Your car is selling your personal data | GitHub Repo-jacking
CyberInsights #110 - Cars & Data Privacy | What if a hacker owns your GitHub repo?
Modern Cars - Privacy Nightmare
It’s official. Privacy is not included in your new car.
The Mozilla Foundation reviewed the privacy of cars. They say:
“It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy” [LINK]
Mozilla reviewed 25 cars. All 25 earned the ignominious “Privacy Not Included” tab.
The gist is: they can collect super intimate information about you -- from your medical information, your genetic information, to your “sex life” (seriously), to how fast you drive, where you drive, and what songs you play in your car -- in huge quantities. They then use it to invent more data about you through “inferences” about things like your intelligence, abilities, and interests.
Here’s the TL;DR
They collect way too much personal data
Most (84%) share or sell your data
Most (92%) give drivers little or no control over their personal data
There is no confirmation that they meet minimum security standards
What’s worse, the report says consent is an illusion.
Take Action:
Mozilla has started a petition asking car companies to stop doing this. It’s your moral responsibility as security and privacy professionals to sign the petition [LINK]. Do it now. Educate as many people as you can.
Around 4k GitHub accounts are susceptible to repo-jacking
A race condition in repo renaming can let a hacker take over your repo
I take any news on vulnerabilities in code repos seriously. It’s like messing with the plumbing of all software.
A vulnerability in GitHub could let a hacker take over other people’s repos. [LINK]
Repo-jacking is where someone takes over another party’s repository and starts controlling it. This particular vulnerability results from a race condition that occurs when an owner renames their code repo. It’s an interesting read.
Microsoft has closed this vulnerability.
Take Action:
Repo security is usually limited to managing the users on the repos, i.e. the typical IDAM controls. However, there are many other attack vectors against repo security.
As cybersecurity professionals, when you add your code bases as assets, ensure you do a risk assessment that goes beyond the traditional “Manage users using an SSO”.
As cyber insurance professionals, understand the number of public and private repos that an organisation has while underwriting the risks.
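One concrete check that goes beyond user management, as an added example (not from the newsletter or from GitHub): after an owner renames a repo or account, GitHub keeps the old name working through a redirect, and references that still use the old name depend on that redirect, which is what repo-jacking exploits. The script below parses two constructed files (a go.mod and a GitHub Actions workflow, with hypothetical project names) for github.com owner/repo references and flags any that resolve through a known rename, plus any workflow action not pinned to a commit SHA. The rename table is constructed sample data standing in for what a resolver would learn by following the redirect, so the example runs offline.

```python
"""Flag GitHub repository references that depend on a rename redirect.

Added example, not the newsletter's own code. The file contents and the
rename table are constructed sample data; a real audit would read the
project's files and follow GitHub's redirect for each owner/repo.
"""
import re
from dataclasses import dataclass

# Constructed sample go.mod (hypothetical module names).
GO_MOD = """module example.com/app

go 1.21

require (
    github.com/old-maintainer/fastjson v1.2.3
    github.com/stable-org/logger v0.9.0
)
"""

# Constructed sample GitHub Actions workflow (hypothetical action names).
WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: old-maintainer/setup-tool@main
      - uses: stable-org/lint-action@8f1c2d3e4b5a6978c0d1e2f3a4b5c6d7e8f90123
"""

# Constructed rename table: old "owner/repo" -> current "owner/repo".
# In practice this is learned by following the redirect GitHub serves for
# the old name; it is hard-coded here so the example needs no network.
KNOWN_RENAMES = {
    "old-maintainer/fastjson": "new-org/fastjson",
    "old-maintainer/setup-tool": "new-org/setup-tool",
}

# A full 40-hex-character commit SHA is the only immutable action reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    source: str   # file the reference came from
    ref: str      # owner/repo exactly as written in the file
    issue: str    # "redirected" (relies on a rename) or "unpinned" (mutable ref)
    detail: str


def parse_go_mod(text):
    """Return owner/repo for every github.com module path in a go.mod."""
    return re.findall(r"github\.com/([\w.-]+/[\w.-]+)", text)


def parse_workflow(text):
    """Return (owner/repo, ref) for every `uses:` line in a workflow.

    A sub-directory action (owner/repo/path@ref) still reports owner/repo.
    """
    return re.findall(r"uses:\s*([\w.-]+/[\w.-]+)(?:/[\w.-]+)*@(\S+)", text)


def audit(go_mod, workflow, renames):
    """Return findings in file order: go.mod first, then the workflow."""
    findings = []
    for ref in parse_go_mod(go_mod):
        if ref in renames:
            findings.append(Finding("go.mod", ref, "redirected",
                                    f"repo now lives at {renames[ref]}"))
    for ref, version in parse_workflow(workflow):
        if ref in renames:
            findings.append(Finding("workflow", ref, "redirected",
                                    f"repo now lives at {renames[ref]}"))
        if not SHA_RE.match(version):
            findings.append(Finding("workflow", ref, "unpinned",
                                    f"ref is {version!r}, not a commit SHA"))
    return findings


if __name__ == "__main__":
    for f in audit(GO_MOD, WORKFLOW, KNOWN_RENAMES):
        print(f"{f.source}: {f.ref} [{f.issue}] {f.detail}")
```

The remediation for a "redirected" finding is to update the reference to the repo's current name so the build no longer depends on the old name being unclaimed; for an "unpinned" finding it is to pin to a full commit SHA, which stays valid regardless of who later controls the name. Tracking the count of such findings per repo is the kind of metric that belongs in the asset-level risk assessment described above.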
I had seen that Mozilla report last week. It's a great report and it's terrible for all the reasons you highlighted. I'm definitely signing the petition.