Gone in 120 seconds: Tesla Model 3 child's play for hackers
Plus OIG finds Uncle Sam fibbed over Login.gov
In brief A team of hackers from French security shop Synacktiv have won $100,000 and a Tesla Model 3 after subverting the Muskmobile's entertainment system, and from there opening up the car's core management systems.
The prize was awarded at the annual Pwn2Own competition in Vancouver and it wasn't Synacktiv's only win. The team walked away from the competition with over half a million dollars in prize money after a series of cracks found not only in Tesla's armor but in that of established players too.
Ubuntu took a hammering, with three different teams finding critical flaws in the open source operating system. Windows 11 was also shown to have serious flaws, and VMware Workstation was successfully cracked too. Expect updates soon.
In all, over a million dollars was dished out to competitors, and software companies will now get fixes that could save much more than that if these issues got into the wrong hands. It's a win-win for the industry - proper hackers get a payday and the flaws aren't sold on to others.
"Contestants disclosed 27 unique zero days and won a combined $1,035,000 (and a car)!" said Dustin Childs, Head of Threat Awareness, Zero Day Initiative at Trend Micro.
"Congratulations to the Masters of Pwn, Synacktiv (@Synacktiv), for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3."
Twitter's source code leaked online
The troubled Twitter has taken action after chunks of its source code were leaked online, despite its current owner promising to make the code open source at the end of this month.
Twitter will open source all code used to recommend tweets on March 31st
— Elon Musk (@elonmusk) March 17, 2023
The code was posted on GitHub and was taken down after being spotted, but appears to have been live for some months. Twitter is also asking GitHub to identify who posted the code and anyone who downloaded it, according to a filing in the US District Court for the Northern District of California.
This isn't going to help Twitter's value, which Musk admitted on Friday was around $20 billion, less than half what he had paid for the social network. However, he said the company could be worth $250 billion one day - although given Musk's loose deadlines that could take some time.
Login.gov accused of biometric balderdash
In the US, the Office of Inspector General (OIG) of the General Services Administration (GSA) issued a redacted report [PDF] earlier this month finding that GSA had misled its customer agencies by telling them that Login.gov complied with NIST standards.
Per NIST SP 800-63A (the identity proofing volume of the SP 800-63-3 suite), Identity Assurance Level 2 (IAL2) calls for "strong" identity verification: physical comparison to a photograph, or biometric comparison against the strongest piece of evidence presented (e.g. a face image or selfie, iris, or fingerprint). When proofing is done remotely, and physical comparison is therefore not an option, IAL2 requires the biometric comparison.
According to the OIG report, "18 of Login.gov's 22 interagency agreements executed from September 18, 2018 to July 7, 2021 stated that they included IAL2 services that met and/or were consistent with the IAL2 requirements." But Login.gov never actually supported the requirements.
The report says IAL2 non-compliance was a matter of discussion as early as 2019.
That discussion ended, according to the OIG report, when Vladlen "Dave" Zvenyach, former director of GSA's Technology Transformation Services (TTS), the group overseeing the development of the authentication service, determined that facial recognition via submitted selfies was discriminatory.
The agency's position states that facial recognition will not be implemented until it "can be implemented equitably and without causing disproportionate harm to vulnerable populations."
That plan, the OIG report says, "omitted any mention of the duration and nature of Login.gov's noncompliance with NIST's IAL2 requirements." It concluded "GSA knowingly billed customer agencies over $10 million for services, including alleged IAL2 services that did not meet IAL2 standards." ®