Plaintext: Connected Cars, National Security Risks
Welcome to Dark Reading in Plaintext, brought to your inbox this week by Wing Security. In this issue of Plaintext, we look at the recent multinational meeting at the White House to address national security risks associated with connected vehicles. We also look at the unsettling news about North Korean threat actors getting jobs as IT workers in companies. If you enjoy Plaintext, please share with friends and colleagues!
Connected Cars Maneuvering a Twisty Road to Security
Officials from Australia, Canada, Germany, India, Japan, South Korea, Spain, the United Kingdom, and other countries met with officials from the White House and State Department last week to discuss data and cybersecurity risks associated with connected vehicles. While it is not known whether any specific automakers attended this multinational meeting, what's interesting is the acknowledgement on the government level that connected vehicles are "emerging as a key node in critical infrastructure." These vehicles connect with other vehicles, personal devices, telecommunications networks, the electric grid, and other infrastructure, the State Department said in a release.
“The United States and like-minded nations will explore options for advancing affirmative cybersecurity standards and coordinating other possible policy measures to mitigate risks.” —Department of State press release.
Deloitte defines software-defined vehicles (SDVs) as "the gradual transformation of automobiles from highly electromechanical terminals to intelligent, expandable mobile electronic terminals that can be continuously upgraded." That jibes with a White House directive which referred to connected cars as "smartphones on wheels" and warned of attacks that could remotely access or disable the vehicles. In response, the Department of Commerce announced in March that its Bureau of Industry and Security will propose new rules regarding connected cars and car parts manufactured abroad.
Vehicles have been connected for decades, whether as part of an in-vehicle maintenance system or driver assistance. Software-defined vehicles go even further, with capabilities such as remote start via a smartphone app — essentially turning cars into Internet-of-things (IoT) devices. Sens. Ron Wyden and Edward Markey have urged the US Federal Trade Commission to hold automakers accountable for how they share driver data.
Dark Reading in Plaintext is brought to you by Wing Security
Free SaaS Security Monitoring From Wing Security
Uncover your SaaS security risks for free with Wing Security. Uncover app usage, users and permissions in minutes. Do you have the next security incident lurking in your SaaS usage?
Wait, Who Did We Hire?
There have been stories about "imposter interviews" where the person who interviewed for a job and received the offer is not the same person who showed up to work. The popular Ask a Manager site had such a story two years ago about a person joining the IT team who clearly was not the person who had interviewed for the job. That is already wacky and sounds like something that belongs only in movies (remember Good Will Hunting?) — but here is an even more confounding, and more damaging, scenario: employees who are receiving instructions from a nation-state attack group.
"By directing its IT workers to gain employment at Western companies, North Korea has weaponized its tech talent and created the ultimate insider threat," said Michael Barnhart, Mandiant principal analyst at Google Cloud. "These operatives bypass sanctions by diverting their paychecks to help fund North Korea’s nuclear program. Simultaneously, they’re providing a foothold into major organizations for North Korea’s more advanced threat groups."
In just the last few months, the Department of Justice announced the arrest of an individual suspected of using a "laptop farm" to deceive companies into hiring IT workers who were actually North Korean actors, and a separate case where multiple individuals tricked over 300 US companies this way. North Korea has dispatched "thousands of IT workers to live abroad" and get jobs at companies in order to "generate revenue for its WMD [weapons of mass destruction] programs," the DoJ said. A few weeks ago, security firm KnowBe4 disclosed how a recently hired software engineer for its internal AI team turned out to be a North Korean threat actor, who immediately began loading malware onto his company-issued workstation.
What We Are Reading
[Wing Security] Is the use of AI in SaaS a security risk to your company?
Microsoft on CISOs: Thriving Community == Stronger Security
Could Intel Have Acted to Fix Spectre & Meltdown Earlier?
SaaS Apps Present an Abbreviated Kill Chain for Attackers
Monitoring Changes in KEV List Can Guide Security Teams
Check out Dark Reading's Black Hat coverage
What We Heard On-Air
The Dark Reading team had some interesting conversations while at Dark Reading News Desk during Black Hat in Las Vegas.
"What have been the innovations over the last 50 years that have done the most to shift that advantage to the defense?" — Jason Healey on "Is Defense Winning?"
From Our Library
Check out some of the latest reports from our Dark Reading Library.
[Wing Security] Third-party risk management for SaaS from Wing Security
Tech Insight: Managing Third-Party Risk Through Situational Awareness
Dark Reading Research: State of Enterprise Cloud Security
Tech Insight: Threat Hunting's Evolution: From On-Premises to Cloud
Dark Reading Research: How Enterprises Secure their Applications
On That Note
We came across a post by Andrew Brandt talking about the "Elect More Hackers" project. The thing that jumped out was this line: "With so many technology issues that we face as a society, it would certainly help (a lot!) to have many more knowledgeable people helping craft 21st century law, policy, or regulations, whether that's at a city, county, school board, state government, or federal government level." If that line resonates with you, check out what Andrew has to say.
Andrew Brandt (Principal Researcher at Sophos | Executive Director, Elect More Hackers | On Mastodon: @[email protected]), 2 months ago:
Thanks, Dark Reading editors! Judging by the response I received at Defcon, this is of interest to a lot of people. Look for more updates soon!

Commenter (award-winning technologist; researcher of risk, technology, health and social care, gender, ethics, and public policy; author; carer; medical cannabis advocate), 3 months ago:
Some great early work on malware issues in connected cars came from the guys who wrote this 2013 IEEE paper: https://ieeexplore.ieee.org/document/6583402

Same commenter, 3 months ago:
Just for reference and historical context: https://www.welivesecurity.com/2016/07/20/jackware-connected-cars-meet-ransomware/

Commenter (helping mid-sized organizations increase sales and improve customer service since 1993 | #LinkedInLocal), 3 months ago:
From nearly a year ago: "Privacy Nightmare on Wheels": Every Car Brand Reviewed by Mozilla — Including Ford, Volkswagen and Toyota — Flunks Privacy Test | Mozilla's latest edition of *Privacy Not Included reveals how 25 major car brands collect and share deeply personal data, including sexual activity, facial expressions, and genetic and health information (Sept. 6, 2023) https://foundation.mozilla.org/en/blog/privacy-nightmare-on-wheels-every-car-brand-reviewed-by-mozilla-including-ford-volkswagen-and-toyota-flunks-privacy-test/

Same commenter, 3 months ago:
Connected cars have been hackable for 10 years! https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/