Log4j Software Flaw 'Endemic,' Cyber Safety Panel Says
Associated Press
Alan Suderman
July 14, 2022
The Cyber Safety Review Board said the Log4j software vulnerability discovered last year is "endemic," and could constitute a security risk for another decade. The flaw enables Internet-based hackers to hijack a broad range of systems; the first indications of its exploitation appeared in Microsoft's online game Minecraft. Log4j logs user activity on computers, and is widely employed by commercial software developers. Although the review board has found no signs of "significant" Log4j attacks on critical infrastructure systems, it said future attacks are likely. To alleviate the potential fallout of such attacks, the board recommended universities and community colleges make cybersecurity training mandatory for obtaining computer science degrees and certifications.
You've Been Served Via NFT: Court Gives OK to Sue on Blockchain
Bloomberg
Katharine Gemmell
July 13, 2022
A U.K. court ruling allows legal documents to be served over the blockchain ledger via nonfungible tokens (NFTs). The case was filed by Fabrizio D'Aloia, founder of an online gambling company, against Binance Holdings and other cryptocurrency exchanges after his crypto assets were fraudulently cloned. The exchanges also were deemed responsible for ensuring stolen crypto is not moved or removed from their systems. Legal experts at the law firm Giambrone & Partners LLP said the ruling will enable crypto fraud victims to file suit against unknown fraudsters in the U.K. The lawsuit documents will be airdropped via NFT into two wallets originally used by D'Aloia and later stolen. A similar decision was issued in June by a U.S. court.
Apple to Add 'Lockdown' Safeguard on iPhones, iPads, Macs
Associated Press
July 6, 2022
Apple has announced the forthcoming rollout of a "lockdown" option for iPhones, iPads, and Mac computers, in order to shield those products from spyware launched by state-sponsored hackers. The company initially will offer lockdown mode as a test version so security researchers can identify any bugs or vulnerabilities. The feature is designed to serve as an emergency button that Apple thinks will be needed by a small number of users. Activating lockdown will limit Web browsing and disable features such as the ability to send attachments and links in texts, and to receive FaceTime calls from new numbers. Apple believes the additional safeguards will be important for activists, journalists, and other targets of hacks orchestrated by well-funded organizations.
Ransomware Switched Programming Languages From Go to Rust
ZDNet
Liam Tung
July 6, 2022
Microsoft security researchers have found new variants of Hive ransomware that were originally written in the Go coding language have been rewritten in Rust. The switch has been underway for a few months, as Hive’s authors appear to be copying tactics from BlackCat ransomware, also written in Rust. Researchers at cyberintelligence firm Group-IB determined the Hive gang had converted its Linux encryptor for targeting VMware ESXi servers to Rust so security researchers would be less able to surveil its ransom discussions with victims. The Microsoft Threat Intelligence Center blogged that the transition also involves more complex file encryption.
NIST Identifies Quantum-Resistant Encryption Algorithms
Nextgov
Alexandra Kelley
July 5, 2022
Officials from the U.S. National Institute of Standards and Technology (NIST) announced the first four quantum-resistant encryption algorithms, dubbed Crystals-Kyber, Crystals-Dilithium, Falcon, and SPHINCS+. The announcement marks the start of the final phase of NIST's research into the development of a post-quantum cryptographic standard to shield digital information against quantum hacking. U.S. Commerce Secretary Gina Raimondo said NIST's achievement means "we are able to take the necessary steps to secure electronic information so U.S. businesses can continue innovating while maintaining the trust and confidence of their customers." NIST director Laurie E. Locascio said this initial slate of quantum-resistant algorithms "will lead to a standard and significantly increase the security of our digital information."
Safer Web Surfing with Method for Detecting Malicious Modes
SPIE Newsroom
July 12, 2022
Scientists at South Korea's Far East and Namseoul universities have proposed a new technique for screening Websites for malicious codes by identifying and analyzing common distribution patterns. The researchers first "crawled" through 500 harmful sites to find such patterns, then focused on the programming methods and scripts used in those malicious codes. They added up how many times each method was used in malicious sites, and devised an equation to ascertain a given site's risk score. The technique is exceptionally accurate and fast, and Namseoul's Won-shik Na said its ability to identify malicious Websites from script patterns means the algorithm's complexity and memory cost is low. The approach also could identify zero-day attacks.
Nearly 1 Million Exposed Misconfigured Kubernetes Instances Could Cause Breaches
InfoSecurity
Alessandro Mascellino
June 28, 2022
Researchers from cybersecurity firm Cyble discovered more than 900,000 exposed Kubernetes (K8s) instances that could be targets for cyberattacks or malicious scans. The open source system automates the deployment, scaling, and administration of containerized applications. The researchers attributed the exposure to misconfigurations, often due to the use of default settings. The researchers said that misconfigurations of Kubernetes, like utilizing default container names, not having the Kubernetes Dashboard protected by a secure password, or leaving default service ports open to the public, “can place businesses at risk of data leakage." They recommended companies keep Kubernetes updated to the latest version, and remove debugging tools from production containers.
Researchers Defeat Facial Recognition Systems with Universal Face Mask
Help Net Security
Zeljka Zorz
July 12, 2022
Researchers at Israel's Ben-Gurion University of the Negev (BGU) and Tel Aviv University found that facial recognition (FR) systems may be thwarted by fabric face masks boasting adversarial patterns. The researchers employed a gradient-based optimization process to generate a universal perturbation and mask to falsely classify each wearer as an unknown identity. BGU's Alon Zolfi said, "The perturbation depends on the FR model it was used to attack, which means different patterns will be crafted depending on the different victim models." Zolfi suggested FR models could see through masked face images by training them on images containing adversarial patterns, by teaching them to make predictions based only on the upper area of the face, or by training them to generate lower facial areas based on upper facial areas.
How Daycare Apps Can Spy on Parents, Children
Ruhr-Universität Bochum (Germany)
Julia Weiler
July 7, 2022
German researchers uncovered serious flaws in 42 European and U.S. daycare applications. The researchers analyzed Android apps in the Google Play Store that offer the ability to record children’s development, a messenger function allowing daycare staff to communicate with parents, and administrative daycare management support functions like scheduling. Eight apps were found to have vulnerabilities that could permit hackers to view children's private photos, while 40 others could allow spying on parents and teachers. Some app manufacturers sell users' data to third parties, often Amazon, Facebook, Google, or Microsoft, which use it for targeted advertising. Maximilian Golla of the Max Planck Institute for Security and Privacy noted that children’s data is subject to special protection under Europe’s General Data Protection Regulation and the U.S. Children’s Online Privacy Protection Act; “Unfortunately, we found that many apps fail to guarantee this protection.”
Blockchain Can Secure, Store Genomes
YaleNews
Bill Hathaway
June 29, 2022
The SAMchain technology developed by Yale University scientists leverages blockchain to give users control over their own genomic data. SAMchain guarantees the security of individual genomic information, shielding it against change by others and the occasional corruption of cloud-stored DNA data. The researchers circumvented the problem of storing vast datasets derived from genome sequencing by comparing an individual's DNA against a standard reference genome, then storing only the differences in linked blocks of the blockchain. The blocks are subsequently indexed to enable rapid inquiry, and those differences can be connected to conditions with known genetic risk factors. "We think this will actually make genomic research easier," said former Yale researcher Gamze Gürsoy.
The Information (4/15, Toonkel, Peers, Subscription Publication) reports in a partially paywalled article, “Privacy is one of the selling points of Apple products. But for employees who develop these products, it can be a pain.” The Information spoke with “more than a dozen former employees” who said that Apple’s focus on user privacy “makes it difficult for Apple to mimic popular features developed by its competitors, which collect more data and have fewer restrictions on employee access to such information.”
Zero-Day Used to Infect Chrome Users Could Pose Threat to Edge, Safari Users
Ars Technica
Dan Goodin
July 21, 2022
Researchers at security firm Avast said a cyberattack software vendor exploited a previously undiscovered Chrome vulnerability and two other zero-day attacks in campaigns that infected Mideast journalists and other targets with spyware. The exploit is rooted in memory corruption flaws in Web Real-Time Communications, an open-source project that provides JavaScript programming interfaces to facilitate real-time voice, text, and video communications between Web browsers and devices. Google patched the vulnerability on July 4 after the Avast researchers alerted them to its exploitation in watering hole attacks, in which compromised Websites were used to infect their frequent visitors. The DevilsTongue malware used in these watering hole attacks is sold by the Israel-based company Candiru. Google and Microsoft's patching likely means most Chrome and Edge users are already protected, but Apple's more recent patching means Safari users should ensure their browsers are updated.
Ransomware Attacks Against Higher Ed Increase
Inside Higher Ed
Susan D'Agostino
July 22, 2022
Cybersecurity company Sophos reported a global surge in ransomware attacks against colleges and universities last year. Nearly 75% of ransomware attacks on higher-education institutions were successful, and only 2% of victims retrieved all their data, even after paying the ransom. The higher-education sector had the slowest post-attack recovery time, with 40% of victims taking more than a month to recover, versus the 20% global average. “When one sector improves their defenses, the bad folks go somewhere where the bar is lower and they can get money easily," said Jeremy Epstein, chair of the U.S. technology policy committee of ACM.
Google/Apple Contact-Tracing Apps Susceptible to Digital Attacks
Ohio State News
Tatyana Woodall
July 21, 2022
Contact-tracing applications powered by the Google/Apple Exposure Notification framework (GAEN) are vulnerable to geographically based replay attacks, contend researchers from The Ohio State University (OSU). The attacks involve a third party that intercepts a user's broadcast contact-tracing phone data in one area and repeatedly retransmits it in another, remote area. "Because the framework operates as a wireless protocol, anybody can inject some kind of fake [COVID] exposure, and those false encounters could disrupt the public's trust for the [contact-tracing] system," said OSU's Anish Arora.
Touchscreens: Attack from the Charging Socket
Technical University of Darmstadt (Germany)
July 20, 2022
German and Chinese researchers have invented an attack method that targets mobile devices' touchscreens through charging cables and power adapters. The researchers generated false (ghost) touches on multiple touchscreens to manipulate the devices. Anyone who charges a device at a compromised charging station triggers the attack, masked as a normal charging signal. The hacker measures the touchscreen’s sampling frequency through the charging connection to adapt the attack signal. The hacker injects the attack signal into the ground line via the charging line, and this signal, via the USB interface, impacts the power supply and is rendered as a noise signal due to the lack of filtering. The researchers were able to direct ghost touches along the touchscreens' conductive and sensing electrodes without physical contact, while also making the touchscreens unresponsive to real touches.
Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals
The Hacker News
Ravie Lakshmanan
July 19, 2022
Mordechai Guri of Israel's Ben Gurion University of the Negev identified a new air-gap attack that leverages Serial Advanced Technology Attachment (SATA) cables as wireless antennas to transmit radio signals in the 6GHz frequency band. The SATAn attack aims to use SATA cables to transfer a small amount of sensitive information wirelessly from air-gapped computers, which are highly secured and physically isolated from other networks, to a receiver over a meter away. Said Guri, "The receiver monitors the 6GHz spectrum for a potential transmission, demodulates the data, decodes it, and sends it to the attacker." To detect the potential for such an attack, external radio frequency monitoring systems could be used to identify anomalous transmissions from the air-gapped system in the 6GHz frequency band.
Chinese-Made GPS Tracker Highly Vulnerable
Associated Press
Frank Bajak
July 19, 2022
Researchers at cybersecurity firm BitSight warn of severe vulnerabilities in a Chinese-made automotive global positioning system (GPS) tracker that is used in 169 nations. The researchers said hackers could exploit flaws in MiCODUS' MV720 GPS tracker to commandeer device-equipped vehicles, and advised users to disable the product until a software patch becomes available. The device has a default password that few users change and a second hard-coded password that works for all devices; vulnerabilities also reside in the software of the Web server used to remotely manage the trackers. BitSight's Pedro Umbelino said malicious actors could remotely sever the fuel line of a moving vehicle, determine the vehicle's location for espionage purposes, or intercept and corrupt location or other data to sabotage operations. The U.S. Cybersecurity and Infrastructure Security Agency said it was unaware of "any active exploitation" of the MV720's vulnerabilities.
'Retbleed' Speculative Execution Attack Affects AMD, Intel CPUs
The Hacker News
Ravie Lakshmanan
July 13, 2022
The "Retbleed" flaw discovered by Johannes Wikner and Kaveh Razavi at ETH Zurich in Switzerland targets older AMD and Intel central processing units as a channel for Spectre-based speculative-execution attacks. Retbleed is engineered to circumvent "return trampoline" (Retpoline) branch target injection countermeasures. "Retbleed aims to hijack a return instruction in the kernel to gain arbitrary speculative code execution in the kernel context," explained Wikner and Razavi. "With sufficient control over registers and/or memory at the victim return instruction, the attacker can leak arbitrary kernel data." To mitigate the potential threat, AMD has unveiled Jmp2Ret, while Intel has recommended employing enhanced Indirect Branch Restricted Speculation, even if Retpoline mitigations are implemented.
Computing Architecture Protects Sensitive Private Data
Columbia Engineering News
Holly Evarts
July 15, 2022
Researchers at Columbia University and the semiconductor IP and software design company Arm have developed a computing architecture to safeguard sensitive private data. The verification work targets the Arm Confidential Compute Architecture (Arm CCA), part of the Armv9-A architecture. Said Columbia's Xupeng Li and Jason Nieh, "We've proved, for the first time, that the firmware is correct and secure, resulting in the first demonstration of a confidential computing architecture backed by formally verified firmware." Unlike previous approaches, Arm CCA is able to verify whether software, which must retain control of managing hardware resources, is secure.
'Pulling Back the Curtain' to Reveal Molecular Key to The Wizard of Oz
American Chemical Society
July 20, 2022
Scientists at the University of Texas at Austin and the University of Massachusetts, Lowell have created a molecular encryption key from sequence-defined polymers that are sequentially assembled and decoded, which they believe proves this technique to be sufficiently durable for real-world usage, such as hiding messages in letters and plastic objects. Researchers concealed the 256-character-long binary key in the ink of a letter, which was mailed and used to decrypt a file with text from L. Frank Baum’s The Wizard of Oz. The molecular key can encrypt and decrypt text files when input into an algorithm, and the team encoded it within polymer sequences of eight 10-monomer-long oligourethanes.
Smart Chip Senses, Stores, Computes, Secures Data in Low-Power Platform
Penn State News
Mariah Chuprinski
July 19, 2022
Pennsylvania State University (Penn State) scientists have created a smart chip to reduce energy consumption while further securing digital data. Penn State's Saptarshi Das explained current cloud-based encryption is energy-inefficient and prone to data breaches and hacking. The researchers fabricated the cryptographic platform from two-dimensional molybdenum disulfide, incorporating 320 transistors that each feature sensor, storage, and computing units to encrypt data. Machine learning algorithms enabled the team to analyze output patterns and anticipate input information, and Das said the algorithms could not decrypt the data. The researchers also said the energy consumption was lower than that of silicon-based security methods, supporting an all-in-one chip that senses, stores, computes, and communicates information among connected devices.
Open Source Platform Enables Research on Privacy-Preserving ML
University of Michigan News
Zachary Champion
July 19, 2022
University of Michigan (U-M) researchers have open-sourced the largest benchmarking dataset for a privacy-shielding machine learning (ML) method to date. Federated learning trains ML models on end-user devices, rather than transferring private data to central servers. "By training in-situ on data where it is generated, we can train on larger real-world data," said U-M's Fan Lai. "This also allows us to mitigate privacy risks and high communication and storage costs associated with collecting the raw data from end-user devices into the cloud." The FedScale platform can model the behavior of millions of user devices using a few graphics processing units and central processing units, allowing ML model developers to evaluate model performance without large-scale deployments.
North Korea-Backed Hackers Have Clever Way to Read Gmail
Ars Technica
Dan Goodin
August 3, 2022
Researchers at security company Volexity have discovered malware dubbed SHARPEXT that the North Korea-sponsored SharpTongue hacker gang is using to read and download email and attachments from victims' Gmail and AOL accounts. Volexity's Steven Adair said SHARPEXT installs an extension for Chrome and Edge browsers "by way of spear phishing and social engineering where the victim is fooled into opening a malicious document." Email services cannot detect the extension, and since the browser will already have been authenticated, the compromise cannot be simply identified and neutralized. Volexity said SHARPEXT has been in use for "well over a year," allowing hackers to compile lists of email addresses to ignore, and to monitor already compromised emails or attachments.
Post-Quantum Encryption Contender Taken Out by Single-Core PC in One Hour
Ars Technica
Dan Goodin
August 2, 2022
Researchers at Belgium's Katholieke Universiteit Leuven (KU Leuven) ruled out an algorithm selected by the U.S. National Institute of Standards and Technology as a potential post-quantum encryption program. The Supersingular Isogeny Key Encapsulation (SIKE) algorithm was thought to be quantum-decryption-proof by avoiding key encapsulation's vulnerabilities through a supersingular isogeny graph. KU Leuven researchers used a single classical computer to break SIKE, which took it just one hour. The team showed SIKE's linchpin, the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, is vulnerable to a variant of a GPST adaptive attack that "exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known," explained Steven Galbraith at New Zealand's University of Auckland.
Newly Found Lightning Framework Offers Many Linux Hacking Capabilities
Ars Technica
Dan Goodin
July 26, 2022
Researchers from security firm Intezer disclosed the Lightning Framework, a previously undocumented modular malware framework for Linux. Installed after an attacker has accessed a target system, Lightning brings to Linux compromises some of the same efficiencies and speed that the Django Web framework provides for Web development. Lightning "has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins,” wrote Intezer's Ryan Robinson. The framework's Lightning.Downloader downloads software while its Lightning.Core core module receives commands when connected to a designated command-and-control server.
Experts Uncover 'CosmicStrand' UEFI Firmware Rootkit Used by Chinese Hackers
The Hacker News
Ravie Lakshmanan
July 25, 2022
Researchers at the Kaspersky cybersecurity company have attributed a new Unified Extensible Firmware Interface (UEFI) firmware rootkit called CosmicStrand to unknown Chinese-speaking hackers. The researchers said CosmicStrand resides "in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware's image." Attacks aim to interfere with the operating system loading process to implement a kernel-level implant into a Windows machine whenever it is booted, and to use this access to launch shellcode that connects to a remote server to retrieve the malware to be deployed on the system. The researchers noted CosmicStrand appears to have been used in the wild since the end of 2016, before UEFI rootkit exploits began to be publicly detailed.
Quantum Encryption Could Support Truly Secure Communication
Silicon Republic
Leigh McGowran
July 27, 2022
A new form of quantum cryptography could eventually support truly secure communication by facilitating quantum key distribution between two devices based on quantum entanglement, according to an international team of scientists. Researchers confined two single ions—a sender and a receiver—in separate traps connected by optical fiber. Entanglement allows the sender and receiver to generate shared outcomes without third-party interference. Researchers said this system could lead to two-party communication that is "fundamentally beyond" an adversary's control and also could ensure private communication with just a few general assumptions about the devices used.
Cyberattack Illuminates Shaky State of Student Privacy
The New York Times
Natasha Singer
July 31, 2022
A cyberattack on student-tracking software provider Illuminate Education highlights the inadequacies of student privacy safeguards. The breach worries cybersecurity and privacy experts because it involved sensitive personal details about students or student data dating back over 10 years. Technology companies and education reformers have pressured schools to adopt software that can catalog and categorize student behavior to help educators identify and assist at-risk students. With hacks on school software vendors increasing, the exposure of such information could have long-term ramifications. Said New Mexico attorney general Hector Balderas, "My concern is there will be bad actors who will exploit a public school setting, especially when they think that the technology protocols are not very robust. And I don't know why Congress isn't terrified yet."
Fiber-Optic Cables Could Be Used to Spy on People a Kilometer Away
New Scientist
Karmela Padavic-Callaghan
July 27, 2022
A device built by researchers at China's Tsinghua University can eavesdrop on people up to 1 km (0.6 mile) away using existing fiber-optic cables. The device detects changes in light triggered when someone speaks near an optical fiber; researchers uttered the phrase, "It's nine-fifteen" near a cable that was transmitting data. About 3 m (9.8 ft.) of the fiber was exposed to the sound, while the remaining 1.1 km (0.68 mile) was spooled in another room where the device was connected. The clarity of the words the device detected could be improved with computer speech enhancement, according to Tsinghua's Bo Wang.
Ad Age (4/21, Sloane) reports that, in its quarterly finances, Snapchat “acknowledged ongoing challenges to direct-response advertising, partly because of changes to privacy and data rules on platforms like Apple iPhones.” Apple app-tracking policies that took effect last year “cut apps off from data that marketers use to track when ads lead a consumer to a sale.” Snapchat Chief Business Officer Jeremi Gorman said such changes by platforms “put a serious onus on advertisers to adapt.” He added, “We continued to work through platform policy changes, which are primarily impacting direct-response advertising partners, and we believe that we are building effective measurement solutions for advertisers to prove the efficacy of their campaigns.”
The Wall Street Journal (4/20, Rundle, Nash, Subscription Publication) spoke with several cybersecurity and risk executives about new approaches they are using to attract talent. Organizations such as the International Information System Security Certification Consortium state that the demand for cybersecurity workers far exceeds the available workforce.
Forbes (4/19, Whitford) reports that in December of last year, “a ransom note suddenly appeared in computer printer trays at Lincoln College in Illinois.” The cyber criminals’ “message was clear: they had encrypted many of the rural college’s files and the institution no longer had access to critical enrollment, admissions and fundraising information.” The college “paid the ransom...via its cyber insurance policy, said David Gerlach, president of Lincoln.” Still, it “took months for employees to regain access to all of their systems, at which point college officials realized that enrollment projections for the next academic year were disastrously low.” In late March, Lincoln’s Board of Trustees “voted to close the school after the current spring semester.” Cyberattacks “like the one Lincoln experienced are extremely costly for institutions, and they are becoming more frequent.” Association of Governing Boards of Universities and Colleges CEO Henry Stoever “says more boards of trustees are now realizing the cyberattacks pose a serious risk to their institutions.”
Zoom Is Great for Remote Code Execution
PC Magazine
Max Eddy
August 11, 2022
Google Project Zero security researcher Ivan Fratric launched a remote code execution attack by exploiting the technology underlying Zoom and other applications. Fratric's exploit targets bugs in XMPP, an XML-based instant messaging (IM)-like protocol. The method involves embedding pieces of XMPP code, or stanzas, within other XMPP stanzas. The attacker is then able to use a client to smuggle stanzas within legitimate messages, which are accepted and passed on by the intermediate server but interpreted as two stanzas by the victim's IM client. Fratric alerted Zoom, which has issued patches, but Fratric warned that other targets also are vulnerable to XMPP bugs.
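The defensive counterpart to the stanza-smuggling described above is for the server to parse each inbound stanza with one strict parser, reject anything that does not look like exactly one well-formed stanza, and forward only its own re-serialization, so the client can never see something the server did not. The following is an added illustration using Python's standard-library XML parser; it is not Zoom's code or Fratric's, and the nested-stanza check and sample stanzas are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Illustrative hardening, not a real XMPP server's code: accept exactly one
# top-level stanza, refuse any stanza-type element nested inside it, and
# re-serialize so downstream clients receive what this parser understood.
CLIENT_NS = "jabber:client"
STANZA_TAGS = {f"{{{CLIENT_NS}}}{t}" for t in ("message", "presence", "iq")}
ET.register_namespace("", CLIENT_NS)  # keep xmlns="jabber:client" on output


class StanzaRejected(ValueError):
    """Raised when an inbound stanza fails validation and must be dropped."""


def normalize_stanza(raw: str) -> str:
    """Parse one stanza strictly and return its canonical serialization.

    Rejected inputs: unparsable XML (including two stanzas concatenated,
    which the parser reports as junk after the document element), a root
    element that is not message/presence/iq in jabber:client, and any
    descendant element that is itself one of those stanza types."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise StanzaRejected(f"malformed XML: {exc}") from exc
    if root.tag not in STANZA_TAGS:
        raise StanzaRejected(f"unexpected root element {root.tag}")
    for elem in root.iter():
        if elem is not root and elem.tag in STANZA_TAGS:
            raise StanzaRejected(f"nested stanza {elem.tag} inside {root.tag}")
    # Text content such as an escaped "<iq/>" stays escaped on re-serialization,
    # so a client parsing the output sees one stanza, the same one we validated.
    return ET.tostring(root, encoding="unicode")


def is_accepted(raw: str) -> bool:
    """Convenience wrapper: True if the stanza would be forwarded."""
    try:
        normalize_stanza(raw)
        return True
    except StanzaRejected:
        return False


# Constructed sample inputs (addresses and contents are made up).
SAMPLES = {
    "plain message": '<message xmlns="jabber:client" to="a@example.test">'
                     '<body>hi</body></message>',
    "escaped text":  '<message xmlns="jabber:client"><body>&lt;iq/&gt;</body>'
                     '</message>',
    "nested iq":     '<message xmlns="jabber:client"><body/><iq type="set"/>'
                     '</message>',
    "two stanzas":   '<message xmlns="jabber:client"/><presence/>',
    "bad root":      '<foo xmlns="jabber:client"/>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {'forward' if is_accepted(raw) else 'drop'}")
```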
APIC Fail: Intel 'Sunny Cove' Chips with SGX Spill Secrets
The Register (UK)
Thomas Claburn
August 9, 2022
An international group of computer scientists discovered an architectural error in certain Intel central processing units (CPUs) affecting the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC). This error could be used to expose private encryption keys and other SGX (Software Guard Extensions) enclave data. The researchers said the ÆPIC Leak is "the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel." An Intel spokesperson said the company "recommends that operating systems and virtual machine monitors enable x2APIC mode, which disables the xAPIC MMIO page and instead exposes APIC registers through model specific registers, which mitigates this issue in affected products.”
Can WhatsApp Messages Be Secure and Encrypted, but Traceable?
The Brink (Boston University)
Andrew Thurston
August 10, 2022
Boston University (BU) researchers have created Hecate, an algorithm that can strengthen a secure messaging application's confidentiality and allow moderators to rein in abuse. The app moderator uses Hecate to generate a unique batch of electronic signatures or tokens for each user, which accompany each message the user sends. If the recipient reports that message, the moderator can confirm the sender's token and take action, a process called asymmetric message franking. BU's Mayank Varia said deniability is ensured because the token is encrypted and only useful to the moderator, so "even if the moderator goes rogue, they can't show and convince the rest of the world—they have no digital proof." Varia calls Hecate "the first message franking scheme that simultaneously achieves fast execution on a phone and for the moderator server, support for message forwarding, and compatibility with anonymous communication networks like Signal's sealed sender."
The Hacking of Starlink Terminals Has Begun
Wired
Matt Burgess
August 10, 2022
Lennert Wouters at Belgium's Katholieke Universiteit Leuven hacked SpaceX's Starlink network, a web of more than 3,000 small satellites that enables Internet connections to remote locations on Earth. Wouters exploited vulnerabilities in Starlink's satellite dishes to access the network and run custom code. He stripped down a dish and built an attachable printed circuit board from off-the-shelf parts, through which he could launch a voltage fault injection attack and circumvent signature verification. Wouters alerted Starlink of the flaws last year, and says although SpaceX has released a firmware update that makes the attack harder, the underlying bug can only be corrected if the company produces a new version of the main chip.
Anti-Tracking Tool Checks If You're Being Followed
Wired
Matt Burgess
August 11, 2022
U.S. Department of Homeland Security agent Matt Edmondson built a Raspberry Pi-powered anti-tracking tool to determine if someone is being tailed. The system scans for nearby wireless devices and alerts the user if it detects the same phone multiple times within a certain period. The tool is protected by a waterproof case, and consists of a Raspberry Pi 3, a device-scanning Wi-Fi card, a portable charger, and a touchscreen to display alerts. The device's Kismet software can detect surrounding smartphones and tablets that are searching for Wi-Fi or Bluetooth connections, and Edmondson wrote code in Python to compile lists of what it detects over time. The tool flashes an onscreen alert if the same device appears twice in the past five to 10 minutes, 10 to 15 minutes, and 15 to 20 minutes.
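The alerting rule described above, reconstructed as an added example; this is not Edmondson's code. It takes a list of (time seen, device identifier) sightings of the kind a Kismet scan would yield, buckets them into the 0-5, 5-10, 10-15 and 15-20 minute look-back windows, and flags any device seen in two or more distinct windows. The window bounds follow the article; the device identifiers and the "two windows" threshold are assumptions, and the sightings are constructed.

```python
from datetime import datetime, timedelta

# Look-back windows in minutes before "now": 0-5 (current), then 5-10,
# 10-15 and 15-20, as described in the article.
WINDOWS = [(0, 5), (5, 10), (10, 15), (15, 20)]


def devices_seen_in(sightings, now, window):
    """Set of device ids seen between `hi` and `lo` minutes before `now`.

    Half-open interval (start, end] so adjacent windows do not overlap."""
    lo, hi = window
    start, end = now - timedelta(minutes=hi), now - timedelta(minutes=lo)
    return {dev for ts, dev in sightings if start < ts <= end}


def possible_tails(sightings, now, min_windows=2):
    """Map device id -> windows it appeared in, for devices that keep
    reappearing (seen in at least `min_windows` distinct windows).

    A device seen only once is a passer-by; sightings older than the last
    window are ignored entirely."""
    seen = {}
    for window in WINDOWS:
        for dev in devices_seen_in(sightings, now, window):
            seen.setdefault(dev, []).append(window)
    return {dev: wins for dev, wins in seen.items() if len(wins) >= min_windows}


# Constructed sample scan log. Real input would be Kismet's device list;
# the identifiers below are made up, not real hardware addresses.
NOW = datetime(2022, 8, 11, 12, 0, 0)


def _ago(minutes):
    return NOW - timedelta(minutes=minutes)


SAMPLE_SIGHTINGS = [
    (_ago(1), "phone-A"), (_ago(7), "phone-A"),     # seen in every window:
    (_ago(12), "phone-A"), (_ago(18), "phone-A"),   # strongest tail signal
    (_ago(2), "phone-B"), (_ago(13), "phone-B"),    # now and 10-15 min ago
    (_ago(3), "phone-C"),                           # once only: passer-by
    (_ago(8), "phone-D"), (_ago(17), "phone-D"),    # not seen right now
    (_ago(25), "phone-E"), (_ago(26), "phone-E"),   # older than 20 min
]

if __name__ == "__main__":
    for dev, wins in possible_tails(SAMPLE_SIGHTINGS, NOW).items():
        print(f"ALERT: {dev} seen in windows {wins}")
```

Randomized Wi-Fi and Bluetooth addresses will split one real device across several identifiers, so a quiet result from this rule is not proof of no tail.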
Deepfakes Expose Vulnerabilities in Facial Recognition Technology
Pennsylvania State University
Jessica Hallman
August 11, 2022
Researchers at Pennsylvania State University and China's Shandong and Zhejiang universities found that most commercial application programming interfaces (APIs) offering facial liveness verification, the feature of facial recognition systems meant to confirm a live person is present, fail to reliably detect deepfakes, and those that do catch them are less effective than their vendors claim. The researchers built LiveBugger, a deepfake-powered attack framework, and used it to evaluate six commercial facial liveness verification APIs. LiveBugger attempted to deceive the APIs with deepfake images and videos drawn from two separate datasets, and easily bypassed the four most common verification methods. The researchers proposed strengthening the technology by eliminating verification that analyzes only a static image of a user's face, and by matching lip movements to the user's voice in combined audio-video schemes.
Tech, Cyber Companies Launch Security Standard to Monitor Hacking Attempts
WSJ Pro Cybersecurity
Kim S. Nash
August 10, 2022
A group of 18 tech and cyber companies hoping to build a common data standard for sharing cybersecurity information launched the Open Cybersecurity Schema Framework (OCSF) during the Black Hat USA cybersecurity conference. Products and services that support the OCSF specification would be able to collate and normalize alerts from different cyber-monitoring tools, network loggers, and other software, simplifying and speeding up the interpretation of that data. “There's a lot of custom software out there in the security world,” but products that support OCSF would be able to share information in one dashboard without the extra manual labor, said Amazon Web Services' Mark Ryland. The OCSF specification and documentation are published as open source on GitHub.
One of 5G's Biggest Features Is a Security Minefield
Wired
Lily Hay Newman
August 9, 2022
5G Internet of Things (IoT) application programming interfaces (APIs) offered by mobile carriers have security vulnerabilities, according to researchers at Germany's Technical University of Berlin. The researchers analyzed 5G IoT APIs from 10 mobile carriers (seven in Europe, two in the U.S., and one in Asia), and all contained serious vulnerabilities. They determined that weak authentication, missing access controls, and other basic flaws in API setup could expose SIM-card identifiers and secret keys, along with the identity and billing information of the SIM card purchaser. "We found vulnerabilities that could be exploited to access other devices even though they don't belong to us, just by being on the platform," said the Technical University of Berlin's Altaf Shaik. "It's a big issue."
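The failure the Berlin researchers describe, an authenticated tenant reading another tenant's SIM records because the API checks who the caller is but not what the caller owns, looks like this in miniature. This is an added example with constructed data, not any carrier's code or the researchers' test harness; the API keys, account names, ICCIDs and handler names are the example's own. Handlers return an HTTP-style status and body so the two versions can be compared side by side.

```python
import hmac

# Constructed tenant and SIM data for the example; nothing here is from a real carrier.
API_KEYS = {  # api_key -> customer account
    "key-acct-1": "acct-1",
    "key-acct-2": "acct-2",
}
SIMS = {  # ICCID -> record held by the carrier's IoT platform
    "8900000000000000001": {"owner": "acct-1", "imsi": "001010000000001",
                            "ki": "00112233445566778899aabbccddeeff",
                            "billing_name": "Tenant One Ltd"},
    "8900000000000000002": {"owner": "acct-2", "imsi": "001010000000002",
                            "ki": "ffeeddccbbaa99887766554433221100",
                            "billing_name": "Tenant Two GmbH"},
}


def authenticate(api_key):
    """Map an API key to an account. Comparing against every stored key with a
    constant-time compare avoids leaking which keys exist via timing."""
    match = None
    for stored, acct in API_KEYS.items():
        if hmac.compare_digest(stored.encode(), api_key.encode()):
            match = acct
    return match


def get_sim_vulnerable(api_key, iccid):
    """Authentication only. Any valid tenant can read ANY SIM, secret key
    included: the missing object-level authorization the study describes."""
    if authenticate(api_key) is None:
        return 401, {"error": "invalid API key"}
    rec = SIMS.get(iccid)
    if rec is None:
        return 404, {"error": "no such SIM"}
    return 200, rec


def get_sim_hardened(api_key, iccid):
    """Same endpoint with an ownership check and a minimal response."""
    acct = authenticate(api_key)
    if acct is None:
        return 401, {"error": "invalid API key"}
    rec = SIMS.get(iccid)
    # Unknown and not-owned are indistinguishable, so tenants cannot enumerate ICCIDs.
    if rec is None or rec["owner"] != acct:
        return 404, {"error": "no such SIM"}
    # The subscriber key Ki never leaves the platform, not even to its owner.
    return 200, {"iccid": iccid, "imsi": rec["imsi"], "billing_name": rec["billing_name"]}
```

The hardened handler also drops the `ki` field from the response entirely; a key the platform needs for network authentication is not something a management API should ever return, regardless of who asks.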
Thinking Like a Cyber-Attacker to Protect User Data
MIT News
Adam Zewe
August 11, 2022
Researchers at the Massachusetts Institute of Technology (MIT), the University of Illinois at Urbana-Champaign, and the Texas Advanced Computing Center have demonstrated that hackers can exploit computer processors' on-chip interconnect to launch side-channel attacks. The researchers formulated such attacks by reverse-engineering the on-chip interconnect to build an analytical model of traffic flow between the processor cores, then developed two mitigation strategies. One strategy would have the system administrator apply the model to identify the most vulnerable cores, then schedule sensitive software to run on less susceptible cores. The second strategy involves the administrator reserving cores located around a vulnerable program, and running only trusted software on those cores. Neither strategy demands altering the physical hardware, says MIT’s Miles Dai.
Finding Bugs Faster Than Hackers
USC Viterbi School of Engineering
Julia Cohen
August 8, 2022
Researchers at the University of Southern California's Viterbi School of Engineering (USC Viterbi), Arizona State University, Cisco Systems, and French graduate research center EURECOM have proposed a novel automated discovery method for finding bugs in software that hackers could exploit. "Because computer programs are so large and complicated these days, we'd like to automatically detect these vulnerabilities instead of having a human expert analyzing the program to find them," said USC Viterbi's Nicolaas Weideman. The ARBITER technique analyzes software at the binary level, combining static and dynamic vulnerability detection to enhance the static method's precision and the dynamic method's scalability.
Alibaba, ByteDance Share Details of Algorithms with Beijing for First Time
Bloomberg
Jane Zhang
August 15, 2022
In an unprecedented move that may expose corporate secrets, major Chinese Internet companies including Alibaba Group and ByteDance have, for the first time, provided details of their algorithms to Beijing as part of a government effort to curb data abuse. The Cyberspace Administration of China (CAC) published a list of 30 algorithms the firms use to collect user data, tailor recommendations, and disseminate content. While the CAC currently requires only basic information, it may demand more detail when probing alleged data violations, said Zhai Wei of East China University of Political Science and Law. The list gives short descriptions of how each algorithm functions, along with its products and use cases.
Encrypted One-Touch Human-Machine Interface Technology Reveals User Physiology
UCLA Samueli Newsroom
August 8, 2022
A team of researchers at the University of California, Los Angeles (UCLA) and Stanford University has developed an encrypted, one-touch human-machine interface that can reveal physiological details about users. The cryptographic bio-human-machine interface (CB-HMI) uses hydrogel-coated chemical sensors to collect and identify circulating molecules on the skin through perspiration, and to record heart rate and blood oxygen levels. Said UCLA's Sam Emaminejad, "It also can encrypt the data at the point of collection by leveraging the individual's unique fingerprint as a key, so the collected data remain secure and private." The sensors measure users' ethanol and acetaminophen concentrations. UCLA's Shuyu Lin said the researchers used CB-HMI to develop a medication dispenser that administers "the appropriate amount of acetaminophen depending on current levels in the blood."
Reuters (5/4, Renshaw) reports the White House on Wednesday will “announce a slate of measures to support quantum technology in the United States while laying out steps to boost cybersecurity to defend against the next generation of supercomputers.” President Biden will sign an “executive order aimed at strengthening the National Quantum Initiative Advisory Committee, the government’s independent expert advisory body for quantum information science and technology.” The order places the “advisory committee directly under the authority of the White House.” Biden will also sign a “national security memorandum outlining the administration’s plan to address the risks posed by quantum computers to America’s cybersecurity.” The memorandum offers a “road map to federal agencies to update their information technology systems to help defend against complex quantum attacks, establishing goals and milestones” and “establishes a working group between the public and private sectors to generate research and collaborate on quantum resistant standards.”
Musk Suggests End-To-End Encryption For Direct Messages
Forbes (4/30, Winder) reports one “of the most applauded, yet at the same time somewhat controversial,” ideas that Musk has proposed is “the introduction of end-to-end encrypted direct messages to what you might call Twitter 2.0.” In an April 28 tweet, Musk “stated that ‘Twitter DMs should have end-to-end encryption like Signal, so no one can spy on or hack your messages.’ At the time of writing, Musk’s tweet has amassed 1.4 million likes and been retweeted more than 110,000 times.”
The AP (5/2) reports “a Michigan community college has cancelled classes indefinitely following a ransomware attack over the weekend.” Officials at Battle Creek-based Kellogg Community College “said Sunday in a statement on its website that technology issues caused by the attack continue to affect the school’s systems.” The ransomware attack “was under investigation.” Officials “did not give details about the technology issues.” All five “of the college’s campuses will remain closed with classes canceled until further notice, the school said.” Officials “hope to allow students and staff to return later this week.”
Austin Peay State University Hit With Ransomware Attack. Higher Ed Dive (5/2) reports Austin Peay State University also “reported a ransomware attack last week, which forced the institution to cancel final exams scheduled for Friday before resuming scheduled finals on Monday, according to the university’s latest update.” The university has “also restored several services, allowing students and employees to start using university computers and plug back into its network.”
Adweek (5/2) reports behind a paywall, “The Connecticut General Assembly advanced a privacy bill last week, bringing the Constitution State a step closer to becoming the fifth state in the U.S. to pass legislation regulating how people’s data is collected and shared online.”
Algorithm May Help Prevent Power Blackouts from Ransomware Attacks
Purdue University
October 4, 2022
Power blackouts triggered by ransomware may be prevented with an algorithm developed by Purdue University researchers that maps out the areas of the power grid where utilities should prioritize security spending. The algorithm incentivizes each security decision-maker to apportion security investments so as to limit the cumulative damage a ransomware attack can cause. The researchers evaluated the algorithm in the context of several types of critical infrastructure beyond the power industry, testing it in models of previously reported hacks of a smart grid, an industrial control system, an e-commerce platform, and a Web-based telecommunications network. In each case, the researchers said, the algorithm produced the optimal allocation of security investments for mitigating the attack.
5G Networks Are Worryingly Hackable
IEEE Spectrum
Edd Gent
August 24, 2022
German security researchers determined that 5G networks can be hacked, having breached and hijacked live networks in a series of "red teaming" exercises. Poorly configured cloud technology made the exploits possible, they said; Karsten Nohl at Germany's Security Research Labs cited operators' failure to implement basic cloud security. He suggested telecommunications companies may be taking configuration shortcuts that undermine the isolation the software "containers" in 5G networks are supposed to provide. The emergence of 5G has escalated demand for virtualization, especially in the radio access networks that link end-user devices to the network core. Nohl said 5G networks respond to the greater complexity with more automated network management, which also makes exploitation easier.
Experimental Attack Can Steal Data from Air-Gapped Computers
TechCrunch
Carly Page
August 24, 2022
Security researcher Mordechai Guri at Israel's Ben-Gurion University demonstrated an experimental exploit for stealing data from Internet-disconnected computers. Guri said the Gairoscope attack uses a smartphone's gyroscope to receive information exfiltrated from an air-gapped computer just "a few meters away." Malware on the air-gapped system encodes data such as passwords or login credentials into inaudible tones played through the machine's speakers; Guri said these frequencies generate "tiny mechanical oscillations within the smartphone's gyroscope," which can be decoded back into readable data. In addition, he said, attackers could carry out the exploit from a mobile browser, since phone gyroscopes can be accessed with JavaScript. Suggested countermeasures include removing loudspeakers from air-gapped systems to create an audio-less environment, and filtering out the resonant frequencies produced by the audio hardware with an audio filter.
Eight-Year-Old Linux Kernel Vulnerability Uncovered
The Hacker News
Ravie Lakshmanan
August 22, 2022
Northwestern University researchers have disclosed DirtyCred, a Linux kernel exploitation technique that, paired with an eight-year-old, previously unknown kernel vulnerability, escalates an unprivileged user to full root privileges. The researchers described DirtyCred as “a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged." They added that it "is like the dirty pipe that could bypass all the kernel protections, [but] our exploitation method could even demonstrate the ability to escape the container actively that Dirty Pipe is not capable of."
Apple Warns of Security Flaw for iPhones, iPads, Macs
Associated Press
August 18, 2022
Apple issued two security reports about flaws that hackers could potentially exploit to hijack iPhones, iPads, and Macs by gaining "full admin access." Rachel Tobac at computer security service SocialProof Security said this would allow intruders to masquerade as device owners and run any software in their name. Security experts have recommended that users update affected devices immediately; researcher Will Strafach said he had seen no technical analysis of the vulnerabilities Apple has just patched. The company credited an anonymous researcher with discovering the flaws, without disclosing how or where they were found. Apple has previously conceded the existence of similarly serious flaws and acknowledged that such vulnerabilities had been exploited, on perhaps a dozen occasions by Strafach's estimate.
Scanning Students' Homes During Remote Testing Is Unconstitutional, Judge Says
Ars Technica
Ashley Belanger
August 23, 2022
An Ohio judge has ruled that scanning students' rooms during remote testing amounts to an invasion of privacy and a violation of the Fourth Amendment's guaranteed protection against unlawful searches. The case was filed by Cleveland State University student Aaron Ogletree, who alleged confidential tax documents were visible during a room scan recording made prior to a chemistry exam, and shared with other students. Said Judge J. Philip Calabrese, "Though schools may routinely employ remote technology to peer into houses without objection from some, most, or nearly all students, it does not follow that others might not object to the virtual intrusion into their homes or that the routine use of a practice such as room scans does not violate a privacy interest that society recognizes as reasonable, both factually and legally."
TikTok Browser Can Track Users' Keystrokes
The New York Times
Paul Mozur; Ryan Mac; Chang Che
August 19, 2022
Privacy researcher Felix Krause found that the in-app Web browser of the TikTok video application injects code capable of tracking users' keystrokes, indicating the Chinese-owned app could monitor users' online behavior. Independent software engineer Jane Manchun Wong said Krause's discovery suggests a TikTok user "might enter their sensitive data such as login credentials on external Websites," adding that the in-app browser could "extract information from the user's external browsing sessions, which some users find overreaching." Researchers said that although big technology companies might use such trackers when testing new software, they seldom ship a major commercial app with such features, enabled or not. TikTok disputed Krause's findings, saying the code was for "debugging, troubleshooting, and performance monitoring."
'Hackers Against Conspiracies': Cyber Sleuths Take Aim at Election Disinformation
Politico
Maggie Miller
August 15, 2022
The annual DEF CON hacking conference's "Voting Machine Village" has been a feature since 2017, with attendees attempting to break into registration databases, ballot-casting machines, and other voting equipment to identify vulnerabilities. However, in the wake of the 2020 U.S. presidential election and the resulting false claims of election fraud, the focus of this year's event was how to find vulnerabilities without fueling election misinformation. Said Harri Hursti, co-founder of the village, "All the security improvements [have been] hampered by all the false claims, conspiracies—and fighting those." Hursti noted that clips from DEF CON were used in the media after the election to cast doubt on election security. This year's Voting Village featured officials from Maricopa County, AZ, among others, who discussed ongoing, though debunked, conspiracy theories. Hursti explained, "What we try to do is to make certain that the right message gets out."
Oracle Faces Class-Action Lawsuit Over Tracking 5 Billion People
PC Magazine
Matthew Humphries
August 23, 2022
A class-action lawsuit against U.S. multinational technology company Oracle claims it tracks and collects personal information on billions of people, generating over $40 billion in annual revenue as a result. The suit alleges Oracle has breached statutes including the Federal Electronic Communications Privacy Act by collecting without permission data such as names, home addresses, emails, online and physical purchases, physical movements, income, interests and political views, and online activity. The suit's class representatives include Johnny Ryan of the Irish Council for Civil Liberties, who said, "This is a Fortune 500 company on a dangerous mission to track where every person in the world goes, and what they do. We are taking this action to stop Oracle's surveillance machine."
Just 1 of 25 Apps That Track Reproductive Health Protect Users' Data: Report
The Hill
Shirin Ali
August 17, 2022
A study of 25 reproductive health apps and wearable devices by researchers at the Mozilla Foundation found that most have weak privacy protections. The researchers found that these apps generally collect personal information, including phone numbers, emails, home addresses, dates of menstrual cycles, sexual activity, doctors' appointments, and pregnancy symptoms. Of the apps analyzed, 18 were given a "Privacy Not Included" warning label due to vague privacy policies and potential security concerns. Additionally, the study found that most of the apps had vague guidelines regarding data-sharing with law enforcement. Mozilla's Ashley Boyd warned users that many reproductive health apps are "riddled with loopholes and they fail to properly secure intimate data." Only the Euki app was found not to collect any personal information about users, and any information input by users is stored locally on the user's device.
Fingertips' Heat Can Be Used to Crack Passwords
Yahoo! News
Dan Barker
October 10, 2022
Researchers at the U.K.'s University of Glasgow warn that heat-detecting cameras can help crack passwords up to a minute after they are typed by identifying the thermal signature fingertips leave on keyboards. The researchers created an artificial intelligence-equipped tool that guesses passwords from thermal images. Measuring the relative intensity of the warmer areas reveals which letters, numbers, or symbols make up the password and, because recently pressed keys are warmer, the order in which they were pressed. The ThermoSecure system solved about 86% of passwords when thermal images were captured within 20 seconds of typing, 76% within 30 seconds, and 62% after 60 seconds. The researchers also found the system could attack 16-character passwords with up to 67% success within 20 seconds, with the success rate increasing as passwords grew shorter.
Chicago Scientists Testing Unhackable Quantum Internet in Closet
The Washington Post
Jeanne Whalen
October 9, 2022
University of Chicago (UChicago) scientists are testing a hack-proof quantum Internet in a laboratory closet. The equipment in the closet links to a 124-mile fiber-optic network running from the UChicago campus to the U.S. Department of Energy's Argonne National Laboratory and Fermi National Accelerator Laboratory. The researchers route encryption keys over the network via entangled photons for extraction by colleagues at Argonne; UChicago's David Awschalom said any attempt to intercept the keys will alert both sender and receiver. Researchers are testing similar networks in Boston, New York, Maryland, Arizona, Europe, and China. The ultimate goal is to connect these testbeds through fiber and satellite links into a world-spanning quantum Internet.
Sensors Can Tap into Mobile Vibrations to Eavesdrop Remotely
Penn State News
Ashley WennersHerron
October 7, 2022
Pennsylvania State University (Penn State) researchers used a commercial automotive radar sensor and novel processing method to eavesdrop remotely on smartphone conversations by detecting vibrations of the phone's earpiece. The radar operates in the 60- to 64-gigahertz and 77- to 81-gigahertz bands of the millimeter-wave (mmWave) spectrum. The mmSpy approach involves simulating people speaking through the smartphone's earpiece, whose vibrations pervade the phone's frame. The researchers feed vibrational data to machine learning algorithms that reconstruct audio from a foot away with 83% accuracy, and from six feet away with 48% accuracy. Penn State's Suryoday Basak said researchers can filter, augment, or classify keywords as needed once the speech's reconstruction is complete.
Ransomware Attackers Abuse Genshin Impact Anti-Cheat System to Disable Antivirus
The Hacker News
Ravie Lakshmanan
September 5, 2022
Trend Micro researchers found that cybercriminals took advantage of a vulnerable anti-cheat driver for the Genshin Impact video game to disable antivirus programs with the goal of deploying ransomware. The attackers aimed to use a legitimate device driver module with valid code signing to escalate privileges from user mode to kernel mode. The researchers found a compromised endpoint was used to connect to the domain controller via remote desktop protocol and transfer a Windows installer posing as AVG Internet Security that dropped and executed the vulnerable driver. Said the researchers, "Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module."
LastPass, Password Manager with Millions of Users, Is Hacked
The Wall Street Journal
Alyssa Lukpat
August 26, 2022
On Aug. 25, online password manager LastPass reported the theft of some of its source code and proprietary technical information, but said there is no evidence that customer data or the encrypted password vaults of its more than 33 million users were accessed. LastPass' Karim Toubba said a developer account had been compromised, allowing an unauthorized party to access portions of the company's development environment. The unusual activity was detected two weeks ago, prompting an investigation. Toubba said the company is working with a cybersecurity and forensics firm and has rolled out additional security measures. LastPass stores users' login information in encrypted vaults that only the user's master password can unlock, so the company itself cannot read customers' vault data.
Hacking Device Can Secretly Swipe, Tap Smartphone Screen
New Scientist
Jeremy Hsu
August 31, 2022
Separate teams of researchers have developed devices for remotely hacking smartphone touchscreens. Both methods involve placing devices featuring an antenna for transmitting signals and a phone locator under a table. The locator deduces the position and orientation of a touchscreen device placed on the table, then the antenna sends electromagnetic signals imitating electric field disturbances caused by physical touch. The Invisible Finger method created by University of Florida researchers caused both iOS and Android devices to recognize the electromagnetic touches; the GhostTouch technique from scientists at China's Zhejiang University worked with multiple Android devices, but could not crack the iPhone 7 Plus or certain OPPO phone models. The hacks only work with the target device lying face down and positioned close to the antenna.
Hackers Hide Malware in James Webb Telescope Images
BleepingComputer
Bill Toulas
August 30, 2022
Hackers have launched a campaign, dubbed GO#WEBBFUSCATOR by threat analysts, that spreads malware via phishing emails, malicious documents, and images from the James Webb Space Telescope. The payloads dropped were not flagged as malicious by any antivirus engine on the VirusTotal scanning platform at the time of analysis. Infection begins with a phishing email carrying an attached document that downloads a template file; the template contains an obfuscated VBS macro that auto-executes if macros are enabled in Office, then downloads a JPG image of a galaxy cluster, decodes a payload hidden in the image, and executes it. Security analytics company Securonix says the malware communicates with its command-and-control (C2) server over the Domain Name System (DNS), sending encrypted queries that "are read in and unencrypted on the C2 server, thus revealing its original contents." Securonix has published indicators of compromise, including network- and host-based indicators.
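Because the campaign's C2 traffic rides on DNS, one detection a defender can run over resolver logs is a per-zone check for many unique, long, high-entropy subdomain labels, which is what encrypted data encoded into query names tends to look like. The following is an added example, not Securonix's detection logic and not any of its published indicators; the log format, the `c2.invalid` zone, the hex labels and the thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed resolver log in "epoch client qname qtype" form. The format and
# every name in it are this example's own; none are indicators from the campaign.
SAMPLE_LOG = """\
1661900001 10.0.0.12 www.example.com A
1661900002 10.0.0.12 mail.example.com A
1661900003 10.0.0.12 cdn.example.com AAAA
1661900004 10.0.0.12 a-very-long-but-legitimate-hostname-label.example.org A
1661900010 10.0.0.12 5a3f9c1e7b2d4e6f8a0c1b3d5e7f9a2c4e6b8d0f.c2.invalid TXT
1661900011 10.0.0.12 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.c2.invalid TXT
1661900012 10.0.0.12 0f1e2d3c4b5a69788796a5b4c3d2e1f00112233a.c2.invalid TXT
1661900013 10.0.0.12 a7c9e1b3d5f70294c6e8a0b2d4f61839c5e7a9b1.c2.invalid TXT
1661900014 10.0.0.12 3b5d7f9a1c3e5072946b8d0f2a4c6e8091b3d5f7.c2.invalid TXT
1661900015 10.0.0.12 e2f4a6c8b0d2e4f6a8c0b2d4e6f8a0c2b4d6e8f0.c2.invalid TXT
1661900016 10.0.0.12 7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a.c2.invalid TXT
1661900017 10.0.0.12 c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0.c2.invalid TXT
"""


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype


def split_zone(qname):
    """Crude (subdomain labels, zone) split using the last two labels as the
    zone. A real deployment would use the Public Suffix List instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def suspicious_zones(lines, min_unique=8, min_label=30, min_entropy=3.5):
    """Flag zones that receive many distinct subdomains whose leftmost label is
    unusually long or unusually random. Returns {zone: summary}."""
    subs = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, _, qname, _ = parse_line(line)
        sub, zone = split_zone(qname)
        if sub:
            subs[zone].add(".".join(sub))

    flagged = {}
    for zone, names in subs.items():
        if len(names) < min_unique:
            continue  # a handful of odd names is normal; tunnelling needs volume
        first = [n.split(".")[0] for n in names]
        avg_len = sum(map(len, first)) / len(first)
        avg_ent = sum(map(shannon_entropy, first)) / len(first)
        if avg_len >= min_label or avg_ent >= min_entropy:
            flagged[zone] = {"unique_subdomains": len(names),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged


if __name__ == "__main__":
    for zone, info in suspicious_zones(SAMPLE_LOG.splitlines()).items():
        print(f"SUSPECT {zone}: {info}")
```

The unique-subdomain floor is what keeps the long but legitimate hostname under `example.org` from firing; CDNs and cloud providers also generate many unique labels, so in practice the flagged zones go through an allowlist before anyone is paged.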
Researchers Call Cloudflare a Haven for Misinformation
Time
Chris Stokel-Walker
August 26, 2022
Critics say content delivery network (CDN) Cloudflare shields misinformation sites that it and similar companies ignore. Stanford University researchers analyzed the services hosting 440 of the most prominent misinformation websites worldwide; although Cloudflare serves only about one in five mainstream Internet sites, it serves one in three sites known for peddling hate or misinformation. The Stanford researchers found "anecdotally that sites prefer Cloudflare because of its lax acceptable use policies and its free DDoS [distributed denial-of-service] protection services that help protect against vigilante attacks." After Cloudflare, the researchers identified Amazon, Google, GoDaddy, and Unified Layer as the four most prominent hosting providers for misinformation sites.
Voting Machine Tampering Points to Concern for Fall Election
Associated Press
Christina A. Cassidy; Colleen Slevin
August 25, 2022
Election officials and security experts in the U.S. are concerned that conspiracy theories related to the 2020 presidential election could encourage interference with, or even attempts to sabotage, voting machines during this fall's elections. Such concerns were highlighted on the last day of voting in the Pueblo County, CO, June primary, when a poll worker found an error message on a voting machine's screen. Election officials can take measures to ensure unauthorized devices don't infect voting equipment, for example by configuring systems to recognize only proprietary devices. In the Pueblo County case, the tamper-evident seal on the voting machine appeared to have been disturbed. The case remains under investigation.
CNBC (5/6, Novet) reports, “Google’s cloud unit is forming a team to build services for developers running blockchain applications as the company tries to capitalize on the surging popularity of crypto and related projects.” Google intends to “offer back-end services to developers interested in composing their own Web3 software as the company battles for market share in cloud infrastructure against Alibaba, Amazon and Microsoft.” In an interview with CNBC, Google Cloud’s Vice President Amit Zavery said, “We’re not trying to be part of that cryptocurrency wave directly. We’re providing technologies for companies to use and take advantage of the distributed nature of Web3 in their current businesses and enterprises.”
Engadget (5/6, Holt) reports, “The company is hoping to make Google Cloud Platform the primary destination for those who want to run Web3 apps.” The Web3 movement aims to make “the web decentralized and shifting power away from major companies like Google, Amazon and Meta. Still, Web3 developers need to host their apps and services somewhere, and Google wants to be their first choice.”
SiliconANGLE (5/6, Wheatley) reports that the Web3 team “will reportedly be led by James Tromans, a technical director at Google Cloud who joined the division in 2019. ... The Web3 team is set to include Google employees who have been ‘peripherally involved in Web3 internally and on their own.’” Google Cloud Head of Strategy for Digital Assets Richard Widmann stated that the company intends to “recruit a ‘slew of people with blockchain expertise.’”
Anonymous Data Doesn't Mean Private
Illinois Institute of Technology
Casey Moffitt
October 6, 2022
Illinois Institute of Technology (Illinois Tech) researchers used machine learning algorithms to infer personal information from anonymized cellphone data. Their neural-network model estimated the gender and age of individual users from records of their private communications, using data supplied by a Latin American cellphone company. The model guessed individuals' gender with 67% accuracy and age with 78% accuracy, significantly outperforming current models. The researchers used commonly available computing equipment to extract this information, and although the dataset they used was not public, malefactors could assemble a similar dataset by capturing traffic through public Wi-Fi hotspots or by targeting service providers' computing infrastructure, said Illinois Tech's Vijay K. Gurbani.
Computer Experts Urge Georgia to Replace Voting Machines
Associated Press
Kate Brumback
September 9, 2022
In a Sept. 8 letter to Georgia's State Election Board and Secretary of State Brad Raffensperger, a group of 13 computer and election security experts said they should replace the state's Dominion Voting Systems touchscreen voting machines with hand-marked paper ballots prior to the November midterm elections. The letter cited "serious threats" from a breach of voting equipment in Coffee County, which remains under investigation. A documented incident that occurred in January 2021 reportedly involved unauthorized copying of election equipment in the county. The letter said the copying and sharing of election data and software from Coffee County "increases both the risk of undetected cyber-attacks on Georgia, and the risk of accusations of fraud and election manipulation."
Stealthy Shikitega Malware Targets Linux Systems, IoT Devices
The Hacker News
Ravie Lakshmanan
September 7, 2022
Researchers at AT&T Alien Labs have identified a Linux malware strain, Shikitega, that compromises endpoints and Internet of Things devices through a multi-stage infection chain. Once Shikitega is deployed, the chain downloads and executes Metasploit's "Mettle" Meterpreter payload to, among other things, escalate privileges and launch a Monero cryptocurrency miner. How the initial compromise occurs remains unclear, but Shikitega can fetch next-stage payloads from a command-and-control server and execute them directly in memory, and its use of a polymorphic encoder makes it harder for antivirus engines to detect. Said AT&T Alien Labs' Ofer Caspi, "Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload."
Chrome Patches Sixth High-Severity Zero-Day This Year
Ars Technica
Dan Goodin
September 6, 2022
Google engineers have published an emergency update for the Chrome browser to fix a high-severity zero-day flaw for which exploit code is available. Google said the vulnerability (CVE-2022-3075) stems from "insufficient data validation in Mojo," Chrome's inter-process communication (IPC) framework, which carries messages between the browser's sandboxed processes. "Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the company said, without disclosing whether attackers are actively exploiting the vulnerability or merely possess exploit code. Microsoft also updated its Edge browser, which is based on the same Chromium engine as Chrome, to fix the same bug. The Mojo flaw is the sixth Chrome zero-day patched this year.
Collaborative ML That Preserves Privacy
MIT News
Adam Zewe
September 7, 2022
Researchers at the Massachusetts Institute of Technology (MIT) and MIT-originated startup DynamoFL have enhanced federated learning to better train a privacy-preserving machine learning model. Federated learning involves hundreds or thousands of users training their own model with their own data on their own device, then transferring the models to a central server that pools them into a better model. The researchers' FedLTN system improves the accuracy of the combined model while shrinking its size, which accelerates communication between users and the central server while ensuring each user receives a model tailored for their environment. FedLTN follows the lottery ticket hypothesis, positing that within large neural network models are smaller subnetworks that can realize the same performance. The researchers reduced model size by nearly an order of magnitude versus other methods, yielding four- to six-fold lower communication costs for individual users, and boosting model accuracy 10%.
Low-Cost Solution Viable for Self-Driving Cars to Spot Hacked GPS
University of Alabama
September 6, 2022
University of Alabama (UA) researchers have developed a cost-effective system that uses existing software code and sensors in self-driving vehicles to prevent GPS signal spoofing, which could send cargo or people to the wrong destination. The researchers developed an algorithm that relies on the vehicle's built-in sensors to detect a change in location in real time and to return the vehicle to the correct route. The researchers used data from the Honda Research Institute Driving Dataset to simulate how self-driving vehicles would respond to a spoofed GPS signal, finding the models to be accurate in detecting spoofs. Said UA's Sagar Dasgupta, "We think this will be one of the security modules in the next generation of self-driving vehicles."
Apps Used as Alternatives to Prison in U.S. Found to Have Privacy Flaws
New Scientist
Jeremy Hsu
September 3, 2022
University of Washington researchers have discovered privacy flaws in smartphone monitoring apps used in the U.S. to track people waiting for immigration court dates, those in juvenile detention systems, and those on parole or probation. Of the 16 Android monitoring apps studied, the researchers found that seven either did not link to a privacy policy or linked to generic privacy policies, in violation of the Google Play Store's user data policies. One app used by U.S. Immigration and Customs Enforcement, BI SmartLINK, required "dangerous permissions" (to access the device’s camera, obtain its precise location, make telephone calls without user permission, and record audio), but did not disclose this in its privacy policy.
Bloomberg (5/16, Murphy) reveals that Sultan Qasim Khan, Principal Security Consultant at NCC Group, demonstrated how to unlock Tesla Model Y and S EVs and start their engines remotely. Khan revealed that “by redirecting communications between a car owner’s mobile phone, or key fob, and the car, outsiders can fool the entry system into thinking the owner is located physically near the vehicle.”
Via Satellite (5/13) reports, “MITRE, the federal contractor that runs R&D labs for the U.S. government, is developing a space cyber lab where real satellite hardware and software can be tested to ensure security.” The move is “one of a host of new measures that space companies are adopting.”
Street Insider (5/11) reports STMicroelectronics has “revealed details of its collaboration with Microsoft, an ST Authorized partner, to strengthen the security of emerging Internet-of-Things (IoT) applications.” The “intensive engineering project has produced a TF-M based, Azure IoT cloud reference implementation that leverages the hardened security features of the STM32U5 complemented with the hardened key store of an STSAFE-A110 secure element.”
15-Year-Old Python Bug Allows Code Execution in 350k Projects
BleepingComputer
Ionut Ilascu
September 21, 2022
An unpatched 15-year-old bug in the Python programming language could affect more than 350,000 open-source repositories, and could lead to code execution. The path traversal vulnerability, disclosed in 2007, resides in the Python tarfile package, and can allow hackers to overwrite arbitrary files. The flaw exists because the code in the extract function in Python's tarfile module trusts data in the TarInfo object "and joins the path that is passed to the extract function and the name in the TarInfo object." Analyst Charles McFarland at extended detection and response solutions provider Trellix rediscovered the bug while probing another security issue. No reports indicate the bug has been exploited in attacks, although it remains a threat in the software supply chain.
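The defensive counterpart to the tarfile behaviour described above is to resolve every member's destination path before extracting it and refuse anything that lands outside the target directory. The following is an added example written for this digest, not code from the article, from Trellix, or from the Python project; the helper names (build_sample_archive, is_within, safe_extract, run_demo) are made up here, and the archive it inspects is constructed in memory with one benign member and one member whose name carries a "../" component.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive():
    """Constructed sample data: an in-memory tar with one benign member and
    one whose name contains a '../' traversal component."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("docs/readme.txt", b"hello\n"),
                              ("../outside.txt", b"escaped\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(base, target):
    """True if the normalised absolute target path stays inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(archive_bytes, dest):
    """Extract only members whose resolved path stays under dest.

    Returns (extracted member names, rejected member names). Link members are
    rejected as well, because a link written first could redirect a later
    write outside dest even when every name passes the path check.
    """
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if (os.path.isabs(member.name)
                    or member.issym() or member.islnk()
                    or not is_within(dest, target)):
                rejected.append(member.name)
                continue
            tar.extract(member, path=dest)
            extracted.append(member.name)
    return extracted, rejected


def run_demo():
    """Extract the constructed archive into a scratch directory and report
    what was written where."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "dest")
        os.makedirs(dest)
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        readme_written = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
        # The traversal member would have landed one level above dest.
        escape_written = os.path.isfile(os.path.join(scratch, "outside.txt"))
        return extracted, rejected, readme_written, escape_written


if __name__ == "__main__":
    print(run_demo())
```

The check normalises both paths with os.path.realpath so that a destination reached through a symlinked directory compares consistently, and it treats link members as untrusted rather than trying to validate their targets. Recent Python releases also accept a filter argument on extract() and extractall(); passing filter="data" applies a comparable policy in the standard library itself.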
Spoofing Cyberattack Can Make Cameras See Things that Are Not There
New Scientist
David Hambling
September 26, 2022
Using radio waves, Sebastian Köhler at the U.K.'s University of Oxford and colleagues were able to trick image-recognition systems into seeing nonexistent things. Digital cameras include sensors that convert light into electrical signals, and a radio signal injected after that conversion step can create the false impression of an actual image. The researchers fooled a barcode scanner from 0.5 meters (1.6 feet) away, adding noise to the photos the scanner captured and inducing failure 99% of the time. Köhler said his team has introduced shapes such as readable text in such attacks, and that more refined exploits to deceive object-recognition software into seeing unreal things are also feasible. "An attack from tens of meters is possible with reasonably sized hardware," Köhler said.
Deepfake Audio Has a Tell
Ars Technica
Logan Blue; Patrick Traynor
September 20, 2022
Researchers at the University of Florida can detect audio deepfakes by measuring acoustic and fluid dynamic distinctions between organic and synthetic voice samples. The researchers inverted techniques used to replicate the sounds a person makes to acoustically model their vocal tract, in order to approximate the speaker's tract during a segment of speech. Using the process to analyze deepfaked audio samples, on the other hand, can result in model vocal tract shapes that do not appear in people. "By estimating the anatomy responsible for creating the observed speech, it's possible to identify whether the audio was generated by a person or a computer," the researchers explain.
We Can Train Big Neural Networks on Small Devices
IEEE Spectrum
Matthew Hutson
September 20, 2022
A new training method expands small devices' capabilities to train large neural networks, while potentially helping to protect privacy. The University of California, Berkeley's Shishir Patil and colleagues integrated offloading and rematerialization techniques using suboptimal heuristics to reduce memory requirements for training via the private optimal energy training (POET) system. Users feed POET a device's technical details and data on the architecture of a neural network they want to train, specifying memory and time budgets; the system generates a training process that minimizes energy usage. Defining the problem as a mixed integer linear programming challenge was critical to POET's effectiveness. Testing showed the system could slash memory usage by about 80% without significantly increasing energy consumption.
Clearview AI Now in Public Defenders' Hands
The New York Times
Kashmir Hill
September 18, 2022
Software company Clearview AI has started providing its facial recognition tool to public defenders after it cleared a man in Florida of vehicular homicide. The man's attorney used the tool to mine a database of 20 billion faces, and tracked down an individual who was able to corroborate his client's innocence. Clearview now offers free 30-day trials of its software to public defenders and government-contracted lawyers representing indigent clients. Yet critics are doubtful because the technology, mainly used by law enforcement agencies for criminal investigations, is mired in ethical and legal issues. Civil liberties advocates believe Clearview's database of photos collected without consent breaches privacy, an issue compounded by skepticism about automated facial recognition's accuracy and little transparency about its use by law enforcement.
Protecting Privacy, Safety in Encrypted Messaging
Cornell University Chronicle
Tom Fleischman
September 12, 2022
Cornell Tech and University of Maryland researchers have created a mechanism for preserving anonymity in encrypted messaging while blocking unwanted or abusive messages. The Orca protocol would have recipients register an anonymized blocklist with the messaging platform; senders would assemble messages that the platform can confirm as originating from someone not on the blocklist. Confirmation is realized through group signatures, which allow users to sign messages anonymously on behalf of a group. Said Cornell Tech’s Nirvan Tyagi, “Increased privacy can harm the ability to do certain types of abuse mitigation and accountability. The question is, can we make that tradeoff a little less costly with even better cryptography? And in some cases, we can.”
Off-the-Shelf Crypto-Detectors Give False Sense of Data Security
William & Mary News
Joseph McClain
September 13, 2022
William & Mary's Amit Seal Ami said off-the-shelf crypto-application programming interface (API) misuse detectors can give developers a false sense of data security if they contain unknown flaws. Ami, a Ph.D. candidate in William & Mary’s Department of Computer Science and the lead student author of the paper “Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques,” worked with colleagues to develop the MASC framework to assess the practical performance of certain crypto-API detectors by modifying known and established flaws, then analyzing the mutations using the detectors under evaluation. Ami said the framework uncovered somewhat obvious and extremely obvious vulnerabilities that the detectors had missed.
'Digital Mask' Could Protect Patients' Privacy in Medical Records
University of Cambridge (U.K.)
Craig Brierley
September 15, 2022
U.K. and Chinese researchers have created a "digital mask" that allows facial images to be stored in medical records while protecting personal biometric information from extraction. The researchers used three-dimensional (3D) reconstruction and deep learning algorithms to delete identifiable features from facial images while preserving disease-related attributes. The digital mask inputs a video of a patient's face and outputs a video based on the algorithm and 3D reconstruction, leaving out as much of the patient's personal biometric information as possible, and thwarting identification. Patrick Yu-Wai-Man at the U.K.'s University of Cambridge said digital masking "offers a pragmatic approach to safeguarding patient privacy while still allowing the information to be useful to clinicians.”