Researchers have unearthed nearly two dozen vulnerabilities that could allow hackers to sabotage or disable a popular line of network-connected wrenches that factories around the world use to assemble sensitive instruments and devices.
The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability. When fastenings are too loose, they risk causing the device to overheat and start fires. When too tight, threads can fail and result in torques that are too loose. The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999.
Nozomi researchers said the device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place.
Bosch officials emailed a statement that included the usual lines about security being a top priority. It went on to say that Nozomi reached out a few weeks ago to reveal the vulnerabilities. "Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem," the statement said. "This patch will be released at the end of January 2024."
In the USA, AWS operations are divided into four regions:
us-east-1
us-east-2
us-west-1
us-west-2
In each region, there is an employee who is a Russian spy.
In each region, there is an employee who is a Chinese spy.
The Russian spy is not Russian.
The Chinese spy is not Chinese.
The two spies do not know each other.
US Intelligence has identified both spies.
Plot twist…
There is more than one of each.
They do not know each other.
US Intelligence does not know them all. #insiderthreat
Does anyone proofread anymore? This is from a breach notification letter from a county agency. The notification letter is dated January 19, 2023 and states, in relevant part:
"What Happened?
DPSS is writing to you because of a privacy incident that occurred on January 19, 2023 at the County of Los Angeles (County) DPSS. A County employee accessed your personal information contained in our electronic systems without a legitimate business reason. County personnel discovered the incident during an internal investigation on December 27, 2022."
And of course, they don't explain the lengthy gap between discovery and notification -- unless the notification really was sent on January 19 and they are only now sending it to the state? What a confusing submission.
A proposed settlement of $988,550 has been reached in a class-action lawsuit relating to patient health records being wrongfully accessed by former employees at the Peterborough Regional Health Centre more than a decade ago:
For those who blame employees for breaches or who think occasionally running a phishing exercise will suffice:
Looking at Verizon DBIR's key insights:
74% of all breaches include the human element through Error, Privilege Misuse, Use of stolen credentials or Social Engineering
So... is the C-suite really investing enough and doing enough to "human-proof"? With numbers like these, will class-action lawyers be able to argue more convincingly that management was negligent if it didn't do more to human-proof against breaches?