Automakers warm up to friendly hackers at cybersecurity conference

Attendees of the cybersecurity event test their skills at the conference’s car hacking village in Las Vegas. (Reuters)
Updated 13 August 2019

LAS VEGAS: At a conference where hackers can try their hand at picking locks and discover cyber vulnerabilities in a makeshift hospital, they can also endeavor to break into the control units of cars and take over driving functions.
Those efforts at the DEF CON security convention in Las Vegas are sponsored by carmakers and suppliers that have increasingly recognized the need to collaborate with so-called white hat hackers — cyber experts who specialize in discovering vulnerabilities to help organizations.
Attendees who visited the car hacking site had to escape a vehicle by deciphering the code to open its trunk, control its radio volume and speed, and lock the doors through their computers.
“A big part of it is redefining the term ‘hacker’ away from that of a criminal to make automakers understand that we’re here to make their systems more secure,” said Sam Houston, senior community manager at Bugcrowd, which recruits researchers for so-called bug bounty programs at Tesla Inc, Fiat Chrysler Automobiles NV and other automakers.
Volkswagen AG, Fiat Chrysler and suppliers Aptiv PLC and NXP Semiconductors NV were among the sponsors of this year’s car hacking village — as some have done at previous DEF CON conventions.
Las Vegas once a year becomes the gathering place for tens of thousands of cybersecurity enthusiasts who attend DEF CON and the preceding corporate Black Hat conference.
With attendees weaving their way past revelers at blackjack tables and beauty salons promising non-surgical face lifts, DEF CON expects at least 25,000 attendees by the end of the weekend.
At DEF CON, the largely male participants are not registered by name to protect their privacy and attendees need to pay in cash to receive a blinking badge featuring an exposed circuit board that allows them to complete tasks.

The conference provides a rare opportunity for enthusiasts to learn about car hacking.
“Automotive provides a great challenge because the systems are distinct from other security areas,” said Craig Smith, a security researcher who, together with Robert Leale, founded the car hacking village in 2015.
Leale and Smith said they witnessed a steady annual growth in participants.
More connections and technological features in modern vehicles also increasingly attract security professionals from other research areas, said Aaron Cornelius, senior researcher at cybersecurity company Grimm. Cornelius was supervising a station where participants could try to hack into the control units of a 2012 Ford Focus.
Assaf Harel, chief scientist of Karamba Security, a company that provides automotive security technology and works with car manufacturers and suppliers including Denso and Alpine Electronics, said the hacking community has opened the auto industry’s eyes.
“Carmakers have been discovering new issues with their traditional architectures thanks to white hat hackers, which highlighted security needs for carmakers and suppliers alike,” said Harel. 
He operated a station where hackers could try to modify a model traffic light.


Facebook still auto-generating Daesh, Al-Qaeda pages

Updated 19 September 2019

  • Facebook has been working to limit the spread of extremist material on its service, so far with mixed success
  • But as the report shows, plenty of material gets through the cracks — and gets auto-generated

WASHINGTON: In the face of criticism that Facebook is not doing enough to combat extremist messaging, the company likes to say that its automated systems remove the vast majority of prohibited content glorifying the Daesh group and Al-Qaeda before it’s reported.
But a whistleblower’s complaint shows that Facebook itself has inadvertently provided the two extremist groups with a networking and recruitment tool by producing dozens of pages in their names.
The social networking company appears to have made little progress on the issue in the four months since The Associated Press detailed how pages that Facebook auto-generates for businesses are aiding Middle East extremists and white supremacists in the United States.
On Wednesday, US senators on the Committee on Commerce, Science, and Transportation questioned representatives from social media companies, including Monika Bickert, who heads Facebook’s efforts to stem extremist messaging. Bickert did not address Facebook’s auto-generation during the hearing, but faced some skepticism that the company’s efforts were effectively countering extremists.
The new details come from an update of a complaint to the Securities and Exchange Commission that the National Whistleblower Center plans to file this week. The filing obtained by the AP identifies almost 200 auto-generated pages — some for businesses, others for schools or other categories — that directly reference the Daesh group and dozens more representing Al-Qaeda and other known groups. One page listed as a “political ideology” is titled “I love Islamic state.” It features an IS logo inside the outlines of Facebook’s famous thumbs-up icon.
In response to a request for comment, a Facebook spokesperson told the AP: “Our priority is detecting and removing content posted by people that violates our policy against dangerous individuals and organizations to stay ahead of bad actors. Auto-generated pages are not like normal Facebook pages as people can’t comment or post on them and we remove any that violate our policies. While we cannot catch every one, we remain vigilant in this effort.”

Facebook has a number of functions that auto-generate pages from content posted by users. The updated complaint scrutinizes one function that is meant to help business networking. It scrapes employment information from users’ pages to create pages for businesses. In this case, it may be helping the extremist groups because it allows users to like the pages, potentially providing a list of sympathizers for recruiters.
The new filing also found that users’ pages promoting extremist groups remain easy to find with simple searches using their names. They uncovered one page for “Mohammed Atta” with an iconic photo of one of the Al-Qaeda adherents, who was a hijacker in the Sept. 11 attacks. The page lists the user’s work as “Al Qaidah” and education as “University Master Bin Laden” and “School Terrorist Afghanistan.”
Facebook has been working to limit the spread of extremist material on its service, so far with mixed success. In March, it expanded its definition of prohibited content to include US white nationalist and white separatist material as well as that from international extremist groups. It says it has banned 200 white supremacist organizations and 26 million pieces of content related to global extremist groups like IS and Al-Qaeda.
It also expanded its definition of terrorism to include not just acts of violence intended to achieve a political or ideological aim, but also attempts at violence, especially when aimed at civilians with the intent to coerce and intimidate. It’s unclear, though, how well enforcement works if the company is still having trouble ridding its platform of well-known extremist organizations’ supporters.
But as the report shows, plenty of material gets through the cracks — and gets auto-generated.
The AP story in May highlighted the auto-generation problem, but the new content identified in the report suggests that Facebook has not solved it.
The report also says that researchers found that many of the pages referenced in the AP report were removed more than six weeks later on June 25, the day before Bickert was questioned for another congressional hearing.
The issue was flagged in the initial SEC complaint filed by the center’s executive director, John Kostyack, which alleges the social media company has exaggerated its success combatting extremist messaging.
“Facebook would like us to believe that its magical algorithms are somehow scrubbing its website of extremist content,” Kostyack said. “Yet those very same algorithms are auto-generating pages with titles like ‘I Love Islamic State,’ which are ideal for terrorists to use for networking and recruiting.”