Friday, March 22, 2024

Short Takes – 3-22-24

Exploiting remote access – the ultimate living off the land attack. blog post. Very concise description of how the need for remote access leads to living-off-the-land attacks in OT systems.

Apple Chip Flaw Lets Hackers Steal Encryption Keys. article. Pull quote: “The site includes an instruction to developers of cryptographic applications to include code in their program that causes the processor to implement data-independent timing, or DIT, that effectively disables the prefetcher when the computer is performing cryptographic functions for their application. It’s not clear how long this instruction has been on Apple’s developers site; there’s no date on the page, but it’s part of Apple’s core documentation for developers, so presumably it’s been there for years.”

Truck-to-truck worm could infect – and disrupt – entire US commercial fleet. article. Pull quote: “Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby.”

Commercial Vehicle Electronic Logging Device Security: Unmasking the Risk of Truck-to-Truck Cyber Worms. paper. Actual paper described above. Pull quote: “These findings highlight an urgent need to improve the security posture in ELD systems. Following some existing best practices and adhering to known requirements can greatly improve the security of these systems. The process of discovering the vulnerabilities and exploiting them is explained in detail. Product designers, programmers, engineers, and consumers should use this information to raise awareness of these vulnerabilities and encourage the development of safer devices that connect to vehicular networks.”

Four questions about the new effort to oust Mike Johnson, answered. article. Rep Greene (R,GA) introduced a vacate resolution. Pull quote: “There’s no guarantee of that [voting on the resolution when the House returns from Easter break]. Greene had the option to speed up consideration of her proposal, but instead chose a slow path that will loom over House Republicans as they head home for recess.”

