Author's Posts

Hello All. US President-Elect Joe Biden has confirmed that cybersecurity is a priority for the incoming administration with the addition of Anne Neuberger, the NSA's Director of Cybersecurity, as the new White House Cybersecurity Coordinator and a member of the National Security Council (NSC).

Given the recent SolarWinds breach and the steady increase in foreign cyberattacks from nation states such as Russia and China, I think Biden, or at least his advisors, understand that this is an important seat at the NSC table. For those of you who may not remember, it was in 2018 when then National Security Advisor John Bolton eliminated the role, which had been filled by Rob Joyce, formerly of the NSA's Tailored Access Operations unit. Bolton said the post was no longer considered necessary because lower-level officials had already made cybersecurity issues a "core function" of the president's national security team. Most of us in the industry were baffled by this move.

I know the importance of the role well enough, having heard numerous stories from my good friend, the late Howard Schmidt, who served as the inaugural White House cybersecurity coordinator for President George W. Bush and returned to the role under President Barack Obama. He mentioned how critical the role was in advising the President via the NSC.

The new appointee, Anne Neuberger, who joined the NSA more than a decade ago and has served as the agency's director of cybersecurity since 2019, will be named deputy national security adviser for cybersecurity on the incoming NSC. She will be responsible for coordinating the federal government's cybersecurity efforts and will most probably focus on responding to the 2020 attack campaign by Russian hackers. She is a perfect candidate for the role: as the NSA's first director of cybersecurity, she was responsible for managing the sharing of intelligence about threats to the country's critical infrastructure between the NSA, other government agencies and the private sector.


Hello All. Again we see that basic cybersecurity hygiene, such as changing default passwords, has slipped the mind of another well-respected company. It seems that Nissan North America, yes, the same Nissan that manufactures the cars and SUVs we know such as the Maxima and the Pathfinder, has leaked source code online from a misconfigured Git server.

The leak included 20GB of source code for the following applications:

  • Nissan NA Mobile apps
  • Components of the Nissan ASIST diagnostics tool
  • Dealer Business Systems / Dealer Portal
  • Nissan internal core mobile library
  • Nissan/Infiniti NCAR/ICAR services
  • Client acquisition and retention tools
  • Sales / market research tools and data
  • Nissan vehicle logistics portal
  • Vehicle connected services / Nissan connect things

The leak originated from a Git server that was left exposed on the internet with its default username and password combination of admin/admin.

Contents of the Torrent file “nissan-na-gitdump-EXCONFIDENTIAL”:

A post on a hacker forum explaining what happened:

Nissan was quoted following the breach as saying, "Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk."

This only proves that simple cybersecurity hygiene can be the difference between retaining your intellectual property and losing it to thieves. In the case of Nissan, even if they fix the problem and investigate further, the damage is already done, with the source code up on torrent sites.


Hello All. The US Army is once again running its public bug bounty. Hack the Army 3.0 is the Defense Digital Service's (DDS) eleventh bug bounty program run in conjunction with HackerOne and the third with the US Army. Previous programs include Hack the Pentagon, Hack the Defense Travel System and Hack the Air Force.

The goal of this bug bounty is for cybersecurity researchers to identify and disclose security vulnerabilities in US Army networks and systems so they can be remediated before they are discovered and exploited by malicious actors such as nation states. Civilian hackers who discover valid security bugs could receive a bounty in the form of a financial reward. As a comparison, the Hack the Air Force bug bounty run in 2018 uncovered 120 vulnerabilities and paid out $130,000 to participants.

“Bug bounty programs are a unique and effective force multiplier for safeguarding critical Army networks, systems and data, and build on the efforts of our Army and DoD security professionals,” said Brigadier General Adam C. Volant, U.S. Army Cyber Command Director of Operations.

For further information visit: http://bit.ly/38rkU5G

If you would like to participate, please visit: https://www.hackerone.com/dds-apply
