Full Report
Do you know what data your car is collecting about you? Do you think it’s right for a car manufacturer to collect a subscription to keep your bottom warm? And just why has YouPorn sent an email to Graham about his sex video? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s Andrew Agnês. Plus don’t miss our featured interview with Gigamon’s Mark Jow.
Analysis Summary
# Main Topic
Discussion of contemporary cybersecurity issues covered in Smashing Security podcast #340: the data collected by connected cars and the privacy concerns it raises, manufacturers charging subscriptions to unlock features already built into the vehicle, and sextortion campaigns that lean on old breaches of adult-content platforms.
## Key Points
- **Automotive Data Collection:** Significant discussion about the extensive data collected by modern cars and the ethics of manufacturers charging subscriptions for pre-existing hardware features (e.g., heated seats).
- **Car Privacy Critique:** Reference is made to Mozilla Foundation's finding that cars are among the worst product categories reviewed for privacy.
- **Sextortion/Compromise:** Mention of a specific incident in which Graham received an email, apparently from YouPorn, about a sex video of him, tying into broader sextortion campaigns.
- **Historical Context:** Reference to a 2012 YouPorn incident in which data on roughly 1 million users was exposed without any attacker having to break in, illustrating how such leaks keep resurfacing in later extortion campaigns.
## Threat Actors
- **Car Manufacturers:** Named by the podcast as the parties collecting and monetising private vehicle data; not criminal actors, but the source of the privacy risk discussed.
- **Hackers/Extortionists:** Actors responsible for the YouPorn-related sextortion emails. (No specific attribution beyond generalized criminal activity is provided in the core description, but linked articles suggest historical compromise of YouPorn).
## TTPs
- **Data Harvesting:** Collection of sensitive data directly from vehicles.
- **Subscription-Gated Features:** Manufacturers charging recurring fees for functionality already present in the vehicle hardware (e.g., Tesla seat heaters). This is a commercial practice rather than a malware technique, but the podcast treats it alongside the data-collection concerns.
- **Sextortion:** Emails that threaten to expose the recipient's viewing of adult content, typically citing data from old breaches (here the YouPorn context) as supposed proof of access.
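A triage heuristic for the sextortion pattern described in the TTPs above, added here as an example. It is not code from the podcast or from this page, and everything in it is an assumption for illustration: the address and password regexes, the phrase list, the score threshold, and the two sample messages (including the Bitcoin address, which is shape-checked only and not a valid address, and the password `hunter2`). Such emails typically quote a credential from an old breach as proof, claim to hold webcam footage, and demand payment in Bitcoin by a deadline; the scorer looks for those three indicator classes together, and a second helper checks whether the quoted credential is one the recipient already retired, which shows the sender holds breach data rather than current access.

```python
"""Heuristic triage of sextortion e-mails (added example, not from the page).

Regexes, phrase list, threshold and sample messages are assumptions for
illustration. Bitcoin addresses are shape-checked only, not validated.
"""
import hashlib
import re

# Legacy Base58 (1.../3...) or bech32 (bc1...) address shapes; no checksum check.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b"
)
# "your password is hunter2" / "password: hunter2" style quoting of a leaked credential.
PASSWORD_CLAIM_RE = re.compile(
    r"(?i)\bpassword\b\s*(?:is|was|:)\s*['\"]?([^\s'\".,;]{6,})"
)
# Lower-case phrases typical of the threat and the payment deadline.
THREAT_PHRASES = (
    "webcam", "recorded you", "adult web", "video of you",
    "all your contacts", "hours to", "i have been watching",
)

# Constructed sample: SHA-1 of a credential the user retired after an old breach.
RETIRED_PASSWORD_HASHES = {hashlib.sha1(b"hunter2").hexdigest()}


def score_sextortion(body: str) -> dict:
    """Return the indicators found and a 0-3 score (one point per indicator class)."""
    text = body.lower()
    btc = BTC_ADDRESS_RE.findall(body)
    pw = PASSWORD_CLAIM_RE.search(body)
    phrases = [p for p in THREAT_PHRASES if p in text]
    score = int(bool(btc)) + int(pw is not None) + int(bool(phrases))
    return {
        "btc_addresses": btc,
        "quoted_password": pw.group(1) if pw else None,
        "threat_phrases": phrases,
        "score": score,
        # Two independent indicator classes together are rare in legitimate mail.
        "verdict": "sextortion" if score >= 2 else "clean",
    }


def quoted_password_is_retired(quoted: str, retired_hashes=RETIRED_PASSWORD_HASHES) -> bool:
    """True when the quoted credential is one the user already retired: the sender
    is recycling breach data, not demonstrating current access to the account."""
    return hashlib.sha1(quoted.encode()).hexdigest() in retired_hashes


# Constructed sample messages (not real mail).
SEXTORTION_SAMPLE = """Subject: Your password is hunter2

I have been watching you. Your webcam recorded you while you visited adult web sites.
Send 800 USD in Bitcoin to bc1qexampleaddressfake0000000000 within 48 hours to
keep me from sending the video of you to all your contacts."""

CLEAN_SAMPLE = """Subject: Episode 340 edit

Hi Graham, the edited audio is ready. Let me know if the levels sound right."""


if __name__ == "__main__":
    for label, msg in (("sextortion", SEXTORTION_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = score_sextortion(msg)
        print(label, result["verdict"], result["score"], result["btc_addresses"])
        if result["quoted_password"]:
            print("  quoted password already retired:",
                  quoted_password_is_retired(result["quoted_password"]))
```

The phrase list and threshold are deliberately loose; in a mail gateway you would tune them against your own false-positive rate and add the sender's reputation, but the combination of a quoted old credential and a payment address is the part that separates these campaigns from ordinary spam.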
## Affected Systems
- **Modern Automobiles:** Systems capable of extensive data logging and subscription-based feature unlocking.
- **YouPorn Users:** Specifically systems/accounts compromised in past breaches (referenced 2012 breach).
## Mitigations
- **Policy Advocacy:** Calls for car companies to cease extensive data collection programs (Mozilla Foundation stance).
- **Privacy Awareness:** Understanding and scrutinizing the data collected by connected vehicles.
- **Defense against Sextortion:** Treat such emails as scams that recycle old breach data: do not pay or reply, check whether the quoted credential comes from a known breach, change it anywhere it is still in use, and report the message rather than engaging with the sender.
## Conclusion
The primary threat intelligence focus is twofold: the invasion of privacy via modern vehicle data collection practices, including the monetisation of built-in features, and the persistent danger of sextortion scams that leverage old data leaks from compromised platforms such as adult websites. Consumers should scrutinise the data their vehicles transmit and treat extortion emails that cite old leaked data as scams rather than evidence of a live compromise.