Friday Cyber Security News 02 August 2019 – Department of Defense Buys IoT Tech from Chinese Companies With Government Ties – FTC Warns of Equifax Scam Sites – DHS Cautions Aircraft Owners about IoT Airplanes
US DOD Warned About Risks of Buying Chinese Technology
The United States Inspector General issued a report detailing the findings of an audit of US Department of Defense (DoD) purchases. The audit found that DoD continues to purchase commercially available off-the-shelf (COTS) electronics that are considered cyber security risks. The questionable purchases are attributed to items that cost under $10,000 each and are bought from fixed price and delivery schedules on Government Procurement Cards. The report questions why DoD has not banned the purchase of products associated with cyber security risks.
In the audit, the U.S. Inspector General discovered that “70 to 80% percent of the components that comprise DOD systems are COTS items.” The audit also found $33 million in Procurement Card purchases of equipment considered vulnerable to cyber attacks or from companies with connections to the Chinese government like Lenovo, Lexmark, GoPro, Hikvision, and Dahua.
Chinese surveillance equipment from Hikvision and Dahua was purchased until it was banned in August 2018, even though the Department of State had issued a warning about cyber security vulnerabilities in May 2017.
The Inspector General report calls out that DoD purchased thousands of Lexmark printers in 2018 for Army and Air Force networks. “Lexmark is a company with connections to the Chinese military, nuclear, and cyber espionage programs,” the report said. Internet of Things devices can be used for cyberespionage or to execute malicious code on defense IT networks.
FTC Warns Consumers of Equifax Scams
The US Federal Trade Commission (FTC) tweeted a warning to consumers to beware of fake Equifax settlement claim websites. Last week the FTC announced that Equifax had reached a settlement to help pay damages from their massive 2017 data breach.
Beware of fake websites claiming to be the Equifax settlement claims website. To be sure you are going to the legitimate site, you can access it from the @ftc’s Equifax page: https://t.co/6Dz4lQYEf2 pic.twitter.com/1qDV3xyYSn
— FTC (@FTC) July 29, 2019
Equifax was sued by all 50 US states and the FTC after 174 million consumers’ data was hacked when the company left servers unpatched and vulnerable to hackers. The settlement will pay consumers who file a claim anywhere from $125 to $20,000 depending on how much time is spent on resolving identity theft claims or damages suffered from the data breach. Not long after the settlement was announced by the FTC, spoof websites popped up on the Internet trying to scam US consumers. Websites set up by scammers and hackers are out to steal personal information from people who’ve already been financially harmed by the Equifax data breach.
To be sure that you file a claim on the correct website, visit the official FTC website to learn about how to file a claim and what documents you will need. Also on the FTC website is a link to the official Equifax settlement website. Make sure that you are on the correct website to file an Equifax settlement claim and not a scammer website. If you have any doubts, call the number listed by the FTC.
DHS Warns About Airplane Security Flaws
The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about cyber security concerns regarding CAN bus networks used with small airplanes. The CISA alert is based on a report by cyber security research firm Rapid7. CAN bus, a hardware-plus-software protocol, is at the heart of connected car security.
The report warns that CAN bus networks are vulnerable to hackers. These are the same connections used in internet connected automobiles. To exploit a CAN bus connection, a hacker must have physical access to the aircraft.
Access to the connection would allow a hacker to inject malicious code into the plane’s avionics and cause false readings on instruments. Engine telemetry readings, compass headings, attitude data, altitude, airspeed, vertical airspeed, and angle of attack could all be hacked to send false readings to the pilot.
To mitigate cyber attacks on small airplanes, aircraft owners should lock equipment doors and restrict access to their planes. Manufacturers need to address CAN bus safety issues for connected planes.