Dr. T's security brief


dtau...@gmail.com
Sep 24, 2022, 7:58:54 AM
to sec-...@googlegroups.com

Log4j Software Flaw 'Endemic,' Cyber Safety Panel Says
Associated Press
Alan Suderman
July 14, 2022


The Cyber Safety Review Board said the Log4j software vulnerability discovered last year is "endemic," and could constitute a security risk for another decade. Log4j enables Internet-based hackers to hijack a broad range of systems; the first indications of its exploitation appeared in Microsoft's online game Minecraft. Log4j logs user activity on computers, and is widely employed by commercial software developers. Although the review board has found no signs of "significant" Log4j attacks on critical infrastructure systems, it said future attacks are likely. To alleviate the potential fallout of such attacks, the board recommended universities and community colleges make cybersecurity training mandatory for obtaining computer science degrees and certifications.

Full Article

You've Been Served Via NFT: Court Gives OK to Sue on Blockchain
Bloomberg
Katharine Gemmell
July 13, 2022


A U.K. court ruling allows legal documents to be served over the blockchain ledger via nonfungible tokens (NFTs). The case was filed by Fabrizio D'Aloia, founder of an online gambling company, against Binance Holdings and other cryptocurrency exchanges after his crypto assets were fraudulently cloned. The exchanges also were deemed responsible for ensuring stolen crypto is not moved or removed from their systems. Legal experts at the law firm Giambrone & Partners LLP said the ruling will enable crypto fraud victims to file suit against unknown fraudsters in the U.K. The lawsuit documents will be airdropped via NFT into two wallets originally used by D'Aloia and later stolen. A similar decision was issued in June by a U.S. court.

Full Article

*May Require Paid Registration

Apple to Add 'Lockdown' Safeguard on iPhones, iPads, Macs
Associated Press
July 6, 2022


Apple has announced the forthcoming rollout of a "lockdown" option for iPhones, iPads, and Mac computers, in order to shield those products from spyware launched by state-sponsored hackers. The company initially will offer lockdown mode as a test version so security researchers can identify any bugs or vulnerabilities. The feature is designed to serve as an emergency button that Apple thinks will be needed by a small number of users. Activating lockdown will limit Web browsing, as well as disabling features like the ability to send attachments and links in texts, and to receive FaceTime calls from new numbers. Apple believes the additional safeguards will be important for activists, journalists, and other targets of hacks orchestrated by well-funded organizations.

Full Article

Ransomware Switched Programming Languages From Go to Rust
ZDNet
Liam Tung
July 6, 2022


Microsoft security researchers have found new variants of Hive ransomware that were originally written in the Go coding language have been rewritten in Rust. The switch has been underway for a few months, as Hive’s authors appear to be copying tactics from BlackCat ransomware, also written in Rust. Researchers at cyberintelligence firm Group-IB determined the Hive gang had converted its Linux encryptor for targeting VMware ESXi servers to Rust so security researchers would be less able to surveil its ransom discussions with victims. The Microsoft Threat Intelligence Center blogged that the transition also involves more complex file encryption.

Full Article

NIST Identifies Quantum-Resistant Encryption Algorithms
Nextgov
Alexandra Kelley
July 5, 2022


Officials from the U.S. National Institute of Standards and Technology (NIST) announced the first four quantum-resistant encryption algorithms, dubbed Crystals-Kyber, Crystals-Dilithium, Falcon, and SPHINCS+. The announcement marks the start of the final phase of NIST's research into the development of a post-quantum cryptographic standard to shield digital information against quantum hacking. U.S. Commerce Secretary Gina Raimondo said NIST's achievement means "we are able to take the necessary steps to secure electronic information so U.S. businesses can continue innovating while maintaining the trust and confidence of their customers." NIST director Laurie E. Locascio said this initial slate of quantum-resistant algorithms "will lead to a standard and significantly increase the security of our digital information."

Full Article

Safer Web Surfing with Method for Detecting Malicious Modes
SPIE Newsroom
July 12, 2022


Scientists at South Korea's Far East and Namseoul universities have proposed a new technique for screening Websites for malicious codes by identifying and analyzing common distribution patterns. The researchers first "crawled" through 500 harmful sites to find such patterns, then focused on the programming methods and scripts used in those malicious codes. They added up how many times each method was used in malicious sites, and devised an equation to ascertain a given site's risk score. The technique is exceptionally accurate and fast, and Namseoul's Won-shik Na said its ability to identify malicious Websites from script patterns means the algorithm's complexity and memory cost is low. The approach also could identify zero-day attacks.

Full Article

Nearly 1 Million Exposed Misconfigured Kubernetes Instances Could Cause Breaches
InfoSecurity
Alessandro Mascellino
June 28, 2022


Researchers from cybersecurity firm Cyble discovered more than 900,000 exposed Kubernetes (K8s) instances that could be targets for cyberattacks or malicious scans. The open source systems automate the deployment, scaling, and administration of containerized applications. The researchers attributed the exposure to misconfigurations, often due to the use of default settings. The researchers said that misconfigurations of Kubernetes, like utilizing default container names, not having the Kubernetes Dashboard protected by a secure password, or leaving default service ports open to the public, “can place businesses at risk of data leakage." They recommended companies keep Kubernetes updated to the latest version, and remove debugging tools from production containers.

Full Article

Researchers Defeat Facial Recognition Systems with Universal Face Mask
Help Net Security
Zeljka Zorz
July 12, 2022


Researchers at Israel's Ben-Gurion University of the Negev (BGU) and Tel Aviv University found that facial recognition (FR) systems may be thwarted by fabric face masks boasting adversarial patterns. The researchers employed a gradient-based optimization process to generate a universal perturbation and mask to falsely classify each wearer as an unknown identity. BGU's Alon Zolfi said, "The perturbation depends on the FR model it was used to attack, which means different patterns will be crafted depending on the different victim models." Zolfi suggested FR models could see through masked face images by training them on images containing adversarial patterns, by teaching them to make predictions based only on the upper area of the face, or by training them to generate lower facial areas based on upper facial areas.

Full Article

How Daycare Apps Can Spy on Parents, Children
Ruhr-Universität Bochum (Germany)
Julia Weiler
July 7, 2022


German researchers uncovered serious flaws in 42 European and U.S. daycare applications. The researchers analyzed Android apps in the Google Play Store that offer the ability to record children’s development, a messenger function allowing daycare staff to communicate with parents, and administrative daycare management support functions like scheduling. Eight apps were found to have vulnerabilities that could permit hackers to view children's private photos, while 40 others could allow spying on parents and teachers. Some app manufacturers sell users' data to third parties, often Amazon, Facebook, Google, or Microsoft, which use it for targeted advertising. Maximilian Golla of the Max Planck Institute for Security and Privacy noted that children’s data is subject to special protection under Europe’s General Data Protection Regulation and the U.S. Children’s Online Privacy Protection Act; “Unfortunately, we found that many apps fail to guarantee this protection.”

Full Article

Blockchain Can Secure, Store Genomes
YaleNews
Bill Hathaway
June 29, 2022


The SAMchain technology developed by Yale University scientists leverages blockchain to give users control over their own genomic data. SAMchain guarantees the security of individual genomic information, shielding it against change by others and the occasional corruption of cloud-stored DNA data. The researchers circumvented the problem of storing vast datasets derived from genome sequencing by comparing an individual's DNA against a standard reference genome, then storing only the differences in linked blocks of the blockchain. The blocks are subsequently indexed to enable rapid inquiry, and those differences can be connected to conditions with known genetic risk factors. "We think this will actually make genomic research easier," said former Yale researcher Gamze Gürsoy.

Full Article

Apple’s Privacy Rules Create Challenges For Its Engineers

The Information (4/15, Toonkel, Peers, Subscription Publication) reports in a partially paywalled article, “Privacy is one of the selling points of Apple products. But for employees who develop these products, it can be a pain.” The Information spoke with “more than a dozen former employees” who said that Apple’s focus on user privacy “makes it difficult for Apple to mimic popular features developed by its competitors, which collect more data and have fewer restrictions on employee access to such information.”

dtau...@gmail.com
Sep 25, 2022, 7:20:07 PM
to sec-...@googlegroups.com

Zero-Day Used to Infect Chrome Users Could Pose Threat to Edge, Safari Users
Ars Technica
Dan Goodin
July 21, 2022


Researchers at security firm Avast said a cyberattack software vendor exploited a previously undiscovered Chrome vulnerability and two other zero-day attacks in campaigns that infected Mideast journalists and other targets with spyware. The exploit is rooted in memory corruption flaws in Web Real-Time Communications, an open-source project that provides JavaScript programming interfaces to facilitate real-time voice, text, and video communications between Web browsers and devices. Google patched the vulnerability on July 4 after the Avast researchers alerted them to its exploitation in malware attacks against Websites intended to spread to frequent users. The DevilsTongue malware used in these watering hole attacks is sold by the Israel-based company Candiru. Google and Microsoft's patching likely means most Chrome and Edge users are already protected, but Apple's more recent patching means Safari users should ensure their browsers are updated.

Full Article

Ransomware Attacks Against Higher Ed Increase
Inside Higher Ed
Susan D'Agostino
July 22, 2022


Cybersecurity company Sophos reported a global surge in ransomware attacks against colleges and universities last year. Nearly 75% of ransomware attacks on higher-education institutions were successful, and only 2% of victims retrieved all their data, even after paying the ransom. The higher-education sector had the slowest post-attack recovery time, with 40% of victims taking more than a month to recover, versus the 20% global average. “When one sector improves their defenses, the bad folks go somewhere where the bar is lower and they can get money easily," said Jeremy Epstein, chair of the U.S. technology policy committee of ACM.

Full Article

Google/Apple Contact-Tracing Apps Susceptible to Digital Attacks
Ohio State News
Tatyana Woodall
July 21, 2022


Contact-tracing applications powered by the Google/Apple Exposure Notification framework (GAEN) are vulnerable to geographically based replay attacks, contend researchers from The Ohio State University (OSU). The attacks involve a third-party that intercepts and exploits a user's broadcasted contact-tracing phone data from one area by repeatedly transmitting it in another remote area. "Because the framework operates as a wireless protocol, anybody can inject some kind of fake [COVID] exposure, and those false encounters could disrupt the public's trust for the [contact-tracing] system," said OSU's Anish Arora.

Full Article

Touchscreens: Attack from the Charging Socket
Technical University of Darmstadt (Germany)
July 20, 2022

German and Chinese researchers have invented an attack method that targets mobile devices' touchscreens through charging cables and power adapters. The researchers generated false (ghost) touches on multiple touchscreens to manipulate the devices. Anyone who charges a device at a compromised charging station triggers the attack, masked as a normal charging signal. The hacker measures the touchscreen’s sampling frequency through the charging connection to adapt the attack signal. The hacker injects the attack signal into the ground line via the charging line, and this signal, via the USB interface, impacts the power supply and is rendered as a noise signal due to the lack of filtering. The researchers were able to direct ghost touches along the touchscreens' conductive and sensing electrodes without physical contact, while also making the touchscreens unresponsive to real touches.

Full Article

Air-Gap Attack Uses SATA Cable as an Antenna to Transfer Radio Signals
The Hacker News
Ravie Lakshmanan
July 19, 2022


Mordechai Guri of Israel's Ben Gurion University of the Negev identified a new air-gap attack that leverages Serial Advanced Technology Attachment (SATA) cables as wireless antennas to transmit radio signals in the 6GHz frequency band. The SATAn attack aims to use SATA cables to transfer a small amount of sensitive information wirelessly from air-gapped computers, which are highly secured and physically isolated from other networks, to a receiver over a meter away. Said Guri, "The receiver monitors the 6GHz spectrum for a potential transmission, demodulates the data, decodes it, and sends it to the attacker." To detect the potential for such an attack, external radio frequency monitoring systems could be used to identify anomalous transmissions from the air-gapped system in the 6GHz frequency band.

Full Article

Chinese-Made GPS Tracker Highly Vulnerable
Associated Press
Frank Bajak
July 19, 2022


Researchers at cybersecurity firm BitSight warn of severe vulnerabilities in a Chinese-made automotive global positioning system (GPS) tracker that is used in 169 nations. The researchers said hackers could exploit flaws in MiCODUS' MV720 GPS tracker to commandeer device-equipped vehicles, and advised users to disable the product until a software patch becomes available. The device has a default password that few users change and a second hard-coded password that works for all devices; vulnerabilities also reside in the software of the Web server used to remotely manage the trackers. BitSight's Pedro Umbelino said malicious actors could remotely sever the fuel line of a moving vehicle, determine the vehicle's location for espionage purposes, or intercept and corrupt location or other data to sabotage operations. The U.S. Cybersecurity and Infrastructure Security Agency said it was unaware of "any active exploitation" of the MV720's vulnerabilities.

Full Article

'Retbleed' Speculative Execution Attack Affects AMD, Intel CPUs
The Hacker News
Ravie Lakshmanan
July 13, 2022


The "Retbleed" flaw discovered by Johannes Wikner and Kaveh Razavi at ETH Zurich in Switzerland targets older AMD and Intel central processing units as a channel for Spectre-based speculative-execution attacks. Retbleed is engineered to circumvent "return trampoline" (Retpoline) branch target injection countermeasures. "Retbleed aims to hijack a return instruction in the kernel to gain arbitrary speculative code execution in the kernel context," explained Wikner and Razavi. "With sufficient control over registers and/or memory at the victim return instruction, the attacker can leak arbitrary kernel data." To mitigate the potential threat, AMD has unveiled Jmp2Ret, while Intel has recommended employing enhanced Indirect Branch Restricted Speculation, even if Retpoline mitigations are implemented.

Full Article

Computing Architecture Protects Sensitive Private Data
Columbia Engineering News
Holly Evarts
July 15, 2022


Researchers at Columbia University and the semiconductor IP and software design company Arm have developed a computing architecture to safeguard sensitive private data. These verification technologies in the Arm Confidential Compute Architecture (Arm CCA) are part of the Armv9-A architecture. Said Columbia's Xupeng Li and Jason Nieh, "We've proved, for the first time, that the firmware is correct and secure, resulting in the first demonstration of a confidential computing architecture backed by formally verified firmware." Unlike previous approaches, Arm CCA is able to verify whether software, which must retain control of managing hardware resources, is secure.

Full Article

'Pulling Back the Curtain' to Reveal Molecular Key to The Wizard of Oz
American Chemical Society
July 20, 2022

Scientists at the University of Texas at Austin and the University of Massachusetts, Lowell have created a molecular encryption key from sequence-defined polymers that are sequentially assembled and decoded, which they believe proves this technique to be sufficiently durable for real-world usage, such as hiding messages in letters and plastic objects. Researchers concealed the 256-character-long binary key in the ink of a letter, which was mailed and used to decrypt a file with text from L. Frank Baum’s The Wizard of Oz. The molecular key can encrypt and decrypt text files when inputted into an algorithm, and the team encoded it within polymer sequences of eight 10-monomer-long oligourethanes.

Full Article

Smart Chip Senses, Stores, Computes, Secures Data in Low-Power Platform
Penn State News
Mariah Chuprinski
July 19, 2022


Pennsylvania State University (Penn State) scientists have created a smart chip to reduce energy consumption while further securing digital data. Penn State's Saptarshi Das explained current cloud-based encryption is energy-inefficient and prone to data breaches and hacking. The researchers fabricated the cryptographic platform from two-dimensional molybdenum disulfide, incorporating 320 transistors that each feature sensor, storage, and computing units to encrypt data. Machine learning algorithms enabled the team to analyze output patterns and anticipate input information, and Das said the algorithms could not decrypt the data. The researchers also said the energy consumption was lower than that of silicon-based security methods, supporting an all-in-one chip that senses, stores, computes, and communicates information among connected devices.

Full Article

Open Source Platform Enables Research on Privacy-Preserving ML
University of Michigan News
Zachary Champion
July 19, 2022


University of Michigan (U-M) researchers have open-sourced the largest benchmarking dataset for a privacy-shielding machine learning (ML) method to date. Federated learning trains ML models on end-user devices, rather than transferring private data to central servers. "By training in-situ on data where it is generated, we can train on larger real-world data," said U-M's Fan Lai. "This also allows us to mitigate privacy risks and high communication and storage costs associated with collecting the raw data from end-user devices into the cloud." The FedScale platform can model the behavior of millions of user devices using a few graphic processing units and central processing units, allowing ML model developers to evaluate model performance without large-scale deployments.

Full Article

dtau...@gmail.com
Oct 1, 2022, 8:17:03 PM
to sec-...@googlegroups.com

North Korea-Backed Hackers Have Clever Way to Read Gmail
Ars Technica
Dan Goodin
August 3, 2022


Researchers at security company Volexity have discovered malware dubbed SHARPEXT that the North Korea-sponsored SharpTongue hacker gang is using to read and download email and attachments from victims' Gmail and AOL accounts. Volexity's Steven Adair said SHARPEXT installs an extension for Chrome and Edge browsers "by way of spear phishing and social engineering where the victim is fooled into opening a malicious document." Email services cannot detect the extension, and since the browser will already have been authenticated, the compromise cannot be simply identified and neutralized. Volexity said SHARPEXT has been in use for "well over a year," allowing hackers to compile lists of email addresses to ignore, and to monitor already compromised emails or attachments.

Full Article

Post-Quantum Encryption Contender Taken Out by Single-Core PC in One Hour
Ars Technica
Dan Goodin
August 2, 2022


Researchers at Belgium's Katholieke Universiteit Leuven (KU Leuven) ruled out an algorithm selected by the U.S. National Institute of Standards and Technology as a potential post-quantum encryption program. The Supersingular Isogeny Key Encapsulation (SIKE) algorithm was thought to be quantum-decryption-proof by avoiding key encapsulation's vulnerabilities through a supersingular isogeny graph. KU Leuven researchers used a single classical computer to break SIKE, which took it just one hour. The team showed SIKE's linchpin, the Supersingular Isogeny Diffie-Hellman (SIDH) protocol, is vulnerable to a variant of a GPST adaptive attack that "exploits the fact that SIDH has auxiliary points and that the degree of the secret isogeny is known," explained Steven Galbraith at New Zealand's University of Auckland.

Full Article

Newly Found Lightning Framework Offers Many Linux Hacking Capabilities
Ars Technica
Dan Goodin
July 26, 2022


Researchers from security firm Intezer disclosed the Lightning Framework, a previously undocumented modular malware framework for Linux. Installed after an attacker has accessed a target system, Lightning boasts some of the same efficiencies and speed to Linux compromises that the Django Web framework provides for Web development. Lightning "has a plethora of capabilities, and the ability to install multiple types of rootkit, as well as the capability to run plugins,” wrote Intezer's Ryan Robinson. The framework's Lightning.Downloader downloads software while its Lightning.Core core module receives commands when connected to a designated command-and-control server.

Full Article

Experts Uncover 'CosmicStrand' UEFI Firmware Rootkit Used by Chinese Hackers
The Hacker News
Ravie Lakshmanan
July 25, 2022


Researchers at the Kaspersky cybersecurity company have attributed a new Unified Extensible Firmware Interface (UEFI) firmware rootkit called CosmicStrand to unknown Chinese-speaking hackers. The researchers said CosmicStrand resides "in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware's image." Attacks aim to interfere with the operating system loading process to implement a kernel-level implant into a Windows machine whenever it is booted, and to use this access to launch shellcode that connects to a remote server to retrieve the malware to be deployed on the system. The researchers noted CosmicStrand appears to have been used in the wild since the end of 2016, before UEFI rootkit exploits began to be publicly detailed.

Full Article

Quantum Encryption Could Support Truly Secure Communication
Silicon Republic
Leigh McGowran
July 27, 2022


A new form of quantum cryptography could eventually support truly secure communication by facilitating quantum key distribution between two devices based on quantum entanglement, according to an international team of scientists. Researchers confined two single ions—a sender and a receiver—in separate traps connected by optical fiber. Entanglement allows the sender and receiver to generate shared outcomes without third-party interference. Researchers said this system could lead to two-party communication that is "fundamentally beyond" an adversary's control and also could ensure private communication with just a few general assumptions about the devices used.

Full Article

Cyberattack Illuminates Shaky State of Student Privacy
The New York Times
Natasha Singer
July 31, 2022


A cyberattack on student-tracking software provider Illuminate Education highlights the inadequacies of student privacy safeguards. The breach worries cybersecurity and privacy experts because it involved sensitive personal details about students or student data dating back over 10 years. Technology companies and education reformers have pressured schools to adopt software that can catalog and categorize student behavior to help educators identify and assist at-risk students. With hacks on school software vendors increasing, the exposure of such information could have long-term ramifications. Said New Mexico attorney general Hector Balderas, "My concern is there will be bad actors who will exploit a public school setting, especially when they think that the technology protocols are not very robust. And I don't know why Congress isn't terrified yet."

Full Article

*May Require Paid Registration

Fiber-Optic Cables Could Be Used to Spy on People a Kilometer Away
New Scientist
Karmela Padavic-Callaghan
July 27, 2022


A device built by researchers at China's Tsinghua University can eavesdrop on people up to 1 km (0.6 mile) away using existing fiber-optic cables. The device detects changes in light triggered when someone speaks near an optical fiber; researchers uttered the phrase, "It's nine-fifteen" near a cable that was transmitting data. About 3 m (9.8 ft.) of the fiber was exposed to the sound, while the remaining 1.1 km (0.68 mile) was spooled in another room where the device was connected. The clarity of the words the device detected could be improved with computer speech enhancement, according to Tsinghua's Bo Wang.

Full Article

Snapchat Faces Challenges From Privacy Rules

Ad Age (4/21, Sloane) reports that, in its quarterly finances, Snapchat “acknowledged ongoing challenges to direct-response advertising, partly because of changes to privacy and data rules on platforms like Apple iPhones.” Apple app-tracking policies that took effect last year “cut apps off from data that marketers use to track when ads lead a consumer to a sale.” Snapchat Chief Business Officer Jeremi Gorman, said such changes by platforms “put a serious onus on advertisers to adapt.” He added, “We continued to work through platform policy changes, which are primarily impacting direct-response advertising partners, and we believe that we are building effective measurement solutions for advertisers to prove the efficacy of their campaigns.”


Experts Offer Suggestions On Attracting Cybersecurity Talent

The Wall Street Journal (4/20, Rundle, Nash, Subscription Publication) spoke with several cybersecurity and risk executives about new approaches they are using to attract talent. Organizations such as the International Information System Security Certification Consortium, state that the demand for cybersecurity workers is far exceeding the available workforce.


Cyberattacks Pose Large Threat To Colleges As Lincoln College Shutters

Forbes (4/19, Whitford) reports that in December of last year, “a ransom note suddenly appeared in computer printer trays at Lincoln College in Illinois.” The cyber criminals’ “message was clear: they had encrypted many of the rural college’s files and the institution no longer had access to critical enrollment, admissions and fundraising information.” The college “paid the ransom...via its cyber insurance policy, said David Gerlach, president of Lincoln.” Still, it “took months for employees to regain access to all of their systems, at which point college officials realized that enrollment projections for the next academic year were disastrously low.” In late March, Lincoln’s Board of Trustees “voted to close the school after the current spring semester.” Cyberattacks “like the one Lincoln experienced are extremely costly for institutions, and they are becoming more frequent.” Association of Governing Boards of Universities and Colleges CEO Henry Stoever “says more boards of trustees are now realizing the cyberattacks pose a serious risk to their institutions.”

dtau...@gmail.com
Oct 2, 2022, 12:08:20 PM
to sec-...@googlegroups.com

Zoom Is Great for Remote Code Execution
PC Magazine
Max Eddy
August 11, 2022


Google Project Zero security researcher Ivan Fratric launched a remote code execution attack by exploiting the technology underlying Zoom and other applications. Fratric's exploit targets bugs in XMPP, an XML-based instant messaging (IM)-like protocol. The method involves embedding pieces of XMPP code, or stanzas, within other XMPP stanzas. The attacker is then able to use a client to smuggle stanzas within legitimate messages, which are accepted and passed on by the intermediate server but interpreted as two stanzas by the victim's IM client. Fratric alerted Zoom, which has issued patches, but Fratric warned that other targets also are vulnerable to XMPP bugs.

Full Article

APIC Fail: Intel 'Sunny Cove' Chips with SGX Spill Secrets
The Register (UK)
Thomas Claburn
August 9, 2022


An international group of computer scientists discovered an architectural error in certain Intel central processing units (CPUs) affecting the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC). This error could be used to expose private encryption keys and other SGX (Software Guard Extensions) enclave data. The researchers said the ÆPIC Leak is "the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel." An Intel spokesperson said the company "recommends that operating systems and virtual machine monitors enable x2APIC mode, which disables the xAPIC MMIO page and instead exposes APIC registers through model specific registers, which mitigates this issue in affected products.”

Full Article

Can WhatsApp Messages Be Secure and Encrypted, but Traceable?
The Brink (Boston University)
Andrew Thurston
August 10, 2022


Boston University (BU) researchers have created Hecate, an algorithm that can strengthen a secure messaging application's confidentiality and allow moderators to rein in abuse. The app moderator uses Hecate to generate a unique batch of electronic signatures or tokens for each user, which accompany each message the user sends. If the recipient reports that message, the moderator can confirm the sender's token and take action, a process called asymmetric message franking. BU's Mayank Varia said deniability is ensured because the token is encrypted and only useful to the moderator, so "even if the moderator goes rogue, they can't show and convince the rest of the world—they have no digital proof." Varia calls Hecate "the first message franking scheme that simultaneously achieves fast execution on a phone and for the moderator server, support for message forwarding, and compatibility with anonymous communication networks like Signal's sealed sender."

Full Article

The Hacking of Starlink Terminals Has Begun
Wired
Matt Burgess
August 10, 2022


Lennert Wouters at Belgium's Katholieke Universiteit Leuven hacked SpaceX's Starlink network, a web of more than 3,000 small satellites that enables Internet connections to remote locations on Earth. Wouters exploited vulnerabilities in Starlink's satellite dishes to access the network and run custom code. He stripped down a dish and built an attachable printed circuit board from off-the-shelf-parts, through which he could launch a voltage fault injection attack and circumvent signature verification. Wouters alerted Starlink of the flaws last year, and says although SpaceX has released a firmware update that makes the attack harder, the underlying bug can only be corrected if the company produces a new version of the main chip.
 

Full Article

 

 

Anti-Tracking Tool Checks If You're Being Followed
Wired
Matt Burgess
August 11, 2022


U.S. Department of Homeland Security agent Matt Edmondson built a Raspberry Pi-powered anti-tracking tool to determine if someone is being tailed. The system scans for nearby wireless devices and alerts the user if it detects the same phone multiple times within a certain period. The tool is protected by a waterproof case, and consists of a Raspberry Pi 3, a device-scanning Wi-Fi card, a portable charger, and a touchscreen to display alerts. The device's Kismet software can detect surrounding smartphones and tablets that are searching for Wi-Fi or Bluetooth connections, and Edmondson wrote code in Python to compile lists of what it detects over time. The tool flashes an onscreen alert if the same device appears twice in the past 5 to 10 minutes, 10 to 15 minutes, or 15 to 20 minutes.
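The re-sighting logic the article describes, written here as an added example in Python (it is not Edmondson's code and does not use Kismet's API); the scan records are constructed stand-ins for what a Kismet-style scanner would log, and the exact window boundaries, the "at least two sightings" threshold, and the allowlist of your own devices are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows from the article, as "minutes ago" ranges. A device sighted at least
# MIN_HITS times inside any one window triggers an alert (assumed threshold).
WINDOWS_MINUTES = ((5, 10), (10, 15), (15, 20))
MIN_HITS = 2


def parse_sightings(lines):
    """Parse 'ISO-8601 timestamp,device id' lines into (datetime, id) tuples.

    Blank lines and '#' comments are skipped; malformed lines are ignored so a
    long-running monitor does not crash on a bad scanner line.
    """
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            stamp, dev = line.split(",", 1)
            records.append((datetime.fromisoformat(stamp), dev.strip().lower()))
        except ValueError:
            continue
    return records


def sightings_by_device(records):
    """Group sightings per device id, with timestamps sorted ascending."""
    by_dev = defaultdict(list)
    for stamp, dev in records:
        by_dev[dev].append(stamp)
    for stamps in by_dev.values():
        stamps.sort()
    return by_dev


def windows_with_repeats(timestamps, now, windows=WINDOWS_MINUTES, min_hits=MIN_HITS):
    """Return the (start, end) minute windows in which a device was sighted at
    least min_hits times. Window (a, b) covers [now - b min, now - a min)."""
    flagged = []
    for start, end in windows:
        lo = now - timedelta(minutes=end)
        hi = now - timedelta(minutes=start)
        hits = sum(1 for t in timestamps if lo <= t < hi)
        if hits >= min_hits:
            flagged.append((start, end))
    return flagged


def check_alerts(records, now, known_devices=frozenset(), windows=WINDOWS_MINUTES):
    """Map device id -> flagged windows for every device that would trigger an
    on-screen alert. Ids in known_devices (e.g. your own phone) are skipped.
    Caveat: phones randomize probe-request MACs, so one follower may appear
    under several ids and be missed; this is a limitation of the approach."""
    known = {k.lower() for k in known_devices}
    alerts = {}
    for dev, stamps in sightings_by_device(records).items():
        if dev in known:
            continue
        flagged = windows_with_repeats(stamps, now, windows)
        if flagged:
            alerts[dev] = flagged
    return alerts


# Constructed sample scan log (not real captures): one device that keeps
# reappearing, one seen only once, and the user's own phone.
SAMPLE_LOG = """
# timestamp,device
2022-08-11T10:41:00,AA:BB:CC:00:00:01
2022-08-11T10:43:30,AA:BB:CC:00:00:01
2022-08-11T10:46:10,AA:BB:CC:00:00:01
2022-08-11T10:49:00,AA:BB:CC:00:00:01
2022-08-11T10:52:20,AA:BB:CC:00:00:01
2022-08-11T10:47:00,DE:AD:BE:EF:00:02
2022-08-11T10:42:00,11:22:33:44:55:66
2022-08-11T10:55:00,11:22:33:44:55:66
"""
MY_PHONE = frozenset({"11:22:33:44:55:66"})
SAMPLE_NOW = datetime.fromisoformat("2022-08-11T11:00:00")


def demo():
    """Run the detector over the constructed log as of SAMPLE_NOW."""
    return check_alerts(parse_sightings(SAMPLE_LOG.splitlines()), SAMPLE_NOW, MY_PHONE)


if __name__ == "__main__":
    for dev, wins in demo().items():
        print(f"ALERT: {dev} seen repeatedly in windows (minutes ago): {wins}")
```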
 

Full Article

 

 

Deepfakes Expose Vulnerabilities in Facial Recognition Technology
Pennsylvania State University
Jessica Hallman
August 11, 2022


Researchers at Pennsylvania State University and China's Shandong and Zhejiang universities found that most application programming interfaces (APIs) offering facial liveness verification, a feature of facial recognition technology, do not reliably identify deepfakes, and those that can are less effective at it than claimed. The researchers created and used the LiveBugger deepfake-powered attack framework to evaluate six commercial facial liveness verification APIs. LiveBugger tried to deceive the APIs using deepfake images and videos from two separate datasets, and easily bypassed the four most common verification methods. The researchers proposed strengthening the technology's security by eliminating verification that only analyzes a static image of a user's face, and by matching lip movements to a user's voice in dual audio-video analysis schemes.
 

Full Article

 

 

Tech, Cyber Companies Launch Security Standard to Monitor Hacking Attempts
WSJ Pro Cybersecurity
Kim S. Nash
August 10, 2022


A group of 18 tech and cyber companies hoping to build a common data standard for sharing cybersecurity information launched the Open Cybersecurity Schema Framework (OCSF) during the Black Hat USA cybersecurity conference. Products and services that support the OCSF specifications would be able to collate and standardize alerts from different cyber-monitoring tools, network loggers, and other software to simplify and speed up the interpretation of that data. “There's a lot of custom software out there in the security world,” but products that support OCSF would be able to share information in one dashboard without the extra manual labor, said Amazon Web Services' Mark Ryland. The OCSF standard and documentation will be on the GitHub open source repository.
 

Full Article

*May Require Paid Registration

 

 

One of 5G's Biggest Features Is a Security Minefield
Wired
Lily Hay Newman
August 9, 2022


5G Internet of Things (IoT) application programming interfaces (APIs) being offered by mobile carriers have security vulnerabilities, according to researchers at Germany's Technical University of Berlin. Researchers analyzed 5G IoT APIs from 10 mobile carriers (seven in Europe, two in the U.S., and one in Asia) and all contained serious vulnerabilities. They determined that weak authentication, missing access controls, and other basic flaws in API setup could expose SIM-card identifiers and secret keys, along with the identity and billing information of the SIM card purchaser. "We found vulnerabilities that could be exploited to access other devices even though they don't belong to us, just by being on the platform," said the Technical University of Berlin's Altaf Shaik. "It's a big issue."
 

Full Article

 

 

Thinking Like a Cyber-Attacker to Protect User Data
MIT News
Adam Zewe
August 11, 2022


Researchers at the Massachusetts Institute of Technology (MIT), the University of Illinois at Urbana-Champaign, and the Texas Advanced Computing Center have demonstrated that hackers can exploit computer processors' on-chip interconnect to launch side-channel attacks. The researchers formulated such attacks by reverse-engineering the on-chip interconnect to build an analytical model of traffic flow between the processor cores, then developed two mitigation strategies. One strategy would have the system administrator apply the model to identify the most vulnerable cores, then schedule sensitive software to run on less susceptible cores. The second strategy involves the administrator reserving cores located around a vulnerable program, and running only trusted software on those cores. Neither strategy demands altering the physical hardware, says MIT’s Miles Dai.
 

Full Article

 

 

Finding Bugs Faster Than Hackers
USC Viterbi School of Engineering
Julia Cohen
August 8, 2022


Researchers at the University of Southern California's Viterbi School of Engineering (USC Viterbi), Arizona State University, Cisco Systems, and French graduate research center EURECOM have proposed a novel automated discovery method for finding bugs in software that hackers could exploit. "Because computer programs are so large and complicated these days, we'd like to automatically detect these vulnerabilities instead of having a human expert analyzing the program to find them," said USC Viterbi's Nicolaas Weideman. The ARBITER technique analyzes software at the binary level, combining static and dynamic vulnerability detection to enhance the static method's precision and the dynamic method's scalability.

Full Article

 

 

Alibaba, ByteDance Share Details of Algorithms with Beijing for First Time
Bloomberg
Jane Zhang
August 15, 2022


In an effort to prevent data abuse that may expose corporate secrets, major Chinese Internet companies including Alibaba Group and ByteDance have, for the first time, provided details of their algorithms to Beijing. The Cyberspace Administration of China (CAC) disclosed 30 algorithms the firms use to collect user data, tailor recommendations, and disseminate content. While the CAC currently requires only basic information, it may demand more details to probe alleged data violations, said Zhai Wei of East China University of Political Science and Law. The list provides short descriptions of how the algorithms function and their product and use cases.
 

Full Article

*May Require Paid Registration

 

 

Encrypted One-Touch Human-Machine Interface Technology Reveals User Physiology
UCLA Samueli Newsroom
August 8, 2022


A team of researchers at the University of California, Los Angeles (UCLA) and Stanford University has developed an encrypted, one-touch human-machine interface that can reveal physiological details about users. The cryptographic bio-human-machine interface (CB-HMI) uses hydrogel-coated chemical sensors to collect and identify circulating molecules on the skin through perspiration, and to record heart rate and blood oxygen levels. Said UCLA's Sam Emaminejad, "It also can encrypt the data at the point of collection by leveraging the individual's unique fingerprint as a key, so the collected data remain secure and private." The sensors measure users' ethanol and acetaminophen concentrations. UCLA's Shuyu Lin said the researchers used CB-HMI to develop a medication dispenser that administers "the appropriate amount of acetaminophen depending on current levels in the blood."

Full Article

 

White House To Announce Quantum Technology, Cybersecurity Initiative

Reuters (5/4, Renshaw) reports the White House on Wednesday will “announce a slate of measures to support quantum technology in the United States while laying out steps to boost cybersecurity to defend against the next generation of supercomputers.” President Biden will sign an “executive order aimed at strengthening the National Quantum Initiative Advisory Committee, the government’s independent expert advisory body for quantum information science and technology.” The order places the “advisory committee directly under the authority of the White House.” Biden will also sign a “national security memorandum outlining the administration’s plan to address the risks posed by quantum computers to America’s cybersecurity.” The memorandum offers a “road map to federal agencies to update their information technology systems to help defend against complex quantum attacks, establishing goals and milestones” and “establishes a working group between the public and private sectors to generate research and collaborate on quantum resistant standards.”

 

 

Musk Suggests End-To-End Encryption For Direct Messages

Forbes (4/30, Winder) reports one “of the most applauded, yet at the same time somewhat controversial,” ideas that Musk has proposed is “the introduction of end-to-end encrypted direct messages to what you might call Twitter 2.0.” In an April 28 tweet, Musk “stated that ‘Twitter DMs should have end-to-end encryption like Signal, so no one can spy on or hack your messages.’ At the time of writing, Musk’s tweet has amassed 1.4 million likes and been retweeted more than 110,000 times.”

 

Kellogg Community College Cancels Classes After Ransomware Attack

The AP (5/2) reports “a Michigan community college has cancelled classes indefinitely following a ransomware attack over the weekend.” Officials at Battle Creek-based Kellogg Community College “said Sunday in a statement on its website that technology issues caused by the attack continue to affect the school’s systems.” The ransomware attack “was under investigation.” Officials “did not give details about the technology issues.” All five “of the college’s campuses will remain closed with classes canceled until further notice, the school said.” Officials “hope to allow students and staff to return later this week.”

Austin Peay State University Hit With Ransomware Attack. Higher Ed Dive (5/2) reports Austin Peay State University also “reported a ransomware attack last week, which forced the institution to cancel final exams scheduled for Friday before resuming scheduled finals on Monday, according to the university’s latest update.” The university has “also restored several services, allowing students and employees to start using university computers and plug back into its network.”

 

Connecticut’s Digital Privacy Law Would Regulate Online Data Collection

Adweek (5/2) reports behind a paywall, “The Connecticut General Assembly advanced a privacy bill last week, bringing the Constitution State a step closer to becoming the fifth state in the U.S. to pass legislation regulating how people’s data is collected and shared online.”

dtau...@gmail.com
Oct 10, 2022, 8:20:32 AM
to sec-...@googlegroups.com

Algorithm May Help Prevent Power Blackouts from Ransomware Attacks
Purdue University
October 4, 2022

Power blackouts caused by ransomware may be prevented by an algorithm developed by Purdue University researchers to map out the areas of the power grid where utilities should prioritize security. The algorithm would incentivize each security decision-maker to apportion security investments so as to limit the cumulative damage caused by a ransomware attack. The researchers evaluated the algorithm in the context of different types of critical infrastructure in addition to the power industry. They tested the tool in models of previously reported hacks of a smart grid, an industrial control system, an e-commerce platform, and a Web-based telecommunications network. The algorithm produced the optimal allocation of security investments for mitigating attacks, the researchers said.
 

Full Article

 

 

5G Networks Are Worryingly Hackable
IEEE Spectrum
Edd Gent
August 24, 2022


German security researchers determined 5G networks can be hacked, having breached and hijacked live networks in a series of "red teaming" exercises. Poorly configured cloud technology made the exploits possible, they said, and Karsten Nohl at Germany's Security Research Labs cited the failure to implement basic cloud security. He suggested telecommunications companies may be taking shortcuts that could prevent 5G networks' "containers" from functioning properly. The emergence of 5G has escalated demand for virtualization, especially for radio access networks that link end-user devices to the network core. Nohl said 5G networks respond to the greater complexity with more automated network management, which makes exploitation easier.

Full Article

 

 

Experimental Attack Can Steal Data from Air-Gapped Computers
TechCrunch
Carly Page
August 24, 2022


Security researcher Mordechai Guri at Israel's Ben Gurion University identified an experimental exploit for stealing data from Internet-disconnected computers. Guri said the Gairoscope attack uses a smartphone's gyroscope to exfiltrate information from air-gapped computers just "a few meters away." He said an attacker monitoring inaudible sounds emanating from the speakers of the air-gapped system could gain data like passwords or login credentials. Guri said these inaudible frequencies generate "tiny mechanical oscillations within the smartphone's gyroscope," which can be rendered as readable data. In addition, he said, attackers could conduct the exploit using a mobile browser, since phone gyroscopes can be accessed using JavaScript. Suggested countermeasures include removing loudspeakers from air-gapped systems to create an audio-less networking environment, and screening resonant frequencies produced by the audio hardware through an audio filter.

Full Article

 

 

Eight-Year-Old Linux Kernel Vulnerability Uncovered
The Hacker News
Ravie Lakshmanan
August 22, 2022


Northwestern University researchers have discovered an eight-year-old vulnerability in the Linux kernel, dubbed DirtyCred, that exploits a previously unknown flaw to escalate user privileges to their maximum. The researchers described DirtyCred as "a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege. Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged." They added that it "is like the dirty pipe that could bypass all the kernel protections, [but] our exploitation method could even demonstrate the ability to escape the container actively that Dirty Pipe is not capable of."

Full Article

 

 

Apple Warns of Security Flaw for iPhones, iPads, Macs
Associated Press
August 18, 2022

Apple issued two security reports about a major flaw that hackers could potentially exploit to hijack iPhones, iPads, and Macs by gaining "full admin access." Rachel Tobac at computer security service SocialProof Security said this would allow intruders to masquerade as device owners and run any software in their name. Security experts have recommended that users update affected devices, while researcher Will Strafach said he had seen no technical analysis of the vulnerabilities that Apple has just patched. The company cited an anonymous researcher as the flaws' discoverer, without disclosing how or where they were found. Apple has previously conceded the existence of similarly serious flaws, and expressed awareness that such vulnerabilities had been exploited on perhaps a dozen occasions by Strafach's estimates.
 

Full Article

 

 

Scanning Students' Homes During Remote Testing Is Unconstitutional, Judge Says
Ars Technica
Ashley Belanger
August 23, 2022


An Ohio judge has ruled that scanning students' rooms during remote testing amounts to an invasion of privacy and a violation of the Fourth Amendment's guaranteed protection against unlawful searches. The case was filed by Cleveland State University student Aaron Ogletree, who alleged confidential tax documents were visible during a room scan recording made prior to a chemistry exam, and shared with other students. Said Judge J. Philip Calabrese, "Though schools may routinely employ remote technology to peer into houses without objection from some, most, or nearly all students, it does not follow that others might not object to the virtual intrusion into their homes or that the routine use of a practice such as room scans does not violate a privacy interest that society recognizes as reasonable, both factually and legally."

Full Article

 

 

TikTok Browser Can Track Users' Keystrokes
The New York Times
Paul Mozur; Ryan Mac; Chang Che
August 19, 2022


Privacy researcher Felix Krause found the TikTok video application's Web browser can track users' keystrokes, demonstrating that the Chinese-owned app can monitor users' online behavior. Independent software engineer Jane Manchun Wong said Krause's discovery suggests a TikTok user "might enter their sensitive data such as login credentials on external Websites," adding that the in-app browser could "extract information from the user's external browsing sessions, which some users find overreaching." Researchers said although big technology companies might use such trackers when testing new software, they seldom ship a major commercial app with such features, enabled or not. TikTok disputed Krause's findings, claiming the tracker was for "debugging, troubleshooting, and performance monitoring."

Full Article

*May Require Paid Registration

 

 

'Hackers Against Conspiracies': Cyber Sleuths Take Aim at Election Disinformation
Politico
Maggie Miller
August 15, 2022


The annual DEF CON hacking conference's "Voting Machine Village" has been a feature since 2017, with attendees attempting to break into registration databases, ballot-casting machines, and other voting equipment to identify vulnerabilities. However, in the wake of the 2020 U.S. presidential election and the resulting false claims of election fraud, the focus of this year's event was how to detect vulnerabilities without fueling election misinformation. Said Harri Hursti, co-founder of the Voting Machine Village, "All the security improvements [have been] hampered by all the false claims, conspiracies—and fighting those." Hursti noted that clips from DEF CON were used in the media after the election to cast doubt on election security. This year's Voting Village featured officials from Maricopa County, AZ, among others, who discussed ongoing, though debunked, conspiracy theories. Hursti explained, "What we try to do is to make certain that the right message gets out."
 

Full Article

 

 

Oracle Faces Class-Action Lawsuit Over Tracking 5 Billion People
PC Magazine
Matthew Humphries
August 23, 2022


A class-action lawsuit against U.S. multinational technology company Oracle claims it tracks and collects personal information on billions of people, generating over $40 billion in annual revenue as a result. The suit alleges Oracle has breached statutes including the Federal Electronic Communications Privacy Act by collecting without permission data such as names, home addresses, emails, online and physical purchases, physical movements, income, interests and political views, and online activity. The suit's class representatives include Johnny Ryan of the Irish Council for Civil Liberties, who said, "This is a Fortune 500 company on a dangerous mission to track where every person in the world goes, and what they do. We are taking this action to stop Oracle's surveillance machine."

Full Article

 

 

Just 1 of 25 Apps That Track Reproductive Health Protect Users' Data: Report
The Hill
Shirin Ali
August 17, 2022


A study of 25 reproductive health apps and wearable devices by researchers at the Mozilla Foundation found that most have weak privacy protections. The researchers found that these apps generally collect personal information, including phone numbers, emails, home addresses, dates of menstrual cycles, sexual activity, doctors' appointments, and pregnancy symptoms. Of the apps analyzed, 18 were given a "Privacy Not Included" warning label due to vague privacy policies and potential security concerns. Additionally, the study found that most of the apps had vague guidelines regarding data-sharing with law enforcement. Mozilla's Ashley Boyd warned users that many reproductive health apps are "riddled with loopholes and they fail to properly secure intimate data." Only the Euki app was found not to collect any personal information about users, and any information input by users is stored locally on the user's device.
 

Full Article

 

dtau...@gmail.com
Oct 15, 2022, 7:12:09 PM
to sec-...@googlegroups.com

Fingertips' Heat Can Be Used to Crack Passwords
Yahoo! News
Dan Barker
October 10, 2022


Researchers at the U.K.'s University of Glasgow warn heat-detecting cameras can help crack passwords up to a minute after they are typed by identifying the thermal signature of fingertips on keyboards. The researchers created an artificial intelligence-equipped tool that can guess passwords based on thermal images. Measuring the relative intensity of warmer areas makes it possible to determine a password's constituent letters, numbers, or symbols, and to estimate the order in which they were pressed. The ThermoSecure system solved about 86% of passwords when thermal images were captured within 20 seconds of typing, 76% within 30 seconds, and 62% after 60 seconds. The researchers also learned the system could attack 16-character-long passwords with up to 67% success within 20 seconds; the success rate increased as passwords grew shorter.
 

Full Article

 

 

Chicago Scientists Testing Unhackable Quantum Internet in Closet
The Washington Post
Jeanne Whalen
October 9, 2022


University of Chicago (UChicago) scientists are testing a hack-proof quantum Internet in a laboratory closet. The equipment in the closet links to a 124-mile fiber-optic network running from the UChicago campus to the U.S. Department of Energy's Argonne National Laboratory and Fermi National Accelerator Laboratory. The researchers route encryption keys over the network via entangled photons for extraction by colleagues at Argonne; UChicago's David Awschalom said any attempt to intercept keys will alert both sender and receiver. Researchers are testing similar networks in Boston, New York, Maryland, Arizona, Europe, and China. The ultimate goal is to connect these testbeds through fiber and satellite links into a world-spanning quantum Internet.
 

Full Article

*May Require Paid Registration

 

 

Sensors Can Tap into Mobile Vibrations to Eavesdrop Remotely
Penn State News
Ashley WennersHerron
October 7, 2022


Pennsylvania State University (Penn State) researchers used a commercial automotive radar sensor and a novel processing method to eavesdrop remotely on smartphone conversations by detecting vibrations of the phone's earpiece. The radar operates in the 60- to 64-gigahertz and 77- to 81-gigahertz bands of the millimeter-wave (mmWave) spectrum. The mmSpy approach involves simulating people speaking through the smartphone's earpiece, whose vibrations pervade the phone's frame. The researchers feed vibrational data to machine learning algorithms that reconstruct audio from a foot away with 83% accuracy, and from six feet away with 48% accuracy. Penn State's Suryoday Basak said researchers can filter, augment, or classify keywords as needed once the speech's reconstruction is complete.
 

Full Article

 

 

Ransomware Attackers Abuse Genshin Impact Anti-Cheat System to Disable Antivirus
The Hacker News
Ravie Lakshmanan
September 5, 2022


Trend Micro researchers found that cybercriminals took advantage of a vulnerable anti-cheat driver for the Genshin Impact video game to disable antivirus programs with the goal of deploying ransomware. The attackers aimed to use a legitimate device driver module with valid code signing to escalate privileges from user mode to kernel mode. The researchers found a compromised endpoint was used to connect to the domain controller via remote desktop protocol and transfer a Windows installer posing as AVG Internet Security that dropped and executed the vulnerable driver. Said the researchers, "Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module."

Full Article

 

 

LastPass, Password Manager with Millions of Users, Is Hacked
The Wall Street Journal
Alyssa Lukpat
August 26, 2022


On Aug. 25, online password manager LastPass reported the theft of some of its source code and proprietary information, but said there is no evidence customer information from its more than 33 million users or encrypted password vaults were accessed. LastPass' Karim Toubba said a developer account had been breached, allowing an unauthorized party to access the company's development environment. The unusual activity was detected two weeks ago, prompting an investigation. Toubba said the company is working with a cybersecurity and forensics firm and has rolled out additional security measures. LastPass stores encrypted login information that users can access online with a master password, but the company itself cannot see customers' data.

Full Article

*May Require Paid Registration

 

 

Hacking Device Can Secretly Swipe, Tap Smartphone Screen
New Scientist
Jeremy Hsu
August 31, 2022


Separate teams of researchers have developed devices for remotely hacking smartphone touchscreens. Both methods involve placing devices featuring an antenna for transmitting signals and a phone locator under a table. The locator deduces the position and orientation of a touchscreen device placed on the table, then the antenna sends electromagnetic signals imitating electric field disturbances caused by physical touch. The Invisible Finger method created by University of Florida researchers caused both iOS and Android devices to recognize the electromagnetic touches; the GhostTouch technique from scientists at China's Zhejiang University worked with multiple Android devices, but could not crack the iPhone 7 Plus or certain OPPO phone models. The hacks only work with the target device lying face down and positioned close to the antenna.

Full Article

 

 

Hackers Hide Malware in James Webb Telescope Images
BleepingComputer
Bill Toulas
August 30, 2022


Hackers have launched a campaign dubbed GO#WEBBFUSCATOR by threat analysts to spread malware via phishing emails, malicious documents, and James Webb telescope images. Malefactors drop payloads currently not labeled malicious by antivirus engines on the VirusTotal scanning platform, and infiltration begins with a phishing email with an attached document that downloads a template file. The file features an obfuscated VBS macro that auto-executes if macros are enabled in the Office suite, then downloads, decodes, and launches a JPG image of a galactic cluster. Security analytics company Securonix says the malware creates a Domain Name System link to the command and control (C2) server, and sends encrypted queries that "are read in and unencrypted on the C2 server, thus revealing its original contents." Securonix has furnished indicators of compromise, including network and host-based indicators.

Full Article

 

 

Researchers Call Cloudflare a Haven for Misinformation
Time
Chris Stokel-Walker
August 26, 2022


Critics claim content delivery network (CDN) Cloudflare is riddled with misinformation that it and similar companies ignore. Stanford University researchers analyzed services hosting 440 of the most prominent misinformation websites worldwide; although Cloudflare hosts just one in five mainstream Internet sites, it also hosts one in three sites known for hate- or misinformation-peddling. The Stanford researchers found "anecdotally that sites prefer Cloudflare because of its lax acceptable use policies and its free DDoS [distributed denial-of-service] protection services that help protect against vigilante attacks." The researchers identified Amazon, Google, GoDaddy, and Unified Layer as the four most prominent misinformation-hosting CDNs after Cloudflare.

Full Article

*May Require Paid Registration

 

 

Voting Machine Tampering Points to Concern for Fall Election
Associated Press
Christina A. Cassidy; Colleen Slevin
August 25, 2022


Election officials and security experts in the U.S. are concerned that conspiracy theories related to the 2020 presidential election could encourage interference with, or even attempts to sabotage, voting machines during this fall’s elections. Such concerns were highlighted on the last day of voting in the Pueblo County, CO, June primary, when a poll worker found an error message on a voting machine's screen. Election officials can take measures to ensure unauthorized devices don’t infect voting equipment, by, for example, configuring systems to recognize only proprietary devices. In the Pueblo County case, the tamper-evident seal on the voting machine appeared to be disturbed. The case remains under investigation.

Full Article

 

Google Cloud Group Creates Web3 Team To Take Advantage Of Crypto Popularity

CNBC (5/6, Novet) reports, “Google’s cloud unit is forming a team to build services for developers running blockchain applications as the company tries to capitalize on the surging popularity of crypto and related projects.” Google intends to “offer back-end services to developers interested in composing their own Web3 software as the company battles for market share in cloud infrastructure against Alibaba, Amazon and Microsoft.” In an interview with CNBC, Google Cloud’s Vice President Amit Zavery said, “We’re not trying to be part of that cryptocurrency wave directly. We’re providing technologies for companies to use and take advantage of the distributed nature of Web3 in their current businesses and enterprises.”

Engadget (5/6, Holt) reports, “The company is hoping to make Google Cloud Platform the primary destination for those who want to run Web3 apps.” The Web3 movement aims to make “the web decentralized and shifting power away from major companies like Google, Amazon and Meta. Still, Web3 developers need to host their apps and services somewhere, and Google wants to be their first choice.”

SiliconANGLE (5/6, Wheatley) reports that the Web3 team “will reportedly be led by James Tromans, a technical director at Google Cloud who joined the division in 2019. ... The Web3 team is set to include Google employees who have been ‘peripherally involved in Web3 internally and on their own.’” Google Cloud Head of Strategy for Digital Assets Richard Widmann stated that the company intends to “recruit a ‘slew of people with blockchain expertise.’”

dtau...@gmail.com
Oct 16, 2022, 7:58:42 AM
to sec-...@googlegroups.com

Anonymous Data Doesn't Mean Private
Illinois Institute of Technology
Casey Moffitt
October 6, 2022


Illinois Institute of Technology (Illinois Tech) researchers used machine learning and artificial intelligence algorithms to extract personal information from anonymous cellphone data. The neural-network model estimated the gender and age of individual users from their private communications, using data from a Latin American cellphone company. The algorithm guessed individuals' gender with 67% accuracy and age with 78% accuracy, significantly outperforming current models. The researchers used commonly accessible computing equipment to extract this information, and although the dataset they used was not publicly available, malefactors could compile a similar dataset by capturing data through public Wi-Fi hotspots or by targeting service providers' computing infrastructure, said Illinois Tech's Vijay K. Gurbani.
 

Full Article

 

 

Computer Experts Urge Georgia to Replace Voting Machines
Associated Press
Kate Brumback
September 9, 2022


In a Sept. 8 letter to Georgia's State Election Board and Secretary of State Brad Raffensperger, a group of 13 computer and election security experts said they should replace the state's Dominion Voting Systems touchscreen voting machines with hand-marked paper ballots prior to the November midterm elections. The letter cited "serious threats" from a breach of voting equipment in Coffee County, which remains under investigation. A documented incident that occurred in January 2021 reportedly involved unauthorized copying of election equipment in the county. The letter said the copying and sharing of election data and software from Coffee County "increases both the risk of undetected cyber-attacks on Georgia, and the risk of accusations of fraud and election manipulation."

Full Article

 

 

Stealthy Shikitega Malware Targets Linux Systems, IoT Devices
The Hacker News
Ravie Lakshmanan
September 7, 2022


Researchers at AT&T Alien Labs have identified a Linux malware that can compromise endpoints and Internet of Things devices via a multi-stage infection chain. After the Shikitega malware is deployed, the attack chain downloads and executes Metasploit's "Mettle" meterpreter to, among other things, escalate its privileges and launch the Monero cryptocurrency miner. It remains unclear how the initial compromise occurs, but Shikitega can download next-stage payloads from a command-and-control server and execute them directly in memory. The use of a polymorphic encoder makes it harder for antivirus engines to detect the malware. Said AT&T Alien Labs' Ofer Caspi, "Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload."

Full Article

 

 

Chrome Patches Sixth High-Severity Zero-Day This Year
Ars Technica
Dan Goodin
September 6, 2022


Google engineers have published an emergency update for the Chrome browser to correct a high-severity zero-day flaw that can be exploited with available code. Google said the vulnerability (CVE-2022-3075) stems from "insufficient data validation in Mojo," a Chrome component for messaging across inter- and intra-process boundaries between the browser and the operating system. "Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the company explained, without disclosing whether hackers are exploiting the vulnerability or just possess exploit code. Engineers also updated Microsoft's Edge browser, based on the same Chromium engine as Chrome, to fix the same bug. The Mojo exploit marks the sixth zero-day vulnerability Chrome has encountered this year.
 

Full Article

 

 

Collaborative ML That Preserves Privacy
MIT News
Adam Zewe
September 7, 2022


Researchers at the Massachusetts Institute of Technology (MIT) and MIT-originated startup DynamoFL have enhanced federated learning to better train a privacy-preserving machine learning model. Federated learning involves hundreds or thousands of users training their own model with their own data on their own device, then transferring the models to a central server that pools them into a better model. The researchers' FedLTN system improves the accuracy of the combined model while shrinking its size, which accelerates communication between users and the central server while ensuring each user receives a model tailored for their environment. FedLTN follows the lottery ticket hypothesis, positing that within large neural network models are smaller subnetworks that can realize the same performance. The researchers reduced model size by nearly an order of magnitude versus other methods, yielding four- to six-fold lower communication costs for individual users, and boosting model accuracy 10%.

Full Article

 

 

Low-Cost Solution Viable for Self-Driving Cars to Spot Hacked GPS
University of Alabama
September 6, 2022


University of Alabama (UA) researchers have developed a cost-effective system that uses existing software code and sensors in self-driving vehicles to prevent GPS signal spoofing, which could send cargo or people to the wrong destination. The researchers developed an algorithm that relies on the vehicle's built-in sensors to detect a change in location in real time and to return the vehicle to the correct route. The researchers used data from the Honda Research Institute Driving Dataset to simulate how self-driving vehicles would respond to a spoofed GPS signal, finding the models to be accurate in detecting spoofs. Said UA's Sagar Dasgupta, "We think this will be one of the security modules in the next generation of self-driving vehicles."

Full Article

 

 

Apps Used as Alternatives to Prison in U.S. Found to Have Privacy Flaws
New Scientist
Jeremy Hsu
September 3, 2022


University of Washington researchers have discovered privacy flaws in smartphone monitoring apps used in the U.S. to track people waiting for immigration court dates, those in juvenile detention systems, and those on parole or probation. Of the 16 Android monitoring apps studied, the researchers found that seven either did not link to a privacy policy or linked to generic privacy policies, in violation of the Google Play Store's user data policies. One app used by U.S. Immigration and Customs Enforcement, BI SmartLINK, required "dangerous permissions" (to access the device’s camera, obtain its precise location, make telephone calls without user permission, and record audio), but did not disclose this in its privacy policy.
 

Full Article

*May Require Paid Registration

 

Hacker Shows Off Method To Unlock Tesla Models, Start Engine

Bloomberg (5/16, Murphy) reveals that Sultan Qasim Khan, Principal Security Consultant at NCC Group, demonstrated how to unlock Tesla Model Y and S EVs and start their engines remotely. Khan revealed that “by redirecting communications between a car owner’s mobile phone, or key fob, and the car, outsiders can fool the entry system into thinking the owner is located physically near the vehicle.”

 

MITRE Developing Space Cyber Lab

Via Satellite (5/13) reports, “MITRE, the federal contractor that runs R&D labs for the U.S. government, is developing a space cyber lab where real satellite hardware and software can be tested to ensure security.” The move is “one of a host of new measures that space companies are adopting.”

 

STMicroelectronics Partners With Microsoft To Streamline Development of Secure IoT Devices

Street Insider (5/11) reports STMicroelectronics has “revealed details of its collaboration with Microsoft, an ST Authorized partner, to strengthen the security of emerging Internet-of-Things (IoT) applications.” The “intensive engineering project has produced a TF-M based, Azure IoT cloud reference implementation that leverages the hardened security features of the STM32U5 complemented with the hardened key store of an STSAFE-A110 secure element.”

dtau...@gmail.com

unread,
Oct 23, 2022, 8:58:29 AM10/23/22
to sec-...@googlegroups.com

15-Year-Old Python Bug Allows Code Execution in 350k Projects
BleepingComputer
Ionut Ilascu
September 21, 2022


An unpatched 15-year-old bug in the Python programming language could affect more than 350,000 open-source repositories, and could lead to code execution. The path traversal vulnerability, disclosed in 2007, resides in the Python tarfile package, and can allow hackers to overwrite arbitrary files. The flaw exists because the code in the extract function in Python's tarfile module trusts data in the TarInfo object "and joins the path that is passed to the extract function and the name in the TarInfo object." Analyst Charles McFarland at extended detection and response solutions provider Trellix rediscovered the bug while probing another security issue. No reports indicate the bug has been exploited in attacks, although it remains a threat in the software supply chain.
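As an added example (not code from the article, from Trellix, or from Python's own tarfile module), the check below computes the same path that extract() joins from the destination and the untrusted TarInfo name, and refuses any member (or symlink target) that resolves outside the destination; the archive contents and destination path are constructed. Newer Python releases add a built-in extraction `filter` argument that performs comparable checks.

```python
import io
import os
import tarfile
from typing import Iterable, List, Tuple


def build_archive(files: Iterable[Tuple[str, str]],
                  symlinks: Iterable[Tuple[str, str]] = ()) -> bytes:
    """Build an in-memory tar archive; constructed sample input, not a real file.

    files:    (member name, text content) pairs
    symlinks: (member name, link target) pairs
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files:
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in symlinks:
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """True if `target`, once normalised, lies under `directory`."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    # commonpath, not str.startswith: "/out" must not accept "/outside".
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def unsafe_members(archive_bytes: bytes, dest: str) -> List[str]:
    """Names of members whose extraction path would leave `dest`.

    This performs the same join that tarfile's extract() does with the
    untrusted TarInfo.name, but validates the result instead of trusting it.
    Link targets are checked too, since a link pointing outside `dest` lets a
    later member write outside the tree. Nothing here touches the filesystem;
    `dest` is only used as a path string.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            candidate = os.path.join(dest, member.name)
            if not is_within_directory(dest, candidate):
                flagged.append(member.name)
                continue
            if member.issym():
                # Symlink targets are relative to the link's own directory.
                link_target = os.path.join(os.path.dirname(candidate), member.linkname)
                if not is_within_directory(dest, link_target):
                    flagged.append(member.name)
            elif member.islnk():
                # Hard-link targets are relative to the archive root.
                link_target = os.path.join(dest, member.linkname)
                if not is_within_directory(dest, link_target):
                    flagged.append(member.name)
    return flagged


def safe_extract(archive_bytes: bytes, dest: str) -> List[str]:
    """Extract only when every member passes the check; return extracted names."""
    bad = unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract; members escape {dest!r}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    # Constructed archive mixing a benign member with traversal attempts.
    archive = build_archive(
        files=[("docs/readme.txt", "hello"),
               ("../outside.txt", "escapes via parent reference"),
               ("docs/../../outside2.txt", "escapes after normalisation")],
        symlinks=[("docs/link", "../../some_target")],
    )
    print("flagged members:", unsafe_members(archive, "/tmp/untrusted_out"))
```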
 

Full Article

 

 

Spoofing Cyberattack Can Make Cameras See Things that Are Not There
New Scientist
David Hambling
September 26, 2022


Using radio waves, Sebastian Köhler at the U.K.'s University of Oxford and colleagues were able to trick image-recognition systems into seeing nonexistent things. Digital cameras include sensors that render light as electrical impulses, and post-transducer signals can create the false impression of actual images. The researchers fooled a barcode scanner from 0.5 meters (1.6 feet) away, adding noise to photos the scanner captured and inducing failure 99% of the time. Köhler said his team has introduced shapes in such attacks like readable text, while more refined exploits to deceive object-recognition software into seeing unreal things also are feasible. "An attack from tens of meters is possible with reasonably sized hardware," Köhler said.
 

Full Article

*May Require Paid Registration

 

 

Deepfake Audio Has a Tell
Ars Technica
Logan Blue; Patrick Traynor
September 20, 2022


Researchers at the University of Florida can detect audio deepfakes by measuring acoustic and fluid dynamic distinctions between organic and synthetic voice samples. The researchers inverted techniques used to replicate the sounds a person makes to acoustically model their vocal tract, in order to approximate the speaker's tract during a segment of speech. Using the process to analyze deepfaked audio samples, on the other hand, can result in model vocal tract shapes that do not appear in people. "By estimating the anatomy responsible for creating the observed speech, it's possible to identify whether the audio was generated by a person or a computer," the researchers explain.

Full Article

 

 

We Can Train Big Neural Networks on Small Devices
IEEE Spectrum
Matthew Hutson
September 20, 2022


A new training method expands small devices' capabilities to train large neural networks, while potentially helping to protect privacy. The University of California, Berkeley's Shishir Patil and colleagues integrated offloading and rematerialization techniques using suboptimal heuristics to reduce memory requirements for training via the private optimal energy training (POET) system. Users feed POET a device's technical details and data on the architecture of a neural network they want to train, specifying memory and time budgets; the system generates a training process that minimizes energy usage. Defining the problem as a mixed integer linear programming challenge was critical to POET's effectiveness. Testing showed the system could slash memory usage by about 80% without significantly increasing energy consumption.

Full Article

 

 

Clearview AI Now in Public Defenders' Hands
The New York Times
Kashmir Hill
September 18, 2022


Software company Clearview AI has started providing its facial recognition tool to public defenders after it cleared a man in Florida of vehicular homicide. The man's attorney used the tool to mine a database of 20 billion faces, and tracked down an individual who was able to corroborate his client's innocence. Clearview now offers free 30-day trials of its software to public defenders and government-contracted lawyers representing indigent clients. Yet critics are doubtful because the technology, mainly used by law enforcement agencies for criminal investigations, is mired in ethical and legal issues. Civil liberties advocates believe Clearview's database of photos collected without consent breaches privacy, an issue compounded by skepticism about automated facial recognition's accuracy and little transparency about its use by law enforcement.

Full Article

*May Require Paid Registration

 

 

Protecting Privacy, Safety in Encrypted Messaging
Cornell University Chronicle
Tom Fleischman
September 12, 2022


Cornell Tech and University of Maryland researchers have created a mechanism for preserving anonymity in encrypted messaging while blocking unwanted or abusive messages. The Orca protocol would have recipients register an anonymized blocklist with the messaging platform; senders would assemble messages that the platform can confirm as originating from someone not on the blocklist. Confirmation is realized through group signatures, which allow users to sign messages anonymously on behalf of a group. Said Cornell Tech’s Nirvan Tyagi, “Increased privacy can harm the ability to do certain types of abuse mitigation and accountability. The question is, can we make that tradeoff a little less costly with even better cryptography? And in some cases, we can.”

Full Article

 

 

Off-the-Shelf Crypto-Detectors Give False Sense of Data Security
William & Mary News
Joseph McClain
September 13, 2022


William & Mary's Amit Seal Ami said off-the-shelf crypto-application programming interface (API) misuse detectors can give developers a false sense of data security if they contain unknown flaws. Ami, a Ph.D. candidate in William & Mary’s Department of Computer Science and the lead student author of the paper “Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques,” worked with colleagues to develop the MASC framework to assess the practical performance of certain crypto-API detectors by modifying known and established flaws, then analyzing the mutations using the detectors under evaluation. Ami said the framework uncovered somewhat obvious and extremely obvious vulnerabilities that the detectors had missed.

Full Article

 

 

'Digital Mask' Could Protect Patients' Privacy in Medical Records
University of Cambridge (U.K.)
Craig Brierley
September 15, 2022


U.K. and Chinese researchers have created a "digital mask" that allows facial images to be stored in medical records while protecting personal biometric information from extraction. The researchers used three-dimensional (3D) reconstruction and deep learning algorithms to delete identifiable features from facial images while preserving disease-related attributes. The digital mask inputs a video of a patient's face and outputs a video based on the algorithm and 3D reconstruction, leaving out as much of the patient's personal biometric information as possible, and thwarting identification. Patrick Yu-Wai-Man at the U.K.'s University of Cambridge said digital masking "offers a pragmatic approach to safeguarding patient privacy while still allowing the information to be useful to clinicians.”

Full Article

 

Experts Cite Progress On Federal Cybersecurity

The Hill (5/22, Kagubare) reports that following a period of “multiple devastating cyberattacks, experts are applauding the progress made by the White House in the year since President Biden signed an executive order aimed to strengthen federal cybersecurity.” They are “particularly impressed” with the improvements to “make it easier for the government and the private sector to share threat information.” Chris Wysopal, chief technology officer at Veracode, “added that the Cybersecurity and Infrastructure Security Agency (CISA) has been frequently sharing threat intelligence and issuing guidance on the best cybersecurity practices to adopt, including implementing multi-factor authentication and using encryption.” Through the agency’s Joint Cyber Defense Collaborative (JCDC), CISA has “partnered with numerous companies in the private sector to push forward that effort, which includes implementing nationwide cyber defense strategies, sharing information and other steps to mitigate the risks of cyberattacks.”

 

Ransomware Payments Up 70 Percent In 2021 Over Previous Year

In his Cybersecurity 202 newsletter, The Washington Post’s (5/20, Marks) Joseph Marks wrote that ransomware payments were up 70 percent in 2021 compared to the previous year. Despite increased awareness of the threat and a greater government focus on stopping hackers who use ransomware, Marks wrote that data “suggests ransomware attacks have held steady or are increasing and many of the likeliest victims, including schools and small businesses, are no better protected than they were one year ago.”

dtau...@gmail.com

unread,
Oct 29, 2022, 1:28:37 PM10/29/22
to sec-...@googlegroups.com

U.S. Makes 'Dramatic Change' in Technology for Nuclear Code System
The Wall Street Journal
Daniella Cheslow
October 14, 2022


An exhibit of recently retired equipment at the reopened U.S. National Security Agency's National Cryptologic Museum highlights a technological upgrade to the nation's nuclear command and control (C&C) system. Museum director Vince Houghton said the servers and machines that once generated nuclear codes are on display due to "a dramatic change" in the technology. The exhibit includes the DEC Alpha server that produced secret keys a president would use to launch a nuclear attack, and the MP37 machine that manufactured the Sealed Authenticator System cards with launch codes used to confirm orders from Strategic Command to local commanders. The Pentagon's Navy Lt. Cmdr. Tim Gorman confirmed ongoing initiatives to modernize the nuclear C&C system to ensure it is "resilient and effective," without specifying details.

Full Article

*May Require Paid Registration

 

 

Intel Confirms Alder Lake BIOS Source Code Leak
Tom's Hardware
Paul Alcorn
October 9, 2022


Intel confirmed that a third party leaked its Alder Lake BIOS source code to 4chan and GitHub. The leak involved 6GB of files featuring tools and code for building and optimizing BIOS/UEFI images. Said an Intel spokesperson, "We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure. This code is covered under our bug bounty program within the Project Circuit Breaker campaign, and we encourage any researchers who may identify potential vulnerabilities to bring them to our attention through this program." The GitHub repository containing the files, which has been taken down, reportedly was created by an employee of China's LC Future Center.

Full Article

 

 

Microsoft Exchange 0-Day Attack Threatens 220,000 Servers
Ars Technica
Dan Goodin
September 30, 2022


Microsoft researchers said numerous servers have been compromised and approximately 220,000 additional servers worldwide are threatened by two critical vulnerabilities in its Exchange application. One is a server-side request forgery vulnerability, and the other enables remote code execution via PowerShell. The unpatched flaws were identified in August by researchers at the Vietnamese security firm GTSC, who found that an Exchange vulnerability was exploited to infect customer networks with malicious webshells. The GTSC researchers said, "After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim's system. The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system." Microsoft is working on a patch for the new vulnerabilities.
 

Full Article

 

 

Chaos IoT Malware Taps Go to Harvest Windows, Linux for DDoS Attacks
ZDNet
Liam Tung
September 29, 2022


U.S. Internet infrastructure firm Lumen's cybersecurity division Black Lotus Labs found cross-platform malware is proliferating on Linux and Windows systems to harvest resources for distributed denial-of-service (DDoS) attacks. The Chaos malware was written in Google's Go coding language, and supports multiple chip architectures to operate on routers, Internet of Things devices, smartphones, and enterprise servers. Chaos leverages established, unpatched flaws in firewall devices to infiltrate networks. Lumen suggests Chinese actors created the malware, and has discovered roughly 100 samples that enable operators to profile host environments, transmit remote commands to devices, add additional capabilities, spread throughout networks by guessing Secure Shell private keys, and launch DDoS attacks.

Full Article

 

 

WhatsApp Fixes Security Bugs That Put Android Phone Data at Risk
TechCrunch
Carly Page
September 27, 2022


WhatsApp disclosed details of a "critical"-rated security vulnerability that could allow hackers to plant malware on an Android smartphone remotely during a video call. The integer overflow bug occurs when an application attempts a computational process but has no room in its allotted memory, causing data to leak and to overwrite other memory segments with potentially malicious code. Security research company Malwarebytes said the bug resides in WhatsApp's Video Call Handler, which if activated would allow attackers to hijack a target's app. WhatsApp's Joshua Breckman said the company has seen "no evidence of exploitation" of the bug. WhatsApp also reported a second bug with a "high" severity rating that could allow hackers to run malware on a victim's iOS device through malicious video files; the company says it has patched both flaws.

Full Article

 

 

Hackers Use PowerPoint Files for 'Mouseover' Malware Delivery
BleepingComputer
Bill Toulas
September 26, 2022


Threat intelligence company Cluster25 suspects a Russia-affiliated hack group has begun using a new code execution technique that exploits mouse movement in Microsoft PowerPoint presentations to trigger malware. Attackers lure victims with a PowerPoint file allegedly associated with the Organization for Economic Cooperation and Development (OECD); in the file are slides with English and French instructions for using the Interpretation option in Zoom videoconferencing applications; hovering the mouse over a hyperlink when opening the lure document in presentation mode activates the malicious PowerShell script. Cluster25 said hackers have used the exploit to deliver Graphite malware as recently as Sept. 9. Graphite is designed to allow attackers to load other malware into system memory.

Full Article

 

 

Bitcoin Has Emitted 200 Million Tons of CO2 Since Launch
New Scientist
Matthew Sparkes
September 28, 2022


Researchers at the U.K.'s University of Cambridge estimated bitcoin miners have discharged nearly 200 million tons of carbon dioxide into the atmosphere since the cryptocurrency's launch 13 years ago. The Cambridge Bitcoin Electricity Consumption Index (CBECI) factors in cryptocurrency mining volumes for every country worldwide, and a model that covers energy consumption and power of bitcoin-mining hardware, current bitcoin prices, and the point at which certain equipment becomes profitable to operate in various situations. The researchers calculated that 199.65 million tons of carbon emissions could be attributed to the Bitcoin network by September, of which 92% transpired in the past four years.

Full Article

 

Report: US Government Lacks Capacity To Deter Ransomware Attacks

The Washington Post (5/24, Marks) reports “a 10-month investigation by Democratic staffers on the Senate Homeland Security Committee” has concluded in a new report released Tuesday that the US government remains “largely in the dark when it comes to the scale of ransomware attacks pummeling schools, local governments and businesses.” The Post adds the report “cites an estimate by the Cybersecurity and Infrastructure Security Agency (CISA) that only about one-quarter of ransomware attacks are ever reported in a way that comes to the government’s attention.” Senate Homeland Security Chair Gary Peters said, “My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them.”

 

States, Localities Waiting For Federal Cybersecurity Bill

Roll Call (5/24, Ratnam) reports legislation passed by the House last week would “ensure that federal cybersecurity experts assist their state and local government counterparts in protecting networks” and “provides security tools, helps states draft policies and procedures, conducts cybersecurity exercises and shares threat information through collaborative channels.” The bill already passed the Senate, and President Biden is “expected to sign it.” In addition to security “assistance, information sharing and training, states also are awaiting financial assistance from Washington to boost their cybersecurity efforts,” and CISA has yet to “announce guidelines on how states can apply for the grant money, [Doug Robinson, executive director of the National Association of State Chief Information Officers] said.” The law mandates that “80 percent of the money that states receive through the grant program must go to local governments such as counties, cities and towns,” with the first wave of funding to “help state chief information officers work with local partners to assess the vulnerability of computer networks.”

 

Remote Learning Applications Shared Children’s Data

The Washington Post (5/24) reports “millions of children had their online behaviors and personal information tracked by the apps and websites they used for school during the pandemic, according” to advocacy group Human Rights Watch. The international investigation “raises concerns about the impact remote learning had on children’s privacy online.” The educational tools “were recommended by school districts and offered interactive math and reading lessons to children as young as prekindergarten.” However, “many of them also collected students’ information and shared it with marketers and data brokers, who could then build data profiles used to target the children with ads that follow them around the Web.” Those findings “come from the most comprehensive study to date on the technology that children and parents relied on for nearly two years as basic education shifted from schools to homes.”

 

Report: Virtual Learning Apps Tracked, Shared Students’ Data, Online Activities With Advertisers

CNN Business (5/26, Kelly, Business) reported Human Rights Watch, “an international advocacy organization, this week published the findings of an investigation conducted from March 2021 to August 2021 that looked into the educational services, including online learning tools, used by students all over the world when school districts shifted to remote learning.” Of the 164 products “reviewed across 49 countries, Human Rights Watch found 146 (89%) appeared to engage in data practices that ‘risked or infringed on children’s rights.’” These practices “included monitoring or having the ability to monitor children without the students’ or parents’ consent, and collecting a range of personal data, according to the report, such as their identity, location, their online activity and behaviors, and information about their family and friends.”

        WPost: Comprehensive Privacy Law Needed To Combat Child Surveillance. The Washington Post (5/30) said in an editorial that a “new report from Human Rights Watch reveals the startling extent to which the educational tools students used during the pandemic collected and shared their information.” The analysis “discovered that almost 90 percent of the products vacuumed up students’ activities, locations and even sometimes their keystrokes, passing this trove of knowledge on to firms that exploit them for profit.” The findings “show how the globe has settled on a default position of constant surveillance.” The “solution is a comprehensive federal privacy law that applies to everyone. Sens. Maria Cantwell (D-Wash.) and Roger Wicker (R-Miss.), whose Commerce Committee has long been working on a bipartisan bill, should overcome their remaining differences to complete the job.”

dtau...@gmail.com

unread,
Oct 30, 2022, 9:08:41 AM10/30/22
to sec-...@googlegroups.com

Thousands of GitHub Repositories Deliver Fake PoC Exploits with Malware
BleepingComputer
Bill Toulas
October 23, 2022


Researchers at the Leiden Institute of Advanced Computer Science in the Netherlands discovered thousands of GitHub repositories offering fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them carrying malware. The researchers analyzed slightly more than 47,300 repositories promoting exploits for vulnerabilities disclosed between 2017 and 2021 using Internet Protocol (IP) address analysis, binary analysis, and hexadecimal and Base64 analysis. Over 2,800 of 150,734 unique IPs extracted matched blocklist entries, 1,522 were labeled malicious in antivirus scans on VirusTotal, and 1,069 of them were in the AbuseIPDB database. The researchers designated 4,893 of 47,313 tested repositories malicious, with most focusing on vulnerabilities from 2020. The researchers advised software testers to thoroughly vet the PoCs they download, and to run as many checks as possible before execution.
 

Full Article

 

 

Starlink's Signal Hacked for Use as GPS Alternative
Gizmodo
Andrew Liszewski
October 21, 2022


University of Texas at Austin (UT Austin) researchers hacked SpaceX's Starlink satellites to serve as a global positioning system (GPS) backup, after SpaceX declined to cooperate. The researchers bought a Starlink terminal and service that streamed YouTube videos of tennis player Rafael Nadal round the clock and coupled them to an antenna that detected synchronization sequence signals that keep terrestrial receivers connected to satellites; the signals' four-millisecond transmission intervals match those of GPS. When paired with data about Starlink satellite movements, which SpaceX shares to reduce the risk of collision with satellites from other companies, users can calculate a receiver's location with roughly 98-foot accuracy using the signal source and the satellite's distance. UT Austin's Todd Humphreys suggests SpaceX's cooperation could improve positional accuracy to less than a meter via software updates and data added to synchronization signals.
 

Full Article

 

 

Japan Steps Up Push to Get Public Buy-in to Digital IDs
Associated Press
Yuri Kageyama
October 24, 2022


Japan's government is urging the public to sign up for digital IDs, warning they could lose access to public health insurance otherwise. The government is asking people to apply for plastic My Number cards featuring microchips and photos, and to use them with drivers' licenses and public health insurance plans. Many Japanese fear the misuse or theft of this information. Music copyright business professional Saeko Fujimori said the card's microchip raises the risk of fraud, adding, "If a machine is reading all the information, that can lead to mistakes in the medical sector, too." The National Confederation of Trade Unions' Koichi Kurosawa said digitalization would be more appealing if it streamlined and shortened labor, adding that many Japanese workplaces are seeing the opposite effect, and people "are worried it will lead to tighter surveillance."

Full Article

 

 

South Korea Aims to Boost Economy with Digital IDs on Blockchain
Bloomberg
Sam Kim
October 16, 2022


South Korea intends to offer its citizens a blockchain-secured digital identity in order to improve economic growth. The nation will launch digital IDs in 2024, expecting 45 million citizens to be using them within two years. The IDs will be embedded into mobile devices like smartphones. Suh Bo Ram, director-general of South Korea's digital-government bureau, said a decentralized identity framework will prevent the government from accessing data on individual phones, including whose digital IDs are used, how they are used, and where. Hwang Seogwon at South Korea's Science and Technology Policy Institute said although digital IDs can be highly beneficial economically, "there has to be more risk assessment technologically to make sure the danger doesn't outweigh the benefits."

Full Article

*May Require Paid Registration

 

 

'Deepfakes' of Celebrities Appearing in Ads
The Wall Street Journal
Patrick Coffee
October 25, 2022


Deepfakes of celebrities have started to appear in ads, with and without their consent. Experts say the growing use of deepfake software could change the marketing industry significantly while raising new legal and ethical issues, making it difficult for celebrities to rein in unauthorized digital reproductions and brand manipulation. U.S. legislative efforts to contain deepfakes include criminalization of their use in revenge porn in Virginia, and a Texas ban on their use in political campaigns. However, experts cite a lack of legislation addressing deepfake usage in commercials, and anticipate as a result deepfakes will become increasingly popular in advertising.

Full Article

*May Require Paid Registration


Targeted Billboard Ads Are a Privacy Nightmare
Gizmodo
Mack DeGeurin
October 13, 2022


A report from the U.K. civil liberties group Big Brother Watch highlights privacy concerns related to targeted digital advertising on physical billboards. These billboards use facial recognition software to generate ads personalized to passers-by. Big Brother Watch's Jake Hurfurt called the practice "some of the most intrusive advertising surveillance we've ever seen in the U.K." The report raised concerns about the mass collection of user data, including precise GPS location, gender and age demographics, and behavioral data, which it said "is being gathered not just to work out if an ad campaign was successful, but to alter how people experience reality without their explicit consent, all in an attempt to make more sales."

Full Article


Texas AG Sues Google For Collecting Biometric Data Without Consent

Reuters (10/20, Bartz, Shepardson) reports that on Thursday, the Texas Attorney General’s office announced it has filed a lawsuit against Google “for allegedly collecting biometric data of millions of Texans without obtaining proper consent.” According to the complaint, “companies operating in Texas have been barred for more than a decade from collecting people’s faces, voices or other biometric data without advanced, informed consent.” However, the complaint continued, “Google has, since at least 2015, collected biometric data from innumerable Texans and used their faces and their voices to serve Google’s commercial ends.” For its part, “Google said it would fight the lawsuit, saying that users of the services had the option to turn off the biometric collection feature.”

dtau...@gmail.com

Nov 6, 2022, 8:41:18 AM11/6/22
to sec-...@googlegroups.com

Security Loophole Allows Attackers to Use Wi-Fi to See Through Walls
University of Waterloo (Canada)
November 3, 2022

A drone-powered device developed by researchers at Canada's University of Waterloo can see through walls by accessing Wi-Fi networks. The Wi-Peep device can fly close to a building and identify all Wi-Fi-enabled devices inside using the building's Wi-Fi network by taking advantage of the "polite Wi-Fi" loophole, in which smart devices automatically respond to contact attempts from any device within range. Built from a store-bought drone and $20 of hardware, Wi-Peep can pinpoint the location of a device to within one meter by measuring response times to the messages it sends to devices while in flight. Said Waterloo's Ali Abedi, "We need to fix the Polite Wi-Fi loophole so that our devices do not respond to strangers. We hope our work will inform the design of next-generation protocols."

Full Article


Colleges Go Offbeat for Cybersecurity Training
Inside Higher Ed
Susan D'Agostino
November 3, 2022


As colleges work to guard against cyberattacks, the University of Notre Dame has taken a different approach to cybersecurity awareness training in the form of a cybersecurity festival. Notre Dame's Chas Grundy said the festival was designed "to reach people's hearts and minds in a way that would stick and draw them into it as a counterpart to mandatory training." The festival featured activities like cybersecurity strongman games, a "go phish" activity in which participants were asked to identify the signs of a phishing email, and a lock-picking workshop. Stanford University hosted a similar festival, which featured lock-picking and hacking activities focused on safe cloud computing practices.

Full Article


“Scam Rappers” Using TikTok, Spotify To Rap Instructions On How To Commit Cybercrimes

Bloomberg (11/2, Stone) reports a new generation of artists called “scam rappers” are using TikTok and Spotify to rap “specific instructions on how to carry out cybercrimes” from credit card scams to business email compromise. Scam rap is “a subgenre of hip hop where the lyrics are usually focused on how to commit identity theft, often including specific tips on how to use Instagram and Telegram for social engineering.” According to the article, “the phenomenon underscores the normalization of internet crime: Even if artists are overhyping their involvement in any actual felonies – like musicians do all the time – they’re also broadcasting details about the $7 billion cybercrime business to an audience of millions, propelling hard-to-grasp technical details into recommendation algorithms.”


FSA Official Encourages Higher Ed Institutions To Report Cyberattacks

EdScoop (11/2, McKenzie) reports, “Higher education institutions should report cyberattacks and data breaches the moment they’re discovered, Devin Bhatt, acting chief information security officer for the U.S. Department of Education’s Federal Student Aid office, told a conference this week.” Bhatt said during the Educause 2022 conference’s virtual programming on Wednesday that although institutions will not be fined for neglecting to report suspected data breaches or cyberattacks to FSA, some institutions are still reluctant to come forward because they fear they will be penalized. Bhatt said, “Please, please, please notify us as soon as possible. We’re not here to punish anybody, we’re here to help you, we’re here to serve the institutions of higher education and students.” Bhatt said that during fiscal year 2022, FSA received 409 incident reports, down from 460 reports last year. However, “the number of ransomware incidents increased from 126 to 130.”


Analysis Discusses Privacy Concerns With Meta’s Metaverse Plan

In an analysis for The Washington Post (11/1), Naomi Nix writes, “If Meta’s dream of the metaverse comes true, regulators will face a whole new set of privacy concerns. Lately, Meta CEO Mark Zuckerberg has been offering a rosy picture about the future success of his company’s big bet on transforming human communication through immersive virtual worlds known as the metaverse. In response to dismal financial results last quarter, Zuckerberg told investors that the company’s new $1,500 virtual reality powered headset, Quest Pro, would help employees get their work done better than they ever could through ordinary computers.” She continues, “What Zuckerberg didn’t say was that policy watchers and industry representatives are already grappling with thorny ethical and regulatory issues that would arise if services such as Quest Pro do take off in popularity.” Nix adds, “Among the trickiest questions facing Meta and other companies is what they do with the intimate information they collect about users and their interactions in these immersive virtual spaces.”


Some TikTok Users Are Receiving Checks Over Data Privacy Violations Following Settlement

CNBC (10/28, Sauer) reported that “this week, TikTok users across the country who created videos on the app before September 30, 2021, began receiving payments between $27.84 and $167.04 following a $92 million class-action data privacy settlement with the social media platform.” The largest checks “went to short- and long-term residents of Illinois, where TikTok was sued for violating the state’s strict biometric data laws by collecting and implementing facial recognition data into its algorithms without user consent.” More checks “from privacy lawsuits are likely on their way.” Last month, a judge “approved a $100 million settlement against Google, with 420,000 Illinois residents set to receive about $150 each.” In August, some Snapchat users “received notice to submit a claim by November 5 to take part in a similar $35 million lawsuit against the company.” Sandwich chain Pret A Manger and photography company Shutterfly “have also settled similar lawsuits over the past 13 months.”


Crypto Markets Fall After Celsius Freezes Withdrawals

The Washington Post (6/13) reports that “embattled cryptocurrency bank” Celsius’ decision to freeze withdrawals “by its nearly 2 million users rattled crypto markets Monday and underscored fears that some of the sector’s largest companies are on shaky financial ground.” In a statement late Sunday, the company said, “Due to extreme market conditions, today we are announcing that Celsius is pausing all withdrawals, Swap, and transfers between accounts. ... We are taking this action today to put Celsius in a better position to honor, over time, its withdrawal obligations.” Celsius offered no timetable “for when withdrawals would be restored.”


Trial To Test Limits Of Anti-Hacking Law

The New York Times (6/8, Conger) reports that former Amazon software engineer Paige Thompson, “accused of stealing customers’ personal information from Capital One is standing trial in a case that will test the power of American anti-hacking law.” In 2019, she downloaded “personal information belonging to more than 100 million Capital One customers, the Justice Department said.” The data came from credit card applications and “included 140,000 Social Security numbers and 80,000 bank account numbers.” She faces ten counts of “computer fraud, wire fraud and identity theft in a federal trial that began on Tuesday in Seattle.” The Times writes the trial will raise “questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law.” Prosecutors “said Ms. Thompson had planned to use the information she gathered for identity theft, and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency.” But her lawyers have “argued that Ms. Thompson’s discovery of flaws in Capital One’s data storage system reflected the same practices used by legitimate security researchers and should not be considered criminal activity.”


Cantwell To Convene Classified Briefing On Semiconductors

Reuters (6/8, Shepardson) cites “sources” who say that Sen. Maria Cantwell (D-WA) on Thursday “will convene a classified briefing with Pentagon officials and Intel Corp’s chief executive for lawmakers negotiating a compromise measure to provide $52 billion in subsidies for U.S. semiconductor manufacturing.” The briefing “will look at threats to national security-critical supply chains, with a focus on semiconductors, officials said, and will review their importance for defense systems and critical infrastructure.” Among those expected to take part are Commerce Secretary Raimondo, “Deputy Under Secretary of Defense for Research and Engineering David Honey and U.S. Air Force Chief Scientist Victoria Coleman, sources said. Intel CEO Patrick Gelsinger is also expected to participate.”


Gillibrand, Lummis Propose Bill To Regulate Cryptocurrencies And Digital Assets

The AP (6/7, Hussein) reports Sens. Kirsten Gillibrand (D-NY) and Cynthia Lummis (R-WY) on Tuesday proposed “wide-ranging bipartisan legislation” to “regulate cryptocurrencies and other digital assets following a series of high-profile busts and failures.” The AP says that the Responsible Financial Innovation Act “proposes legal definitions of digital assets and virtual currencies; would require the IRS to adopt guidance on merchant acceptance of digital assets and charitable contributions; and would make a distinction between digital assets that are commodities or securities, which has not been done,” but it is “unclear” whether the bill “can clear Congress, especially at a time of heightened partisanship ahead of midterm elections.”

However, the Washington Post (6/7, Newmyer) reports the bill “would deliver a win for the sector by empowering its preferred regulator, the Commodity Futures Trading Commission (CFTC), over the Securities and Exchange Commission.” The Post says that by “giving primary responsibility for crypto oversight to the CFTC, the relatively small agency tasked with regulating a swath of financial markets, from grain futures to more complex products, the bill...sidelines the SEC, whose chair, Gary Gensler, has taken an aggressive posture toward crypto interests.” In addition, Roll Call (6/7, Wynn, Weiss) reports the bill “creates an advisory committee made up of industry, federal and state regulators among others to develop guiding principles and advise lawmakers.” A Wall Street Journal (6/7, Kiernan, Subscription Publication) article headlined “Senators To Propose Industry-Friendly Cryptocurrency Bill” provides similar coverage.

dtau...@gmail.com

Nov 12, 2022, 12:43:04 PM11/12/22
to sec-...@googlegroups.com

Hacking the Metaverse
Louisiana State University
November 8, 2022


Louisiana State University (LSU)'s Abe Baggili and colleagues tested the security of immersive virtual reality (VR) and X-reality (XR) systems for weaknesses. The researchers hacked a popular XR application used to watch movies with others in a virtual room, and found they could hijack a user's VR headset, view their screen, activate their microphone, and install a virus on their computer invisibly. The virus infected other users who interacted with the compromised user, while the researchers also could enter the virtual room to eavesdrop. They notified the app's developer, which accepted their recommendations. Former LSU researcher Martin Vondrácek said the team open-sourced its hacking software, example exploits, and vulnerability signatures "to improve the state of the art of vulnerability detection and prevention in VR."

Full Article


5G-Enabled Malware Classification System for Next-Generation Cybersecurity
Newswise
November 8, 2022


A multinational team of scientists led by Gwanggil Jeon at South Korea's Incheon National University created an artificial intelligence-based malware detection system for 5G-enabled Industrial Internet of Things systems. The system uses grayscale image visualization with a deep learning network to analyze malware, then applies a convolutional neural network framework to categorize malware attacks. The researchers integrate the system with 5G to enable low latency and high-throughput sharing of real-time data and diagnostics. The new model improved on conventional system architectures, achieving 97% accuracy on the benchmark dataset thanks to the system's ability to extract complementary discriminative properties by integrating multiple layers of data.

Full Article


AI Model Can Help Prevent Data Breaches
Imperial College London (U.K.)
Gemma Ralton
November 8, 2022


The QuerySnout artificial intelligence (AI) algorithm designed by researchers at the U.K.'s Imperial College London (ICL) can check privacy-safeguarding systems for potential breaches. QuerySnout can automatically identify attacks on query-based systems (QBS) used by analysts to search data and retrieve aggregate information. The model learns which questions to ask the QBS to obtain answers, then learns to integrate the answers automatically to detect potential privacy bugs. QuerySnout uses machine learning to produce a query-based attack that combines answers in order to expose specific private data, following an evolutionary search to find the correct query sets. ICL's Ana-Maria Cretu said, "QuerySnout finds more powerful attacks than those currently known on real-world systems. This means our AI model is better than humans at finding these attacks."

Full Article


Resignations Of Twitter Privacy, Compliance Chiefs Prompt FTC Warning

Reuters (11/10, Paul, Dave) reports Twitter owner Elon Musk “on Thursday raised the possibility of the social media platform going bankrupt, capping a chaotic day that included a warning” from the Federal Trade Commission and the exit of Twitter Trust and Safety Head Yoel Roth. Reuters continues, “The billionaire on his first mass call with employees said that he could not rule out bankruptcy...two weeks after buying it for $44 billion – a deal that credit experts say has left Twitter’s finances in a precarious position. Earlier in the day, in his first company-wide email, Musk warned that Twitter would not be able to ‘survive the upcoming economic downturn’ if it fails to boost subscription revenue to offset falling advertising income.” Bloomberg (11/10, Wagner) reports Musk also banned remote work for his employees “unless he personally approved it. ... The new rules, which kick in immediately, will expect employees to be in the office for at least 40 hours per week, he added.”

Meanwhile, Roth’s resignation and those of Chief Privacy Officer Damien Kieran and Chief Compliance Officer Marianne Fogarty drew the attention of the FTC. The Washington Post (11/10, A1, Menn, Zakrzewski, Siddiqui, Tiku, Harwell) reports the departures “prompted a rare warning” from the agency, “which has emerged as the government’s top Silicon Valley watchdog. It marked the second time in two days that a federal official has expressed concern about the chaotic developments at the company, coming less than 24 hours after President Biden said Musk’s relationships with other countries deserved scrutiny.” The agency “said that it was ‘tracking the developments at Twitter with deep concern’ and that it was prepared to take action to ensure the company was complying with a settlement known as a consent order, which requires Twitter to comply with certain privacy and security requirements because of allegations of past data misuse.”

As Top Security Officials Leave, Musk Ends Twitter’s Work From Home Policy. The Guardian (UK) (11/10) reports, “Elon Musk has scrapped Twitter’s work from home policy and ordered its staff back to the office, days after firing 3,700 employees.” An email seen by The Guardian contends “that working from home would no longer be allowed except in special circumstances, with such cases personally vetted by Musk.” Musk also told staff in the email that the platform’s “road ahead is arduous and will require intense work to succeed.” This comes on the heels of mass layoffs that “have raised concern about the company’s ability to maintain security on the platform and comply with government regulations.” Employees now are “being encouraged to ‘self-certify’ the platform is running in compliance with privacy laws, according to a report from the Verge on Thursday. Breaking these laws could result in billions of dollars in fines.”


WPost: CISA Adopting “Hands-off Approach” To Twitter Election Disinformation

The Washington Post (11/7) reports the Cybersecurity and Infrastructure Security Agency “says it’s taking a hands-off approach when it comes to false claims about the election process on Twitter.” CISA spokesperson Michael Feldman told the Post “the agency isn’t flagging any election-related disinformation to Twitter or any social media platform.” Feldman’s comments come “after an Intercept report last week detailed communications between the government and tech companies, prompting criticism from conservatives and raising concerns among some civil rights advocates.” Instead, Feldman “said, state and local officials can flag potential disinformation about their elections to the Center for Internet Security (CIS), a nonprofit which may then pass it on to social media platforms ‘who, as always, make their own decisions according to their own policies,’ he wrote in an email.”


FCC Commissioner Seeks TikTok’s Removal From Apple, Google App Stores

CNBC (6/29, Cheng) reports FCC Commissioner Brendan Carr “said he has asked Apple and Google to remove TikTok from their app stores over China-related data security concerns.” Carr shared via Twitter a “letter to Apple CEO Tim Cook and Alphabet CEO Sundar Pichai” that cited “reports and other developments that made TikTok non-compliant with the two companies’ app store policies.” Carr wrote, “At its core, TikTok functions as a sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data.” Carr’s letter, dated June 24 “on FCC letterhead, said if Apple and Alphabet do not remove TikTok from their app stores, they should provide statements to him by July 8.” The statements should explain “the basis for your company’s conclusion that the surreptitious access of private and sensitive U.S. user data by persons located in Beijing, coupled with TikTok’s pattern of misleading representations and conduct, does not run afoul of any of your app store policies,” he added.

The Washington Post (6/29, Gregg) reports Carr also argued in his letter, “It is clear that TikTok poses an unacceptable national security risk due to its extensive data being combined with Beijing’s apparently unchecked access to that data.” However, The New York Times (6/29, McCabe) reports Carr’s request is “unlikely to gain traction because the F.C.C. does not regulate the app stores and the commission’s agenda is largely set by its Democratic chairwoman” but shows the “sustained pressure on Chinese tech companies from officials in Washington.” The Biden Administration has considered “other measures to keep American data away from China but has not publicly pushed TikTok to cut ties with its Chinese owner.”


Roe V Wade Overturn Sparks Fears Of Data Weaponization

The Hill (6/24, Klar) reports Rep. Sara Jacobs (D-CA), with Sen. Ron Wyden (D-OR) and Sen. Mazie Hirono (D-HI), introduced a bill called the “My Body, My Data Act” that would ban the retention of user health data without consent. Following the overturn of Roe v. Wade, there are growing fears that search and locational data could be weaponized by states that outlaw abortion. The bill has 43 House cosponsors and 10 in the Senate.

Ars Technica (6/24, Brodkin) reported four Democratic senators have called on the “Federal Trade Commission to ‘investigate Apple and Google for engaging in unfair and deceptive practices by enabling the collection and sale of hundreds of millions of mobile phone users’ personal data.’” They wrote, “The FTC should investigate Apple and Google’s role in transforming online advertising into an intense system of surveillance that incentivizes and facilitates the unrestrained collection and constant sale of Americans’ personal data. ... These companies have failed to inform consumers of the privacy and security dangers involved in using those products. It is beyond time to bring an end to the privacy harms forced on consumers by these companies.”

Suggestions For Tech Companies To Protect User Data. CNBC (6/24, Feiner) reports that with legal changes following the overturn of Roe v. Wade, tech companies will likely find themselves “ordered by a court to hand over certain types of data, like location information of users at an abortion clinic, search histories or text messages.” National Advocates for Pregnant Women Deputy Executive Director Dana Sussman suggests that, as local prosecutors have limited resources, the more difficult companies make it to access “digital footprint” data, the more it will limit cases. The Electronic Frontier Foundation “suggests companies cut down on behavioral tracking, pare down the types of data they collect to only what’s necessary and encrypt data by default so it’s not easily read by others.”


House Subcommittee Advances Bipartisan Privacy Bill

The Wall Street Journal (6/23, McKinnon, Subscription Publication) reports that on Thursday, a subcommittee of the House Energy and Commerce Committee voted to advance the American Data Privacy and Protection Act with no dissent. Reuters (6/23, Bartz) reports, “The bill would require companies like Alphabet’s...Google and Meta’s Facebook, along with a long list of others, to only collect personal data that is necessary to provide services. Sensitive information like Social Security numbers would get even more protection.” However, Reuters continues, “The fate of the bill is uncertain given that it faces criticism from powerful Senate Democrats, including Senator Maria Cantwell who doesn’t believe the bill’s enforcement is strong enough.”


Tech Executives Want More Cyber Threat Intel

The Hill (6/22, Kagubare) reports technology leaders testifying on Wednesday “before a House subcommittee on cyber told lawmakers that more coordination is needed between the public and the private sector to identify security threats, including cyber, that stem from emerging technologies like quantum computing and artificial intelligence.” Ron Green, executive vice president and chief security officer at Mastercard, “said that partnership should incentivize the government to share threat intelligence to the private sector so that both sectors are able to mitigate cybersecurity risks posed by U.S. adversaries both at home and abroad.” Green, who was joined by “three other tech leaders, made his remarks during a House Homeland Security subpanel that touched on the intersection between emerging technologies and security risks.”


CISA Plans To Hire Official To Boost Cyber Workforce

NextGov (6/21, Baksh) reports CISA is searching for “an official to ensure its recruitment efforts reflect its operational priorities and coordinate with the private sector and other agencies to address the infamous shortage of cyber personnel across the country. ‘Move urgently to hire a Chief People Officer responsible for working with the director and senior leadership to advance a unified approach to talent acquisition,’ CISA’s Cybersecurity Advisory Committee, or CSAC, wrote in draft recommendations, adding, ‘The CSAC strongly supports CISA’s current plans to do this.’ The committee is set to vote on the draft recommendations and present them to CISA Director Jen Easterly during their quarterly meeting Wednesday. The agency on Friday shared the draft recommendations with registered attendees, emphasizing they won’t be final until after the vote.”


SEC Chair Warns Investors To Beware Promised Crypto Returns That Seem “Too Good To Be True”

Reuters (6/14) reports SEC Chair Gensler “said on Tuesday that investors should beware promised returns from crypto lending platforms and products that seem ‘too good to be true.’” Speaking during an industry event, Gensler said, “We’ve seen again that lending platforms are operating a little like banks. They’re saying to investors ‘Give us your crypto. We’ll give you a big return 7% or 4.5% return.’ How does somebody offer (such large percentage of returns) in the market today and not give a lot of disclosure? ... I caution the public. If it seems too good to be true, it just may well be too good to be true.” Bloomberg (6/14, Beyoud) says Gensler “didn’t mention any lenders by name. Since taking over in April 2021, he’s taken a tough line on crypto products that may fall under the agency’s purview and the platforms that they trade on.”

Bitcoin Stabilizes After Falling To 18-Month Low. Reuters (6/14, Wilson, Howcroft, Lang) reports that Bitcoin stabilized Tuesday “after earlier hitting a new 18-month low, as major crypto lender Celsius Network’s freezing of withdrawals and the prospect of sharp U.S. interest rate rises shook the volatile asset class.” The cryptocurrency “fell 15% on Monday, its sharpest one-day drop since March 2020. It has shed about half its value this year and over 20% since Friday alone. Since its record high of $69,000 in November, it has slumped nearly 70%.” The Wall Street Journal (6/14, Subscription Publication) provides similar coverage.

Coinbase Laying Off 18 Percent Of Its Workforce. The Washington Post (6/14) reports Coinbase “said Tuesday it was laying off nearly one-fifth of its work force, a sobering sign that the challenges of the once blazingly hot industry go beyond those of troubled bank Celsius to the very heart of the crypto-investment world.” In an email to employees, chief executive Brian Armstrong “said the company would cut 18 percent of its workforce. The cuts will affect roughly 1,100 of its approximately 6,100 employees, he said. All were terminated immediately but will be given at least 14 weeks of severance.” According to the New York Times (6/14, A1, Yaffe-Bellany, Griffith), “The pullback in the crypto ecosystem illustrates the precariousness of the structure built around these risky and unregulated digital assets.” Another New York Times (6/14, Simonetti) article and the Wall Street Journal (6/14, A1, Becker, Ostroff, Subscription Publication) provide similar coverage.

Crypto Industry Fears Market Crisis Could Spark New Regulations. Politico (6/14, Smith-Meyer, Sutton) says the decision by Celsius Network, one of the biggest lenders in the crypto market, to suspend withdrawals and crypto trading functions has done little to quiet uncertainty “in a market downturn that has seen the value of the whole market drop by two-thirds since its $3 trillion peak in early November. ... The ongoing crisis has raised new fears that market regulators could put the kibosh on the nascent crypto lending businesses that have positioned themselves as alternatives to traditional banks.”

Roll Call (6/14, Feltman) reports that the SEC “said last month that it will add 20 enforcement positions dedicated to crypto, boosting the total enforcement staff focused on digital assets to 50. Those tracking the development say the agency will delve deep, looking for violations among a crop of startup ventures.” Experts say more enforcement is coming “and the SEC has plenty of potential targets, including non-fungible tokens, stablecoins and platforms that might come under the agency’s authority if they trade digital tokens that are securities.”

dtau...@gmail.com

Nov 20, 2022, 11:08:46 AM11/20/22
to sec-...@googlegroups.com

Study Uncovers Threat to Security, Privacy of Bluetooth Devices
Ohio State News
Tatyana Woodall
November 17, 2022


Ohio State University's Yue Zhang and Zhiqiang Lin found a vulnerability that could allow Bluetooth-using mobile devices to be exploited to track users' locations. The exploit taps a flaw in an idle Bluetooth Low Energy (BLE) protocol, which transmits a signal advertising its MAC address to other Bluetooth devices every 20 seconds. Said Zhang, "By broadcasting a MAC address to the device's location, an attacker may not physically be able to see you, but they would know that you're in the area." The researchers used their Bluetooth Address Tracking strategy to infiltrate more than 50 Bluetooth devices, then designed the Securing Address for BLE countermeasure, which adds an unpredictable sequence number to the randomized address to prevent each MAC address from being used more than once.
 

Full Article

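The address-reuse problem behind the Ohio State item above can be seen in a few dozen lines. The block below is an added example written for this digest; it is not the researchers' code or any Bluetooth stack's. It builds BLE-style resolvable private addresses (RPAs), resolves them with the peer's identity resolving key (IRK), and then contrasts a peer that accepts a resolved address every time it appears with one that enforces a one-use rule, which is the property the article attributes to the proposed countermeasure (the page does not describe that design, so the receiver-side one-use check here is an assumption standing in for it). Further assumptions: the 24-bit address hash uses HMAC-SHA256 instead of the AES-128 function the Bluetooth Core specification defines, the byte layout is simplified to prand followed by hash, and the IRK, prand value and device name are constructed.

```python
"""BLE resolvable private addresses (RPAs): generation, resolution and a
one-use rule against address replay. Example written for this digest, not
the Ohio State researchers' code or any Bluetooth stack."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set


def ah(irk: bytes, prand: bytes) -> bytes:
    """24-bit address hash of prand under the identity resolving key (IRK).
    The Bluetooth Core specification defines ah() with AES-128; HMAC-SHA256
    is substituted here (an assumption) so the example runs on the standard
    library alone. Nothing below depends on which keyed function is used."""
    return hmac.new(irk, prand, hashlib.sha256).digest()[:3]


def generate_rpa(irk: bytes, prand: Optional[bytes] = None) -> bytes:
    """RPA = prand (24 bits, top two bits 0b01 marking it resolvable) followed
    by ah(IRK, prand). Byte order is simplified to prand-then-hash."""
    if prand is None:
        p = bytearray(os.urandom(3))
        p[0] = (p[0] & 0x3F) | 0x40
        prand = bytes(p)
    if len(prand) != 3 or (prand[0] & 0xC0) != 0x40:
        raise ValueError("prand must be 3 bytes with its top two bits set to 01")
    return prand + ah(irk, prand)


def resolve_rpa(irk: bytes, rpa: bytes) -> bool:
    """True if rpa was produced with this IRK (recompute the hash and compare)."""
    if len(rpa) != 6:
        return False
    prand, tag = rpa[:3], rpa[3:]
    return hmac.compare_digest(ah(irk, prand), tag)


class Resolver:
    """A peer that holds the IRKs of its bonded devices. With
    reject_replay=True it additionally refuses any address it has already
    resolved once, so a captured address cannot be reused to probe for the
    device (a stand-in for the one-use property the article attributes to
    the proposed countermeasure)."""

    def __init__(self, irks: Dict[str, bytes], reject_replay: bool) -> None:
        self.irks = irks
        self.reject_replay = reject_replay
        self.seen: Set[bytes] = set()

    def identify(self, rpa: bytes) -> Optional[str]:
        for name, irk in self.irks.items():
            if resolve_rpa(irk, rpa):
                if self.reject_replay and rpa in self.seen:
                    return None
                self.seen.add(rpa)
                return name
        return None


def tracking_demo():
    """Sniff one advertised address, then replay it later. The naive peer
    identifies the bonded device again on the replay, which is what lets an
    attacker confirm the device (and its owner) is around; the strict peer
    treats the reused address as unknown."""
    irk = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed IRK
    victim_rpa = generate_rpa(irk, bytes.fromhex("5a1c07"))      # constructed prand
    naive = Resolver({"victim-phone": irk}, reject_replay=False)
    strict = Resolver({"victim-phone": irk}, reject_replay=True)
    first_sighting = (naive.identify(victim_rpa), strict.identify(victim_rpa))
    replayed = (naive.identify(victim_rpa), strict.identify(victim_rpa))
    return first_sighting, replayed


if __name__ == "__main__":
    print(tracking_demo())
```

The strict resolver trades a small amount of state (the set of addresses already seen, which a real stack would bound by the address rotation interval) for the guarantee that a sniffed address is worthless once it has been used; the naive one is what makes a 20-second beacon of the same address a presence oracle.
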
Researchers Demonstrate How to Trigger Pathogen Release with Music
UCI News
November 17, 2022

University of California, Irvine (UCI) researchers demonstrated an exploit to hack a negative pressure room and release the pathogens it contains. The researchers said the sound of a particular frequency possibly couched in a popular song can disrupt the function of airflow control mechanisms in biocontainment facilities. "Someone could play a piece of music loaded on their smartphone or get it to transmit from a television or other audio device in or near a negative pressure room," explained UCI's Mohammad Al Faruque. "If that music is embedded with a tone that matches the resonant frequency of the pressure controls of one of these spaces, it could cause a malfunction and a leak of deadly microbes."

Full Article

Deepfake Detector Can Spot Real/Fake Video from Blood Flow
ZDNet
Jada Jones
November 17, 2022


Semiconductor giant Intel claims its FakeCatcher technology can detect whether videos are genuine or deepfakes with 96% accuracy in real time. According to the company, the technology evaluates "what makes us human—'blood flow' in the pixels of a video." Intel explained FakeCatcher can spot color changes in a person’s veins based on how blood circulates throughout the body. The technology collects signals of blood flow from the face, which algorithms measure to determine the video's authenticity.
 

Full Article

Telehealth Sites Put Addiction Patient Data at Risk
Wired
Lindsey Ellefson
November 16, 2022


A review of a dozen major substance-use-focused mobile health websites by the Opioid Policy Institute and Legal Action Center found such sites often leave addiction patient data vulnerable. Researchers analyzed the sites at four timepoints between March 2021 and July 2022 using The Markup news nonprofit's Blacklight privacy tool. Each site featured technologies that collect, identify, and share user data with third parties, as well as ad trackers whose average number "generally" increased over the study period. All but one site used third-party session cookies to identify and track visitors across other websites, while four sites used session recording to monitor visitor behavior. Experts warn such practices could run afoul of the Health Insurance Portability and Accountability Act and 42 CFR Part 2, which assure confidentiality of treatment records, and protect patients seeking treatment for substance use disorders from having their treatment histories exploited.

Full Article

Cyber Vulnerability in Networks Used by Spacecraft, Aircraft, Energy Generation Systems
University of Michigan News
Zachary Champion
November 15, 2022


Researchers at the University of Michigan and the U.S. National Aeronautics and Space Administration (NASA) discovered a cyberattack that exploits networks used by aircraft, spacecraft, energy generation systems, and industrial control systems. The PCspooF exploit targets the Time-Triggered Ethernet (TTE) system, which lowers costs in high-risk settings by allowing mission-critical and less-critical devices to operate on the same network hardware. PCspooF mimics switches in TTE networks to send out malicious synchronization messages masked by electromagnetic interference. The disruption gradually causes time-sensitive messages to be dropped or delayed, with potentially disastrous effects. The researchers said the exploit can be prevented by replacing copper Ethernet cables with fiber-optic cables, or by deploying optical isolators between switches and untrusted devices.

Full Article

Hard-to-Crack Hardware
King Abdullah University of Science and Technology (Saudi Arabia)
November 14, 2022


A team of researchers at Saudi Arabia's King Abdullah University of Science and Technology (KAUST) has created an integrated circuit logic lock that could advance cyberattack-resistant electronic devices. The researchers based the logic lock on a magnetic tunnel junction (MTJ), which uses spintronics to function. The MTJ's electronic output relies on the spin alignment of the electrons inside it, and only generates the correct output for the circuit when it receives the appropriate key signal input. KAUST's Yehia Massoud said, "With the advancement in fabrication methods, the possibility of using emerging spintronic device structures in the chip design has increased. These properties make spintronic devices a potential choice for exploring hardware security."

Full Article

Italy Outlaws Facial Recognition Tech, Except to Fight Crime
Reuters
Elvira Pollina; Federico Maccioni
November 14, 2022


Italy has banned the use of facial recognition technology and "smart glasses," except when such technologies play a role in judicial investigations or the fight against crime. The country's Data Protection Agency issued a rebuke to two municipalities experimenting with the technologies, and said facial recognition systems using biometric data will not be allowed until a specific law is adopted, or at least until the end of next year. Under EU and Italian law, the processing of personal data by public bodies using video devices is generally allowed on public interest grounds, and when linked to the activity of public authorities. However, the agency noted, municipalities that want to use such devices will have to secure "urban security" agreements with central government representatives.

Full Article

Open Source Software Has Never Been More Important
TechRadar
Craig Hale
November 13, 2022


GitHub’s Octoverse 2022 report on the state of open source software found that 90% of Fortune 100 companies use open source software (OSS) in some capacity. There have been 413 million OSS contributions to GitHub from the platform’s 94 million users this year alone, the company noted. The report found that commercially backed OSS projects are increasing, and that around a third of Fortune 100 companies now have an open source program office to coordinate their OSS strategies. However, as the Synopsys Open Source Security and Risk Analysis Report for 2022 found, despite a steady 3% year-on-year decrease in vulnerabilities, more than 80% of the codebases analyzed were still found with at least one vulnerability, with 88% of the codebases investigated showing no signs of update in the past two years.

Full Article

Ransomware Gangs Shift Tactics, Making Crimes Harder to Track
Bloomberg
Jack Gillum
November 11, 2022


Research by Recorded Future Inc.'s Allan Liska found that more ransomware gangs are using their own or stolen computer code in an effort to make it harder to monitor their activity. Liska said, "In the last year, ransomware has become a race to bottom among ransomware groups," with gangs "stealing from each other, lying even more than usual to victims, and creating havoc among investigators and law enforcement." This comes amid an increase in the number of smaller hacking groups, which Liska said may be concerned about being targeted as part of a larger group. Recently, hackers tied to the Netwalker and REvil extortion groups pleaded guilty, and a dual Russian and Canadian national was charged on allegations of working with the LockBit ransomware gang.

Full Article

*May Require Paid Registration

Another Reason to Hate Unwanted Ads
Georgia Tech News Center
November 10, 2022


Researchers from the Georgia Institute of Technology (Georgia Tech), University of Illinois Chicago, and New York University found that the process used by third-party advertisers to target online users can be viewed or manipulated using a target's email address. They found that once a user’s email address is uncovered, the information being collected by any third-party advertiser observing a specific user’s targeted ad stream can be tapped into, allowing insight into an individual’s browsing history. Said Paul Pearce of Georgia Tech, “Our work shows the way that information is passed to the ad networks is both insecure and hard to verify. If an attacker knows a victim’s email address, they can lie to the ad network pretending to be a user, leading to very real privacy problems.”

Full Article

Blockchain Game Could Help Create Metaverse No One Owns
MIT Technology Review
Mike Orcutt
November 10, 2022


The sci-fi-themed online game Dark Forest operates on a blockchain, meaning no one can manipulate its outcome. Dark Forest was conceived by pseudonymous programmer "Gubsheep," who characterizes it as a "massively multiplayer strategy game that takes place in an infinite, procedurally generated universe." The game uses cryptographic zero-knowledge proofs to hide opposing players from each other as they engage in empire-building. New players are confronted with a mostly hidden universe that becomes visible through exploration; when players move, they send a validating proof to the blockchain without exposing their coordinates. Some players envision Dark Forest as the first step toward metaverses driven by decentralized networks rather than company servers.

Full Article

Improving Security for Smart Systems
WSU Insider
Tina Hilding
November 7, 2022


Washington State University (WSU) researchers have developed a statistical analysis technique for complex sensor data that can strengthen decision-making algorithms' resilience and error tolerance. Hackers can cause small perturbations in smart sensors' data that human monitors overlook, leading to prediction and decision-making failures. The WSU researchers enhanced their algorithm with a security layer that can prevent failures by looking for potential disturbances and determining their statistical likelihood. They used the algorithm with health-monitoring wearables to account for actual data disturbances, improving accuracy by 50% compared to standard machine learning algorithms that need clean data. WSU's Jana Doppa called the achievement "an important and novel contribution in the area of security of machine learning systems."

Full Article

US Advisory Panel Warns of “Serious Threat” From Chinese Cyber Capabilities

NextGov (11/15, Graham) reports China’s focus on enhancing “its cyber capabilities over the past decade ‘poses a formidable threat to the United States in cyberspace today,’ according to a report released on Tuesday by a congressional advisory commission.” The US-China Economic and Security Review Commission’s “2022 Annual Report to Congress” assessed a “range of threats to the U.S. economy and national security, including Beijing’s cyber warfare and espionage capabilities.” The report also called on Congress to require the Treasury Department to restrict investment in Chinese firms involved in “cyber-enabled intelligence collection or theft of intellectual property sponsored by the People’s Republic of China against U.S.-based persons.”

Democrats Seek Answers From Musk On Twitter Safety, Privacy. Politico (11/12, Kern) reports Democrats “want answers” from Elon Musk on what he is doing to “safeguard data and privacy” on Twitter after his takeover. Rep. Jan Schakowsky (D-IL) said Musk “should be held personally liable because he purchased Twitter, took it private, and made the conscious decision to violate the 2011 consent decree in which Twitter pledged, unequivocally, to protect consumer data.” Similarly, Sen. Ed Markey (D-MA) said the FTC “has an obligation to make sure Twitter and its leadership are abiding by their responsibilities under the law and agreements with regulators.”

Crypto Exchange FTX Files For Bankruptcy, Bankman-Fried Resigns As CEO

The New York Times (11/11, A1, Yaffe-Bellany) reported FTX “announced that it was filing for bankruptcy” on Friday, just days after CEO Sam Bankman-Fried “took to Twitter to reassure his customers” that the cryptocurrency exchange’s “assets are fine.” The announcement “sent shock waves through an industry struggling to gain mainstream credibility and sparked government investigations that could lead to more damaging revelations or even criminal charges.” The Times adds that as a result, the “prices of the leading cryptocurrencies, Bitcoin and Ether, have plummeted.” Meanwhile, the Washington Post (11/11, A1) reported Bankman-Fried on Friday resigned as CEO of FTX amid probes from the “Justice Department, Securities and Exchange Commission and CFTC.”

        White House Monitoring FTX Bankruptcy As Company Declares Possible Hack. Bloomberg (11/12, Sink) reported a White House official on Friday said the Administration is closely monitoring the collapse of cryptocurrency exchange FTX, “adding that Americans risked getting harmed without proper oversight of cryptocurrencies.” The company’s bankruptcy “dealt another blow to the cryptocurrency industry, which has seen severe volatility and bankruptcies of other high-profile firms.” Meanwhile, the New York Times (11/12, Yaffe-Bellany) reported FTX “said on Saturday that it was investigating ‘unauthorized transactions’ flowing from its accounts” after its bankruptcy filing, suggesting that the transfer of $515 million “may have been the result of a hack or theft.”

Hospitals Warned Of Cybersecurity Risks With Use Of Third-Party Analytics Tools

Patient safety nonprofit ECRI “recently issued an alert warning hospitals about the cybersecurity risks associated with the use of third-party analytics tools,” according to MedCity News (11/8, Adams). The group warned providers installing “this software on their websites and patient portals” could lead to exposing patient data. These “exposed patient data may be misused to tailor advertisements based on consumers’ medical conditions.”

Google Research Unveils AI Projects As Concerns Are Raised About Regulation Of Data Security

Google Research unveiled over a dozen AI incubator projects to address a wide variety of issues at a media event on Wednesday, including a maternal health/ultrasound AI system and a screening system to detect diabetic retinopathy, Axios (11/3, A. Kingson) reports. Recently, concerns over privacy rights, misinformation, and control of consumer data have become a key issue which “prompted the White House to issue a preliminary ‘AI Bill of Rights,’ encouraging technologists to build safeguards into their products.” But, although “Google published its principles of AI development in 2018 and other tech companies have done the same, there’s little-to-no government regulation.” As progress on AI continues, “companies such as Google” are “positioned to serve as moral arbiters and standard-setters.”

White House Largely Working On Its Crypto-Policy Framework Without Congress

Forbes (11/3, Brett) reports the Biden Administration “wants to implement a strategy for digital assets to preserve the government’s ability to set monetary policy, regulate financial markets, ensure consumer protection and protect against illicit use of digital assets. Notably, much of this is being done without consideration for legislative efforts in Congress focused on the industry, none of which are expected to pass this year.” The White House has been “attempting to align interagency efforts following the March 9 release of Executive Order 14067 on the Responsible Development of Digital Assets.” The White House, Financial Services Oversight Committee, Treasury, and Federal Reserve “were previously engaged in discussions on rules for digital assets.” The piece quotes Treasury Secretary Janet Yellen as saying in September, “We recommend that agencies continue to rigorously pursue their enforcement efforts focused on the crypto-asset sector. Agencies should use existing authorities to issue additional supervisory guidance and rules to address current and emerging risks.”

Campus Tech Leaders Experiment With Festivals, Unconventional Strategies To Highlight Importance Of Cybersecurity

Inside Higher Ed (11/3) reports on “an increasing number of cyberattacks against colleges since 2020.” Such attacks “have more often succeeded against higher ed than other sectors, including business, health care and financial services.” Though college information technology offices “have long worked behind the scenes to bolster institutional defenses, their countermeasure efforts, such as installing network threat detection and risk-mitigation systems, are often invisible.” Meanwhile, “students and faculty and staff members – end users – who remain unaware of security threats pose significant risks.” Mandatory cybersecurity-awareness training “helps but is often top-down and requires email nudges from managers, according to Chas Grundy, IT strategy and transformation director at the University of Notre Dame.” This year, Notre Dame “decided to do something different: a cybersecurity festival intended ‘to reach people’s hearts and minds in a way that would stick and draw them into it as a counterpart to mandatory training,’ Grundy said.” Notre Dame is “one of several institutions experimenting with unconventional cybersecurity awareness training in the form of festivals, art installations and role-playing games.”

 

Space Force Assesses Cybersecurity Threats

Space News (7/7, Subscription Publication) reports that Space Force Space Operations Command commander Lt. Gen. Stephen Whiting has identified cyber and malware attacks as an issue of concern for the US Space Force. Whiting said Thursday on the Space Policy Show that cyber security risks have “been on my mind recently: cyber security and how we measure risk in the cyber domain.” Whiting also said, “We’ve invested in cyber defenses. We have a cyber workforce who is thinking about defensive cyber.”

Automotive Industry Racing Against Cybersecurity Threats As Vehicles Get More Connected

Security Magazine (7/5, Nosibor) reports that the “IoT revolution is unlocking tremendous innovation and potential for automakers, but it’s also opening car doors, hoods, and trunks to a new wave of cybersecurity threats.” Over the course of the past three years, the auto industry “suffered a 225% increase in cyberattacks,” including data privacy breaches, “digital car break-ins, thefts, and control system accesses.” The auto “supply chain’s complexity and fast-changing nature presents unique challenges for both automakers and suppliers, including special considerations when managing connectivity solutions such as sensors, driverless systems, in-car computers, and other electronics.” These new connected vehicles “need to be protected like the computing platforms they have become.” Security Mag reports that without appropriate cybersecurity, “features ranging from simple charging ports to entire autopilot systems are vulnerable to manipulation from inside or outside the vehicle;” therefore, OEMs and suppliers “must make security a primary, consistent and thorough consideration throughout product development and lifecycle management processes.”

Google Announces New Privacy Protections For Users’ Abortion Information

“Google will automatically purge information about users who visit abortion clinics or other places that could trigger legal problems now that the U.S. Supreme Court has opened the door for states to ban the termination of pregnancies,” the AP (7/2, Lieb) reported. The company “also cited counseling centers, fertility centers, addiction treatment facilities, weight loss clinics, and cosmetic surgery clinics as other destinations that will be erased from users’ location histories” under the new privacy protections announced Friday.

        In addition to Google’s data, “period-tracking apps have been the target of some of the loudest calls for privacy protections, and the most visible corporate response,” STAT (7/2, Palmer, Ross, Aguilar, Ravindranath) reported. Some apps are working to create anonymous versions of their app for users. Geoffrey Fowler in a Washington Post (7/1, Fowler) column urged Big Tech companies to delete intimate information that may put users at risk as abortion bans expand.

        Web Searches, Text Messages About Abortion Could Be Used In Prosecution, Privacy Experts Say. The Washington Post (7/3, A1, Zakrzewski, Verma, Parker) reports that since the Supreme Court’s ruling on Dobbs v. Jackson Women’s Health Organization, privacy experts warn that authorities could use online research or text messages as evidence against pregnant women who seek illegal abortions or providers who aid them. The Post says, “Despite mounting concerns that the intricate web of data collected by fertility apps, tech companies and data brokers might be used to prove a violation of abortion restrictions, in practice, police and prosecutors have turned to more easily accessible data – gleaned from text messages and search history on phones and computers. These digital records of ordinary lives are sometimes turned over voluntarily or obtained with a warrant, and have provided a gold mine for law enforcement.” The Post discusses related prosecutions in Mississippi and Indiana.

dtau...@gmail.com

Nov 25, 2022, 7:56:23 AM11/25/22
to sec-...@googlegroups.com

Hackers Strand Vanuatu's Government
BBC News
Frances Mao
November 19, 2022


A suspected cyberattack has disabled the Pacific island nation of Vanuatu's government since Nov. 4, crippling the websites of its parliament, police, and prime minister's office. The hack also has hobbled the email system, intranet, and online databases of schools, hospitals, and other emergency services, as well as all government services and departments. Locals said the attack has basically impacted anyone with a gov.vu email or domain, while The Sydney Morning Herald reported the hackers are demanding a ransom from the government. Experts think the system's vulnerability was rooted in its likely centralization and hosting on the government's servers. Vanuatu has vowed to upgrade the system, and requested Australia's aid in its network rebuilding.

Full Article

Smart Home Hubs Leave Users Vulnerable to Hackers
UGA Today
Leigh Beeson
November 15, 2022


The ChatterHub system developed by University of Georgia (UGA) researchers can expose smart home hub users to hackers by revealing the activity of various hubs nearly 90% of the time. UGA's Kyu Lee said, "We were able to use machine learning technology to figure out what much of the activity is without even having to decrypt the information." Lee said the information smart hubs send to individual devices can be deciphered by "using patterns, the size of the packet, and the timing of the packet." Hackers can acquire this information without positioning ChatterHub close to the hub, nor do they require prior knowledge of the types of smart devices to which it is connected or the hub's manufacturer to breach the system remotely.

Full Article

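What "patterns, the size of the packet, and the timing of the packet" buy an eavesdropper can be shown without any decryption. The block below is an added example written for this digest, not UGA's ChatterHub code: it matches a burst of encrypted hub traffic, described only by packet lengths and inter-arrival gaps, against a small library of labelled bursts with dynamic time warping, and then applies the usual countermeasure, padding every burst to a fixed number of fixed-size packets at a fixed cadence, to show that the same classifier can no longer tell the events apart. Every trace, event name, length and gap here is constructed for illustration and is not a measurement from any hub; the normalisation constants are assumptions.

```python
"""Traffic-analysis fingerprinting of encrypted smart-hub bursts from packet
size and timing alone, and the padding/pacing defence against it.
Example written for this digest; all traces below are constructed."""
from typing import Dict, List, Optional, Tuple

Packet = Tuple[int, int]   # (encrypted payload length in bytes, gap in ms since previous packet)
Trace = List[Packet]

# Constructed labelled bursts, as an attacker could collect by triggering
# known events on a hub of the same model. Not captures from a real device.
LIBRARY: Dict[str, List[Trace]] = {
    "lock_door":   [[(92, 0), (44, 30), (92, 120), (44, 28)],
                    [(93, 0), (44, 34), (92, 115), (44, 31)]],
    "unlock_door": [[(92, 0), (44, 30), (140, 120), (44, 26), (70, 200)],
                    [(92, 0), (45, 29), (139, 124), (44, 30), (71, 190)]],
    "light_on":    [[(60, 0), (44, 25)],
                    [(61, 0), (44, 27)]],
}

MAX_LEN, MAX_GAP = 256.0, 500.0   # assumed link MTU and longest in-burst gap, for normalisation


def packet_cost(a: Packet, b: Packet) -> float:
    """Distance between two packets: normalised length and timing difference."""
    return abs(a[0] - b[0]) / MAX_LEN + abs(a[1] - b[1]) / MAX_GAP


def dtw(x: Trace, y: Trace) -> float:
    """Dynamic time warping, so a burst with an extra retransmission or a
    slightly different packet count still aligns with its label."""
    n, m = len(x), len(y)
    inf = float("inf")
    d = [[inf] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            c = packet_cost(x[i - 1], y[j - 1])
            d[i][j] = c + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[n][m]


def classify(trace: Trace, library: Dict[str, List[Trace]],
             min_margin: float = 0.05) -> Tuple[Optional[str], Dict[str, float]]:
    """Nearest labelled burst. Returns (label, scores); label is None when the
    best and second-best events are too close to call."""
    scores = {label: min(dtw(trace, ex) for ex in examples)
              for label, examples in library.items()}
    ranked = sorted(scores.items(), key=lambda kv: kv[1])
    best, runner_up = ranked[0], ranked[1]
    if runner_up[1] - best[1] < min_margin:
        return None, scores
    return best[0], scores


def pad_and_pace(trace: Trace, size: int = 160, burst: int = 6, gap: int = 50) -> Trace:
    """Defence: pad every packet to `size` bytes, add dummy packets up to
    `burst` packets, and send at a constant `gap`. Length, count and timing
    then carry no information about the event."""
    if len(trace) > burst or any(p[0] > size for p in trace):
        raise ValueError("burst exceeds the padding profile; fragment or raise the profile")
    return [(size, 0 if i == 0 else gap) for i in range(burst)]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Classify one sniffed burst before and after the defence."""
    observed: Trace = [(92, 0), (44, 31), (93, 118), (44, 30)]   # constructed sniffed burst
    plain_label, _ = classify(observed, LIBRARY)
    padded_library = {k: [pad_and_pace(t) for t in v] for k, v in LIBRARY.items()}
    padded_label, _ = classify(pad_and_pace(observed), padded_library)
    return plain_label, padded_label


if __name__ == "__main__":
    print(demo())
```

The padding profile costs bandwidth (every event becomes six 160-byte frames) and adds latency, which is why hubs tend not to ship it; the example makes the trade-off concrete rather than arguing about it.
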
Google Announces Settlement With 40 States Over Privacy, Tracking Allegations

The AP (11/14, Collins) reports that Google “has agreed to a $391.5 million settlement with 40 states to resolve an investigation into how the company tracked users’ locations, state attorneys general announced Monday.” The states’ investigation “was sparked by a 2018 Associated Press story, which found that Google continued to track people’s location data even after they opted out of such tracking by disabling a feature the company called ‘location history.’” The attorneys general “called the settlement a historic win for consumers, and the largest multistate settlement in U.S history dealing with privacy.”

Regulators Launch Probe Into Crypto-Exchange FTX Following Its Collapse

Reuters (11/14, Ranganathan) reports that a number of regulators “opened probes following last week’s spectacular collapse of crypto exchange FTX and rival exchanges sought to reassure jittery investors of their own stability, weighing on cryptocurrencies on Monday.” The implosion “of FTX, once a darling of the crypto industry with a $32 billion valuation as of January, has spurred investigations by the U.S. Justice Department, the Securities and Exchange Commission and Commodity Futures Trading Commission.” The SEC probe “is also targeting FTX executives, their knowledge of the handling of customer funds and any potential breaking of securities laws.”

House Committee Advances Data Privacy Bill

The Hill (7/20, Klar) reports the House Energy and Commerce Committee “advanced a comprehensive data privacy bill in a 53-2 bipartisan vote Wednesday, pushing forward legislation that aims to set a national standard for how tech companies collect and use Americans’ data.” While the vote on the American Data Privacy and Protection Act (ADPPA) “is a significant step forward after years of delay in lawmakers taking action on a federal data privacy law,” there are “still hang ups that could complicate the proposal moving forward.” The Wall Street Journal (7/20, McKinnon, Subscription Publication) says a group of state attorneys general this week expressed concern that the measure could supersede more stringent privacy standards adopted by the states and future protections states might adopt.

Biden Administration Announces Cybersecurity Workforce Push

CNN (7/19, Fung) reports the Biden Administration is pushing “to fill hundreds of thousands of cybersecurity jobs in the United States as part of a bid to close a talent shortage US officials describe as both a national security challenge and an economic opportunity.” On Tuesday, the Administration “announced a multi-agency plan to create hundreds of registered apprenticeship programs with the private sector to flesh out the nation’s cybersecurity workforce – and defend against a rising tide of data breaches, ransomware attacks and other hacking incidents.” In a 120-day stretch, the US government “will work with employers to establish apprenticeship programs in the cybersecurity industry, said Labor Secretary Marty Walsh, vowing to launch the joint program with the Department of Commerce ‘in as little as 48 hours.’”

Survey Shows Surge In Education Sector Ransomware Attacks

Cybersecurity Dive (7/14) reports “the education sector got hit with even more ransomware attacks in 2021, impacting almost two-thirds of higher education organizations, Sophos concluded in a new survey.” Ransomware attacks “hit more than half of the lower-education organizations surveyed and almost two-thirds of higher education institutions.” This marks a jump “from the 44% of respondents combined across lower and higher education that reported ransomware attacks in 2020, but it’s consistent with an upward trend in ransomware attacks across all sectors.”

Amazon Shared Ring Video Footage With Police Without Users’ Consent

The AP (7/13, Hadero) reports that Sen. Edward Markey (D-MA) shared a letter in which Amazon said it “provided Ring doorbell footage to law enforcement 11 times this year without the user’s permission.” Amazon Vice President for Public Policy Brian Huseman wrote that when Ring believes there was an imminent danger of death or serious physical injury to a person it “reserves the right to respond immediately to urgent law enforcement requests for information.” Such decisions are based on information provided by police. The AP predicts the revelation is “bound to raise more privacy and civil liberty concerns about its video-sharing agreements with police departments.” Reuters (7/13) reports Amazon says 2,161 law enforcement agencies are on its Neighbors Public Safety Service, “which allows police and others to ask Ring owners for footage.”

        Axios (7/13, Harding McGill) reports Markey said in a statement, “Increasing law enforcement reliance on private surveillance creates a crisis of accountability, and I am particularly concerned that biometric surveillance could become central to the growing web of surveillance systems that Amazon and other powerful tech companies are responsible for.”

        Gizmodo (7/13) reports Ring rejected Markey’s request “to introduce privacy-enhancing changes to its flagship doorbell video camera after product testing showed the device capable of recording conversations well beyond the doorsteps of its many millions of customers.” Markey asked that audio not be recorded by default. Politico (7/13, Ng) reports that the revelation is expected to “heighten Congressional scrutiny” of Amazon.

FTC To Scrutinize Companies’ Data Collection Efforts For Abortion Patient Privacy Violations

On Monday, the FTC warned it will “investigate or sue companies that use Americans’ digital data in unfair or deceptive ways,” CNN (7/12, Fung) reports. The agency will particularly “scrutinize corporate claims that Americans’ data has been or will be ‘anonymized,’ in light of substantial research showing that it can be trivial to reverse-engineer a person’s identity from anonymized datasets.” The agency’s “warning is a reminder that digital information ostensibly collected for one purpose may wind up being used for others through the country’s sprawling and loosely regulated data economy, in which personal data is constantly bought and sold, or chopped up and repackaged with other information.”

Google Cloud Executive Discusses Cybersecurity Philosophy

ZDNet (7/11, Palmer) reports that Google Cloud director of risk and compliance Jeanette Manfra’s role “is to help many more businesses improve their cybersecurity posture through cloud computing. That starts with taking the cybersecurity strategy that Google uses to secure its own networks and applying it to the cloud services used by customers and individual users.” Manfra is quoted saying, “We’re partnering with a lot of organisations looking to fight ransomware, everything from policy organisations looking to identify criminals to those looking at how can you collectively build tools, how can you better understand the threat across the ecosystem globally.”

dtau...@gmail.com

Dec 4, 2022, 1:23:20 PM12/4/22
to sec-...@googlegroups.com

Google Moves to Block Invasive Spanish Spyware Framework
Wired
Lily Hay Newman
November 30, 2022


Google's Threat Analysis Group announced action to block Heliconia, a suspected Spanish hacking tool that can spy on desktop computers by exploiting flaws in Chrome, Windows Defender, and Firefox. Anonymous submissions to Google's Chrome bug reporting program indicated the vulnerabilities could be leveraged to deploy spyware on target devices, including Windows and Linux systems. Google said the evidence indicates Barcelona-based technology company Variston IT was Heliconia's developer. Google, Microsoft, and Mozilla corrected the bugs in 2021 and 2022, while Google said no instances of current exploitation are evident. However, the bug submissions contained evidence suggesting the framework was likely being used to abuse the vulnerabilities starting in 2018 and 2019.

Full Article

Websites Have Way More Trackers Now
TechRadar
Sead Fadilpasic
November 29, 2022


Analysts at Panama-based virtual private network company NordVPN found the average website has 48 trackers monitoring visitors' activity and recording their private data, elevating the risk of identity theft. The analysts calculated the number of trackers across the 100 most popular websites in 25 countries. The heaviest users are social media websites, each of which contain 160 trackers on average; health sites feature an average of 46 trackers each, while digital media sites have an average of 28 trackers, and adult content and government sites have one and four trackers per site, respectively. Most trackers are owned by recognizable third parties including Google, Facebook, and Adobe, which frequently use the collected data for marketing purposes. NordVPN's Daniel Markuson said website trackers are fewer in countries with strong data-protection laws.

Full Article

 

 

Apple Says Your iPhone's Usage Data is Anonymous, but Tests Find That's Not True
Gizmodo
Thomas Germain
November 21, 2022


Researchers at software company Mysk found Apple is collecting personally identifiable information from iPhones, despite the company’s promises that the devices' usage data is anonymous. The researchers analyzed iPhone data sent to Apple, which includes a permanent, immutable ID number called a Directory Services Identifier (DSID) directly tied to the user's name. "It's one-to-one to your identity," explained Mysk's Tommy Mysk. "All these detailed analytics are going to be linked directly to you. And that's a problem, because there's no way to switch it off." The researchers said DSID collection contradicts Apple's data analytics privacy policy, which states that no collected data identifies users personally.

Full Article

 

 

Attackers Bypass Coinbase, MetaMask 2FA via TeamViewer
BleepingComputer
Bill Toulas
November 21, 2022


Anti-phishing company PIXM found scammers are waging a phishing campaign to pilfer cryptocurrency from Coinbase, MetaMask, Crypto.com, and KuCoin accounts by getting around their two-factor authentication (2FA) safeguards. The attackers abuse the Microsoft Azure Web Apps service to host a network of phishing websites that entice victims to enter their account details. Once a victim lands on one of the sites, a scammer-controlled customer support chat window walks them through the fraud: a fake login form, then a follow-up prompt, and finally a prompt requesting the account's 2FA code. The scammers then persuade the victim to download and install the TeamViewer remote access app, which hands them control of the victim's device and a way past the remaining authentication checks.

Full Article

 

 

Businesses Hope to Cut Cyber Turnover by Encouraging Volunteer Work
The Wall Street Journal
Catherine Stupp
November 26, 2022


Businesses are nudging their cyber employees to volunteer at nonprofits, which managers say can improve retention of in-demand specialists despite high turnover. Last year, the Switzerland-based CyberPeace Institute launched an initiative to recruit corporate professionals to teach cybersecurity to nonprofits that cannot afford their own experts. The institute's Fabien Leimgruber said the work involves providing nonprofits advice on cybersecurity-related technical, legal, or marketing issues, and breach response. For example, Janet Roberts at Swiss insurer Zurich Insurance Group partnered with Zurich threat-intelligence experts to organize a training session for technology employees with privileged system access. CyberPeace's Stéphane Duguin said companies that promote cyber-volunteerism distinguish themselves "when it comes to attracting cyber talent and retaining talent."

Full Article

*May Require Paid Registration

 

Digital Trends Highlights URL Hijacking As Latest Cybersecurity Threat

Digital Trends (10/24, Truly) reports a typo in “a domain name can lead to cybersecurity attacks, the latest in the ongoing barrage of malware.” This kind of “URL hijacking or ‘typosquatting’” is a “social engineering technique...built upon the knowledge that it’s easy to hit the incorrect key and end up visiting the wrong website.” According to Digital Trends, “With very little effort, a hacker can copy images, fonts, and text to construct a malware website that looks like PayPal, Google Wallet, Microsoft Visual Studio, MetaMask, and other popular websites.”

 

GAO Report Says Administration Must Do Better Job Protecting K-12 Schools Against Cyberattacks

A report released Monday by the U.S. Government Accountability Office (GAO) found the Education and Homeland Security departments “still have much catching up to do against the continued ransomware threat against public school districts nationwide,” StateScoop (10/24, Freed) reports. The GAO “found that ransomware attacks against K-12 schools cost between three days to three weeks of lost learning and that recovery times can take two to nine months.” As the number of incidents continues to mount, “the federal government is still not providing sufficient resources to help educators combat the threat, according to the GAO.” While both departments “offer technical services and written materials, they have fallen short in taking steps seen in other critical infrastructure areas, like forming a coordinating council of agency, industry and local-level representatives.”

 

Report: Ransomware Attacks Increase Against Colleges

Inside Higher Ed (7/22) reported “colleges and universities worldwide experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs, according to a new report from Sophos, a global cybersecurity leader.” The survey “included 5,600 IT professionals, including 410 from higher education, across 31 countries.” Though most of the education victims “succeeded in retrieving some of their data, few retrieved all of it, even after paying the ransom.” Nearly three-quarters (74 percent) of ransomware attacks “on higher ed institutions succeeded.” Hackers’ efforts “in other sectors were not as fruitful, including in business, health care and financial services, where respectively 68 percent, 61 percent and 57 percent of attacks succeeded.” For this reason, “cybercriminals may view colleges and universities as soft targets for ransomware attacks, given their above-average success rate in encrypting higher education institutions’ data.”
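The NordVPN item above reports tracker counts per site without saying how such a count is taken. The block below is an added example, not NordVPN's code or methodology: it parses a page, collects every host that script, iframe and img tags load from, and keeps the ones whose registrable domain differs from the page's own, which is the basic measurement behind "trackers per site" figures. PAGE_URL and SAMPLE_HTML are constructed for the example (the GTM id is a placeholder), and the two-label approximation of eTLD+1 is an assumption that a real audit would replace with the Public Suffix List.

```python
# Added example (not NordVPN's code or methodology): count the third-party
# domains a page loads scripts, frames and images from. PAGE_URL and
# SAMPLE_HTML are constructed for the example.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ResourceCollector(HTMLParser):
    """Collect the URLs that script, iframe and img tags load from."""

    TAG_ATTR = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTR.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Resolve relative and protocol-relative URLs against the page.
            self.urls.append(urljoin(self.base_url, value))


def registrable(host):
    """Approximate eTLD+1 as the last two labels (assumption: two-part
    public suffixes such as co.uk are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def third_party_hosts(html, page_url):
    """Return {registrable_domain: {hostnames}} for every resource whose
    registrable domain differs from the page's own."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable(urlparse(page_url).hostname)
    found = {}
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and registrable(host) != first_party:
            found.setdefault(registrable(host), set()).add(host)
    return found


def count_trackers(html, page_url):
    """Number of distinct third-party domains the page loads from."""
    return len(third_party_hosts(html, page_url))


# Constructed page: a news site loading tag-manager, pixel and analytics
# resources alongside its own assets (the GTM id is a placeholder).
PAGE_URL = "https://news.example.com/story/1"
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="//static.example.com/app.js"></script>
<script src="/js/local.js"></script>
<script src="https://assets.adobedtm.com/launch.min.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=123&amp;ev=PageView" width="1" height="1">
<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXX"></iframe>
<img src="/logo.png" alt="">
</body></html>"""


if __name__ == "__main__":
    for domain, hosts in sorted(third_party_hosts(SAMPLE_HTML, PAGE_URL).items()):
        print(f"{domain:24} {', '.join(sorted(hosts))}")
    print("third-party domains:", count_trackers(SAMPLE_HTML, PAGE_URL))
```

Static parsing only sees what is in the served HTML; tag managers inject further trackers at runtime, so a measurement like NordVPN's needs an instrumented browser and a curated tracker list rather than this first pass, which is nevertheless a quick way to audit your own pages for third-party loads you did not intend.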

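The Digital Trends item above describes typosquatting from the attacker's side. The block below is an added example, not code from Digital Trends or any of the brands it names: it generates the single-keystroke variants of a brand's domain label that a typosquatter would register (omission, doubling, transposition, adjacent-key substitution and insertion, in both the label and the TLD) and classifies hostnames from a constructed proxy log against them. BRANDS, SAMPLE_HOSTS and the US QWERTY neighbour map are assumptions, as is the two-label approximation of the registrable domain.

```python
# Added example (not code from Digital Trends or the brands it names):
# generate typosquat candidates for a set of brand domains and check
# hostnames from a constructed proxy log against them.

# Assumed allowlist of brands whose misspellings we want to catch.
BRANDS = {"paypal.com", "google.com", "metamask.io"}

# QWERTY neighbours of each letter (assumption: US layout, letters only).
QWERTY = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}


def typo_variants(label):
    """Return the set of single-keystroke typos of one DNS label.

    Classes covered: a character omitted (paypal -> papal), doubled
    (paypall), two neighbours transposed (paypla), replaced by an adjacent
    key (oaypal), or an adjacent key inserted (paypaol).
    """
    out = set()
    n = len(label)
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])            # omission
        out.add(label[:i] + ch + label[i:])           # doubling
        if i + 1 < n:                                 # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in QWERTY.get(ch, ""):
            out.add(label[:i] + k + label[i + 1:])    # substitution
            out.add(label[:i] + k + label[i:])        # insertion before ch
    for k in QWERTY.get(label[-1], ""):
        out.add(label + k)                            # insertion at the end
    out.discard(label)
    return {v for v in out if v}


def registrable(host):
    """Approximate eTLD+1 as the last two labels (assumption: two-part
    public suffixes such as co.uk are not handled)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def build_index(brands):
    """Map every typo variant of each brand (in its label or its TLD) back
    to the brand it imitates."""
    index = {}
    for brand in sorted(brands):
        label, tld = brand.split(".", 1)
        for v in typo_variants(label):
            index.setdefault(f"{v}.{tld}", brand)
        for v in typo_variants(tld):
            index.setdefault(f"{label}.{v}", brand)
    return index


def classify(host, brands=BRANDS, index=None):
    """Return ('legit', brand), ('typosquat', brand) or ('unknown', None)."""
    if index is None:
        index = build_index(brands)
    reg = registrable(host)
    if reg in brands:
        return ("legit", reg)
    if reg in index:
        return ("typosquat", index[reg])
    return ("unknown", None)


# Constructed sample: hostnames as they would appear in a web-proxy log.
SAMPLE_HOSTS = ["www.paypal.com", "paypla.com", "paypall.com",
                "paypal.cm", "login.metamsak.io", "example.org"]


def scan(hosts, brands=BRANDS):
    """Classify each host once, sharing one prebuilt index."""
    index = build_index(brands)
    return [(h,) + classify(h, brands, index) for h in hosts]


if __name__ == "__main__":
    for host, verdict, brand in scan(SAMPLE_HOSTS):
        print(f"{host:22} {verdict:10} {brand or ''}")
```

The same generator serves both sides of the problem: a brand can pre-register or monitor the candidate list, and a proxy or DNS-log check can flag visits to any candidate before the lookalike page gets a chance to collect credentials. Homoglyph and combosquat variants (paypal-login.com, rn for m) are a separate class that this keystroke model does not cover.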