Privacy

Tesla Cars Keep More Data Than You Think (cnbc.com)

Tesla vehicles sent to the junk yard after a crash carry much more data than you'd think. According to CNBC, citing two security researchers, "Computers on Tesla vehicles keep everything that drivers have voluntarily stored on their cars, plus tons of other information generated by the vehicles including video, location and navigational data showing exactly what happened leading up to a crash." From the report: One researcher, who calls himself GreenTheOnly, describes himself as a "white hat hacker" and a Tesla enthusiast who drives a Model X. He has extracted this kind of data from the computers in a salvaged Tesla Model S, Model X and two Model 3 vehicles, while also making tens of thousands of dollars cashing in on Tesla bug bounties in recent years. Many other cars download and store data from users, particularly information from paired cellphones, such as contact information.

But the researchers' findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via "event data recorders" there, should they need this for legal, insurance or other reasons. At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car's computer and knows how to extract it. The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect.
A Tesla spokesperson said in a statement to CNBC: "Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers."

The report serves as a reminder for Tesla owners to factory reset their cars before handing them off to a junk yard or other reseller because that other party may not reset your car for you. "Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars," reports CNBC. "A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars' computers with a factory reset."

The researchers were able to obtain "phonebooks' worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited." The data also showed the drivers' last 73 navigation locations, as well as crash-related information. The Model 3 that one of the researchers bought for research purposes contained a video showing the car speeding out of the right lane into the trees off the left side of a dark two-lane route. "GPS and other vehicle data reveals that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on Aug 11, and was severe enough that airbags deployed," the report adds.
Security

Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers (csoonline.com)

itwbennett writes: The popular e-commerce platform Magento has released 37 security issues affecting both the commercial and open-source versions, four of which are critical. "Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication," writes Lucian Constantin for CSO. Researchers from Web security firm Sucuri "have already reverse-engineered the patch [for that flaw] and created a working proof-of-concept exploit for internal testing," says Constantin. "The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites," the researchers warn in a blog post. "Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated -- making it easy for hackers to mount successful, widespread attacks against vulnerable websites," the Sucuri researchers warned. "The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous." Since the researchers were able to create a working proof-of-concept exploit, it's only a matter of time until hackers discover a way to use the exploit to plant payment card skimmers on sites that have yet to install the new patch.

UPDATE: Onilab, an official Magento development partner, has a blog post explaining how you can update your store to the latest version of Magento.
Intel

Intel Lays Off Hundreds of Tech Admins (oregonlive.com)

Intel has reportedly laid off a number of information technology workers at sites across the company this week. Sources say the layoffs number in the hundreds, but Intel has declined to specify how many people lost their jobs or describe the rationale for the cutbacks. OregonLive reports: The cuts took place at sites across the company, including Oregon, Intel's largest site with 20,000 workers. Cuts also took place at other Intel facilities in the United States and at a large administrative facility in Costa Rica, according to people familiar with the layoffs. Though Intel forecasts flat sales in 2019, people inside the company said this week's layoffs don't appear to be strictly a cost-cutting move. Rather, they said the cuts appeared to reflect a broad change in the way Intel is approaching its internal technical systems.

Information technology (IT) professionals don't usually develop new technology but they play an essential role in managing a company's internal systems. Their work is particularly important at tech companies such as Intel, which depend on IT workers to keep systems secure and running smoothly. This week's layoffs appear to be Intel's biggest cutbacks since 2016, when the company eliminated 15,000 jobs across the company through layoffs, buyouts and early retirement offers.
"Changes in our workforce are driven by the needs and priorities of our business, which we continually evaluate. We are committed to treating all impacted employees with professionalism and respect," Intel said in a brief statement acknowledging the cuts to The Oregonian/OregonLive.

Intel isn't the only tech company laying off workers right now. A new report from The Mercury News reveals many Bay Area tech firms will be laying off about 1,200 jobs between now and Memorial Day. The layoffs are expected from SAP, Oracle America, PayPal, Instacart, Thin Film Electronics, and others.
Security

Toyota Security Breach Exposes Personal Info of 3.1 Million Clients (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today. As detailed in a press release published on Toyota's global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla. "It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards," says the data breach notification. Toyota has not yet confirmed if the attackers were able to exfiltrate any of the customer personal information exposed after the IT systems of its subsidiaries were breached. Toyota said in a statement: "We apologize to everyone who has been using Toyota and Lexus vehicles for the great concern. We take this situation seriously, and will thoroughly implement information security measures at dealers and the entire Toyota Group."
Android

Google: Play Protect Cut Harmful Android App Installs by 20% in 2018 (venturebeat.com)

Speaking of the state of Android apps' security, Google today published its annual Android Security & Privacy Year in Review, a comprehensive report that details the company's ongoing efforts to keep the over two billion devices running the Android mobile operating system secure. From a report: Google says that Google Play Protect, Android's AI-driven built-in defense mechanism, substantially cut down on the number of Potentially Harmful Applications (PHAs) in Google Play. Last year, only 0.08 percent of devices that used Google Play exclusively for app downloads were affected by PHAs, and even devices that installed apps from outside of Play -- 0.68 percent of which were affected by one or more PHAs, down from 0.80 percent in 2017 -- saw a 15 percent reduction in malware. In fact, Play Protect prevented 1.6 billion PHA installation attempts from outside of Google Play in 2018, Google says [PDF]. Installation attempts outside of Google Play fell by 20 percent from the previous year, and 73 percent of PHA installations were successfully stopped, compared to 71 percent in 2017 and 59 percent in 2016. In all, 0.45 percent of Android devices running Play Protect installed PHAs in 2018, compared with 0.56 percent of devices in 2017, equating to a 20 percent year-over-year improvement.
Bug

macOS 10.14.4 Mail Client Has Broken Gmail Access For Some Users (apple.com)

New submitter _observer writes: Hundreds of users are unable to read their Gmail in Apple's Mail client since the upgrade to macOS 10.14.4, with few workarounds available. This is impacting business and personal users, although not all Gmail accounts are impacted. The web client and other clients like Outlook still work -- it is only Apple's Mail client that is not playing along. Users say they are caught in a login loop. It appears that the issue was even found and reported in the 10.14.4 Beta, but not addressed when the update was released. No word from Apple about this. While I am somewhat sympathetic to the software engineers having bugs in code (I am an engineer, too), this seems to be a big QA miss. Gmail is the most popular free email service and this is blocking a large number of users. This thread on the Apple Support forum is growing rapidly (24 pages and counting).
Security

Researchers Discover and Abuse New Undocumented Feature in Intel Chipsets (zdnet.com)

At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets. From a report: Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines. VISA is included in the Platform Controller Hub (PCH) chipsets that are part of modern Intel CPUs and works like a full-fledged logic signal analyzer. According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH -- and later the main CPU. Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level. But despite its extremely intrusive nature, very little is known about this new technology.
Microsoft

As Windows 10 19H1 Update Approaches, Microsoft Says Version 1809 is Now Ready For 'Broad Deployment' (onmsft.com)

We're now very close to the next semi-annual update for Windows 10, but Microsoft has just announced today that version 1809, released last Fall, is now the recommended version for all users. From a report: This is a new milestone in the troubled history of this major release, as Microsoft had to pause its public rollout after discovering a serious file deletion bug in October. "Based on the data and the feedback we've received from consumers, OEMs, ISVs, partners, and commercial customers, Windows 10, version 1809 has transitioned to broad deployment," wrote John Wilcox, Windows as a service evangelist, on the Windows IT Pro blog today. We're now a little more than four months removed from Microsoft's re-released Windows 10 version 1803, and Microsoft previously admitted that it would be more cautious during the public rollout. According to AdDuplex's latest survey of more than 100,000 Windows 10 PCs, only 26.4% of them were running version 1809 in March.
Android

Researchers Find Google Play Store Apps Were Actually Government Malware (vice.com)

Security researchers have found a new kind of government malware that was hiding in plain sight within apps on Android's Play Store. And they appear to have uncovered a case of lawful intercept gone wrong. An anonymous reader writes: This new case once again highlights the limits of Google's filters that are intended to prevent malware from slipping onto the Play Store. In this case, more than 20 malicious apps went unnoticed by Google over the course of roughly two years. Motherboard has also learned of a new kind of Android malware on the Google Play store that was sold to the Italian government by a company that sells surveillance cameras but was not known to produce malware until now. Experts told Motherboard the operation may have ensnared innocent victims as the spyware appears to have been faulty and poorly targeted. Legal and law enforcement experts told Motherboard the spyware could be illegal. The spyware apps were discovered and studied in a joint investigation by researchers from Security Without Borders, a non-profit that often investigates threats against dissidents and human rights defenders, and Motherboard. The researchers published a detailed, technical report of their findings on Friday.