Security Central: Eight U.S. Banks Join Forces to Fight Cybercrime, Millions of Cars Susceptible to Remote Hacker Hijinks
The financial sector is one of the most targeted industries for cyber-attacks and breaches, ranking third in the lineup just behind the healthcare and manufacturing industries. This week, big banks decided that they’ve had enough. Eight of the U.S.’s largest banks are joining financial forces and are forming a group designed to tackle issues and security vulnerabilities concerning institutions of their size. According to the Wall Street Journal, the group consists of Goldman Sachs, Morgan Stanley, Bank of America, J.P. Morgan Chase, State Street, Bank of New York Mellon, Wells Fargo and Citigroup.
This new team of eight is a smaller division of a larger group that already exists, made up of 7,000 financial institutions that formed to share threat intelligence and security insights with each other. This is an extremely beneficial and vital practice, as it alerts the organizations involved to new threats, attack campaigns and holes in security they may not have otherwise known about. However, according to the Wall Street Journal article, the members of this new fellowship felt it necessary to separate themselves from the pack and form this smaller subset, stating that their sheer size paints bigger targets on their backs, therefore creating the need for their own category.
With banking cyber-attacks occurring on a near-daily basis, the team will be looking for new and more effective ways to combat and prevent these threats. The group’s primary objectives will be to share information with each other regarding threats, collaborate on and prepare responses for when attacks do occur, test defense strategies and conduct war games to address the issues facing the banking giants.
The banks involved in this smaller team of eight will still be mandated by the Cybersecurity Information Sharing Act, a federal law that streamlines the sharing of cyberthreat information between private companies and the government. The law has caused some unrest and is seen as a bit controversial in the banking sector. “In recent months, banks have griped that they are providing more information to the government than they are receiving from federal agencies,” states the WSJ. Hopefully, the two entities can come up with solutions that benefit everyone.
Shifting gears, if you will, we turn our attention to the auto industry and some bad news that surfaced in terms of car security this week. Drivers, buckle up.
This week at the Usenix security conference in Austin, TX, researchers from the University of Birmingham and the German engineering firm Kasper & Oswald revealed two key vulnerabilities that affect the remote keyless entry (RKE) systems for millions of vehicles worldwide. Specifically, using cloned remote keyless entry controls, hackers have the capability to wirelessly unlock nearly every Volkswagen vehicle sold in the last 20 years.
According to an article by Wired, the hackers use a cheap piece of radio hardware to pick up the signals from a victim’s key fob, then use those signals to clone the key. The attacks are carried out with scarily simple methods, performed with a software-defined radio connected to a laptop. “The cost of the hardware is small, and the design is trivial,” says University of Birmingham computer scientist Flavio Garcia. “You can really build something that functions exactly like the original remote.” The attacker does need to be within close proximity of the vehicle they’re targeting in order for it to work, but the process is still worryingly easy to do undetected.
According to Garcia, a fix for this problem won’t be simple. “These vehicles have a very slow software development cycle,” says Garcia. “They’re not able to respond very quickly with new designs.” Until that happens, Garcia and other researchers suggest that car owners with the vulnerable vehicles take measures such as not leaving valuables in their car that could entice thieves, and perhaps should even consider locking and opening their cars the old-school, mechanical way.
On a larger scale, the researchers and experts point to the lack of security scrutiny for vehicles today, urging automakers to turn a fresh eye on their systems. “It’s a bit worrying to see security techniques from the 1990s used in new vehicles,” says Garcia. “If we want to have secure, autonomous, interconnected vehicles, that has to change.” This is indeed a valid concern and call for change, as the possibilities for car hacking won’t be so limited for long.
To wrap up the week, Apple recently announced its first bug bounty program, which officially launches in September. Ivan Krstic, head of Apple security engineering and architecture, announced the program during his presentation at the Black Hat security conference in Las Vegas. Participation at this stage appears to be fairly exclusive, limited to a group of invite-only researchers. However, Apple plans to expand the program gradually, bringing in more researchers and experts over time.
According to a TechNewsWorld article, the bug bounty program “signifies how important it is to have community-based security versus an exclusive in-house security program,” said Chenxi Wang, chief strategy officer at Twistlock.
“To their credit [Apple] have done a great job in the quality and security of their software,” Wang told TechNewsWorld, “but even Apple can’t do it alone. They need the collective brain power of the hacking community to help.”
Apple will be offering handsome bounties for several items, such as vulnerabilities in boot firmware components.