Dr. T's security brief
dtau...@gmail.com
Apple Joins Opposition to Encrypted Message App Scanning
BBC News
Chris Vallance
June 27, 2023
Technology giant Apple has taken issue with authority accorded by the U.K.'s Online Safety Bill to communications regulator Ofcom, allowing it to coerce encrypted messaging applications to scan for child abuse content. The company, which said the measure should be revised to shield encryption, joined 80 other organizations and tech experts that have urged Technology Minister Chloe Smith to reconsider the bill's powers. The U.K. government, police, and some child protection charities claim end-to-encryption prevents law enforcement and tech companies from detecting the exchange of child sexual abuse material. Apple countered that the technology safeguards the privacy of journalists and others, and "also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches."
How Secure Are Voice Authentication Systems?
University of Waterloo (Canada)
June 27, 2023
Computer scientists at Canada's University of Waterloo have developed an attack that can bypass voice authentication security systems after six attempts. They created a program able to remove the markers in deepfake audio so it is indistinguishable from authentic audio. Although their success rate against Amazon Connect's voice authentication system ranged from just 10% in a four-second attack to more than 40% in an attack of less than 30 seconds, their success rate was 99% after six attempts on less-sophisticated systems. University of Waterloo's Urs Hengartner said, "By demonstrating the insecurity of voice authentication, we hope that companies relying on voice authentication as their only authentication factor will consider deploying additional or stronger authentication measures."
Barred from Grocery Stores by Facial Recognition
The New York Times
Adam Satariano; Kashmir Hill
June 28, 2023
The use of facial recognition by private businesses is on the rise, with close to 400 retailers in Britain using Facewatch to alert them to return visits by shoplifters, problem customers, and legal adversaries. For a monthly cost starting at £250 pounds (US$320), the system allows retailers to upload images of alleged offenders from security footage, adding them to a watchlist shared among nearby stores. Facewatch, which licenses Real Networks and Amazon's facial recognition software, checks people's biometric information as they walk into the store against a database of flagged individuals and sends smartphone alerts to retailers if there is a match. Big Brother Watch's Madeleine Stone said Facewatch is "normalizing airport-style security checks for everyday activities like buying a pint of milk."
*May Require Paid Registration
AI Fake Victims Disrupt Criminal Business Model
The Lighthouse (Macquarie University, Australia)
Fran Molloy
June 26, 2023
The Apate multilingual chatbot created by cybersecurity experts at Australia's Macquarie University could masquerade as intended victims of scam callers as part of an effort to undermine their profitability. Apate uses authentic-sounding voice clones to engage in dialogue and "scam the scammers." The researchers analyzed bogus phone calls to extract scammers' social engineering methods, identifying scam "scripts" via machine learning and natural language processing before training Apate to compose its own conversations. Macquarie's Dali Kaafar said these systems "can fool scammers into thinking they are talking to viable scam victims, so they spend time attempting to scam the bots."
A Bridge Between Different Cryptocurrencies
TU Wein (Austria)
June 26, 2023
A decentralized protocol developed by researchers at Austria's Vienna University of Technology (TU Wien) and the decentralized multi-blockchain token system Pantos could allow for the efficient, secure exchange of one cryptocurrency for another. The new protocol, Glimpse, can be integrated into existing crypto software to facilitate cross-currency transactions. TU Wien's Zeta Avarikioti said the protocol "has to prove that the amount was actually transferred by only using a relatively small amount of data. If large parts of a blockchain were needed for this, with hundreds of gigabytes of data, it would be completely impractical.” Further, TU Wien's Lukas Aumayr said, "Glimpse can be used to express crypto-loans within smart contracts, as well as other exciting decentralized financial instruments such as asset migrations, and wrapping and unwrapping of tokens."
Google Backs Creation of Cybersecurity Clinics with $20-Million Donation
Associated Press
Glenn Gamboa
June 22, 2023
Google CEO Sundar Pichai pledged $20 million to support and expand the Consortium of Cybersecurity Clinics, which introduces college students to cybersecurity careers while helping small government offices, rural hospitals, and nonprofits with cyber defenses and threat assessments. This follows Google's May rollout of the Google Cybersecurity Certificate Program to prepare participants for entry-level cybersecurity jobs, and its partnership with universities in New York to develop cybersecurity learning and career opportunities. Google.org's Justin Steele said of the cybersecurity clinics, "Those students get hands-on experience, and they get to increase their marketability for all of these open jobs in cybersecurity. We get to diversify the field of cybersecurity by training these students, and we get to protect critical U.S. infrastructure."
Food Producers Band Together in Face of Cyber Threats
WSJ Pro Cybersecurity
James Rundle
June 15, 2023
Executives of U.S. food and agriculture companies say they are collaboratively formalizing information-sharing to fortify themselves against escalating cybersecurity threats. Last month, the Information Technology-Information Sharing and Analysis Center (IT-ISAC), which tracks threats across multiple industries, launched its own dedicated information-sharing platform. Technology is an integral component of food production, with farmers using distributed networks, remote sensors, edge-computing devices, and heavy equipment that are often insecure and vulnerable to hackers. IT-ISAC's Scott Algeier, executive director of the new Food and Ag-ISAC, said, "We're tracking threat actors. We have playbooks that we've developed and our members provide input on that, help track the adversaries, their tactics, techniques, and procedures, how they move around, how you can stop them."
*May Require Paid Registration
Bot Detection Software Not as Accurate as It Seems
MIT Sloan School of Management
Dylan Walsh
June 12, 2023
Massachusetts Institute of Technology (MIT) researchers found the accuracy of third-party bot-detection models may be lower than reported due to limitations in their training data. The researchers applied a commercially available machine learning model to a Twitter dataset from a repository hosted by Indiana University, which sorted bots from people with 99% accuracy. Deeper analysis showed models trained to perform well on one dataset did not necessarily outperform random guessing on a different dataset, suggesting general-purpose models trained on such data may be vulnerable to error in real-world scenarios. The researchers also learned relatively simple algorithms yielded accuracy similar to that of more complex models for many datasets.
Federal Agencies Hit In Global Cyberattack, But Attribution Varies
Reuters 
(6/15, Siddiqui, Satter) reports the Department of Energy is among “several other federal agencies” that were hit in “a global hacking campaign that exploited a vulnerability in widely used file-transfer software, officials said on Thursday.” Data was “compromised” at two sites when hackers “gained access through a security flaw in MOVEit Transfer, the department said in a statement.” A DOE official “said those entities were the DOE contractor Oak Ridge Associated Universities, and the Waste Isolation Pilot Plant – the New Mexico-based facility for disposal of defense-related nuclear waste.” Shell, the University System of Georgia, Johns Hopkins University, “and the Johns Hopkins Health System were also hit, all three groups said in separate statements.” The Russia-linked extortion group Cl0p, which has “claimed credit for the MOVEit hack, earlier said in a statement that it would not exploit any data taken from government agencies, and that it had erased all such data.” Politico (6/15, Sakellariadis) reports approximately a dozen US agencies “have active contracts with MOVEit, according to the federal data procurement system.”
CNN (6/15, Lyngaas) reports CISA is “providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, told CNN, adding, “We are working urgently to understand impacts and ensure timely remediation.” CNN says the news “adds to a growing tally of victims of a sprawling hacking campaign that began two weeks ago” and “mounts pressure on federal officials who have pledged to put a dent in the scourge of ransomware attacks that have hobbled schools, hospitals and local governments across the US.”
However, USA Today (6/15, Meyer) reports the cybersecurity firm Mandiant posted “new research and findings Thursday saying that suspected state-backed hackers in China had used a vulnerability in commonly used email security technology, Barracuda ESG appliances, to penetrate the networks of potentially hundreds of public and private sector organizations around the world.” Nearly a third of “the victims were foreign ministries and other government agencies, the Mandiant report said.” Mandiant CTO Charles Carmakal told the outlet in a statement, “In the (current) Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations,” in some instances stealing the “emails of prominent employees dealing in matters of interest to the Chinese government.” The AP (6/15, Bajak) reports Carmakal called it the “broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021.”
More States Are Working To Mitigate Cybersecurity Risks For K-12 Schools
K-12 Dive (6/22, Merod) reports that due to growing cybersecurity concerns, “states are stepping up to mitigate risks for increasingly vulnerable school districts.” For example, in May, Minnesota “approved education spending legislation that includes one-time funding of $24.3 million in grants that school districts or charter schools can apply for to address cybersecurity needs.” While states “are not often providing this level of direct funding to help districts address cybersecurity, there are state leaders looking to use their roles to help reduce cybersecurity risks for schools, said Julia Fallon, executive director of the State Educational Technology Directors Association.” An example of this “is in Connecticut where the state gives schools software to mitigate distributed denial of service, or DDoS, Fallon added.”
UC Board Of Regents Sues Insurance Firms Over Cyber Insurance After UCLA Health Breach
The Wall Street Journal (6/28, Rundle, Subscription Publication) reports the University of California’s regents board has filed a lawsuit against several insurance firms operating associated with the Lloyd’s of London insurance marketplace. They claim that the firms refused to honor cyber policies nearly 10 years after a cyberattack on the University of California at Los Angeles Health system breached data on around 4.5 million current and former patients. After settling a lawsuit by victims in 2015, the system claims the insurers refused to recoup the expenses.