San Francisco police use driverless cars for surveillance
Plus: Tech giants commit $30m to open-source security, miscreants breach DEA portal, and US signs cybercrime treaty
In brief San Francisco police have been using driverless cars for surveillance to assist in law enforcement investigations.
According to an SFPD training document obtained by Motherboard [PDF]: "Autonomous vehicles are recording their surroundings continuously and have the potential to help with investigative leads."
It indicates that police officers will receive additional information about how to access this evidence, and added: "Investigations have already done this several times."
The document, obtained via a public records request, specifically names Alphabet's Waymo and General Motors' Cruise, both of which obtained permits in August 2021 to offer rides to passengers in their self-driving vehicles.
However, nine autonomous vehicle companies are testing driverless tech in California alone, according to the California Public Utilities Commission, which could spell more trouble for privacy advocates.
A Waymo spokesperson told the site that it doesn't collect data "to identify individuals" and that it "requires law enforcement agencies who seek information and data from Waymo to follow valid legal processes in making such requests (e.g. secure and present a valid warrant, etc). Our policy is to challenge, limit or reject requests that do not have a valid legal basis or are overly broad."
Cruise, for its part, told the publication: "We work closely with law enforcement on our common goal of making our roads safer. We share footage and other information when we are served with a valid warrant or subpoena, and we may voluntarily share information if public safety is at risk."
Big tech commits $30m+ for open-source security
A handful of tech giants have pledged more than $30 million to implement a plan to improve open-source and software supply chain security.
The multimillion-dollar pledge follows a meeting at the White House this week, led by the National Security Council, that brought together public and private-sector experts to discuss ways to improve the security of open-source software. This included execs from 37 private companies and government officials from the NSC, CISA, NIST, the Office of the National Cyber Director, the Department of Energy and the Office of Management and Budget.
This was the second such meeting since President Joe Biden issued an Executive Order on Improving the Nation's Cybersecurity.
Following the Thursday meeting, the Linux Foundation and its Open Source Software Security Foundation (OpenSSF) released a plan that outlines about $150 million of needed funding over two years to help solve 10 open-source security problems.
Five OpenSSF member organizations — Amazon, Ericsson, Google, Intel, Microsoft, and VMware — collectively pledged an initial $30 million-plus towards implementation of the plan with Amazon committing to $10 million of that.
"We believe this investment will help improve the security of open source software," wrote Mark Ryland, director of the Office of the CISO for AWS, in a blog. "In addition, we will continue and increase our existing commitments of direct engineering contributions to critical open source projects."
In addition to the funding, Google announced its "Open Source Maintenance Crew." This dedicated staff of Google engineers will work with upstream maintainers to improve the security of open-source projects.
Miscreants reportedly breach DEA portal
The US Drug Enforcement Administration (DEA) is reportedly investigating a breach that gave attackers unauthorized access to an agency portal that connects to 16 different federal law enforcement databases.
The breach, reported by infosec journalist Brian Krebs, is allegedly linked to a cybercrime group that impersonates cops and government officials to steal the personal data of their targets.
Krebs says he received a tip that the criminals had somehow obtained credentials for an authorized user of the Law Enforcement Inquiry and Alerts (LEIA) system, which is managed by the DEA.
LEIA "provides federated search capabilities for both EPIC and external database repositories," including data that's classified as "law enforcement sensitive" and "mission sensitive," according to the Justice Department.
Krebs says he shared the information he received about the stolen username and password with the DEA, the FBI, and the Justice Department.
The DEA issued this statement in response: "DEA takes cyber security and information of intrusions seriously and investigates all such reports to the fullest extent."
The agency did not respond to The Register's request for additional comment.
Where have all the printer vulns gone?
A critical sandbox breakout vulnerability that affected "hundreds of thousands" of Konica Minolta bizhub MFP printers could be exploited with physical access to give a miscreant full read and write access to the printer's OS.
Don't worry, it has since been patched. SEC Consult Vulnerability Lab identified the software nasty at the end of 2019, and Konica Minolta promptly fixed the bug in early 2020.
However, because of the sheer number of affected devices, along with the need to apply firmware updates manually, the process took a long time — and don't forget this was during the COVID-19 pandemic lockdowns, which prohibited service techies from going onsite to make the fixes.
But now that the printers appear to be in the clear, SEC Consult Vulnerability Lab has published an analysis of the vulnerabilities and patches along with an example of the attack — so we all can learn from not-to-distant history.
A technical security advisory has been published that lists affected models and fixed firmware versions.
- Europe proposes tackling child abuse by killing privacy, strong encryption
- Google says open source software should be more secure
- Big tech proud as punch about cameos in Joe Biden's security theatre
- UN mulls Russia's pitch for cybercrime treaty
The interesting thing about this exploit, according to the security researchers, is that it's not due to a vuln in the networking features and protocols exposed by the printer, its software and drivers, or web apps running on the printer.
Instead, it was due to flaws in the printer's terminal. SEC Consult identified three vulnerabilities:
- Sandbox escape on the physical printer touch screen terminal (CVE-2022-29586)
- Terminal UI/Chromium running as root (CVE-2022-29587)
- Passwords stored in clear text on the file system (CVE-2022-29588)
After opening certain applications and settings via the terminals, they noticed changes in the look and feel of the user interface. They then determined that this was due to context change, "meaning that the applications running are not solely based on the proprietary application only."
Some application parts were running an ordinary Chromium browser in kiosk mode, which the researchers noted can be escaped easily.
"This allows an attacker to get full access to the underlying printer's operating and file system, including configuration files, passwords in clear text, proprietary scripts and many more," they wrote. "Access to all those files was easily possible as chrome was running as root."
US signs cybercrime law enforcement treaty
The US government this week signed an international treaty that aims to help signatory nations fight cybercrime by sharing electronic evidence.
The so-called Second Additional Protocol to the Budapest Convention cybercrime treaty is designed to help law enforcement authorities obtain access to electronic evidence stored in different jurisdictions.
It does this via direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies.
The original Budapest Convention on Cybercrime agreement was put into effect by the Council of Europe in 2004. To date, it has 66 signatories and Russia is notably absent from the list.
However, the Kremlin has long been lobbying for a new treaty to replace the Budapest Convention, and in March a United Nations committee began hearings on a Russia-backed proposal. The alternate cybercrime treaty has been heavily criticized by the US, the European Union, and other Western countries. ®