Tesla exploits, a hacker obituary and a look past Capitol Hill’s TikTok fixation

The west side of the U.S. Capitol. Wikimedia Commons

Welcome to Changelog for 3/26/23, published by Synack! It’s me, Blake, and I can’t believe RSA is less than a month away. There’s still plenty to cover until then, so we’ll get right to it:

 

The payload

It was a busy week for cyber news on Capitol Hill, between a hearing on the Cybersecurity and Infrastructure Security Agency’s operational roadmap to closely watched testimony from TikTok CEO Shou Zi Chew, who was raked over the coals for five hours over privacy and security concerns tied to the company’s Chinese ownership.

But putting aside lawmakers’ TikTok bluster, I was most struck by testimony Thursday before the Senate Energy and Natural Resources Committee, which held its own hearing on cyber vulnerabilities in U.S. energy infrastructure.

Stephen Swick, Chief Security Officer of Ohio-based electric utility American Electric Power, warned lawmakers of the “increasingly dynamic” threat landscape facing large energy providers today. “Offensive cyber operations tools and services are now widely accessible to bad-actors of all types — from low-level criminals to nation-states,” he said.

AEP would know: It’s one of the biggest investor-owner utilities in the country. As Swick pointed out in his prepared testimony, the company oversees some 40,000 miles of electric transmission lines, more than any other U.S. power provider.

That puts a big target on its back. And if nation-state attackers are chasing energy industry targets alphabetically, AEP is unfortunately near the top of the list, as a senior executive there quipped when I visited the company’s security operations center several years ago.

Despite its early alphabetical position, AEP has managed to stay out of the headlines when it comes to cybersecurity breaches. That’s perhaps why Swick felt comfortable sharing his candid perspectives on Capitol Hill. It’s also a testament to his 25 years at the helm of the company’s cyber operations.

Still, even if AEP holds its own against malicious hackers, it can still fall prey to supply chain attacks or disruptive cyberattacks on other utilities that spill into its sprawling territory.

“Regardless of what we do to protect our own systems, we each are as strong as our weakest interconnected peer,” Swick said, encouraging lawmakers to develop a “unified, risk-based approach from coast to coast” to lift all boats in the electric sector and avoid a mishmash of state-level cybersecurity requirements.

Forget TikTok: Threats to U.S. energy infrastructure pose a much more urgent national security challenge.

The week, compiled

The cybersecurity community lost a venerated hacker far too soon last week. Kelly “Aloria” Lum passed away at the age of 41, the SummerCon cybersecurity conference announced on Monday.

Aloria was a prolific contributor to the New York City security scene throughout the 2010s and was an early advocate of routing all traffic through HTTPS, even at large organizations like Tumblr, where she previously worked.

 1_P9QkkyggMo12ZBHyLOCHDg
Kelly “Aloria Lum. Credit: SummerCon

She was also a “formidable karaoker,” as TechCrunch reported in an obituary that also credited Aloria’s trailblazing openness about mental health.

Her death was met by an outpouring of grief and tributes from a wide range of cybersecurity professionals.

Luta Security CEO Katie Moussouris, who knew Aloria for over a decade, told TechCrunch that Aloria “was so giving not just with her time, but her spirit. Anything she could share that would help a person she would, and she did.”

Rest in peace, Aloria.

PCMag: Federal authorities may have obtained a backend database that amounts to a treasure trove of evidence (including IP addresses) of users of the BreachForums cybercriminal site. The news comes a week after FBI agents arrested the alleged leader of the site’s operations, 20-year-old New York resident Conor Fitzpatrick.

Ars Technica: Critical bugs in image-cropping tools keep, well, cropping up. Certain vulnerable Windows and Android applications allow cropped-out content to be recovered from images users thought they had snipped down to size. Workarounds are already available, but still: Take care with your crops, folks.

SecurityWeek: Researchers competing in the high-stakes Pwn2Own contest in Vancouver, Canada, last week uncovered two ways to “fully compromise” a new Tesla Model 3, scoring a six-figure cash prize (along with winning the hakced car in question).

 1_oR5qVzrhLARvGxKVz4kdgw
Researchers at French offensive security company Synacktiv demonstrated two successful exploit chains for a Tesla Model 3. Zero Day Initiative/@thezdi via Twitter


A message from Synack

Heading to RSA this year? Swing by Fogo de Chão to join Synack’s “Journey by the Bay” experience just 98 steps away from the Moscone Center. We have a jam-packed week lined up, from an exclusive whiskey and dry-aged steak tasting to an executive panel discussion on women in the boardroom. Check out the full roster of events and parties here.

Flash memory

Eight years ago, researchers at Ben Gurion University discovered a fanciful way to inject code into supposedly “air-gapped” systems.

Mordechai Guri’s research took advantage of the fact that computers generate varying degrees of heat while processing. The “BitWhisper” attack concept leverages these fluctuations to open lines of communication between two nearby machines.

Kim Zetter had the juicy details for Wired, but I’d be very surprised if anyone leveraged this attack path in the wild over the past eight years. Still, the research into thermal sensors underscored what has since become a cyber truism: Air gapped networks’ supposed separation from the internet does not make them inherently secure.

Local files

The New York Times: A Meta employee who is a U.S.-Greek national was allegedly targeted by powerful spyware and saw her phone wiretapped by intelligence agents while she was living in Greece from 2020 to 2022. “In my case, I do not know why I was targeted, but I cannot see any reasonable national security concerns behind it,” said Artemis Seaford, who worked on Meta’s security and trust team while in Greece.

SC Media: Oakland city officials are disputing claims that their networks were hit with LockBit ransomware weeks after an all-too-real Play ransomware attack caused IT outages at local agencies.

Off-script

Aurora pillars spread as far south as Virginia on Thursday evening as an incredibly rare solar storm painted the sky, as The Washington Post reported.

The Northern Lights aren’t known to dip down into the Shenandoah Valley 75 miles southwest of my home in Washington, D.C., and I’m jealous of the locals and visitors who got to soak in the otherworldly slashes of color.

Photographer Peter Forister was there to capture the magic. Behold, solar particles and energy exciting molecules in Earth’s upper atmosphere:

 1_HtXs_YaA2EemsuB5_C9EBQ
Peter Forister/@Forecaster25 via Twitter

That’s all for now — please send any feedback and RSA-related pitches to bsobczak@synack.com. Until next week!