
Nissan infosec in the spotlight again after breach affecting more than 50K US employees

Tan KW
Publish date: Mon, 20 May 2024, 11:15 AM

Infosec in brief Nissan has admitted to another data loss - this time involving the theft of personal information belonging to more than 50,000 Nissan employees.

According to the carmaker's disclosure [PDF], filed with the US state of Maine, Nissan was breached back in November 2023 through "a targeted cyber attack" - as the incident is described in a sample letter to be sent to victims, which was included with the breach notification.

According to the disclosure, 53,038 stateside Nissan employees - presumably past and present, since it has a current staff count of around 21,000 - had their social security numbers stolen after "a criminal threat actor" compromised Nissan's external VPN, shut down "certain" Nissan systems and demanded a payment.

According to Nissan, the auto manufacturer initially believed only business information had been stolen. By late February it realized otherwise, and let some employees know that it looked like their SSNs were part of the data accessed by baddies.

Nissan claimed it has no indication that the employee data was among the criminal's targets, nor that it has been misused (yet).

"Since the attack, NNA has taken several steps to strengthen its security environment, including an enterprise-wide password reset, implementation of Carbon Black monitoring on all compatible systems, vulnerability scans, and other actions to address unauthorized access," the biz told the state of Maine.

Nissan also disclosed in March that systems at its Oceania division had been hit by the Akira ransomware gang, which made off with personal information belonging to more than 100,000 customers.

The Akira attack on Nissan Oceania reportedly occurred in December 2023. It's not clear if there's any connection between the Oceania and North American breaches. We've asked Nissan for more details.

Don't make these privacy mistakes with connected car tech in the US

The United States Federal Trade Commission (FTC) wants automakers to know that it's keeping its eyes peeled for signs of privacy violations around the use of connected car technology. Such tech, the FTC noted, could be used to stalk people, affect insurance rates and otherwise harm consumers or endanger national security.

"Connected cars have been on the FTC's radar for years," the FTC revealed in a notice it published last week. "Car manufacturers - and all businesses - should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data."

The FTC pointed to recent decisions against X-Mode, Rite Aid, and Cerebral, as signs that it's not messing around.

"Firms do not have the free license to monetize people's information beyond purposes needed to provide their requested product or service, and firms shouldn't let business model incentives outweigh the need for meaningful privacy safeguards," the FTC warned.

The Commission urged automakers to build products that include safeguards to protect consumer data. Just a friendly reminder, lest an investigation should come your way.

Cisco Talos manages to fuzz its way into the depths of macOS

Apple can be a tricky customer on the security front, as Cisco has been finding out the fun way.

"Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open source, targeting anything on macOS presents a few difficulties," Cisco Talos's Aleksandar Nikolic wrote in a blog post.

Fuzzing can also provide valuable insight into system vulnerabilities, and for security researchers and penetration testers like the folks at Talos, not being able to do that on macOS is a serious hurdle. Like any good team of hackers, they found a way around it: Snapshots.

"Using a snapshot-based approach enables us to target closed source code without custom harnesses precisely," Nikolic wrote.

Talos built a snapshot fuzzing environment that takes snapshots of macOS executing a program at a given point, records all the processes running on a system, and runs a loop to a predetermined point.

Insert fuzzing test case, run, repeat.

The new kit "enables us to perform precisely targeted fuzz testing of otherwise hard-to-pinpoint chunks of macOS kernel," Nikolic wrote. Even better: all the fuzzing can be performed on a commodity CPU, so feel free to toss those snapshots into a server to run at scale.

The full project is available for other security researchers to test out now. ®


https://www.theregister.com//2024/05/20/in_brief_security/
