Dr. T's security brief


Daniel Tauritz

Jun 15, 2022, 7:50:10 PM
to sec-...@googlegroups.com

Secure Communication with Light Particles
Technical University of Darmstadt (Germany)
May 25, 2022

Researchers at Germany's Technical University of Darmstadt and telecommunications company Deutsche Telekom have developed an eavesdropping-proof communication network based on quantum key distribution. The system facilitates quantum key exchange, providing several parties with a common random number to encrypt/decrypt messages that third parties cannot decode. The system distributes photons to users from a central source in order to calculate the random number and the digital key; quantum entanglement ensures the key's security. The scheme employs a protocol in which quantum information is encoded in the photons' phase and arrival times, protecting it from environmental disruptions. The resulting quantum network is scalable in terms of user numbers, and requires no trusted nodes to be resilient.

'Tough to Forge' Digital Driver's License Actually Easy to Forge
Ars Technica
Dan Goodin
May 24, 2022


Security researchers have found that the supposedly hard-to-counterfeit digital driver's licenses (DDLs) in use in New South Wales, Australia, actually can be easily altered. Introduced in 2019, DDLs are used with an iOS or Android application that displays each holder's identity and age, and permits authentication. Researcher Noah Farmer found the DDL can be cracked by brute-forcing the four-digit personal identification number that encrypts the data, which can take less than an hour using publicly available scripts and a commodity computer. Once a hacker accesses encrypted DDL data, brute force enables them to read and alter anything stored on the file. Farmer aired the flaws in a blog post last week; it is not clear how, or if, Service NSW, which issued the digital driver’s licenses, plans to respond.


Countermeasure Against Unwanted Wireless Surveillance
Ruhr-Universität Bochum (Germany)
Annika Gödde
May 24, 2022


Researchers from Germany's Max Planck Institute for Security and Privacy, Ruhr-Universität Bochum, and the Cologne University of Applied Sciences have developed a system to protect privacy in wireless communications based on intelligent reflective surfaces (IRS). To prevent passive eavesdroppers from obtaining sensitive data transmitted via wireless communications through intercepted high-frequency signals, the team created IRS, which distributes many reflective elements over a surface and electronically adjusts the reflective behavior of each. Their IRShield solution uses an algorithm to create a random IRS configuration that disguises the wireless channels used so attackers are unable to read information about movements in the room from the signal. In testing, the researchers found IRShield was able to thwart 95% of such attacks.


Researchers Find Backdoor in WordPress Plugin for Schools
Ars Technica
Dan Goodin
May 20, 2022


Researchers at website security service Jetpack warned that WordPress's School Management Pro plugin contains a backdoor that enables hackers to take full control of sites using the package, which is sold to schools. The researchers said the website operation-management plugin has had the backdoor since at least version 8.9, which a third-party site said was issued last August. The researchers confirmed the backdoor via a proof-of-concept exploit, after WordPress.com support team members disclosed heavily obfuscated code on several sites that used the plugin. The backdoor, said the researchers, "allows any attacker to execute arbitrary PHP code on the site with the plugin installed." Users of the plugin should update it right away, and scan their sites for signs any new backdoors may have been added.

Report Spotlights Scale of Adtech's 'Biggest Breach'
TechCrunch
Natasha Lomas
May 16, 2022


The U.K.'s Irish Council for Civil Liberties (ICCL) released an analysis suggesting Google and other technology giants are processing and passing people's data billions of times a day through the real-time bidding (RTB) system. The ICCL described the surveillance-based ad auction system as "the biggest data breach ever recorded," tracking and sharing "what people view online and their real-world location 294 billion times in the U.S. and 197 billion times in Europe every day." Collectively, the organization calculated, U.S. Internet users' online behavior and locations are tracked and shared 107 trillion times annually, while Europeans' data is exposed 71 trillion times annually. These findings raise unsettling issues for European regulators, as Europe's General Data Protection Regulation was supposed to rein in adtech tracking and profiling.


iPhone Malware Runs Even When Device Is Off
Ars Technica
Dan Goodin
May 16, 2022


Academics at Germany's Technical University of Darmstadt (TU Darmstadt) created malware that exploits the continued operation of iPhone's Bluetooth chip, even when the device is off. The low-power mode (LPM)-targeting malware can allow attackers to track the phone’s location, or to run new features when the handset is deactivated. "Since LPM support is based on the iPhone's hardware, it cannot be removed with system updates," the researchers explained. "Thus, it has a long-lasting effect on the overall iOS security model." Real-world exploitation of these findings is limited since infections require a jailbroken iPhone, the researchers said, adding that other malware could target iOS' always-on feature.


Bluetooth Hack Can Unlock Tesla, Devices
Ars Technica
Dan Goodin
May 18, 2022


Sultan Qasim Khan at U.K.-based security firm NCC Group has devised an exploit for unlocking Teslas and countless other devices by hacking the Bluetooth Low Energy (BLE) standard. The simplest form of this relay attack involves two hackers who share data through an open Internet connection, and are respectively close to the Tesla and the authenticating phone. Attacker 1 captures the authenticating request from the Tesla and sends it to Attacker 2, who forwards the request to the phone and records and sends the phone-transmitted credential to Attacker 1, who then can unlock the car. The hack thwarts countermeasures like encrypting phone-transmitted credentials, and Khan said practically any BLE device that authenticates on proximity alone is susceptible.


Scientists Learn to Kill Cyberattacks in Less Than a Second
Cardiff University News (U.K.)
May 19, 2022


Researchers at Cardiff University in the U.K. and European aerospace company Airbus have developed a technique for automatically detecting and neutralizing cyberattacks in under a second. The method is based on monitoring and forecasting malware's behavior, rather than on analyzing its code structure. The team built a virtual model representing commonly used laptops, and they tested the detection method on it using thousands of malware samples. The approach prevented the corruption of up to 92% of computer files, and wiped out the malware in an average 0.3 seconds. Airbus' Matilda Rhode said, "This is an important step towards an automated real-time detection system that would not only benefit our laptops and computers, but also our smart speakers, thermostats, cars, and refrigerators as the 'Internet of Things' becomes more prevalent."


Differential Privacy the Correct Choice for 2020 U.S. Census
Columbia Engineering News
Holly Evarts
May 19, 2022


A study of the mathematical concept of differential privacy (DP) by Columbia University computer scientists concluded the U.S. Census Bureau's move to DP as a de-identification mechanism for the 2020 Census was appropriate. DP maintains the privacy of an individual's personal data by injecting random changes into the data. There had been concerns that such "noise" would result in artificial deflation of reported minority populations, and a subsequent loss in funding. The researchers found DP offers a stronger privacy guarantee, while swapping puts a disproportionate privacy burden on minority groups. Even when implemented with sufficient privacy, the researchers found swapping generally less accurate than DP.


Experts Say US Oil And Gas Industry Particularly Vulnerable To Cyberattacks

The Hill (3/20, Kagubare) reported, “As U.S. industries gear up for possible Russian cyberattacks amid the war in Ukraine, experts say the oil and gas industry is particularly vulnerable because it is not subject to government mandated cybersecurity standards and investments.” Unlike the heavily-regulated power sector, “the oil and gas industry is lagging behind in part because industry lobbyists pushed back against stricter regulations, said Peter Lund, a cyber expert and chief technology officer at Industrial Defender.”

Ransomware Group Uses Microsoft Flaws, AI Images In Campaign Of Cyberattacks

Bloomberg (3/17, Turton) reports Google found that a group of “ransomware hackers used a variety of techniques to try breaching hundreds of companies last year, exploiting a vulnerability in Microsoft Corp.’s Windows and using artificial intelligence technology to create fake LinkedIn profiles.” Google said in a blog post, “Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and health care, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.” Google said the group’s level of human interaction, supported by the fake LinkedIn profiles, set it apart from other Ransomware hackers.

SpaceX To Prioritize Cybersecurity. The Washington Times (3/7, Lovelace) reported that SpaceX “is shifting its focus toward cyber as Russian signal jamming and security concerns have disrupted the satellite internet services the company is working to provide to Ukraine.”

US Government Warns Of Potential Cyber Attacks. NextGov (3/8) reports that the US intelligence community’s 2022 Annual Threat Assessment Report and other national security officials have warned Russian cyber attacks associated with the war in Ukraine could impact other countries. US Cyber Command commander and National Security Agency Director Gen. Paul Nakasone said, “We have to be prepared for the Russians and any other threat that would try to put us at risk in cyberspace. In terms of Russia, they have conducted several attacks in Ukraine – three or four upon which we’ve watched and we’ve tracked very carefully.” The Annual Threat Assessment Report names China as the most significant cyber threat to the United States, and also names Russia a “top cyber threat” that is “focused on improving its ability to target critical infrastructure.”

President Signs Executive Order Initiating Broad Federal Look At Cryptocurrencies

The AP (3/9, Hussein) reports that on Wednesday, President Biden “signed an executive order on government oversight of cryptocurrency that urges the Federal Reserve to explore whether the central bank should jump in and create its own digital currency.” The AP says the Administration “views the explosive popularity of cryptocurrency as an opportunity to examine the risks and benefits of digital assets, said a senior administration official who previewed the order Tuesday.” The New York Times (3/9, Rogers, Livni) says that the move comes amid an “increasing number of countries exploring central bank digital currencies” and among a “desire to maintain American technological leadership.” The Wall Street Journal (3/9, Duehren, Subscription Publication) reports a senior Administration official said, “This is not a niche issue anymore, and it’s profoundly important that we have the right tools to mitigate the risks to consumers and to investors and frankly to the entire financial system.”

The Washington Post (3/9, Newmyer) reports Treasury Secretary Yellen said in a statement, “As we take on this important work, we’ll be guided by consumer and investor protection groups, market participants, and other leading experts. Treasury will work to promote a fairer, more inclusive, and more efficient financial system, while building on our ongoing work to counter illicit finance, and prevent risks to financial stability and national security.”

Reuters (3/9, Shalal, Johnson) reports the order “will require the Treasury Department, the Commerce Department and other key agencies to prepare reports on ‘the future of money’ and the role cryptocurrencies will play.” The order “is part of an effort to promote responsible innovation but mitigates the risk to consumers, investors and businesses, Brian Deese, director of the National Economic Council, and Jake Sullivan, White House national security adviser, said in a statement.”

Democrats Divided Over Cryptocurrency

Politico (3/15, Warmbrodt) reports that questions concerning “how to police digital currency and whether to support its adoption are driving a rift not just between” Democrats’ “liberal and centrist wings but also among progressives who often see eye-to-eye on financial regulation.” Sen. Elizabeth Warren (D-MA) “has emerged as one of the party’s most vocal cryptocurrency critics, warning that it exposes consumers to danger, is ripe for financial crimes and is an environmental threat because of its electricity usage. But a new generation of progressives – and a number of other senior Democrats – are embracing the startup industry” and are “arguing against regulations that could stifle what proponents say is a new avenue for financial inclusion and a breakthrough alternative to traditional banks.” Politico says the “lack of consensus among Democrats means it’s unlikely Congress will act anytime soon to pass major legislation laying out the direction of regulation of the new market.”

Daniel Tauritz

Jun 17, 2022, 11:17:50 PM
to sec-...@googlegroups.com

Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch
Wired
Lily Hay Newman
June 3, 2022


A zero-day flaw in Microsoft's Support Diagnostic Tool that researchers said could be exploited to remotely hijack targeted devices remains unpatched. Hackers can pass malicious Word documents through the Follina vulnerability using a remote template that retrieves a malicious HTML file and enables execution of Powershell commands within Windows. Tom Hegel at security company SentinelOne said, "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it." Hackers have been seen exploiting Follina through malicious documents, but Hegel warned less-documented exploits, including manipulating HTML content in network traffic, also remain unpatched. Microsoft proposed disabling a protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block the flaw’s exploitation; incident responders are urging more action.


Voting Software Vulnerable in Some States
Associated Press
Kate Brumback
June 1, 2022


The U.S. Cybersecurity and Infrastructure Agency (CISA) warned state election officials that Dominion Voting Systems' electronic voting machines contain software flaws that could be exploited if left unpatched. Although there is no evidence the machines have been hacked to change election results, the advisory discloses nine vulnerabilities, and recommends safeguards to prevent or detect exploitation. Despite CISA executive director Brandon Wales' statement that "states' standard election security procedures would detect exploitation of these vulnerabilities, and in many cases would prevent attempts entirely," the advisory seems to suggest those efforts are inadequate. Advised mitigation strategies include application of continued and enhanced "defensive measures to reduce the risk of exploitation of these vulnerabilities" prior to every election. CISA also urged aggressive pre- and post-election testing on the machines, post-election audits, and having voters confirm the human-readable portion on printed ballots.


Hackers Steal WhatsApp Accounts Using Call Forwarding Trick
BleepingComputer
Ionut Ilascu
May 31, 2022


Rahul Sasi at digital risk protection company CloudSEK published details of a call forwarding hack for WhatsApp accounts. Sasi said a hacker must persuade the victim to call a number that begins with a Man Machine Interface (MMI) code that facilitates call forwarding; a different MMI code can forward calls to a terminal to a different number, or when the line is busy or reception is lacking. Once the victim is fooled into forwarding calls to their number, the hacker initiates WhatsApp registration on their device, opting to receive a one-time password via voice call. They can then register the victim's WhatsApp account on their device, and enable two-factor authentication (2FA) to block legitimate owners from their account. Activating 2FA in WhatsApp can prevent this exploit.


Tech Experts Urge Washington to Resist Crypto Industry's Influence
Financial Times
Scott Chipolina
May 31, 2022


A coalition of 26 leading computer scientists and academics has submitted a letter to U.S. lawmakers urging a crackdown on cryptocurrency investments and blockchain technology. The letter calls on major Senate figures "to resist pressure from digital asset industry financiers, lobbyists, and boosters to create a regulatory safe haven for these risky, flawed, and unproven digital financial instruments." Signatory Bruce Schneier at Harvard University said blockchain, contrary to advocates' assurances, is insecure and not decentralized. Events like the recent implosion of the TerraUSD stablecoin have rekindled worries about crypto's financial stability, while letter signatory and former Microsoft engineer Miguel de Icaza argued, "The computational power [of blockchain] is equivalent to what you could do in a centralized way with a $100 computer."

*May Require Paid Registration


Popular Python, PHP Libraries Hijacked to Steal AWS Keys
BleepingComputer
Ax Sharma
May 24, 2022


A Reddit user reported a software supply chain attack breached the Python Package Index (PyPI) module "ctx" this month to steal environment variables, exfiltrating data like Amazon Web Services keys and uploading them to a server on the Heroku cloud platform. Ethical hacker Somdev Sangwan also warned of an identical attack involving altered versions of a "phpass" fork published to the PHP/Composer package repository Packagist. The ctx module is downloaded more than 20,000 times a week, while the PHPass framework has been downloaded over 2.5 million times on the Packagist library. Ctx lets developers manipulate dictionary objects, and although PyPI has removed the tainted versions, copies retrieved from the Sonatype security research team's malware archives found malware in all versions. The PyPI and PHP packages contain the same logic and Heroku endpoints, suggesting a common hijacker.


AI Could Prevent Eavesdropping
Science
Matthew Hutson
May 31, 2022


Neural Voice Camouflage technology can help to prevent eavesdropping by producing custom background noise, which thwarts artificial intelligence (AI) that captures and transcribes recorded voices. The solution uses machine learning to alter audio so the AI, but not people, misinterpret sounds. Columbia University researchers trained a neural network on hours of recorded speech so it can constantly process two-second clips of audio, masking what it predicts will be spoken next. The researchers overlaid their system's output onto recorded speech as it fed into an automatic speech recognition (ASR) system; their technology boosted the ASR software's word error rate from 11.3% to 80.2%. Said Columbia University’s Mia Chiquier, “Artificial intelligence collects data about our voice, our faces, and our actions. We need a new generation of technology that respects our privacy.”


Peekaboo! A System to Guarantee Smart Home Privacy
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
May 31, 2022


Researchers at Carnegie Mellon University's CyLab Security and Privacy Institute have developed a privacy-sensitive architecture for smart home applications. Peekaboo accepts requests from developers to share certain pieces of data, and guarantees only the minimum data needed to satisfy the requests is exchanged. The architecture has developers first declare all the data they intend to gather and under what conditions, where that data is being sent, and its granularity; an in-home hub then arbitrates between all devices in the home and the outside Internet. CyLab's HaoJian Jin said, "The Peekaboo protocol will allow users to manage privacy preferences for all of their devices in a centralized manner through the hub. Imagine not just a privacy nutrition label for an individual device, but a privacy nutrition label for an entire home."


Ed Tech Wrongfully Tracked Schoolchildren During Pandemic: Human Rights Watch
ZDNet
Julian Bingley
May 26, 2022


A Human Rights Watch (HRW) study of 164 government-endorsed education technology products used by students during the COVID-19 pandemic found that 146 of those products endangered children's privacy by collecting and selling their contact, keystroke, and location data to ad tech companies. The study found that 199 third-party companies received such personal data, even though just 35 vendors had disclosed that data would be collected for behavioral advertising. Overall, HRW said the privacy of about 41 million students and teachers was endangered by these products. In Australia, the study found Minecraft Education Edition, Cisco's Webex, Education Perfect, Microsoft Teams, Zoom, Webex, and Adobe Connect were among the programs able to track students.


Reno Trusting the Blockchain with Building Records
Gizmodo
Lucas Ropek
June 2, 2022


Reno, NV, has launched a blockchain-based program for storing records in order to improve "clarity and transparency" in record-keeping. The Web portal will let residents more easily engage with the city's government, and the site records interactions using blockchain software. The platform initially will be used to enhance access to Reno's Historic Registry records system, so users can file requests for repairs or modifications to historic buildings; the portal will record and validate the requests, along with the government's responses. The program is built on the STRATO application from the BlockApps software company. The city said in a press release that STRATO is "purpose-built for permanent record-keeping and is not a significant source of energy usage or greenhouse gas emissions."


Tim Hortons App Tracked Too Much Personal Information Without Adequate Consent
CBC (Canada)
Nojoud Al Mallees
June 1, 2022


An investigation by the Office of the Privacy Commissioner of Canada, working with similar agencies in British Columbia, Quebec, and Alberta, found a mobile application used by fast food chain Tim Hortons unnecessarily tracked extensive amounts of personal data without adequate consent from users. The investigation determined the company collected location data for targeted advertising and product promotion, but did not use it for those purposes. The chain was using third-party service provider Radar to track this data, which had few contractual protections while being processed; Tim Hortons stopped collecting the data in August 2020. Canada’s privacy commissioner Daniel Therrien said the extensive nature of the location tracking ecosystem “heightens the risk of mass surveillance."


AI Poses Unique Risk For Cybersecurity At Financial Institutions

The Wall Street Journal (3/22, Vanderford, Subscription Publication) reports cybersecurity experts are warning that US banks are uniquely exposed to Russia-linked cyberattacks, particularly as related to vulnerabilities in their AI systems. According to Andrew Burt, a former Policy Adviser to the head of the cyber division of the FBI, AI systems are vulnerable to their complex analytic systems and the outsized role they are now playing in financial services at various institutions. Machine learning programs are particularly at risk due to the relative infancy of the field and the complex roles they play in financial services, according to experts.

Politico (3/22, Davidson, Weaver) reports the Treasury Department, “which is in regular contact with Wall Street on cybersecurity issues, has increased its meetings with financial firms since the Russian invasion began,” according to a source. “Those sit-downs include classified briefings and tabletop exercises, with an eye toward gaming out how officials in the sector and in the government would respond and coordinate in the event of a major cyberattack on the U.S. financial infrastructure.”

Okta Announces Cybersecurity Breach By Hackers

Reuters (3/22) reports Okta Chief Security Officer David Bradbury announced in a blog that hackers were able to breach the computer of a third-party customer support engineer in mid-January, but “the potential impact to Okta customers is limited to the access that support engineers have.” Bradbury added, “There are no corrective actions that need to be taken by our customers,” but he acknowledged that some of the company’s customers “may have been impacted” and Okta is attempting to identify those customers. Reuters mentions FedEx and Moody’s among the prominent companies using Okta’s services, and FedEx said in a statement, “we currently have no indication that our environment has been accessed or compromised.” Independent security researcher Bill Demirkapi questioned Okta’s response, saying, “In my opinion, it looks like they’re trying to downplay the attack as much as possible, going as far as directly contradicting themselves in their own statements,” and Phobos Group founder Dan Tentler warned Okta customers to “be very vigilant right now.”

CNN (3/23, Lyngaas) reports, “A January cybersecurity incident at popular identity authentication provider Okta may have affected hundreds of the firm’s clients, Okta acknowledged late Tuesday amid an ongoing investigation of the breach. ‘[W]e have concluded that a small percentage of customers – approximately 2.5% – have potentially been impacted and whose data may have been viewed or acted upon,’ Okta chief security officer David Bradbury said in a statement.”

Additional coverage was provided by USA Today (3/22, Molina), the New York Post (3/22), and the Daily Mail (UK) (3/22).

President Warns Of Potential Russian Cyberattacks

The AP (3/21, Suderman) reports that in an address to CEOs of the Business Roundtable on Monday, President Biden “urged U.S. companies to make sure their digital doors are locked tight because of ‘evolving intelligence’ that Russia is considering launching cyberattacks against critical infrastructure targets.” Biden “told the business leaders they have a ‘patriotic obligation’ to harden their systems against such attacks. He said federal assistance is available, should they want it, but that the decision is theirs alone.”

Reuters (3/21, Shakil) reports that in a statement earlier on Monday, Biden warned there was “evolving intelligence” that the Russian government was considering options for potential cyberattacks. The President said, “I urge our private sector partners to harden your cyber defenses immediately,” adding everyone needed “to do their part to meet one of the defining threats of our time.” CNN (3/21, Vazquez, Judd, Lyngaas) reports Biden said his team would “continue to use every tool to deter, disrupt, and if necessary, respond to cyber attacks against critical infrastructure,” but added that “the federal government can’t defend against this threat alone.” US officials “have been warning the private sector for months about the possibility of Russian retaliatory hacking over sanctions against the Kremlin.” The US departments of Energy, Treasury and Homeland Security, “among others, have briefed big electric utilities and banks on Russian hacking capabilities, and urged businesses to lower their thresholds for reporting suspicious activity.”

Bloomberg (3/21) says that while the White House “provided few details about the nature of the threat, the president’s message underscored the continuing threat in cyberspace for U.S. businesses and organizations.” Politico (3/21) says the statement is significant because it “came under the president’s own name. It also referred to new intelligence about attacks being planned instead of potential Russian cyber activities.”

Biden Administration Asks Companies To Report Cyberattacks

The New York Times (3/23, Conger) reports, “The Biden administration is warning American businesses in increasingly stark terms about Russian cyberattacks, providing thousands of companies with briefings on the threats to critical infrastructure and urging companies to comply with a new law that will require them to report any hacks,” but “some details of the law remain unclear, leaving executives with questions about what the legislation means for them.” In a statement this week, Biden “encouraged private companies to strengthen their defenses. Administration officials are particularly concerned about attacks targeting critical sectors like utility companies and hospital systems. The new law was included in the spending package that Mr. Biden signed last week. Under the law, companies will be required to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of discovering a hack,” and “they must also alert the agency within 24 hours of paying ransom to attackers who hold their data hostage.”

Health Data Of Nearly 50M People In US Breached Last Year, Analysis Finds

The Hill (3/23, Beals) reports, “The health data of almost 50 million Americans was breached last year, according to a Politico analysis of data from the Department of Health and Human Services.” Healthcare “organizations in every state except South Dakota reported data breaches in 2021,” and “half of states, as well as Washington, D.C., saw more than 1 in 10 of their residents have their health information accessed without authorization, Politico found.”

Daniel Tauritz

Jun 27, 2022, 7:20:49 PM
to sec-...@googlegroups.com

Intel, AMD Hertzbleed CPU Vulnerability Uses Boost Speed to Steal Crypto Keys
Tom's Hardware
Paul Alcorn
June 14, 2022


Researchers from Intel, the University of Texas at Austin, the University of Illinois at Urbana-Champaign, and the University of Washington have identified the "Hertzbleed" bug, which affects Intel and AMD central processing units (CPUs), among others. The flaw facilitates side-channel attacks that can compromise AES cryptographic keys by measuring the CPU's boost frequency/power. Attackers monitor the power signature of any given cryptographic workload, which varies due to the CPU's dynamic boost clock frequency adjustments, and can render that information as power data in order to steal the keys. Although Hertzbleed has only been demonstrated in Intel and AMD silicon, it could theoretically affect virtually all modern CPUs because it works by observing the power algorithms underlying the Dynamic Voltage Frequency Scaling method common to today's processors. Intel's remedy includes patches for any code that is vulnerable to enabling a power side-channel attack, but some countermeasures can impact performance.

Full Article

 

 

How DOJ Took the Malware Fight into Your Computer
Politico
Eric Geller
June 13, 2022


With botnets or armies of hacked computers posing significant threats to Internet security, the U.S. Department of Justice (DOJ) increasingly is being allowed to delete malware from Americans' computers without their knowledge or authorization. In April, for example, federal prosecutors obtained court orders permitting them to access hacked servers used to control a Russian intelligence agency's botnet and erase the malware they found there. The prosecutors had indicated that direct intervention was necessary, given that government warnings to affected users did not solve the problems. However, DOJ officials said such action is considered a last resort. Said deputy assistant attorney general for national security Adam Hickey, “You can understand why we should be appropriately cautious before we touch any private computer system, much less the system of an innocent third party.”

Full Article

 

 

Researchers Uncover 'Unpatchable' Flaw in Apple M1 Chips
TechCrunch
Carly Page
June 10, 2022


Massachusetts Institute of Technology researchers found Apple's M1 chips contain an "unpatchable" hardware bug that could allow hackers to slip past its last line of defense. The flaw is rooted in pointer authentication codes (PACs) designed to block attackers from injecting malicious code into a device's memory, safeguarding against buffer overflow exploits. The researchers' "Pacman" exploit combines memory corruption and speculative execution attacks to bypass the security feature without a trace, making software patches unworkable. The attack speculatively "guesses" lines of computation to leak PAC verification results, while a hardware side-channel shows whether the guess was right. "If not mitigated, our attack will affect the majority of mobile devices, and likely even desktop devices, in the coming years," the researchers warned.

Full Article

 

 

Stacking the Deck for Computer Security
Penn State News
Ashley J. WennersHerron
June 17, 2022


An international team of researchers led by Pennsylvania State University (Penn State) has created a more reliable safeguard for data on the stack than a prior classification technique called Safe Stack. Penn State's Trent Jaeger said the DATAGUARD system "improves security through a more comprehensive and accurate safety analysis that proves a larger number of stack objects are safe from memory errors, while ensuring that no unsafe stack objects are mistakenly classified as safe." The system validates stack objects that are safe from spatial, type, and temporal memory errors, via static analysis and symbolic execution. Tests showed DATAGUARD spotted and removed 6.3% of objects wrongly labeled safe by the Safe Stack technique, and found 65% of objects labeled "unsafe" by Safe Stack actually were safe.

Full Article

 

 

Ethereum Mining Is Going Away
Bloomberg
Olga Kharif; David Pan
June 16, 2022


Ethereum mining could end soon due to "the Merge," leaving as many as 1 million miners out of a source of income. The Merge (expected to occur in August, though it has been pushed back several times already) involves a shift from the proof-of-work model, which uses a significant amount of computing power and energy, to the proof-of-stake model to record transactions. The alternative model will slash the Ethereum network’s power consumption by about 99%, but also will put miners out of work. Following the Merge, some Ethereum miners plan to mine other coins that require graphics processing units, like Ethereum Classic or Ravencoin, or to use their equipment for rendering (an aspect of digital video production) or machine learning tasks.

Full Article

*May Require Paid Registration

 

 

Stronger Security for Smart Devices
MIT News
Adam Zewe
June 14, 2022


Massachusetts Institute of Technology researchers demonstrated two security techniques that block power and electromagnetic side-channel attacks targeting analog-to-digital converters (ADCs) in smart devices. The countermeasures involve adding randomization to ADC conversion, which in one case uses a random number generator to decide when each capacitor switches, complicating the correlation of power supplies with output data. That method also keeps the comparator in constant operation, preventing hackers from ascertaining when each conversion stage begins and ends. The second technique employs two comparators and an algorithm to randomly establish two thresholds rather than one, creating millions of ways an ADC could reach a digital output.

Full Article

 

 

Physics-Based Cryptocurrency Transmits Energy Through Blockchain
Lawrence Livermore National Laboratory
Anne M. Stark
June 13, 2022


Researchers at the U.S. Department of Energy's Lawrence Livermore National Laboratory (LLNL) have developed E-Stablecoin, a physics-based cryptocurrency that connects electrical energy with blockchain technology. LLNL's Maxwell Murialdo and Jon Belof said the energy-information link supports the generation of a cryptocurrency token directly backed by and convertible into one kilowatt-hour of electricity, making E-Stablecoin the first digital token to be collateralized by a physical asset. Said Belof, "Through thermodynamic reversibility—to the extent that it is allowed by a modern understanding of statistical mechanics—we envision a future blockchain that is not only rooted in real-life assets like energy usage, but also is a more responsible steward of our natural resources in support of the economy."

Full Article

 

California Community Colleges May Receive $100M To Bolster Cybersecurity Amid Application Fraud

Higher Ed Dive (4/6) reports that California’s community college system “may soon receive $100 million to bolster cybersecurity after tens of thousands of fake student applications flooded campuses last year in a suspected effort to fraudulently obtain student aid.” Lawmakers “considered the funding, which is part of Gov. Gavin Newsom’s budget proposal, during a committee hearing Tuesday about the state’s higher education funding for fiscal 2023.” Although they “didn’t vote on the issue, no one voiced any opposition.” The proposal “would allocate $25 million in annual funding, which could be used for hiring staff to combat cyberattacks and contracting with consultants to assess cybersecurity efforts.” The remaining $75 million “would be one-time funding for initiatives such as assessing system vulnerabilities and purchasing software to detect fraudulent applications.”

 

Decline Of Third-Party Tracking May Give More Advantage To Most Popular Sites

The New York Times (4/6, Chen, Wakabayashi) reports on “another type of internet tracking” that is “reinforcing the power of some of tech’s biggest titans.” While third-party tracking “is being scaled back or blocked by Apple and Google,” it is now being replaced by “‘first party’ tracking” wherein “companies are still gathering information on what people are doing on their specific site or app, with users’ consent.” This data, says the Times, “tilts the playing field toward large digital ecosystems such as Google, Snap, TikTok, Amazon and Pinterest,” while “smaller brands have to turn to those platforms if they want to advertise to find new customers.” But, “Google and Apple said the shift was not a way to strengthen their own standings.”

 

 

NYTimes Examines How Much Information iOS Apps Track. The New York Times (3/31) publishes a follow-up to its review of 250 iOS apps from “late 2020” that “found that most of them were tracking and sharing a lot of information about anyone using them.” The Times says, “A year later, some apps behave a little better, and some of the worst offenders have seen a drop in the number of downloads, but the changes haven’t been revolutionary.” The Times explains how apps can track various user activities and shows how users can block some of these tracking features using Apple’s privacy settings.

 

Google Argues Microsoft’s Leadership In Government Security Creates Vulnerability

NBC News (3/31, Collier) reports Google Director of Risk and Compliance Jeanette Manfra “said Thursday that the government’s reliance on Microsoft – one of Google’s top business rivals – is an ongoing security threat,” based on a survey commissioned by Google. In a blog post published Thursday, Manfra said the survey “found that a majority of federal employees believe that the government’s reliance on Microsoft products is a cybersecurity vulnerability.” Manfra told NBC, “Overreliance on any single vendor is usually not a great idea. You have an attack on one product that the majority of the government is depending on to do their job, you have a significant risk in how the government can continue to function.” Microsoft CVP Frank Shaw responded in an emailed statement, criticizing Google for conducting the study and calling it “unhelpful.”

VentureBeat (3/31, Alspach) spoke with security industry executives who said the study suggests “that the battle for customers in cybersecurity is heating up between the two cloud giants.” Tenable CEO Amit Yoran told VentureBeat that Google is “taking a direct shot at Microsoft,” adding that this “doesn’t seem like a random survey, especially considering Google’s acquisition of Mandiant.” Netenrich Principal Threat Hunter John Bambenek said, “The poll itself is a transparent attempt to create a marketing message against Microsoft. ... While that means taking its conclusions with a grain of salt, it also means they are taking an aggressive approach to displace Microsoft using techniques more often seen in political campaigns.”

 

University Of Arizona’s CAST Debuts Student Chapter Of Women In Cybersecurity

In a profile for Women’s History Month, the Sierra Vista (AZ) Herald (3/29, Hom) focuses “on the field of education and how two professors at the University of Arizona are helping women break down barriers to enter the field of cybersecurity by establishing the first student chapter of the national organization Women in Cybersecurity at the UA.” Dr. Dalal Alharthi, “assistant professor of practice in cyber operations at the College of Applied Sciences and Technology (CAST), said she founded the student chapter of” Women in Cybersecurity (WiCyS) “to help address gender disparity in the field.” She “said there are four student officers in the student organization: President Stephanie Tognotti, Vice President Lindsey Hinz, Secretary Sadie Rose Belton and Marketing Chair Sara Robinson-Camarena.” Alharthi “plans to provide students involved in the chapter access to technical workshops, mentorships and career networking opportunities as well as ways to give back to the upcoming generation with outreach programs.”

dtau...@gmail.com

Jul 1, 2022, 11:40:47 AM7/1/22
to sec-...@googlegroups.com

Bluetooth Signals Can Be Used to Identify, Track Smartphones
UC San Diego News Center
Ioana Patringenaru
June 8, 2022


Engineers at the University of California, San Diego (UCSD) have demonstrated an exploit that taps Bluetooth beacon signals emitted by smartphones to track individuals. The researchers showed the signals bear a unique fingerprint, which UCSD's Nishant Bhaskar said poses a serious threat "as it is a frequent and constant wireless signal emitted from all our personal mobile devices." The fingerprint stems from manufacturing flaws in hardware that are unique to each device, which generate novel Bluetooth distortions that attackers could use to bypass anti-tracking measures. Experiments validated the feasibility of using the exploit in real-world settings, although the researchers noted it requires attackers to possess significant expertise.
 

Full Article

 

 

Tesla Hack Gives Thieves Their Own Personal Key
Ars Technica
Dan Goodin
June 8, 2022


Austrian security researcher Martin Herfurt has demonstrated that electric vehicle company Tesla's updated near-field communication key card can be hacked. The update allows the car to automatically start within 130 seconds of being unlocked, and enables new keys to be accepted without authentication or indication from the in-vehicle display. Although the Tesla app disallows keys to be enrolled unless connected to the owner's account, Herfurt found the car shares messages with any nearby Bluetooth Low Energy device. He crafted an app that speaks the same language the Tesla app uses to communicate with Tesla vehicles. A malicious proof-of-concept version allows thieves to secretly enroll their own keys during the 130-second interval, then exchange VCSec messages that enroll the key.
 

Full Article

 

 

Radio Waves for the Detection of Hardware Tampering
Ruhr-Universität Bochum (Germany)
June 7, 2022

Scientists at Germany's Ruhr-Universität Bochum (RUB), the Max Planck Institute for Security and Privacy, and information technology company PHYSEC have developed a technique that uses radio waves to monitor hardware for tampering. The radio waves can be used to detect the slightest changes in ambient conditions via a system with a sender and a receiver antenna. The transmitter emits a special signal that is reflected by walls and computer components; these reflected signals have a unique signature when they reach the receiver, which even the smallest of tampering can disrupt. RUB's Johannes Tobisch said the antennas should be placed "as close as possible to the components that require a high degree of protection," because the source of tampering is easier to identify when it is closer to the receiving antenna.
 

Full Article

 

 

Keeping Web-Browsing Data Safe From Hackers
MIT News
Adam Zewe
June 9, 2022


Massachusetts Institute of Technology researchers analyzed a website-fingerprinting attack in order to develop new defenses. Previous research showed the machine learning-assisted cyberattack tallies how many times the computer accesses memory as it loads a website, then identifies the site. The researchers learned the attack's underlying mechanisms were misidentified, and stripping all memory accesses made the exploit just as effective, if not more so. The researchers formulated two countermeasures: a browser extension that generates frequent interrupts to complicate the attacker's ability to decode signals, reducing attack accuracy from 96% to 62%, and altering the timer to return values that are near but not actual time, which slashes the attack’s accuracy to 1%.
 

Full Article

 

 

How 'Trustless' Is Bitcoin, Really?
The New York Times
Siobhan Roberts
June 6, 2022


Rice University's Alyssa Blackburn and colleagues have dissected the anonymity of bitcoin, reporting in a paper that "information leakage erodes the once-impenetrable blocks, carving out a new landscape of socioeconomic data." The researchers aggregated multiple leakages and bitcoin addresses, determining 64 key agents mined most of the existing bitcoin in the first two years since the cryptocurrency's launch. Blackburn devised hacks for this period, and tapped human lapses like insecure user behavior, operational features innate to bitcoin's software, and methods for connecting pseudonymous addresses. She said very few people serve as network arbiters, "which is not the ethos of decentralized trustless crypto." Blackburn also noted that the concentration of resources undercut the network's security, with a miner's computing resources found to be commensurate to their mining income.
 

Full Article

*May Require Paid Registration

 

 

Making Blockchain Stop Wasting Energy by Getting It to Manage Energy
Ars Technica
John Timmer
June 5, 2022


A group of researchers from China's Shanghai Jiao Tong and Tsinghua universities identified an optimization calculation that could make blockchain systems more energy-efficient. The researchers concentrated on the energy supply other blockchains consume, noting optimization is needed in instances like matching supply with demand, and formulating the most economic mix of generating sources. They also proposed small sub-grids could self-manage through proof-of-solution (PoSo)-based optimizations, and used energy systems at the U.K.'s University of Manchester and the city of Suzhou, China, to test the concept. In both cases, the system quickly produced optimal solutions for resource distribution, which competed with centralized management. Although the system still demands multiple computers to execute calculations and verification, the researchers contend the PoSo blockchain solution is tougher to manipulate.
 

Full Article

 

Apple, Meta Provided User Data To Hackers After “Forged Legal Requests”

Bloomberg (3/30, Turton) reports Apple and Meta provided “customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter.” The companies provided “basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response” to the forged “emergency data requests.” While typically, such requests are “only provided with a search warrant or subpoena signed by a judge,” emergency requests have no such requirement.

 

Hackers Steal Over $500 Million In Crypto From Axie Infinity Game

The Wall Street Journal (3/29, Needleman, Subscription Publication) reports hackers stole over $500 million in cryptocurrency from Axie Infinity, an online game published by Sky Mavis Ltd. Sky Mavis’ Aleksander Larsen said the hackers used social engineering to gain access to the company’s Ronin Network, which runs the game. Analytics firm Elliptic said this was the second largest crypto hack ever.

Bill Would Launch A Large-scale Test Of Digital Dollars

The Verge (3/28) reports, “A US lawmaker has proposed a large-scale trial of government-backed digital cash. The Electronic Currency and Secure Hardware (ECASH) Act, introduced by Rep. Stephen Lynch (D-MA), would direct the Secretary of the Treasury to publicly test an ‘electronic version’ of the US dollar.” The piece says that “while the bill’s odds of passing likely remain low, it demonstrates governments’ increasing interest in launching alternatives to cryptocurrency.”

 

Expert Discusses Best Ways To Communicate About A School Cyberattack

K-12 Dive (3/24) reports that “with schools becoming increasingly vulnerable to cyberattacks, a recent report by nonprofit K12 Security Information Exchange called for greater public disclosure of these incidents to help inform research, policymaking and cyber defense tools.” Mellissa Braham, associate director of the National School Public Relations Association, “said it’s key to know how to prepare public communications before, during and after a school cyberattack.” While cyberattacks “are not new, Braham said awareness is increasing about these incidents and how to best communicate them to the public.” To start, “districts should consider if families and staff already know what a school day will look like in case schools are shut down or a student data system is hacked, she said.” If not, Braham “said, now is the time to develop a plan for communicating that information, similar to a plan for handling weather-related emergencies.”

 

Many Business Leaders Confused By Warnings Of Russian Cyberattacks

Bloomberg (3/24, Manson) reports that one day after President Biden “issued a stark warning that a Russian cyberattack ‘is coming,’ members of his administration hosted a three-hour call with about 13,000 people representing businesses, public agencies and other organizations to discuss the potential threat.” The conversation “highlighted the struggle the Biden administration faces in safeguarding the country against a possible wave of state-sponsored hacking.” US officials “appealed for callers to lower the bar for reporting cyber threats, even down to anomalous phishing attempts,” but “many businesses betrayed confusion about basic cybersecurity tools and incident reporting procedures, a recording of the call shows. Other representatives said they wanted the administration to share more information.” Bloomberg notes that “most U.S. critical infrastructure – such things as telecommunications, energy and food production – is in private hands, and operating companies aren’t yet compelled to share such information with the government; cybersecurity regulations tend to be patchy or nonexistent.”

dtau...@gmail.com

Jul 3, 2022, 6:56:48 PM7/3/22
to sec-...@googlegroups.com

Tech Behind Crypto Could Save Luxury Brands Billions
CNN
Rebecca Cairns
June 27, 2022


Luxury brands are using blockchain technology to shield their products from counterfeiting. Luxury brand conglomerate LVMH partnered with fashion company Prada and jewelry conglomerate Cartier on the Aura Blockchain Consortium, a nonprofit platform that generates digital twins for designer products. The consortium employs blockchain to produce digital product identifiers for more than 20 brands, including more than 17 million registered products, according to general secretary Daniela Ott. The software, which amasses a ledger of data like material type and source, where and when products were made, and how many were fabricated, provides customers a digital certificate of authentication that cannot be counterfeited, Ott said.

Full Article

 

 

Seventy-Five Percent of the World's Top Websites Allow Bad Passwords
New Scientist
Jeremy Hsu
June 23, 2022


Princeton University's Arvind Narayanan and colleagues found 75% of 120 top-ranked English-language websites permit weak passwords, while over half also allow 40 of the most common leaked and easily guessed passwords. The researchers manually checked those 40 passwords on each site, choosing 20 from a randomized sampling of the 100,000 most frequently used passwords detected in data breaches, as well as the first 20 passwords guessed by a password cracker. Just 15 sites blocked all 40 tested passwords, including Google, Adobe, Twitch, GitHub, and Grammarly. Only 23 of the 120 sites provide strength meters that encourage users to create sufficiently strong passwords, while 54 sites still follow poorly rated password composition policies.
 

Full Article

 

 

CISA Warns Over Software Flaws in Industrial Control Systems
ZDNet
Liam Tung
June 23, 2022


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations to check for recently reported flaws in operational technology (OT) devices that should be partitioned from the Internet. Researchers from the Forescout cybersecurity software company detected 56 vulnerabilities impacting industrial control systems, bugs that include insecure engineering protocols or firmware updates, weak cryptography or cracked authentication schemes, and remote code execution via native functionality. CISA's advisories detail missing authentication and privilege escalation flaws in software from Japan's JTEKT, three bugs harming products from U.S. vendor Phoenix Contact, and one affecting devices from Germany's Siemens. Forescout said its disclosure was intended to illustrate how commonplace vulnerabilities are in critical infrastructure hardware.
 

Full Article

 

 

Instagram Rolls Out Age Verification, but Not to Keep Children Off App
The Washington Post
Tatum Hunter
June 23, 2022


Photo- and video-sharing platform Instagram has started using age verification tools to prevent account holders under 18 years old from changing their ages to over 18 (although users could still use false birth dates when setting up accounts). Erica Finkle with Instagram parent Meta said the new tools aim to ensure teen accounts reflect users’ actual ages and receive the right protections, rather than keeping the underage off the platform. Users can submit some accepted form of personal identification as proof of age, which Meta said it will store securely and delete within 30 days; they also can ask three adult Instagram friends to vouch for their age, or they can submit a video selfie from which digital identity company Yoti's artificial intelligence will guess their age.
 

Full Article

*May Require Paid Registration

 

 

Strava App Flaw Revealed Runs of Israeli Officials at Secret Bases
BBC News
David Gritten
June 22, 2022


Israel-based disinformation monitor FakeReporter disclosed a flaw in American Internet service Strava's fitness application that allowed a suspicious party to identify and track Israeli security personnel at secret military bases. The app tracks a user's exercise activity via data like global positioning system coordinates, taken from their mobile phone or wearable fitness device. People can upload their running and cycling times and compare their performances with others following the same routes. The suspicious individual was able to upload fake running "segments" to compromise the identities and past routes of others active in the area, even with the most secure privacy settings activated. Data on roughly 100 individuals who exercised at six bases was accessible, although Strava said it had corrected the vulnerability.

Full Article

 

 

Hijacked-Journal Tracker Helps Researchers to Spot Scam Websites
Nature
Holly Else
June 22, 2022


Researchers can check whether a journal website has been cloned onto a scam site before submitting their work through the Retraction Watch hijacked journal checker. Anna Abalkina at Germany's Free University of Berlin and scientific-misconduct blog Retraction Watch built the online spreadsheet, which will be updated as more hijacked journals are detected. Abalkina said addressing the problem is critical because research databases often import articles from the Scopus citation database, which can accidentally include non-peer-reviewed research posing as legitimate work. Mehdi Dadkhah at Iran's Ferdowsi University of Mashhad said although the hijacked-journal checker will prevent some scientists from being exploited by cybercriminals, many will be unaware of the tool or even of hijacked journals.

Full Article

 

 

DARPA Report Finds Vulnerabilities in Blockchain Tech, Non-Secure Crypto Transactions
Nextgov
Alexandra Kelley
June 21, 2022


Researchers at cybersecurity consulting firm Trail of Bits vetted the security of blockchain software's distributed ledger technologies for the U.S. Defense Advanced Research Projects Agency (DARPA). The researchers found some technologies can be altered, jeopardizing the data stored within the proof-of-work blockchain. The team explained the system's "immutability can be broken not by exploiting cryptographic vulnerabilities, but instead by subverting the properties of a blockchain's implementations, networking, and consensus protocol." For example, if just one node in the blockchain ledger network lacks proper security protocols or is operated by a bad actor, the data routed through the blockchain can be hacked or changed. Meanwhile, the corruption of a third party within the network route between nodes means actors can potentially disrupt ledger transactions, because all bitcoin protocol traffic is unencrypted.

Full Article

 

 

Microsoft Stops Selling Emotion-Reading Tech, Limits Face Recognition
Reuters
Paresh Dave
June 21, 2022


Microsoft said it would stop selling technology that guesses emotional states from facial images, and would restrict access to its facial recognition technology. The announcement came as cloud providers are trying to self-regulate sensitive technologies to keep U.S. and EU lawmakers from enacting legal strictures. In one year, Microsoft said, its current customers will lose access to artificial intelligence tools that claim to infer emotion, gender, age, smile, facial hair, hair, and makeup. The company also said customers now will need to obtain approval in order to use its facial recognition services, and asked clients to not use it in situations that might compromise privacy or in which the technology might struggle (like identifying minors), but did not outright ban the use of its technology for those applications.
 

Full Article

 

US Government Says In Alert That Hackers Have Displayed Ability To Hijack Critical Infrastructure

Reuters (4/13, Bing, Satter) reports that advanced hackers “have demonstrated the ability to take control of an array of devices that help run power stations and manufacturing plants, the U.S. government said in an alert issued on Wednesday, sounding the alarm over the potential for cyber spies to harm critical infrastructure.” The U.S. Cybersecurity and Infrastructure Security Agency “said in a joint advisory with other government agencies that the hackers’ malicious software could affect a type of device called programmable logic controllers made by Schneider Electric and OMRON Corp.” The controllers “are common across a variety of industries – from gas to food production – but Robert Lee, the chief executive of cybersecurity firm Dragos, which helped uncover the malware, said researchers believed the hackers’ intended targets were liquified natural gas and electric facilities.”

Technology Companies Including Microsoft Disrupt “Prolific Cybercrime Gang.” CNN (4/13, Lyngaas) reports technology companies including Microsoft “have tried to disrupt a cybercriminal group whose malicious software has been used in ransomware attacks and other hacks around the world, the companies said Wednesday.” The effort included a “court order from the US District Court for the Northern District of Georgia that allowed Microsoft (MSFT) to seize 65 internet domains used by the hacking group behind widely used malware known as ZLoader, Microsoft said.” Microsoft also said it had identified a person involved in the hacking and referred them to law enforcement. Other cybersecurity firms “involved in the takedown included US companies Lumen and Palo Alto Networks, and Slovakia-based ESET.”

 

Lawmakers Seek To Further Safeguard Critical Infrastructure

Roll Call (4/12, Ratnam) reports lawmakers “are looking to boost the U.S. government’s ability to safeguard from devastating cyberattacks on vital infrastructure sectors such as water supplies, electric utilities and pipeline operators.” According to Roll Call, “The effort comes on the heels of a new law Congress passed as part of the fiscal 2022 omnibus spending bill that requires operators of critical infrastructure to report any cyberattacks they suffer to the Cybersecurity and Infrastructure Security Agency.”

 

Apple’s Privacy Changes Expected To Wipe Almost $16B In Revenues From YouTube, Meta, Snap, Twitter

Insider (4/11, O'Reilly) reports the “fallout from Apple’s major privacy update is expected to continue well past the first year of its rollout, with a new analysis estimating the change could dent Meta, YouTube, Snap, and Twitter’s revenues by almost $16 billion in total this year.” Insider adds, “New analysis from data management company Lotame, shared exclusively with Insider, estimates that Facebook owner Meta will continue to feel the biggest brunt of Apple’s privacy changes in 2022. Lotame estimates that the change will cause a $12.8 billion hit to Meta’s 2022 revenue, or 9.7%. ... Lotame estimates that ‘modest impact’ will hit YouTube to the tune of $2.2 billion, or 6.5% of its revenue in 2022.”

 

Yellen Says Regulation Of Cryptocurrency Is Needed

The AP (4/7, Hussein) reports that Treasury Secretary Yellen “says more government regulation is needed to police the proliferation of cryptocurrency and ward off fraudulent or illicit transactions.” In remarks Thursday at American University, Yellen said, “Taxpayers should receive the same type of tax reporting on digital asset transactions that they receive for transactions in stocks and bonds, so that they have the information they need to report their income to the IRS.” Yellen’s remarks were her first about cryptocurrency “since President Joe Biden signed an executive order on digital assets in March.”
