Dr. T's security brief


dtau...@gmail.com

15 Aug 2021, 15:50:29
to sec-...@googlegroups.com

Wearable Devices Could Use Your Breathing Patterns Like a Password
New Scientist
Chris Stokel-Walker
July 31, 2021


Cleveland State University's Jafar Pourbemany and colleagues have developed a protocol that generates a 256-bit encryption key every few seconds based on the way a user breathes; the key can then be sent to a wearable device to keep the two in sync. The protocol employs a respiratory inductance plethysmography sensor to measure the user's breathing, with an accelerometer on the chest providing additional data on the way it moves during each breath. The wearer's unique breathing pattern is translated into an encrypted key that can be used to confirm that a device matches correctly with the wearable. Pourbemany said, "Devices need to have a shared secure key for encryption to ensure that an attacker cannot compromise the process."

Full Article

 

 

EU Fines Amazon Record $888 Million Over Data Violations
Bloomberg
Stephanie Bodoni
July 30, 2021


Luxembourg's CNPD data protection authority fined Amazon a record $888 million for breaching the EU's General Data Protection Regulation (GDPR). The EU regulator charged the online retailer with processing personal data in violation of GDPR rules, which Amazon denies. The ruling closes an investigation triggered by a 2018 complaint from French privacy rights group La Quadrature du Net. Amazon says it gathers data to augment the customer experience, and its guidelines restrict what employees can do with it; some lawmakers and regulators allege the company exploits this data to gain an unfair competitive advantage. Amazon also is under EU scrutiny concerning its use of data from sellers on its platform, and whether it unfairly champions its own products.

Full Article

 

 

Malware Developers Turn to 'Exotic' Programming Languages to Thwart Researchers
ZDNet
Charlie Osborne
July 27, 2021


Cybersecurity service provider BlackBerry's Research & Intelligence team has found that malware developers are increasingly employing "exotic" coding languages to foil analysis. A report published by the team cited an "escalation" in the use of Go (Golang), D (DLang), Nim, and Rust to "try to evade detection by the security community, or address specific pain-points in their development process." Malware authors are experimenting with first-stage droppers and loaders written in these languages to evade detection on a target endpoint; once the malware has bypassed existing security controls that can identify more typical forms of malicious code, they are used for decoding, loading, and deploying malware. The researchers said cybercriminals’ use of exotic programming languages could impede reverse engineering, circumvent signature-based detection tools, and enhance cross-compatibility over target systems.
 

Full Article

 

 

Honeypot Security Technique Can Stop Attacks in Natural Language Processing
Penn State News
Jessica Hallman
July 28, 2021


A machine learning framework can proactively counter universal trigger attacks—a phrase or series of words that deceive an indefinite number of inputs—in natural language processing (NLP) applications. Scientists at Pennsylvania State University (Penn State) and South Korea's Yonsei University engineered the DARCY model to catch potential NLP attacks using a honeypot, offering up words and phrases that hackers target in their exploits. DARCY searches and injects multiple trapdoors into a textual neural network to detect and thresh out malicious content produced by universal trigger attacks. When tested on four text classification datasets and used to defend against six different potential attack scenarios, DARCY outperformed five existing adversarial detection algorithms.

Full Article

 

 

Cybersecurity Technique Keeps Hackers Guessing
U.S. Army DEVCOM Army Research Laboratory
July 27, 2021

Development Command's Army Research Laboratory (ARL) has designed a machine learning-based framework to augment the security of in-vehicle computer networks. The DESOLATOR (deep reinforcement learning-based resource allocation and moving target defense deployment framework) framework is engineered to help an in-vehicle network identify the optimal Internet Protocol (IP) shuffling frequency and bandwidth allocation to enable effective, long-term moving target defense. Explained ARL's Terrence Moore, "If you shuffle the IP addresses fast enough, then the information assigned to the IP quickly becomes lost, and the adversary has to look for it again." ARL's Frederica Free-Nelson said the framework keeps uncertainty sufficiently high to defeat potential attackers without incurring excessive maintenance costs, and prevents performance slowdowns in high-priority areas of the network.
 

Full Article

 

 

As Cyberattacks Surge, Security Startups Reap the Rewards
The New York Times
Erin Woo
July 26, 2021


Security startups have seen venture capital flooding in as cyberattacks ramp up. Research firm PitchBook estimates investors have injected over $12.2 billion into startups that offer cloud security, identity verification, and privacy protection so far this year, compared to $10.4 billion during all of 2020. Capital is flowing into companies developing anti-hack measures related to the shift to cloud computing, like identity verification software supplier Qomplx and cloud security provider Netskope. Cloud security startup Lacework, whose products use artificial intelligence to identify threats, got a $525-million funding boost in January, which CEO David Hatfield credits to "the combination of all of these ransomware and nation-state attacks, together with people moving to the cloud so aggressively."

Full Article

*May Require Paid Registration

 

 

Ancient Printer Security Bug Affects Millions of Devices Worldwide
TechRadar
Mayank Sharma
July 21, 2021


Cybersecurity researchers at SentinelOne have identified a highly severe privilege escalation vulnerability in HP, Samsung, and Xerox printer drivers. The vulnerability appears to have been present since 2005. The researchers said millions of devices and users worldwide likely have been impacted by the buffer overflow vulnerability, which can be exploited whether or not a printer is connected to a targeted device. SentinelOne's Asaf Amir said, "Successfully exploiting a driver vulnerability might allow attackers to potentially install programs; view, change, encrypt, or delete data, or create new accounts with full user rights." Hackers would need local user access to the system to access the affected driver and take advantage of the vulnerability.

Full Article

 

 

Hackers Got Past Windows Hello by Tricking Webcam
Ars Technica
Lily Hay Newman
July 18, 2021


Researchers at the security firm CyberArk uncovered a security feature bypass vulnerability in Microsoft's Windows Hello facial-recognition system that permitted them to manipulate a USB webcam to unlock a Windows Hello-protected device. CyberArk's Omer Tsarfati said, "We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera, because the whole system is relying on this input." Hackers would need a good-quality infrared image of the victim's face and physical access to the webcam to take advantage of the vulnerability. Said Tsarfati, "A really motivated attacker could do those things. Microsoft was great to work with and produced mitigations, but the deeper problem itself about trust between the computer and the camera stays there." Microsoft has released patches to fix the issue.

Full Article

 

 

Test of Time Award Bestowed for Data Privacy Paper
Penn State News
Sarah Small
July 23, 2021


ACM's Special Interest Group on Management of Data (SIGMOD) has named Dan Kifer, professor of computer science and engineering at Pennsylvania State University, and Duke University's Ashwin Machanavajjhala, recipients of its 2021 Test of Time award. The 2011 paper explored how an individual's information can be incorporated in datasets in a manner that can complicate privacy protection. The awards committee cited the paper as raising "fundamental questions on how to define privacy, and the situations when differential private mechanisms provide meaningful semantic privacy guarantees." The committee also said the research covered by the paper led to enhanced privacy frameworks.

Full Article

 

 

Russia Disconnects from Internet in Tests as It Bolsters Security
Reuters
Alexander Marrow; Dmitry Antonov
July 22, 2021


Russia reportedly disconnected from the global Internet during tests in June and July, according to a report by the RBC daily that cited documents from the working group responsible for strengthening Russia's Internet security under the 2019 "sovereign Internet" law, which aims to prevent Russia from being cut off from foreign infrastructure. A working group source said the purpose of tests was "to determine the ability of the 'Runet' to work in case of external distortions, blocks and other threats." The Internet Research Institute's Karen Kazaryan said, "Given the general secrecy of the process and the lack of public documents on the subject, it is difficult to say what happened in these tests."

Full Article

 

 

TSA Issues Cybersecurity Rules for Pipeline Companies
The Washington Post
Aaron Gregg
July 20, 2021


A U.S. Transportation Security Administration (TSA) directive imposes new rules requiring pipeline operators to strengthen their cyberdefenses. The order coincides with the first-ever disclosure by the Department of Homeland Security and the Federal Bureau of Investigation that Chinese state-sponsored hackers targeted 23 U.S. natural gas pipeline operators between 2011 and 2013. The announcement offers few details on the directive or its enforcement, as much is classified to keep hackers in the dark about pipeline operators' cybersecurity measures. The directive requires pipeline operators to deploy safeguards against ransomware on information technology (IT) systems commonly targeted by hackers, as well as on physical fuel-flow controls. Operators also must review their IT infrastructures and develop hacking response plans.

Full Article

*May Require Paid Registration
