Dr. T's security brief

Daniel Tauritz

May 16, 2020, 8:00:50 AM
to sec-...@googlegroups.com

COVID-19 Malware Will Wipe Your PC, Rewrite MBR
ZDNet
Catalin Cimpanu
April 2, 2020


ZDNet identified five COVID-19-themed malware strains that can wipe an infected PC's files or rewrite its master boot record (MBR). When one strain, COVID-19.exe, infects computers, it first displays an irritating window that users cannot close because it disables Windows Task Manager while rewriting the MBR; the malware then restarts the PC, and the new MBR blocks users into a pre-boot screen. Another malware steals passwords from a compromised host and emulates ransomware to fool the user, while also secretly rewriting the MBR. The two file-wiping strains were described as "poor wipers" because the techniques they use to delete files on infected PCs are inefficient, error-prone, and time-consuming methods—but they work, which means their release into the wild is dangerous.

Crypto-Mining Botnet Has Been Hijacking MSSQL Servers for Almost Two Years
ZDNet
Catalin Cimpanu
April 1, 2020


Cybersecurity firm Guardicore said a malware botnet has been launching brute-force attacks against Microsoft SQL (MSSQL) databases to hijack administrative accounts and install cryptocurrency mining scripts on the underlying operating system for nearly two years. A report by Guardicore estimated the Vollgar botnet infects approximately 3,000 new MSSQL databases daily. Guardicore said more than 120 mainly Chinese Internet Protocol addresses are used to launch attacks that attempt to guess the passwords of MSSQL servers. More than 60% of all hijacked MSSQL servers remain infected with the malware for no more than two days, but Guardicore's Ophir Harpaz said nearly 20% of all MSSQL systems remain infected for more than a week. Said Harpaz, "Our experience shows that this type of campaign makes the most immediate attack vector for threat actors to make a profit."

Attackers Can Use Zoom to Steal Users' Windows Credentials with No Warning
Ars Technica
Dan Goodin
April 1, 2020


Zoom for Windows contains a bug that could allow attackers to steal users' operating system credentials without any warning, according to researchers. The exploit leverages the Zoom chat window to send targets a string of text that represents the network location on the Windows device being used, and the Zoom app for Windows automatically renders these universal naming convention (UNC) strings as clickable links. Should targets click on those links on networks that are not fully locked down, Zoom will send Windows usernames and corresponding Net-NTLM-v2 hashes to the address in the link; attackers can then use the credentials to access shared network resources, including Outlook servers and storage devices. Zoom officials said the UNC bug, as well as a separate pair of bugs for macOS, have been fixed. The company said it was enacting a feature freeze for 90 days to focus on securing features already in place.

OpenWRT Code-Execution Bug Puts Millions of Devices at Risk
Ars Technica
Dan Goodin
March 31, 2020


Guido Vranken at the ForAllSecure security firm discovered that the open source OpenWRT operating system for powering embedded systems has been vulnerable to remote code-execution attacks for three years, because updates are delivered over an unencrypted channel and digital signature verifications are easy to circumvent. This enables attackers to send malicious updates that vulnerable devices will automatically install. OpenWRT operates on home routers, smartphones, and portable and desktop PCs, which means millions of devices are at risk from the bug. In January, OpenWRT maintainers released an update requiring new installations to be "set out from a well-formed list that would not sidestep the hash verification." Vranken described the mitigation as a partial stopgap measure, because hackers could replace the legitimate update with an older package list signed by the maintainers, and subsequently use the same exploits they would use on devices that have not received the true update.

Some Mobile Phone Apps May Contain Hidden Behaviors That Users Never See
Ohio State News
Laura Arenschield
March 31, 2020


Cybersecurity researchers at Ohio State University, New York University, and Germany's CISPA Helmholtz Center for Information Security have found that many mobile phone applications may allow others to access private data or block user-provided content through "backdoor secrets." The researchers assessed 150,000 apps and found that 8.5% contained backdoor secrets that accept certain types of content to activate behaviors unknown to regular users. Some also possessed built-in master passwords allowing parties to access the app and any private data within it, and some had secret access keys that could trigger hidden options, like bypassing payments. Others blocked content featuring specific keywords subject to censorship, cyberbullying, or discrimination. The researchers created the open source InputScope tool to help developers understand flaws in their apps.

FCC Tells U.S. Telcos to Implement Caller ID Authentication by June 30, 2021
ZDNet
Catalin Cimpanu
March 31, 2020


The U.S. Federal Communications Commission (FCC) has announced new rules requiring all U.S. telecommunication providers to implement the STIR/SHAKEN caller ID authentication standard in the Internet Protocol (IP) portions of their networks by June 30, 2021. The STIR/SHAKEN protocol is viewed as the best current defense against robocalls, employing cryptographic certificates to sign a caller's ID. The telco network signs calls where they originated, and the voice provider where the call connects verifies the calls through a remotely-hosted third-party certificate repository. The FCC said it "estimates that the benefits of eliminating the wasted time and nuisance caused by illegal scam robocalls will exceed $3 billion annually, and STIR/SHAKEN is an important part of realizing those cost savings."

Not All Privacy Apps are Created Equal
MIT CSAIL
Adam Conner-Simons
March 31, 2020


An anonymity technique called k-anonymity does not prevent a user from being able to be identified by looking at the platform's wider data, according to researchers at the Massachusetts Institute of Technology (MIT). K-anonymity is used by many companies and platforms claiming they can anonymize consumers' data and comply with new laws such as the California Consumer Privacy Act (CCPA) and Europe's General Data Protection Regulation (GDPR). The researchers cite a new type of attack called "predicate singling out" that is modeled after a kind of GDPR privacy violation called "singling out." The MIT team demonstrated that a different technique, called differential privacy, prevents predicate singling out attacks by precisely controlling randomization to hide the presence or absence of any specific individual in a dataset.

Facebook, Google, Twitter Struggle to Handle November's Election
The New York Times
Kevin Roose; Sheera Frenkel; Nicole Perlroth
March 29, 2020


Major technology companies including Facebook, Twitter, and Google have spent billions in the past three years to prevent election meddling, but new challenges are adding to their struggle in the run-up to the November U.S. Presidential election. Experts warn that malefactors, both foreign and domestic, will evolve their attacks as tech companies evolve their defenses. Although the major tech firms have improved their identification and removal of certain types of election meddling like foreign trolling and misinformation campaigns, they are hesitant to police other kinds of social media electioneering for fear of appearing to steer the election’s outcome.

Researchers Develop Photon Source for Tap-Proof Communication
Leibniz Universität Hannover
March 27, 2020


A 15-member research team from the U.K., Germany, and Japan has developed a new method for generating and detecting quantum-enabled photons at a wavelength of 2.1 micrometers, which could make the encryption of satellite-based communications more secure. Previously, such encryption mechanisms could only be implemented with entangled photons in the near-infrared range of 700 to 1,550 nanometers. The researchers produced entangled photon pairs at a wavelength of 2.1 micrometers by sending ultrashort light pulses from a laser into a nonlinear crystal made of lithium niobate. Michael Kues at Germany’s Leibniz University Hannover said photon pairs entangled at that wavelength would be significantly less influenced by background radiation from the sun.

4G Networks Vulnerable to Denial of Service Attacks, Subscriber Tracking
ZDNet
Charlie Osborne
March 26, 2020


A report from enterprise security solutions provider Positive Technologies indicates that every 4G network is susceptible to a form of denial-of-service (DoS) attack. The report centers on the industry-standard Diameter signaling protocol, which in 4G is used to authenticate and authorize messages. The report analyzed the networks of 28 telecommunications operators across Europe, Asia, Africa, and South America between 2018 and 2019, finding that every attempt to infiltrate these networks in some form was a success. The researchers found that DoS was the easiest form of cyberattack to attempt, due to architectural flaws in the Diameter protocol. They said these security weaknesses will continue to exist as 5G networks build out on existing architecture and the Diameter protocol.

German Industrial Firms to Build Private 5G Networks
The Wall Street Journal
Catherine Stupp
April 6, 2020


Automakers BMW and Volkswagen, chemicals company BASF, airline Deutsche Lufthansa, and other German industrial firms intend to build their own private 5G networks, now that the German Federal Network Agency has started accepting applications for that portion of the radio spectrum. The regulator said 33 companies have to date purchased 5G licenses. Private 5G networks are particularly useful for industrial applications like operating robots and driverless vehicles within factories, which experts say require fast, reliable connections that perform tasks in real time. The firms also claim the private networks will fortify cybersecurity, as they will be able to configure the networks to suit their needs, use customized security features like encryption, and avoid sharing bandwidth with other companies.

A Digital Court for a Digital Age
University of Tokyo
April 6, 2020


Hitoshi Matsushima from the University of Tokyo in Japan and Shunya Noda from the University of British Columbia in Canada have created a mechanism that uses blockchain to settle legal disputes. This so-called digital court would enable enforcement of contracts wherever a traditional legal court would settle legal disputes. The blockchain is only invoked to maintain records of the parties' involvement with the agreement in question. This is important because even though ordinary smart contracts can dispense with an expensive third party to adjudicate a dispute, they still require some potentially costly interactions with the blockchain system. Said Matsushima, "We have found a way to satisfy agreements without traditional legal enforcement or the long-term reciprocal relationships which might ordinarily keep the players honest. A digital court could be built on current blockchain platforms such as Ethereum, and it could happen right now."

Daniel Tauritz

May 17, 2020, 5:48:15 PM
to sec-...@googlegroups.com

Academics Steal Data From Air-Gapped Systems Using PC Fan Vibrations
ZDNet
Catalin Cimpanu
April 17, 2020


Academics at the Ben-Gurion University of the Negev (BGU) in Israel have developed the AiR-ViBeR technique for stealing data from air-gapped systems by manipulating the vibrations of fans inside computers. BGU's Mordechai Guri said malware planted on an air-gapped system can control fan speed, and attackers can rig the frequency of vibrations by moderating fan speed up and down, with the vibrational patterns spreading throughout the nearby environment. A nearby attacker can use accelerometer sensors in smartphones to record the vibrations, then decode the information concealed within the vibration pattern to reassemble the stolen data. Hackers can either record the vibrations by positioning a smartphone on a desk near an air-gapped system, or use malware to infect the smartphones of employees working for the targeted company operating an air-gapped system. However, AiR-ViBeR is extremely slow, enabling data exfiltration of only a half-bit per second.

Critical 'Starbleed' Vulnerability in FPGA Chips Identified
Ruhr-University Bochum
April 16, 2020


Scientists at Ruhr-Universität Bochum's Horst Görtz Institute for Information Technology Security and the Max Planck Institute for Security and Privacy in Germany have discovered a vulnerability in field-programmable gate array (FPGA) chips. The "Starbleed" bug allows hackers to completely commandeer the chips and their functionalities; replacing the chips is the only remedy, because the vulnerability becomes integrated with the hardware. The researchers analyzed FPGAs from Xilinx, one of the two leading FPGA manufacturers. They exploited an update and fallback feature in the FPGAs to successfully decrypt the encrypted bitstream file used to program the chips, and to access and modify file content. The Max Planck Institute's Christof Paar said, "Although detailed knowledge is required, an attack can eventually be carried out remotely, [and] the attacker does not even have to have physical access to the FPGA."

'Unkillable' Android Malware Gives Hackers Full Remote Access to Your Phone
TechRadar
Cat Ellis
April 8, 2020


Igor Golovin, a researcher at cybersecurity company Kaspersky Lab, found that the xHelper malware uses a system of nested programs that makes it extremely hard to root out, even after a system restore. xHelper often is distributed through third-party stores disguised as a popular cleanup or maintenance app to improve a device's performance. When the malware is installed, it downloads a "dropper" trojan, which collects information on the device and installs another trojan. The second trojan downloads exploit code that gives it root access to the device. Said Golovin, "Using a smartphone infected with xHelper is extremely dangerous. The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware too."

Dark_Nexus Botnet Outstrips Other Malware with New, Potent Features
ZDNet
Charlie Osborne
April 8, 2020


Researchers at cybersecurity firm Bitdefender announced the discovery of a new botnet, dark_nexus, with capabilities that exceed those of most current botnets. Although dark_nexus features code links to the Qbot and Mirai botnets, most of its functions are original, which amplifies its robustness and potency. The botnet has been in existence for three months, with three distinct iterations released and linking to at least 1,372 bots mainly hosted in China, the Republic of Korea, Thailand, and Brazil. Dark_nexus uses credential-stuffing and exploits to compromise machines after discovery; both synchronous and asynchronous modules are in use, and attempt to employ Telnet protocol and predefined credential lists to secure access. Attacks are mostly typical, but Bitdefender called dark_nexus' browser_http_req command, which tries to masquerade the traffic as harmless, browser-generated traffic, "highly complex and configurable."

Silicon Chip 'Fingerprint' for Stronger Hardware Security at Low Cost
NUS News (Singapore)
April 15, 2020


Researchers at the National University of Singapore (NUS) have developed a method that allows Physically Unclonable Functions (PUFs) to generate silicon chip "fingerprint" outputs at low cost. The team essentially made PUFs self-repairing and self-concealing through an adaptation that employs on-chip sensors and machine learning algorithms to predict and identify PUF instability. The method adjusts the tunable correction level to the minimum required, and produces a more secure and stable PUF output; this reduces power consumption to the minimum possible, and allows the chip to be used to detect anomalous environmental conditions like temperature, voltage, or noise that attackers exploit. NUS' Massimo Alioto said, "On-chip sensing, as well as machine learning and adaptation, allow us to raise the bar in chip security at significantly lower cost. As a result, PUFs can be deployed in every silicon system on Earth, democratizing hardware security even under tight cost constraints."

Linux Security: Chinese State Hackers May Have Compromised 'Holy Grail' Targets Since 2012
Forbes
Davey Winder
April 7, 2020


A BlackBerry research and intelligence team said five Chinese advanced persistent threat groups have long been attacking Linux servers that "comprise the backbone of the majority of large data centers responsible for some of the most sensitive enterprise network operations." Particularly worrying is evidence of the attackers using a previously undocumented Linux malware toolkit including at least two kernel-level rootkits and three backdoors, actively deployed since March 13, 2012. Analysis associated this toolkit with one of the largest Linux botnets ever found, with a significant number of organizations likely infected. Targets include Red Hat Enterprise, CentOS, and Ubuntu Linux environments for purposes of cyberespionage and intellectual property theft, with researchers describing Linux defensive capabilities as immature at best. Former U.K. Military Intelligence Colonel Philip Ingram said mitigating such exploits entails "treating [the threats] as if they are ... as much a threat as any other operating system."

DarkHotel Hackers Use VPN Zero-Day to Breach Chinese Government Agencies
ZDNet
Catalin Cimpanu
April 6, 2020


Qihoo 360 has reported that foreign state-sponsored hackers have taken aim at Chinese government agencies and their employees, using a zero-day vulnerability to gain control of Sangfor SSL VPN servers. The Chinese security firm found that more than 200 VPN servers have been hacked in this campaign, 174 of which were located on the networks of government agencies in Beijing and Shanghai, as well as those of Chinese diplomatic missions operating abroad. The hackers replaced a file named SangforUD.exe with a boobytrapped version that installed a backdoor trojan on devices connected to the hacked servers. Qihoo believes DarkHotel is working to gain insights into how the Chinese government handled the COVID-19 outbreak.

Zero-Day Exploits Increasingly Commodified, Say Researchers
Computer Weekly
Alex Scroxton
April 6, 2020


FireEye Threat Intelligence researchers warned of increasing commodification of the cybercriminal underworld, as evidenced by access to and exploitation of "valid" zero-day vulnerabilities. FireEye documented more zero-day exploits last year than in the previous three years, and a broader spectrum of tracked actors appear to have gained access to these capabilities. The researchers noticed an uptick in the number of zero-days leveraged by malefactors suspected of being "customers" of private firms that supply cyber capabilities to governments or law enforcement agencies. The FireEye researchers said state groups will continue backing internal exploit discovery and development, but "the availability of zero-days through private companies may offer a more attractive option than relying on domestic solutions or underground markets."

12k+ Android Apps Contain Master Passwords, Secret Access Keys, Secret Commands
ZDNet
Catalin Cimpanu
April 4, 2020


Academics from the U.S. and Europe using a tool that analyzes input form fields inside more than 150,000 Android applications found hidden backdoor-like behavior in 12,706 of the apps. The researchers used InputScope, a custom tool they developed, to analyze the top 100,000 Play Store apps, the top 20,000 apps hosted by third-party stores, and more than 30,000 apps pre-installed on Samsung handsets. The backdoor mechanisms identified by the tool include secret access keys, master passwords, and secret commands, which could allow unauthorized access to user accounts, grant hackers access to a device, or allow them to run code on a device with elevated privileges. While researchers notified all those developers whose apps had such mechanisms, they said not all have responded.

iPhone Camera Hacked: Three Zero-Days Used in $75,000 Attack Chain
Forbes
Davey Winder
April 3, 2020


Ryan Pickren, a former Amazon Web Services security engineer, found at least seven zero-day vulnerabilities in Apple Safari, and was able to use three of them to successfully hijack the iPhone camera. Said Pickren, "A bug like this shows why users should never feel totally confident that their camera is secure, regardless of operating system or manufacturer." Pickren reported his findings to the Apple Bug Bounty Program in mid-December, and was rewarded with a $75,000 bounty from the company. Apple's Safari 13.0.5 update released Jan. 28 patched the three-bug camera kill chain, and the remaining zero-day vulnerabilities were addressed in the Safari 13.1 update on March 24.

How Coronavirus Is Eroding Privacy
The Wall Street Journal
Liza Lin; Timothy W. Martin; Dasl Yoon; et al.
April 15, 2020


Governments worldwide are using digital surveillance technologies to track the spread of the coronavirus pandemic, raising concerns about the erosion of privacy. Many Asian governments are tracking people through their cellphones to identify those suspected of being infected with COVID-19, without prior consent. European countries are tracking citizens' movements via telecommunications data that they claim conceals individuals' identities; American officials are drawing cellphone location data from mobile advertising firms to monitor crowds, but not individuals. The biggest privacy debate concerns involuntary use of smartphones and other digital data to identify everyone with whom the infected had recent contact, then testing and quarantining at-risk individuals to halt the further spread of the disease. Public health officials say surveillance will be necessary in the months ahead, as quarantines are relaxed and the virus remains a threat while a vaccine is developed.

Daniel Tauritz

May 18, 2020, 5:31:14 PM
to sec-...@googlegroups.com

Flaw in iPhones, iPads May Have Allowed Hackers to Steal Data for Years
Reuters
Christopher Bing; Joseph Menn; Jack Stubbs; et al.
April 22, 2020


Apple intends to patch a flaw that iPhones and iPads may have harbored for years, according to the ZecOps security firm. ZecOps CEO Zuk Avraham suggested that the bug in Apple's iOS mobile operating system could be remotely triggered to steal data from the Apple devices, and had been exploited against high-profile users as far back as January 2018. Attackers would send victims an apparently blank email message through the Mail app, which would force the device to crash and reset, during which hackers could steal other data on the device. An Apple spokesperson said a fix will be launched in a forthcoming update on millions of devices sold globally. Apple security expert Patrick Wardle said the bug's discovery "confirms ... that well-resourced adversaries can remotely and silently infect fully patched iOS devices."

Virtual Army Rising Up to Protect Healthcare Groups From Hackers
The Hill
Maggie Miller
April 22, 2020


A growing number of white-hat hackers are offering their skills to thwart cybercriminals attempting to exploit healthcare organizations' increased reliance on networks during the COVID-19 pandemic. For example, the nonprofit COVID-19 CTI League counts more than 1,400 volunteers throughout 76 nations, who are applying their experience in information security, telecommunications, and law enforcement to defend hospitals treating COVID-19 patients. An initial progress report from the CTI League indicated that members have assisted law enforcement in eliminating almost 3,000 cybercriminal assets online and identified more than 2,000 cyber vulnerabilities at hospitals, healthcare groups, and supporting facilities. Chris Krebs at the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said the CTI League "has helped disseminate indicators of compromise to network defenders, improve vulnerability management in the nation's medical infrastructure, and manage supply-chain risks in the medical sector."

Smart IoT Home Hubs Vulnerable to Remote Code Execution Attacks
ZDNet
Charlie Osborne
April 22, 2020


Security researchers at the ESET Internet security company said three Internet of Things (IoT) home hubs contain vulnerabilities that open them up to remote code execution (RCE), data leaks, and Man-in-the-Middle (MitM) attacks. The Fibaro Home Center Lite device controller exhibits bugs that include missing certificate validation in TLS connections, exposing users to MitM attacks and command injection. Meanwhile, eQ-3's Homematic Central Control Unit, which manages programming and logic functions for Homematic appliances, has an RCE flaw in its CGI script that permits RCE hacks by unauthenticated users, and full device hijacking. Bugs in Elko's eLAN-RF-003, a smart radio frequency box, permit all commands to be executed without credentials or session cookie usage; these flaws could leak sensitive information, enable MitM attacks, and allow deployment of malicious packets for code execution.

AI Spots Critical Microsoft Security Bugs 97% of the Time
VentureBeat
Kyle Wiggers
April 16, 2020


Microsoft says it has developed an artificial intelligence system that correctly distinguishes between security and non-security software bugs 99% of the time. The software giant said the model also accurately identifies critical, high-priority security bugs 97% of the time. The system was trained on a dataset of 13 million work items and bugs from 47,000 developers at Microsoft stored in the AzureDevOps and GitHub repositories. As the model was created, security experts approved the training data and used statistical sampling to provide a manageable amount of data. Wrote Microsoft's Scott Christiansen and Mayana Pereira in a blog post, "We discovered that by pairing machine learning models with security experts, we can significantly improve the identification and classification of security bugs."

Why a Data Security Expert Fears U.S. Voting Will Be Hacked
The Wall Street Journal
Alexandra Wolfe
April 24, 2020


Finnish data security expert Harri Hursti worries that the U.S. voting system is rife with unpatched vulnerabilities that leave it susceptible to election rigging. One uncorrected flaw Hursti discovered in 2005 is that removable memory cards for machines used in Florida's elections could be programmed to change votes. In the ensuing years, Hursti found weaknesses in other voting machines in different states, but election officials and voting-machine manufacturers have apparently not followed his urgings to fix those flaws. Hursti also warns in the HBO documentary "Kill Chain: The Cyber War on America's Elections" that many voting systems have modems or other types of network connectivity that transmit data which hackers could intercept. Election companies claim the machines cannot be accessed externally if proper security measures are followed, but Hursti says he found more than 1,000 such machines for sale on eBay, which hackers could purchase.

Why Voting Online Is Not the Way to Hold an Election in a Pandemic
The Economist
April 28, 2020


The COVID-19 pandemic's disruption to elections worldwide has rekindled interest in voting online, but experts warn it would be too vulnerable to breaches and cyberattacks. A paper by the nonprofit International Foundation for Electoral Systems warns against launching online voting during a pandemic. Rigging elections by falsifying millions of paper ballots would be a massive undertaking, but any malefactor who finds a bug in an electronic voting system can theoretically exploit it at a large scale. A lack of unified auditing measures compounds the problem, as any suspicion of interference by an outside power can cast doubt on the entire electoral process. Estonians trust their online voting system partly because state-issued electronic identification and smartcards ensure authentication, but Jeremy Epstein of ACM’s U.S. Technology Policy Committee said, "Because of the pathological fear of government intrusion, this would never fly in the U.S."

Do Privacy Controls Lead to More Trust in Alexa? Not Necessarily, Research Finds
Penn State News
Jessica Hallman
April 23, 2020


Researchers at Penn State University have found that giving smart assistant users the option to adjust settings for privacy or content delivery, or both, does not necessarily increase their trust in the device. For some users, having such control could have an unfavorable effect. The team found that trust in Amazon Alexa increased for regular users who were given the option to adjust their privacy and content settings. However, for those users whose skills and expertise are more advanced than others—known as power users—trust decreased when they were given the opportunity to adjust privacy settings. The researchers also found that users who were sensitive about their privacy found content less credible when given the option to customize their privacy settings.

China Rolls Out Pilot Test of Digital Currency
The Wall Street Journal
Jonathan Cheng; Grace Zhu
April 20, 2020


The People's Bank of China has rolled out a digital currency across four cities—Shenzhen, Suzhou, Chengdu, and Xiong'an—in a pilot program. The cryptocurrency, presently designated digital currency/electronic payment (DC/EP), has features in common with bitcoin and Facebook's Libra cryptocurrency. China's central bankers said DC/EP is designed to replace some of the country's cash in circulation, while bank deposits and balances held by privately run payment platforms will remain intact. The government instructed civil servants in Suzhou's Xiangcheng district to begin installing an app on their smartphones this month into which the cryptocurrency would be transferred, covering half their transport subsidy. China's central bank has said transitioning to a government-run digital payment system will help counter money laundering, gambling, and terror financing, and improve the transaction efficiency of China’s financial system.

More Companies Now Require Information Technologists Who Are Dedicated To Cybersecurity

The Cincinnati Business Courier (4/13, Subscription Publication) reports there’s a “huge demand for more people in the workforce who are focused on cybersecurity,” according to an associate professor at the University of Cincinnati’s School of Information Technology. Chengcheng Li says that, “in the past, cybersecurity wasn’t a separate focus area in IT.” But many companies now “require information technologists who are dedicated to cybersecurity and the organizational structure to support that focus area, as well.” And for people who “already work in IT but choose to refocus their energies in the area of cybersecurity, the switch can be lucrative.”

Growing Popularity Of Online Proctor Services Raising New Concerns About Privacy

The Washington Post (4/1, Harwell) reports “online proctor” services have already “policed millions of American college exams, tapping into students’ cameras, microphones and computer screens when they take their tests at home.” Now these companies are “enjoying a rush of new business as the coronavirus pandemic closes thousands of American schools, and executives are racing to capture new clients during what some are calling a once-in-a-lifetime opportunity.” The explosive growth “casts light on what could be a pivotal moment for mass surveillance in the United States as privacy concerns clash with the unprecedented realities of a modern pandemic.”

 

 

Europe's Privacy Law Hasn't Shown Its Teeth, Frustrating Advocates
The New York Times
Adam Satariano
April 27, 2020


Lax enforcement of Europe's General Data Protection Regulation (GDPR) is disappointing proponents who hoped the law would rein in major technology companies' data collection without user consent. Since the law's 2018 enactment, only one fine of 50 million euros (nearly $55 million) has been levied against a big tech company—Google—amounting to about a tenth of its daily sales revenue. Privacy lobbyist Johnny Ryan said Europe's challenges in enforcing GDPR threaten to undermine efforts to fortify privacy rules elsewhere. Backers said forthcoming rulings involving large tech firms will constitute GDPR's biggest challenge, with Twitter expected to be penalized in an Irish case related to data breaches, while Facebook's WhatsApp messaging service could be punished for sharing data with other Facebook services. Critics argued that penalties have come too late and companies' legal appeals could stall actions, while limited government funding for data protection may discourage authorities from pursuing more complex cases.

Daniel Tauritz

May 19, 2020, 8:05:26 AM5/19/20
to sec-...@googlegroups.com

Coronavirus Tracking Apps Raise Questions About Bluetooth Security
The Wall Street Journal
Catherine Stupp
April 30, 2020


Governments and businesses intend to launch mobile applications that use Bluetooth to track coronavirus infections, but working with Bluetooth raises cybersecurity concerns, despite researchers' assurances that the technology keeps identifying data confidential. European governments recently announced their development of mobile apps to notify individuals who come into close contact with persons with COVID-19, while Singapore and Australia already are using Bluetooth-based tracing apps. Ben Seri at cybersecurity firm Armis said Bluetooth's massive complexity can lead to developer errors. In 2017, he found a flaw—since patched—in how mobile devices handled Bluetooth signals, which hackers could have exploited to move between devices using Bluetooth connections. Eliot Bendinelli at nonprofit Privacy International said mass use of tracing apps could encourage hackers to try to exploit devices with Bluetooth activated in their vicinity to launch remote cyberattacks.

Full Article

*May Require Paid Registration

 

 

AMD GPU Hijacked to Sneak PC Data
TechRadar
Anthony Spadafora
April 28, 2020


Researchers at security firm Duo modified an AMD Radeon Pro WX3100 graphics processing unit (GPU) as a radio transmitter to send data, without physically altering hardware. The researchers rigged the card's shader clock rates to become a tunable radio device, which they used to siphon data from an air-gapped PC that was behind a wall 50 feet away. The team employed radio frequencies generated by the GPU as it operated at different clock rates, while a Software-Defined Radio (SDR) device that plugs into a standard USB port received the stolen data. When coupled with ultra-high-frequency and directional ultra-wideband antennas on the PC, the SDR retrieved the data, while the open source GQRX software ran the receiver. The method is limited in that the host machine would have to be compromised by another exploit like malware, in order to set up the correct code.

Full Article

 

 

WordPress Security Flaws Hit Online Learning Platforms
TechRadar
Jitendra Soni
April 30, 2020


A study by Check Point Research found disconcerting security flaws in three leading WordPress plugins used by academic institutions and Fortune 500 companies to deliver remote learning sessions. These bugs expose the LearnPress, LearnDash, and LifterLMS plugins to remote code execution and SQL injection that can be used to steal personal data, alter account privileges, and siphon off money. The flaws essentially allow Learning Management System (LMS) platforms to be hijacked, and virtually anyone could change grades, forge certificates, and obtain test answers apart from stealing user data or transferring money to unauthorized accounts. Check Point's Omri Herscovici said, "Top educational institutions, as well as many online academies, rely on the systems that we researched in order to run their entire online courses and training programs." The LMS platforms have reportedly patched the flaws.

Full Article

 

 

Social Media Faster Than Official Sources to Identify Software Flaws
GCN
Susan Miller
May 4, 2020


A study by computer scientists at the U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL) found software flaws are likely to be discussed on social media prior to their disclosure on government reporting websites, which could potentially jeopardize national security. The researchers estimated 25% of social media discussions of software vulnerabilities from 2015 through 2017 appeared on social-media sites before their citation in the National Vulnerability Database, and it took nearly 90 days on average for the discussed gap to appear in the database. Analysis of the GitHub, Twitter, and Reddit social platforms revealed that GitHub was by far the most likely point where software bug-related discussions originate. Despite the security threat these vulnerabilities present, the PNNL team said they also offer an opportunity for governments to track social-media discourse about software gaps more closely.

Full Article

 

 

Computer Scientists Create System to Protect Users' Online Data
University of Waterloo Cheriton School of Computer Science
May 1, 2020


Computer scientists Miti Mazmudar and Ian Goldberg at the University of Waterloo's Cheriton School of Computer Science in Canada have invented a software-based system to help ensure data security for Internet users. The Mitigator system features a plugin that users can install in their browsers that will deliver a secure signal when they visit a website verified to process its data in compliance with its privacy policy. Mitigator's decryptor program passes users' data only to privacy policy-compliant programs, enabling users to confirm that the decryptor is the right program. Said Goldberg, "We want the user to get this assurance that the company's software is running correctly and is processing their data properly and not just leaving it lying around on disk to be stolen."

Full Article

 

 

ACM Europe TPC Statement on Principles, Practices for COVID-19 Contact Tracing Applications
ACM
May 5, 2020


The Europe Technology Policy Committee of the ACM (Europe TPC) has issued a statement detailing essential principles and practices for policymakers when making decisions about deploying COVID-19 contact tracing systems. No known tracing applications can fully preserve individual privacy and anonymity, while multiple technical issues hinder the ability to prove or assume the apps' accuracy. Moreover, high technical quality and functionality are insufficient for ensuring their efficacy. Europe TPC's recommended principles and practices include using a technical architecture that incorporates cross-border interoperability; an opt-in mechanism for app activation and deactivation/reactivation; user consent to sharing personal information; and either non-retention, or password protection and encryption, for all sensitive personal data. Europe TPC also urged public disclosure of app and server source code, expert vetting of the code during development, and public disclosure of the technology's solicitation and procurement and any conflicts of interest among developers.

Full Article

 

 

Making Cryptocurrency Payments Fast, Secure
ETH Zurich
Santina Russo
April 29, 2020


Researchers at ETH Zurich in Switzerland have developed a system that adds security and speed to Ether cryptocurrency payments. Their "Snappy" system runs in the background of the payment process, in which customers place a deposit of the same value as their purchase for as long as it takes to verify payment; this interval lasts up to three minutes for Ether, which is the latency of the Ethereum blockchain. The deposit does not show up in the user's virtual wallet, but the seller can immediately confirm the transaction without losing the sum, with any anomalies automatically appearing in the blockchain. Sellers also pay deposits that are higher than those of the buyers and are equal to the sum of all individual sellers' transactions occurring at the same time, which protects buyers from malicious seller behavior. ETH Zurich's Srdjan Capkun said, "That's why our solution can process payments so quickly and yet securely."

Full Article

 

 

Cybersecurity Staff Are Being Transferred to IT Support, Adding to the Risk of Data Breaches
ZDNet
Danny Palmer
April 29, 2020


According to a survey by the International Information System Security Certification Consortium, nearly half of 256 cybersecurity professionals polled reported having been reassigned to general IT tasks due to the global COVID-19 outbreak. Overall, 23% of respondents said the number of cyberattacks and other security incidents have risen since the transition to remote work; some teams are tracking double the number of incidents. Of the cybersecurity professionals who have been reassigned, 30% report an increase in security incidents against their organizations, while 17% of those who have not changed roles say they are handling more attacks. This could signal that organizations reassigning security staff to IT are at greater risk from hacking. Meanwhile, 15% of respondents said they lack the tools needed to protect remote workers, and 34% say they have those tools but worry that it's only for the time being.

Full Article

 

 

Why We Adopt Then Abandon Online Safety Practices
University of Michigan News
April 26, 2020


Researchers at the University of Michigan (UM) and NortonLifeLock's Research Group surveyed more than 900 people to gauge their use of 30 commonly recommended online safety practices, to better understand the trend of certain practices' adoption and abandonment. Security practices such as not clicking on unknown links or emails were found to be more widely adopted than privacy or identity theft countermeasures like ad blockers or credit report freezes. More than half of poll respondents did not follow recommendations for unique or strong passwords. The researchers suggested that damage from security risks is more concrete to users, versus damage from privacy and ID theft. UM's Florian Schaub said researchers, designers, and practitioners need "to not only better explain to people why it's important to keep doing something they had been doing at some point, but also figure out how to make security and privacy tools and solutions easier to use so that people are not struggling."

Full Article

 

 

University Of Cincinnati Scientists Investigating Potential Security Weaknesses Of Voice-Activated Digital Assistants

Tech Xplore (4/28) reports “voice-activated speakers like Amazon’s Alexa, Apple’s Siri and Google Home are becoming ubiquitous in homes, cars and offices.” But computer scientists at the University of Cincinnati are “investigating potential security weaknesses that hackers could exploit.” Boyang Wang, assistant professor in UC’s College of Engineering and Applied Science, was “awarded a two-year National Science Foundation grant for $175,000 to investigate one particular gap that malicious actors could exploit in smart speakers.”

 

 

Efforts To Use Smartphones To Improve Contact Tracing Lead To Privacy Concerns

The New York Times (4/29, Valentino-Devries, Singer, Krolik) reports an app “being used in North and South Dakota as part of statewide efforts to ramp up contact tracing for people infected with the” novel coronavirus “is part of a worldwide scramble to deploy smartphone tools to rein in the pandemic.” Dozens of “countries, states, universities and companies are racing to develop and begin using the digital tools, which public health experts said could improve person-to-person contact tracing but are not a panacea,” but “several technology law scholars expressed concern that even well-intentioned digital surveillance tools could become problematic and are difficult to withdraw.”

        The Washington Post (4/29, Timberg, Harwell, Safarpour) reports that nearly three in five Americans say they are either unable or unwilling to use the infection-alert apps under development by Google and Apple, suggesting a steep climb to win enough adoption of the technology to make it effective against the coronavirus pandemic.

        Joseph Ladapo of the UCLA David Geffen School of Medicine writes in a Wall Street Journal (4/29, Subscription Publication) op-ed that there are many civil liberties concerns emerging from the pandemic, including privacy violations and restrictions on freedom of movement, and that the debate and litigation will last a long time.

Daniel Tauritz

May 20, 2020, 8:08:55 AM5/20/20
to sec-...@googlegroups.com

Intel Confirms Critical New Security Problem for Windows Users
Forbes
Zak Doffman
May 11, 2020


Intel has verified a newly disclosed security flaw in Windows that exposes an apparently critical vulnerability on millions of computers. The Thunderspy exploit reportedly allows a hacker to read and copy all system data by physically wiring into the machine, even if a drive is encrypted and the computer is locked or set to sleep, while leaving no trace. Bjorn Ruytenberg at Eindhoven University of Technology in the Netherlands said the flaw affects all computers with Thunderbolt ports. Although computers shipped in the last year or so are equipped with Kernel Direct Memory Access (DMA) to patch the bug, it is uncertain how many units have this feature enabled.

Full Article

 

 

Samsung Patches 0-Click Vulnerability Impacting all Smartphones Sold Since 2014
ZDNet
Catalin Cimpanu
May 6, 2020


Samsung this week released a patch for a zero-click vulnerability affecting all smartphones the company has sold since 2014. The bug resided in how the Android OS version operating on Samsung devices manages the company’s custom Qmage image format. Mateusz Jurczyk with Google's Project Zero bug-hunting team said attackers could exploit the flaw without user interaction, because Android routes images sent to a device to the Skia Android graphics library for processing without the user's awareness. Jurczyk demonstrated a proof-of-concept exploit against the Samsung Messages app by sending repeated multimedia short-messaging services messages to a Samsung device, with each attempting to guess the Skia library's position in the phone's memory to circumvent Android's Address Space Layout Randomization safeguards. Once the library was pinpointed, a final message delivered the Qmage payload and executed the malicious code on the device.

Full Article

 

 

Researchers Find Bitcoin's Lightning Network Susceptible to Cyberattack
FIU News
Diana Hernandez-Alende
May 11, 2020


Florida International University (FIU) researchers warn that hackers can exploit Bitcoin's Lightning network to launch cyberattacks that include controlling botnets. Lightning, launched in 2017, allows for faster, more affordable transfers of bitcoin cryptocurrency. The researchers created a proof-of-concept botnet called LNBot to commandeer Lightning by exploiting unrecorded transactions. FIU's Ahmet Kurt said, "Since transactions aren't recorded on the blockchain, a botmaster can communicate with the C&C (Command and Control), and would never be discovered because there is no way to trace it back to the original botmaster." Lightning lacks a central model to authorize or reject messages on what can or cannot be passed. Kurt said possible countermeasures include taking down Lightning to prevent future attacks and compromises, and deactivating a C&C server.

Full Article

 

 

Companies Wrestle With Growing Cybersecurity Threat: Their Own Employees
Financial Times
Hannah Murphy
May 11, 2020


As companies navigate an increase in cyberattacks amid the coronavirus pandemic, they must contend with the security threat posed by their own employees. With the rise in remote working, more companies are turning to surveillance tools to prevent staff from leaking or stealing sensitive data, and demand is on the rise for cybersecurity firms that use machine learning and analytics to analyze employees' activity and identify problematic behaviors. India’s Mordor Intelligence said the data loss prevention market is expected to surge from $1.2 billion to $3.8 billion by 2025 as companies migrate data to the cloud. Critics are uncomfortable with the privacy and trust implications of using such tools on staff. Said former U.S. army intelligence sergeant and former Palantir executive Greg Barbaccia, “It’s intrusive, it’s not very culturally palatable.” Added Barbaccia, “To me, the insider threat is a cultural human problem. If someone wants to be malicious...you need to solve the human problem.”

Full Article

*May Require Paid Registration

 

 

China's Military Is Tied to Debilitating Cyberattack Tool
The New York Times
Ronen Bergman; Steven Lee Myers; Damien Cave
May 7, 2020


Israeli security firm Check Point Software Technologies traced a devastating new cyber-espionage tool to the Chinese military-affiliated Naikon hacker group. The Aria-body tool can be used to remotely hijack computers to copy, delete, or create files and sift through systems' data, and to cover its tracks to thwart detection. Check Point determined Naikon had used Aria-body to infiltrate government agencies and state-owned technology companies throughout Asia and the Pacific. Aria-body also can penetrate any computer used to open the file in which it is embedded, and rapidly force the device to follow intruders' commands—like establishing a secret, hard-to-detect line of communication by which data on the targeted system would flow to hacker-controlled servers. Aria-body also can render itself invisible by attaching itself to various types of files, leaving no set pattern of movement.

Full Article

*May Require Paid Registration

 

 

Preventing AI From Divulging Its Own Secrets
IEEE Spectrum
Jeremy Hsu
May 6, 2020


North Carolina State University (NC State) researchers have demonstrated the first countermeasure for shielding artificial intelligence from differential power analysis attacks. Such attacks involve hackers exploiting neural networks' power signatures to reverse-engineer the inner mechanisms of computer chips that are running those networks. The attack relies on adversaries physically accessing devices in order to measure their power signature, or analyze output electromagnetic radiation. Attackers can repeatedly have the neural network run specific computational tasks with known input data, and eventually determine power patterns associated with the secret weight values. The countermeasure is adapted from a masking technique; explains NC State's Aydin Aysu, "We use the secure multi-part computations and randomize all intermediate computations to mitigate the attack."

Full Article

 

 

Coronavirus Has Upended Election Security Training with Just Months Before November
The Washington Post
Joseph Marks; Tonya Riley
May 8, 2020


The University of Southern California (USC)'s Election Security Initiative is scrambling to virtually train campaign and election officials across the U.S. before the November elections, an effort upended by the coronavirus pandemic. The project originally aimed to host in-person trainings nationwide and allow attendees to connect with experts at local universities to help them prepare for cyberattacks, disinformation campaigns, and related threats from adversaries. New challenges presented by the pandemic include preparing for more voting by mail, and ensuring officials have mailing, envelope stuffing, and sorting technology to accommodate that spike. The initiative also is holding shorter training sessions via videoconference than it used to host in person, while postponed primaries add another layer of security problems by compounding skeptical voters' vulnerability to disinformation. Initiative executive director Adam Clayton Powell III said, “Security concerns now are more urgent in almost all cases because the virus has really exacerbated security issues.”

Full Article

*May Require Paid Registration

 

 

Internet-Based Voting Is the New Front in the Election Security Wars
The Washington Post
Joseph Marks
May 11, 2020


With states racing to overhaul voting amid the coronavirus pandemic, Internet-based voting is likely to become more prominent, despite persistent warnings of the technology's shortcomings in security and verifiability. The U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation, and the Election Assistance Commission recently issued guidance to states on the hazards of online voting systems that include ballots sent digitally to voters; ballots sent and marked online but printed out and returned by physical mail; and ballots received and returned wholly digitally. The agencies deemed the third system especially vulnerable to hackers altering large numbers of votes, blocking votes from being recorded, or undermining ballot secrecy.

Full Article

*May Require Paid Registration

 

 

Software Developed by SMU Stops Ransomware Attacks
Southern Methodist University
May 13, 2020


Engineers at Southern Methodist University (SMU)'s Darwin Deason Institute for Cybersecurity have developed software that identifies ransomware attacks before attackers can cause catastrophic damage, even if the ransomware is new and has not been previously used. This sensor-based ransomware detection does not rely on data from past ransomware infections to detect new ones on a computer. The software searches for small but distinguishable power surges in certain sensors within computers, in order to detect unauthorized encryptions. The software then alerts the computer to suspend or terminate the infection before the encryption can be completed. SMU's Mike Taylor said the software can scan computers in a fraction of the time that existing software can, identifying malware before extensive damage occurs.

Full Article

 

 

Security, Privacy Risks with Patient Portal Accounts in U.S. Hospitals
University of Manitoba
Chris Rutkowski
May 4, 2020


Researchers at the University of Manitoba (UM) in Canada, and North Carolina’s University of North Carolina at Charlotte and Wake Forest School of Medicine, found that U.S. hospitals may be encouraging privacy violations by allowing password sharing between patients and care providers. Staff at 102 hospitals were approached by an interviewer who said her elderly mother was moving to the area and asked how she could get access to her mother's medical data. Some 45% of those contacted recommended the mother share her patient portal credentials with the daughter, violating the hospitals’ terms of service. UM's Celine Latulipe said, “With COVID-19 and shelter-in-place orders ... older adults are relying on their caregivers to help them navigate these electronic systems and may feel they have no choice but to share passwords, opening up higher risk of fraud and undesired information disclosures."

Full Article

 

 

Israel to Launch 'Cyber Defense Shield' for Health Sector
The Jerusalem Post
Maya Margit
May 7, 2020


Israeli Health Ministry official Reuven Eliahu said Israel, in coordination with cybersecurity firm FireEye, has developed a "cyber defense shield" to provide real-time protection from attacks on that nation’s health sector. The tool will be freely available to all Israeli health organizations. Eliahu said the tool is being deployed in response to spiking state-sponsored attacks since the onset of the COVID-19 pandemic. Said Eliahu, “Our workers are at home, and it’s their home [systems] that are less protected. We see more and more state-sponsored players who are working as spies…. Many are looking to get their hands on solutions to the virus.”

Full Article

 

 

China's WeChat Monitors Foreign Users to Refine Censorship at Home
The Wall Street Journal
Eva Xiao
May 8, 2020


A study by the University of Toronto's Citizen Lab in Canada warned that China's multipurpose WeChat application is monitoring foreign users to strengthen government censorship. Although Chinese government censorship of foreign users is not as draconian as it is for Chinese users, images and documents sent through WeChat are still vetted for objectionable content, which the app adds to an internal blacklist to be censored for Chinese users in real time. By first applying content analysis to international users, WeChat can boost the efficiency of domestic censorship, although Citizen Lab said technical considerations rather than government directives could be the underlying reason. The Electronic Frontier Foundation's Eva Galperin thinks the study should give potential WeChat users pause. Said Galperin, "If I ... was running the security of a large corporation that was concerned about corporate spying from China, I might err on the side of caution."

Daniel Tauritz

May 23, 2020, 7:54:44 PM5/23/20
to sec-...@googlegroups.com

Microsoft Open-Sources Coronavirus Threat Intelligence
TechRadar
Anthony Spadafora
May 16, 2020


Microsoft has decided to open-source its coronavirus threat intelligence in order to give the security intelligence community resources to more proactively protect, detect, and defend against cyberattackers that use the pandemic to lure victims. Microsoft's security products already have embedded protection. By making some of its own threat indicators available to those not protected by its products, Microsoft hopes to raise awareness of how attackers shift their approach, ways to spot them, and how others can track down threats by themselves. Those indicators are currently available in the Azure Sentinel GitHub and via the Microsoft Graph Security application programming interface.

Full Article

 

 

Sneakier, More Sophisticated Malware On the Loose
IEEE Spectrum
Michelle Hampson
May 18, 2020


Researchers at Boston University and King's College London in the U.K., after analyzing more than 1 million samples of Android malware, have found that malware coding is being hidden more cleverly. The researchers used differential analysis to isolate software components irrelevant to the malware campaign, allowing them to study the behavior of just the malicious parts. The technique revealed several trends, including a major shift away from malware that supports premium rate fraud. Said King’s College London’s Guillermo Suarez-Tangil, “We observed that cryptography is present in 90% of the recent families [of malware]. To the best of our knowledge, there are only few malware-detection systems capable of dealing with these forms of obfuscation, and they all have limitations.”

Full Article

 

 

Supercomputers Hacked Across Europe to Mine Cryptocurrency
ZDNet
Catalin Cimpanu
May 16, 2020


Hackers have reportedly compromised multiple supercomputers in the U.K., Germany, Switzerland, and possibly Spain with cryptocurrency-mining malware. Last Monday, the U.K.'s University of Edinburgh disclosed an apparent security exploitation on the ARCHER supercomputer login nodes, prompting the system's shutdown and resetting of Secure Shell (SSH) passwords to prevent further intrusions. The German state of Baden-Wurttemberg's bwHPC organization also said that five of its high-performance computing clusters had been shut down due to similar security incidents. Last Wednesday, security researcher Felix von Leitner posted in a blog that a supercomputer in Barcelona, Spain, had been infiltrated. While these incidents weren't the first time crypto-mining malware has been installed on a supercomputer, these are the first attributed to hackers, rather than malicious employees.

Full Article

 

 

Apple, Google Launch Exposure Notification API, Enabling Public Health Authorities to Release Apps
TechCrunch
Darrell Etherington
May 20, 2020


Apple and Google have released the first public version of their exposure notification application programming interface (API), originally issued as a joint contact-tracing app. The Exposure Notification system is engineered to alert individuals of potential exposure to others with confirmed cases of Covid-19, while keeping identifying and location data private. Public health authorities can use the API in apps for the general public, and set standards on what defines potential exposure in terms of exposed time and distance, while also modifying transmission risk and other variables based on their own standards. The API employs a decentralized identifier system that utilizes randomly-generated temporary keys created on a user's device. Apple and Google will allow apps to use a combination of the API and voluntarily submitted user data supplied via individual apps, to enable public health agencies to contact exposed users directly and notify them of steps to take.

Full Article

 

 

Microsoft, Intel Project Converts Malware Into Images Before Analyzing It
ZDNet
Catalin Cimpanu
May 11, 2020


Microsoft and Intel collaborated on the STAMINA (STAtic Malware-as-Image Network Analysis) project to detect and classify malware by converting malware samples into grayscale images and scanning them for textural and structural patterns. The process involves taking an input file and converting its binary form into a stream of raw pixel data, then converting the one-dimensional pixel stream into a two-dimensional image for analysis by standard image analysis algorithms. STAMINA’s accuracy rate in identifying and classifying malware samples was 99.07%, with a false positives rate of 2.58%, according to the researchers. Microsoft said STAMINA is less effective with larger files "due to limitations in converting billions of pixels into JPEG images and then resizing them."

Full Article

 

 

Tech Chiefs Press Cloud Suppliers for Consistency on Security Data
The Wall Street Journal
Kim S. Nash
May 20, 2020


A coalition of corporate technology executives is pressing cloud providers to comply with a single standard of information on handling client data and cybersecurity. The Open Networking User Group this month intends to propose standards on how cloud vendors communicate security and governance information that clients need, in order to shield their systems and ensure regulatory adherence. FedEx’s Gene Sun said Amazon, Google, and Microsoft should support standardized security data disclosure, stressing that FedEx's own stakeholders demand transparency. Don Duet with the Concourse Labs consultancy said concerns about moving systems off-premises persist despite cloud's growing acceptance, and tech executives in highly regulated industries would procure more cloud services if vendors simplified how systems and data are managed. Raytheon’s Daniel Conroy added that more consistency in information would streamline customers' workload and encourage greater use of cloud computing.

Full Article

*May Require Paid Registration

 

 

Sony Says It Created World's First Image Sensor with Built-in AI
Bloomberg
Takashi Mochizuki; Vlad Savov
May 14, 2020


Sony announced its development of the world's first image sensor with built-in artificial intelligence (AI), which promises to accelerate and enhance the security of data collection. The sensor features a logic processor and memory, and can perform image recognition without generating any images in order to conduct AI tasks like identifying, analyzing, or counting objects without offloading data to a separate chip. Sony said this boosts privacy and facilitates near-instant analysis and object tracking. While the technology was developed for use by commercial customers, the company says it holds promise for consumer applications as well, like helping a smart device to identify objects and users securely.

Full Article

 

 

Risks Overshadow Benefits with Online Voting, Experts Warn
Government Technology
Lucas Ropek
May 15, 2020


With a handful of U.S. states launching online voting pilots amid fears that the COVID-19 pandemic could dampen voter turnout in the 2020 election, many experts warn that such technology carries more pitfalls than benefits. Stanford University's David Dill said it is impossible to ensure that devices and applications are free of vote-gaming malware, while hackers from foreign governments could theoretically infiltrate such systems to alter or rig votes. Meanwhile, a joint statement by the U.S. Federal Bureau of Investigation, Echelons Above Corps, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency discouraged wholesale adoption of online voting. Former ACM president Barbara Simons said, "Given the threat of the virus, vote-by-mail seems like the safest way for voters to cast their ballots in November."

Full Article

 

 

Blockchain: Not Just for Bitcoin
National Renewable Energy Laboratory
Wayne Hicks
May 14, 2020


National Renewable Energy Laboratory (NREL) researchers are considering the use of blockchain technology to help the nation's energy grid manage complex energy transactions at scale. Their experiments aimed to determine what could happen when two homes are connected by blockchain so one could sell excess solar power to the other, which required two blockchain transactions, one a secure transmission of data about the amount of energy generated, the other a payment to the seller. The research centered on NREL's foresee software solution, which uses homeowners' energy preferences to control connected appliances in the home. Foresee informed the second home when it would be cheaper to purchase renewable energy from its neighbor than to pay utility charges. NREL's Dane Christensen said, “Utilities are very interested in how to manage electric service without having to up-size all the grid equipment.”

Full Article
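
The STAMINA item in this digest describes turning a file's bytes into a pixel stream, folding that stream into a two-dimensional grayscale image, and resizing it for an image classifier. The sketch below is an added example of that preprocessing step, not Microsoft's or Intel's code; the width rule, the 16x16 output size, and the sample bytes are assumptions constructed for illustration.

```python
"""Byte-stream to grayscale-image preprocessing, as described in the STAMINA
summary. Added illustration only: the width heuristic and sizes are assumed."""
import math

# Constructed sample input (not a real executable): a fake "MZ" header with
# zero padding, a structured region, and a constant-fill region.
SAMPLE = b"MZ" + bytes(62) + bytes(range(256)) * 4 + b"\xcc" * 450


def pick_width(n_bytes: int) -> int:
    """Assumed heuristic: largest power of two <= sqrt(size), clamped to 16..1024."""
    root = max(1, math.isqrt(n_bytes))
    width = 1 << (root.bit_length() - 1)
    return min(1024, max(16, width))


def reshape(pixels: list[int], width: int, pad: int = 0) -> list[list[int]]:
    """Fold the 1-D pixel stream into rows of `width`, padding the last row."""
    if width <= 0:
        raise ValueError("width must be positive")
    rows = [pixels[i:i + width] for i in range(0, len(pixels), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] = rows[-1] + [pad] * (width - len(rows[-1]))
    return rows


def resize_nearest(image: list[list[int]], out_w: int, out_h: int) -> list[list[int]]:
    """Nearest-neighbour resize. This is the lossy step: for very large files
    most source pixels are never sampled, so fine structure is discarded."""
    in_h, in_w = len(image), len(image[0])
    return [
        [image[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
        for y in range(out_h)
    ]


def file_to_image(data: bytes, side: int = 16) -> list[list[int]]:
    """Bytes -> pixel stream -> 2-D image -> fixed-size classifier input."""
    if not data:
        raise ValueError("empty input has no pixels")
    pixels = list(data)  # each byte is one grayscale intensity, 0-255
    image = reshape(pixels, pick_width(len(pixels)))
    return resize_nearest(image, side, side)


def to_pgm(image: list[list[int]]) -> bytes:
    """Serialise as binary PGM (P5) so the result can be opened in a viewer."""
    height, width = len(image), len(image[0])
    header = f"P5\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(value for row in image for value in row)


if __name__ == "__main__":
    img = file_to_image(SAMPLE)
    print(f"{len(SAMPLE)} bytes -> {len(img[0])}x{len(img)} grayscale image")
    for row in img[:4]:
        print(" ".join(f"{v:02x}" for v in row))
```

The header, structured, and constant-fill regions of the sample land in visibly different bands of the output, which is the kind of texture an image model can learn from.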

 

Daniel Tauritz

May 30, 2020, 8:08:25 AM5/30/20
to sec-...@googlegroups.com

Arizona Sues Google Over Allegations It Illegally Tracked Android Smartphone Users' Locations
The Washington Post
Tony Romm
May 27, 2020


Arizona Attorney General Mark Brnovich has filed a lawsuit against Google claiming the search engine giant monitored the locations of Android smartphone users even when such features purportedly were disabled, in violation of the state's consumer protection laws. The suit contends Google’s mobile software is designed to benefit its targeted advertising business, and deceives phone owners about privacy safeguards. Android smartphones generally allow users to deactivate location tracking, but the complaint alleges that certain applications—like mapping and weather—continue to record location records and searches, even when turned off. Blocking this requires disabling another, hard-to-find setting, and the suit described the maze of menus users must navigate as deceptive. Google’s Jose Castaneda said the suit mischaracterizes the firm's services, and that the company has "always built privacy features into our products and provided robust controls for location data."

Full Article

*May Require Paid Registration

 

 

States Plead for Cybersecurity Funds as Hacking Threat Surges
The Hill
Maggie Miller
May 25, 2020


As hackers exploit the coronavirus crisis by targeting overwhelmed government offices, cash-strapped state and local governments are turning to Congress for funds to improve cybersecurity. Government entities across the U.S. have been contending with ransomware attacks for the past two years, and now they are seeing an increase in phishing attacks and other malicious activity related to Covid-19. An April letter to U.S. House and Senate leaders from a coalition of groups representing state and local officials requested that Congress "fully fund a dedicated cybersecurity program" to help respond to the stress placed on networks by remote working and the recent increase in attempted cyberattacks.

Full Article

 

 

Israeli Researchers Stop Cyberattacks with Discovery of Major DDoS Exploit
The Jerusalem Post
May 22, 2020


Researchers at Tel Aviv University (TAU) and the Interdisciplinary Center in Herzliya discovered a previously unknown Distributed Denial of Service exploit. The team suggested that a vulnerability within the Domain Name System (DNS) may have been responsible for a massive 2016 breach that crippled Amazon, Reddit, Spotify, and Slack; the attack used more than 1 million Internet of Things devices. The NXNSAttack involves an attacker infiltrating a DNS server and redirecting the resolver to send hundreds of thousands of requests to servers. The researchers alerted Google, Microsoft, Cloudflare, Amazon, Oracle’s Dyn, Verisign, and Quad9 (a nonprofit operating a privacy-and-security-centric public DNS resolver), which updated their software. TAU’s Afek said, "Our discovery has prevented major potential damage to Web services used by millions of users worldwide."

Full Article

 

Smartphones, Laptops, IoT Devices Vulnerable to BIAS Bluetooth Attack
ZDNet
Catalin Cimpanu
May 18, 2020


Researchers at the Swiss Federal Institute of Technology, Lausanne; Germany's CISPA Helmholtz Center for Information Security; and the U.K.'s University of Oxford found a new flaw in the Bluetooth wireless protocol that could make smartphones, tablets, laptops, and Internet of Things devices vulnerable to Bluetooth Impersonation AttackS (BIAS). The bug affects the Bluetooth Classic iteration, and resides in how devices authenticate the long-term key formed when two Bluetooth devices initially bond. The vulnerability allows hackers to spoof the identity of a previously bonded device, and to authenticate and link to another device without knowing the previously established long-term key. A successful BIAS exploit can enable attackers to access or commandeer another Bluetooth Classic device. The Bluetooth Special Interest Group has reportedly updated the Bluetooth Core Specification to prevent hackers from downgrading the Bluetooth Classic protocol from a "secure" authentication technique to a "legacy" authentication mode.

Full Article

 

 

Don’t Stand So Close to Me: AI Cameras Police Social Distancing at Work
The Wall Street Journal
Parmy Olson
May 15, 2020


Artificial intelligence-powered sensors are being repurposed to meet a surge in demand from organizations trying to comply with government guidelines on social distancing due to the COVID-19 pandemic. However, privacy advocates are concerned the technology could be used to track individuals and monitor productivity. Even if the initial implementation is for health and safety in the workplace, in the future vendors could repurpose their technology to monitor other kinds of behavior, according to Albert Gidari, director of privacy at the Stanford Center for Internet and Society. Employers should be transparent with workers and consider removing the technology after the pandemic is over, Gidari adds.

Full Article

 

Daniel Tauritz

Jun 7, 2020, 8:46:07 AM6/7/20
to sec-...@googlegroups.com

Apple Fixes Bug That Could Have Given Hackers Full Access to User Accounts
Ars Technica
Dan Goodin
June 1, 2020


The Sign in with Apple tool, which allows users to log in to third-party apps without revealing their email addresses, has fixed a bug that could enable attackers to gain access to those accounts. App developer Bhavuk Jain reported the zero-day vulnerability in the privacy-enhancing tool to Apple as part of the company's bug bounty program, and received a $100,000 reward. Sign in with Apple logs in users with either a JSON Web Token (JWT) or a code generated by an Apple server, which is then used to generate a JWT. Users can share the Apple email ID with a third party or keep it hidden, and in the latter instance, Apple creates a JWT that contains a user-specific relay ID. Jain found that an attacker could forge a JWT by linking any email ID to it, which would provide access to the victim's account.

Full Article

 

 

Java-Based Ransomware Targets Windows, Linux
TechCrunch
Zack Whittaker
June 4, 2020


Security researchers have uncovered new Windows- and Linux-targeting ransomware that uses a little-known Java file format to complicate detection before it is activated. An attack against an unnamed European educational institute was probed by consultancy KPMG in partnership with BlackBerry; they found a hacker had infiltrated the institute's network via a remote desktop server connected to the Internet, and deployed a persistent backdoor to easily access the network. The hacker re-entered several days later, disabled operating anti-malware services, spread the Tycoon ransomware module across the network, and set off the file-encrypting payload. BlackBerry's Eric Milam and Claudiu Teodorescu reported witnessing about a dozen "highly targeted" Tycoon infections in the past six months, implying that the hackers choose their victims carefully.

Full Article

 

MSU Continues To Investigate Data Breach, Will Not Pay Bounty

The Detroit Free Press (6/3) reports Michigan State University does not intend to pay ransom to hackers “threatening to publish students’ personal records and university financial documents” obtained in a data breach last week. Speaking on the university’s response to the attack, MSU Police Chief Kelly Roudebush said, “Paying cyber-intrusion ransoms perpetuates these crimes and provides an opportunity for the group to live another day and prey upon another victim.” WILX-TV Lansing, MI (6/3, 10) reports MSU Chief Information Officer Melissa Woo said, “The safety and security of our IT systems and the people who use them are of paramount importance to MSU. It is why MSU continues to work diligently to strengthen and improve our information security systems and share best practices with our campus community.”

Inside Higher Ed (6/4) carries similar coverage.

 

 

National Security Agency Exposes Tool Used by Russian Hackers
Bloomberg
William Turton
May 28, 2020


The U.S. National Security Agency (NSA) last week accused hackers from a unit within the Russian intelligence agency GRU of exploiting a software vulnerability commonly found in Linux computers. The NSA said the Sandworm hacking group has been using the flaw called "Exim," known as a Message Transfer Agent, since August 2019 to gain access to computers. The NSA's goal in releasing this information is to remove a tool from the Russian hacking arsenal by exposing how the flaw works. Users and administrators are urged to apply an already released fix for the Exim flaw.

Full Article

 

 

IoT Labels Will Help Consumers Figure Out Which Devices Are Spying on Them
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
May 27, 2020


Carnegie Mellon University CyLab Security and Privacy Institute researchers have developed a prototype security and privacy "nutrition label" for Internet of Things (IoT) devices, to inform consumers if those devices are used to monitor and collect information on them. The label includes a primary layer for display on a device's box, offering such information as the type of data the device collects, for what purpose, and with whom the data is shared. Scanning a quick response code on this layer allows consumers to access a secondary layer online for information like how long the device retains data, and how often it is shared. The researchers created the label in consultation with industrial, governmental, and academic security and privacy experts, along with an IoT label generator for manufacturers. CyLab's Pardis Emami-Naeini said, "The display of this information should be concise and understandable, akin to a nutrition label on food products."

Full Article

 

 

Harvard Professor Receives Prize for Contributions to Theoretical Computer Science
HPCwire
June 2, 2020


The ACM Special Interest Group on Algorithms and Computation Theory and the IEEE Computer Society Technical Committee on the Mathematical Foundations of Computing have named Harvard University professor Cynthia Dwork to receive the 2020 Donald E. Knuth Prize for contributions to theoretical computer science. Dwork’s research is credited with having had a transformative effect on distributed systems, cryptography, data privacy, and fairness in algorithmic decision-making. Dwork also is known for introducing and developing differential privacy, and for her accomplishments in nonmalleability, lattice-based encryption, concurrent composition, and proofs of work. Her foundational contributions to distributed systems include work on consensus, while her achievements in algorithmic fairness include formalization of the "treat like alike" principle.

Full Article

 

 

Blockchain to the Rescue of Small Publishers
QUT News
June 2, 2020


Researchers at Queen's University of Technology (QUT) in Australia and publisher Tiny Owl Workshop have developed a blockchain system for digital rights management and royalty distribution to facilitate new commercial opportunities for small publishers. The system uses open source blockchain technology to manage IP agreements and royalty payments, track purchases with a custom digital ledger, and monitor physical book sales via a Print and Electronic tracking system, in conjunction with a “marketing bellyband” containing a QR code. "This code gives purchasers of physical book copies a free download of one digital bundle from the ‘Education Edition’, linking physical book purchases in bookstores to online downloads; and providing a ledger of where customer transactions originate from," says QUT’s Mark Ryan.

Full Article

 

Daniel Tauritz

Jun 15, 2020, 7:55:02 AM6/15/20
to sec-...@googlegroups.com

Billions of Smart Home Devices Open to Attack
Tom's Guide
Nicholas Fearn
June 9, 2020


Security professional Yunus Cadirci discovered a vulnerability in the Universal Plug and Play (UPnP) networking protocol that could expose billions of smart home devices to cyberattack. As explained on a dedicated website, the CallStranger bug's use for exfiltration mainly impacts corporate networks, while the network-scanning and DDoS exploits target consumer Internet of Things devices. Cadirci thinks the flaw could affect billions of devices, as it extends to Windows devices, Xboxes, and most TVs and routers. Since he reported CallStranger to UPnP maintainer Open Connectivity Foundation, the group has published updates for the protocol. Cadirci recommends consumers disable UPnP on their home Wi-Fi router, and he has posted a Python script on GitHub to let users scan their local network for susceptible devices.

Full Article

 

 

Plundering of Crypto Keys From Ultrasecure SGX Sends Intel Scrambling Again
Ars Technica
Dan Goodin
June 9, 2020


Two separate academic teams reported two novel exploits that breach Intel's Software Guard eXtension (SGX), enabling hackers to plunder encryption keys and other sensitive data. Both the SGAxe and CrossTalk hacks compromise SGX-protected processor regions via separate side-channel attacks, measuring signals from the data storage system to infer sensitive information. Researchers at the University of Michigan and Australia's University of Adelaide determined that SGAxe can steal large chunks of SGX-protected data of an attacker's choice. Meanwhile, researchers at the Netherlands' Vrije University and Switzerland's ETH Zurich described CrossTalk as exploiting an undocumented "staging buffer" used by all Intel processor cores, retaining the results of previously executed offcore instructions across all cores. Intel expects to make fixes for the newly disclosed exploits available within weeks.

Full Article

 

Vulnerabilities in Popular Open Source Projects Doubled in 2019
ZDNet
Catalin Cimpanu
June 8, 2020


An analysis of the top 54 open source projects by RiskSense found an increase in the number of security vulnerabilities in these tools, from 421 in 2018 to 968 in 2019. Between 2015 and March 2020, RiskSense discovered 2,694 bugs in open source tools like Jenkins, MongoDB, Elasticsearch, Chef, GitLab, Spark, and Puppet. The company noted that it took 54 days on average for bugs found in these tools to be reported to the National Vulnerability Database. RiskSense found that although other open source projects had fewer bugs, those bugs were sometimes easier to weaponize, as with Vagrant virtualization software and the Alfresco content management system.

Full Article

 

 

Exploit Code for Wormable Flaw on Unpatched Windows Devices Published Online
Ars Technica
Dan Goodin
June 6, 2020


A GitHub user published proof-of-concept exploit code for a wormable Microsoft Windows vulnerability online, which could potentially spread between computers without user interaction if unpatched. The SMBGhost flaw is based in the Windows implementation of the Server Message Block (SMB), a service employed by operating systems to share files, printers, and other resources on local networks and online. The vulnerability can be remotely exploited by sending malware to an Internet-connected SMB port. The potential for SMBGhost exploits and the slow rate of fixing even critical security vulnerabilities is concerning for security professionals, and Microsoft acknowledged the chances of malicious exploits are "more likely." Microsoft said it issued an unscheduled update to address the flaw in March, following its disclosure and later depublishing by security firm Fortinet and Cisco security group Talos.

Full Article

 

DARPA Launches Contest For Hackers To Crack New Generation Of Super-Secure Hardware

The Washington Post (6/8, Marks) reports in the Cybersecurity 202 column that Defense Advanced Research Projects Agency (DARPA), the Pentagon’s top research agency, “thinks it has developed a new generation of technology that will make voting machines, medical databases and other critical digital systems far more secure against hackers.” DARPA is launching a contest “for ethical hackers to try to break into that technology before it goes public.” DARPA is “offering the hackers cash prizes for any flaws they find using a program called a ‘bug bounty.’” The new technology is based “on re-engineering hardware, such as computer chips and circuits, so that the typical methods hackers use to undermine the software that runs on them become impossible.”

 

 

 

Battling Anti-Encryption Drive, Tech Companies Pledge New Child Abuse Disclosures
Reuters
Katie Paul
June 11, 2020


Technology firms including Facebook, Google, and Microsoft, facing a growing push to restrict encryption in consumer technologies, have vowed to improve and standardize their yearly disclosures on online child abuse. The Technology Coalition, which coordinates industry action around child sexual exploitation, said its 18 member companies would set up a "multi-million" dollar fund to research patterns of abuse and build preventive technologies. Child welfare proponents say known images of child sexual abuse have ballooned in recent years as predators have increasingly employed social networks to lure victims and share images. The National Center for Missing and Exploited Children estimated Facebook generated more than 90% of U.S. child sexual abuse reports online in 2019. Meanwhile, the EARN IT Act unveiled in March by lawmakers would require tech companies to follow best practices to "earn" legal immunity from content posted on their platforms.

Full Article

 

 

Encrypted Messaging App Signal Adds Facial Recognition Protection for Protesters
CNet
Alexandra Garrett
June 4, 2020


Signal is introducing a blur tool to hide faces in photos before sharing them. The encrypted messaging app said the tool, which automatically detects and blurs faces in pictures, is intended to protect the identities of protesters demonstrating against police brutality. The tool also can be used to manually blur out tattoos, logos, street signs, and badges, among other things. Use of the app could potentially protect protesters from facial recognition tools increasingly used by law enforcement despite its inaccuracies, particularly among ethnic groups, women, and young people. Signal said an updated version of the app featuring the new tool will be available soon.

Full Article

 

 

Report Details New Cyber Threats to Elections From Covid-19
The Hill
Maggie Miller
June 5, 2020


A report compiled by New York University's Brennan Center for Justice outlines a wide range of cyber threats stemming from voting changes prompted by Covid-19. Such threats include attempts to target election officials working on unsecured networks at home, recovering from voter registration system outages, and securing online ballot request systems. Report co-author Lawrence Norden said election officials already dealing with cyber threats now face additional challenges due to the pandemic. Election-security upgrades come with funding challenges because of Covid-19 disruptions, and the Brennan Center calculates $4 billion must be appropriated to make needed changes. Said Norden, "There is no question that what Congress can do, and really has to do very soon, is provide more money to states and localities so they can invest in election security over the next few months."

Full Article

 

 

Cisco's Warning: Critical Flaw in IOS Routers Allows 'Complete System Compromise'
ZDNet
Liam Tung
June 4, 2020


Cisco has released information on four security flaws impacting router equipment that uses its IOS XE and IOS networking software. One flaw involves the authorization controls for the Cisco IOx application hosting infrastructure in Cisco IOS XE, which could allow a non-credentialed remote attacker to execute Cisco IOx application-programming-interface commands without proper authorization. Another flaw is a command-injection bug in Cisco's implementation of the inter-virtual machine (VM) channel of Cisco IOS Software for Cisco 809 and 829 Industrial Integrated Services Routers and Cisco 1000 Series Connected Grid Routers. The software inadequately validates signaling packets routed to the Virtual Device Server (VDS), which could allow attackers to send malware to an affected device, hijack VDS, and completely compromise the system. The two remaining bugs involve a vulnerability in Cisco's 800 Series industrial routers, through which hackers could remotely execute arbitrary code or cause it to crash and reload. Cisco says it has delivered updates to address the critical flaws affecting its industrial routers.

Full Article

 

Cybercriminals Find New Way To Extort Universities

Inside Higher Ed (6/11, McKenzie) reports “cybercriminals have found a new way to extort universities – stealing sensitive information and then threatening to share it on the dark web unless a bounty is paid.” In the last two weeks, Michigan State University, the University of California, San Francisco, and Columbia College Chicago have all been “targeted using malicious software known as NetWalker and given a deadline of six days to pay.” None of the institutions have “shared how much ransom was requested.”

 

 

In Anti-Piracy Work, Blocking Websites More Effective When Multiple Sites Are Targeted
Carnegie Mellon University Heinz College
June 2, 2020


Researchers at Carnegie Mellon and Chapman universities analyzed British anti-piracy efforts and found that blocking websites is more effective when targeting multiple channels. The investigators examined Internet service providers' blocking of a single dominant site in 2012, blocking of 19 piracy sites in 2013, and blocking of 53 video piracy sites in 2014. The single-site blockage in 2012 caused no increase in the use of legal sites, but did cause users to more often visit unblocked piracy sites and virtual private network sites. However, blocking multiple sites in 2013 and 2014 caused a decline in piracy, and boosted use of legal subscription sites by 7% to 12%. The researchers suggested the multiple-site-blocking strategy was more effective due to higher search and learning costs associated with piracy.

Full Article

 

 

Penn State Researchers Evaluate 2020 Census Data Privacy Changes
Penn State News
Kristie Auman-Bauer; Melissa Krug
May 29, 2020


The U.S. Census Bureau has proposed using differential privacy as a new method to protect the identities of individuals when publishing public data. A Penn State University-led research team found that when differential privacy was used on census data, it produced dramatic changes in population counts for racial and ethnic minorities compared to traditional methods. The researchers focused on mortality rate estimates because they are an essential population-level metric for which data is collected and disseminated at the national level; mortality rates also are a critical indicator of population health. The team examined changes in mortality rates resulting from two disclosure avoidance systems by metropolitan classifications. Said Penn State researcher Alexis Santos, "We discovered that by using differential privacy, there were both instances of under- and over-counting of the population."

Full Article

 

Daniel Tauritz

Jun 21, 2020, 11:43:52 AM6/21/20
to sec-...@googlegroups.com

Massive Spying on Users of Google's Chrome Shows New Security Weakness
Reuters
Joseph Menn
June 18, 2020


Awake Security researchers said they had identified a spyware effort that attacked users through 32 million downloads of add-ons to Google's Chrome Web browser. Google said it has removed more than 70 of the malicious extensions from the official Chrome Web Store. Awake's Gary Golomb said it was the farthest-reaching malicious Chrome store campaign identified to date, based on the number of downloads. The extensions were designed to avoid detection by antivirus and security software that evaluates the reputations of Web domains, and to connect to a series of websites and transmit information when someone used the browser to surf the Web on a home computer. It is unclear who was behind the malware campaign, as its developers used fictitious contact information when they submitted the extensions to Google.

Full Article

 

 

Adding Noise for Completely Secure Communication
University of Basel
June 12, 2020


Researchers at Switzerland’s University of Basel and ETH Zurich have established the theoretical foundations for 100% secure communication, ensuring protection not just against quantum computers, but also in instances where the communication devices' operational mechanisms and trustworthiness are unknown. The protocol adds artificial noise to information about the cryptographic key, guaranteeing eavesdroppers receive so little actual data as to render the protocol unbreakable. The University of Basel's Nicolas Sangouard said, "Since the first small-scale quantum computers are now available, we urgently need new solutions for protecting privacy. Our work represents a significant step toward the next milestone in secure communications."

Full Article

 

 

DARPA Invites Hackers to Break Hardware to Make It More Secure
CyberScoop
Sean Lyngaas
June 8, 2020


The U.S. Defense Advanced Research Projects Agency (DARPA) is inviting elite white-hat hackers to identify vulnerabilities in computer chips prior to their deployment in weapons systems or other critical technologies, offering a $25,000 bounty for each bug they uncover. The agency has enlisted Synack, a Silicon Valley-based penetration testing company, to audition potential hackers to filter out the less-talented. Synack hackers will tweak existing exploits to determine whether the DARPA-backed hardware can block them, trying to breach systems hosted in cloud computing networks. DARPA's Keith Rebello said the goal is to weed out as many vulnerabilities as possible prior to deployment, which can help the hardware industry break its "vicious cycle" of patching weak systems that have already been deployed.

Full Article

 

 

Spies Can Eavesdrop by Watching a Light Bulb's Vibrations
Wired
Andy Greenberg
June 12, 2020


Researchers at Israel’s Ben-Gurion University of the Negev and Weizmann Institute of Science have developed a long-distance eavesdropping method that exploits vibrations on the glass surface of a light bulb's interior. The lamphone technique allows anyone with a laptop, a telescope, and an electro-optical sensor to pick up sound with sufficient clarity to discern conversations or even recognize a piece of music, by measuring small changes in light output from the bulb caused by sound vibrations. Said Ben-Gurion’s Ben Nassi, "Any sound in the room can be recovered from the room with no requirement to hack anything and no device in the room. You just need line of sight to a hanging bulb, and this is it."

Full Article

 

 

Norway Pulls Its Coronavirus Contact Tracing App After Privacy Watchdog's Warning
TechCrunch
Natasha Lomas
June 15, 2020


Norway has suspended use of a coronavirus contact tracing application to allow changes to be made, after the Norwegian Data Protection Authority (DPA) said it presents a disproportionate threat to user privacy. The Smittestopp app tracks Bluetooth signals to estimate a user’s proximity to others to calculate exposure risk to Covid-19, while also tracking and continuously uploading each user’s location from real-time global-positioning system data. The DPA’s Bjorn Erik Thon said the Norwegian Institute of Public Health (FHI) “has not demonstrated that it is strictly necessary to use location data for infection detection.” Another troublesome aspect of the app, according to Luca Tosoni of the University of Oslo, was that app users “are currently unable to consent only to the use of their data for infection tracking purposes, without consenting to their data being used also for research purposes.”

Full Article

 

 

Inside the NBA's Plan to Use Smart Technology, Big Data to Keep Players Safe From Coronavirus
CNBC
Jessica Golden
June 17, 2020


The NBA plans to use smart technologies to protect players and staff from the coronavirus as 22 teams prepare to play games at Disney's Wide World of Sports complex in Orlando. In addition to subjecting players to extensive testing, quarantining them from their families, and imposing strict rules for social behavior, each will be given a "smart" ring, a Disney MagicBand, an individual pulse oximeter, and a smart thermometer. Oura's titanium rings can measure body temperature, respiratory functions, and heart rate and predict Covid-19 symptoms up to three days in advance with 90% accuracy. The MagicBand will act as a hotel room key, allow players to check in at security checkpoints and coronavirus screenings, and help with contact tracing. The league also is considering a small device that will set off an audio alert when the wearer is within six feet of another person for longer than five seconds.


Daniel Tauritz

Jun 27, 2020, 12:17:15 PM
to sec-...@googlegroups.com

This Dangerous Keylogger Could Change the Entire Malware Space
TechRadar
Anthony Spadafora
June 15, 2020


Cofense Intelligence, a developer of “intelligent phishing defense solutions,” is raising concerns about a new keylogger because of how quickly the malware is updated. According to Cofense, the creator of the Mass Logger keylogger, NYANxCAT, has been quickly adding features in response to customer feedback, with 13 updates seen over a recent three-week period. Cofense detected a campaign that delivered an encrypted Mass Logger binary using an attached GuLoader executable. Cofense also found NYANxCAT has incorporated advanced features into Mass Logger, such as its USB spreading capability and a function that allows cybercriminals to search for files with a specific file extension and exfiltrate them. NYANxCAT indicated in patch notes that new targets were added for the keylogger's credential stealing functionality, and measures were taken to reduce automated detection. Cofense said network admins should keep an eye out for FTP sessions or emails sent from local networks that do not conform to their organization's standards.


Intel Tiger Lake Processors Will Thwart Future Spectre, Meltdown Attacks
TechRadar
Carly Page
June 15, 2020


Intel said its Tiger Lake central processing units will feature hardware-based security that foils Spectre- and Meltdown-like malware attacks. The laptop processors will incorporate Control-Flow Enforcement Technology (CET), which guards against the misuse of legitimate code through control-flow hijacking attacks, according to the chip maker. CET, co-developed by Intel and Microsoft, offers Shadow Stack (SS) and Indirect Branch Tracking (IBT). SS uses a copy of a program's intended execution flow to block unauthorized changes to an application's intended execution order, to defend against return-oriented programming attacks. IBT defends against jump/call-oriented programming attacks. CET will be available in mobile processors that use the Tiger Lake microarchitecture, as well as in future Intel desktop and server platforms.


Researchers Develop Tool to Protect Children's Online Privacy
UT Dallas News Center
Kim Horner
June 23, 2020


Researchers at the University of Texas at Dallas (UT Dallas), the Georgia Institute of Technology, New York University, and Intel have developed a tool that can determine whether mobile applications for children comply with the federal Children's Online Privacy Protection Act (COPPA). The researchers used their COPPA Tracking by Checking Hardware-Level Activity (COPPTCHA) tool to determine that 72 of 100 mobile apps for children that they examined violated COPPA. COPPTCHA accesses a device's special-purpose register, a temporary data-storage site within a microprocessor that tracks its activities, and detects the signature of an app transmitting data. The tool was found to be 99% accurate in assessing apps' COPPA compliance; it found many popular game apps for young children exposed users' Android IDs, Android advertising IDs, and device descriptions. UT Dallas' Kanad Basu said apps that violate COPPA pose privacy risks that could enable bad actors to ascertain a child's identity and location.


USC Researchers Develop State-of-the-Art Biometric Security Systems
USC Viterbi School of Engineering
Rishbha Bhagi
June 15, 2020


Researchers at the University of Southern California's Information Sciences Institute have developed state-of-the-art biometric security systems for iris, face, and fingerprint recognition, under the auspices of the Biometric Authentication with Timeless Learner project. The system analyzes a biometric sample using multispectral data by shining light-emitting diode (LED) lights with different wavelengths on the sample. Machine learning algorithms analyze the collected data to differentiate between actual and spoofed biometrics. Tests performed by the Johns Hopkins Applied Physics Laboratory showed that the fingerprint and iris recognition systems were respectively 99.08% and 99.36% accurate in detecting spoofs, while the facial recognition system was 100% accurate.


Lack Of Specific Rules For Satellite Operators Could Lead To Vulnerable 5G Network

Breaking Defense (6/12, Hitchens) reported that as “satellite operators scramble to join the 5G revolution, there is growing concern that weakness in US regulatory standards for cybersecurity could mean commercial networks could be full of holes for hackers to exploit.” This means the US military could have to rely “on providers of space-based Internet connectivity who are not practicing good cyber hygiene.” Part of the issue is that “regulations governing commercial sat operators issued by the Commerce Department and the Federal Communications Commission (FCC) lack specific requirements for cybersecurity, including for encrypting satellite uplinks and telemetry.”

Chinese Scientists Make Progress In Secure Satellite Transmission Using Quantum Entanglement

The New York Times (6/15, Broad) reports that a team of 24 Chinese scientists published a study in the journal Nature, in which they “report new progress in building what appears to be the first unbreakable information link between an orbiting craft and its terrestrial controllers, raising the odds that Beijing may one day possess a super-secure global communications network.” The method “enlists quantum entanglement,” which “posits that a pair of widely separated subatomic particles can still seem instantaneously linked.” The Chinese authors “now show that they have increased its efficiency and reduced error rates enough to use quantum entanglement for the relay of cryptographic keys.” The team claimed in the report that the system “produces a secure channel that is resistant to attacks.”

New Study Proposes Government Actions To Boost Security For Internet Of Things

Politico (6/15, Starks) reports in the Morning Cybersecurity column that the Atlantic Council “said in a report published today that securing the internet of things will require stronger FTC enforcement authority, a clearer baseline set of security standards, international cooperation and a labeling system.” The paper “proposes an approach focused on applying ‘strategic upward pressure’ on IoT products’ supply chains.” The paper “says that by ‘applying regulatory pressure on the distributor to sell products that adhere to a specified set of design and manufacturing standards,’ the US government can create a ripple effect that leads to compliant companies crowding out noncompliant ones, thus encouraging noncompliant firms to pressure suppliers to improve their components’ security.”