Nerds Gummy Clusters (12:46)

This episode is brought to you by Nerds Gummy Clusters the sweet treat that always elevates the vibe with a sweet gummy surrounded with tangy, crunchy nerds. Every bite of Nerds Gummy Clusters brings you a whole new world of flavor. Whether it's game night, on the way to a concert or kicking back with your crew, unleash your senses with Nerds Gummy Clusters.

Dave Buettner (13:08)

And now a message from our sponsor zscaler. The leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement connecting users only to specific apps, not the entire network continuously verifying every request based on identity and context, simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler, Zero Trust and AI. Learn more@zscaler.com Security hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete me. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data Privacy is protected. DeletMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Deleteme now at a special discount for our listeners today. Get 20% off your delete me plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.comN2K and enter code N2K at checkout. That's JoinDeleteMe.com N2k code N2K. Ivan Novikov is CEO at Walarm. I recently caught up with him to discuss a recent US ruling that bars certain Chinese and Russian connected car tech.

Ivan Novikov (15:57)

Ultimately, what do we have now right to the market as there is a plenty of Chinese car makers, right? The automotive vehicle makers already ready to kind of like fulfill the market, buy a lot of new cars, right? They're cheaper and in many cases even more convenient for customers specifically to count latest features such as amount of electronics they have and so on. And that's I think what they want to do is to kind of prevent American customers against using these cars in the future because they might be very inexpensive and also kind of like rich by features. Why? Because ultimately there is a plenty of cars that exist in the market already connected and connected cars means not only sending your current location but also in many cases send some parts, if not all the video stream from some cameras or lidars or different other electronic components that built in a car including microphones and so on. So cars just are full of electronics and this parts and components connected to the cloud. So they want to protect privacy at personal level and also kind of government privacy. Because if it's plenty of cars, they can literally film everything around and you don't even know what could be filmed right outside of the car. I guess what they want to do is to kind of improve security level very proactively before American market kind of like fulfilled by these Chinese cars.

Dave Buettner (17:38)

What sort of components are we talking about here?

Ivan Novikov (17:42)

Sure. I mean, it's not a secret, right. Many of these electronic components such as chips. Right. Produced in China or Taiwan, which is very unclear region, is it? For now and then that's specifically an interesting part of those. And definitely these components, software and hardware components, as you can see in this notice, in this requirement, they split hardware and software a little bit separately and they can kind of like push software a little bit faster than headwear. Headwear is not that easy to replace because many of American car vendors and car makers using this Chinese header. Right. We're mainly talking about pretty much everything that connect car, definitely the chips itself and less about AI components because many of them produced by intel and Nvidia, they're based in states. Right. But all this component that basically make this car connect to the, to the cloud, to the main servers. That's what I'm talking about. So built in embedded systems and built in computers and definitely all the lidars and cameras, all of this.

Dave Buettner (19:08)

This rule was put in by the Commerce Department, of course, under the previous administration. Do we suspect that this rule will hold with the Trump administration coming into office?

Ivan Novikov (19:19)

This is a little bit kind of like unclear, but is it? For me this question is definitely kind of rely on the main point that I have to make. The main point is like, who will enforce this? Right. Ultimately it should be department on Transportation who actually applied these rules and making this as in any form, such as recall, if you already own the car or kind of like, you know, some restriction for dealership to sell such cars. And this is what we will see. So I really think that this may stay in any form. But most interesting, how Department of Transportation will act on this and which new kind of rules, right. Or guidances or you know, commands in that sense will be issued by Department of Transportation.

Dave Buettner (20:13)

I know you and your colleagues at Wall ARM work with automakers, looking at the potential vulnerabilities of components and the software and so on. When you look at the big cyber risks when it comes to cars, what are some of the things that you think folks should know about?

Ivan Novikov (20:31)

Yeah, you're right. We're doing a lot of research and working with car makers and automotive companies over the world. Our main idea is to help them to secure their APIs. Basically the data layer used to connect cars and clouds. Right. Or servers somewhere in the Internet to basically connect cars to Internet and then what I have to say, first of all, all the cars are vulnerable, some of them more, some of them less. But there is absolutely no vendor that can claim that hey guys, we 100% secure, right? All of them vulnerable. There is a few things that I have to point that we call this kind of attack Surface means which attacks and how and where attackers can do to compromise very specific cars or vendor in general. So just a few things to mention. First of all, there's definitely all the APIs related to dealerships and management such as technical station and so on. They should be connected. And for attackers, it's kind of a lot of benefits to hack them and hack many cars altogether rather than target very specific cars such as mine and yours and others one by one. It's less productive for them. The other thing overall, the data centers and clouds that used to serve the data came from cars. Imagine you have plenty of cars such as hundreds of times a minute connect to the cloud, but you better try to hack the cloud rather than go after each car which could be everywhere, right? The cloud itself and a dealership with the first thing and then cloud of this automakers, however, they definitely protect that much better than many other IT components and systems because automotive cars already recognize this risk a while ago and they invested in this security. And the third point, I guess overall communication protocols, it could be, you know, direct link between your car and the cloud. It could be some indirect links such as your Bluetooth that you can activate in the car and some, some other guy can connect. But this attacks a little bit more targeted and I really think that it's more about, you know, the more targeted, you know, kind of like internal system to break this, to break them and you know, steal your car rather than, you know, compromise your car during the driving and so on. Dealerships and cloud provider and clouds like IT systems for built to serve. This connected car is definitely kind of number one, number two priorities for attackers.

Dave Buettner (23:17)

That's Ivan Novikov from Walar.

Ivan Novikov (23:29)

Foreign.

Dave Buettner (23:35)

Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off.

Nerds Gummy Clusters (24:39)

This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast terms and conditions apply.

Dave Buettner (25:15)

And finally, there's a popular optical illusion that features the faces of Albert Einstein and Marilyn Monroe superimposed over one another. Depending on how far away you are from the image, you see either Albert or Marilyn. And if you vary your distance, the two faces seemingly morph back and forth. The illusion takes advantage of the way our visual systems interpret contrast and sharpness, and how our brains prefer to lock into the familiar. Curious researchers wondered if the same effect could be applied to QR codes. In a post on Mastodon, Guy Dupont experimented with using lenticular lenses on QR codes to activate one of two different URLs depending on the angle the code was viewed at. Christian Walther took it to the next level, creating a version with no lens required, taking advantage of the previously mentioned peculiarities of perceived contrast and sharpness. It works. Depending on the distance your camera is from the QR code, you will be directed to one of two unrelated URLs. Needless to say, this opens up a whole new world of possibilities for QR code shenanigans. We'll have a link in the show notes. See for yourself. It's fun and not just a little bit unnerving. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Ivan Novikov (28:05)

Foreign.

Dave Buettner (28:12)

Cyber threats are evolving every second. And staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with Threat Locker, a cybersecurity solution trusted by businesses worldwide. Threat Locker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.