service offered by many security consultancies to corporates, so it's not too surprising there are a few firms whose names share the same root.

The security team at Pentest is set to move to UKFast's main offices in Manchester, where a cyber research lab and SOC are being erected. Pentest Ltd filed abbreviated accounts for the year ended 31 May 2015 showing total net assets of £1.259m. Manchester-based UKFast started off as a business-focused ISP but these days describes itself as a cloud infrastructure provider.
Hey, this isn't the way to Chad's house... and who unlocked the doors? Two unpatched vulnerabilities in BMW's ConnectedDrive web portal create a mechanism to manipulate car settings, a security researcher warns. The first (and more serious) vulnerability creates a means for a hacker to access another driver’s Vehicle Identification Number (VIN) before changing in-car settings such as lock/unlocking the vehicle, accessing email accounts, managing routes and real-time traffic information as managed through BMW's In-Car Infotainment Systems.

The second (lesser) issue involves a reflected cross-site scripting bug on BMW’s ConnectedDrive portal password reset webpage. Both flaws were uncovered by security researcher Benjamin Kunz Mejri of Vulnerability Laboratory, who went public with two advisories (here and here). El Reg has put in a request for comment on the flaws to BMW but is yet to hear back from the German carmaker. We’ll update this story as and when we hear more.

Kunz Mejri explained: “The VIN ID is connected to the configuration of the cars. After the first login you have to add a valid VIN to access the configuration. The manipulation allows an attacker to bypass the validation approval of the VIN and to access your configuration. At the end an attacker is able to fully (unauthorised) access the configuration of another BMW car user.”

The cross-site scripting flaw also needs addressing, according to Kunz Mejri. “The XSS is at the location of the secure token that is approved for each login requested,” he explained. “An attacker can send a valid token with this payload to exploit the BMW portal account users.” The bug has been estimated to be of medium severity.

The security issues with BMW’s connected car technology follow earlier issues with its kit, and come just weeks after security shortcomings in the Mitsubishi Outlander were exposed by security researchers at Pen Test Partners. Independent security experts argue that a re-think in vehicle security architectures is overdue.

Simon Moffatt, EMEA director of advanced customer engineering at identity and access management firm ForgeRock, commented: “The BMW zero-day vulnerability that allows VIN session hijacking is yet another example of why an identity-centric approach to connected device management is essential in reducing risk and enhancing user experience. As more and more objects join the Internet of Things, high-end items such as connected cars will become increasingly attractive targets for hackers.

“Whilst manufacturers focus on end user experience and device connectivity, there needs to be a more joined-up approach to security, including a strong focus on device, service and user identity management,” he added.