Dr. T's security brief


Daniel Tauritz

Mar 25, 2022, 7:18:17 PM
to sec-...@googlegroups.com

IRS Wants to Scan Your Face
The Washington Post
Drew Harwell
January 27, 2022


By this summer, Americans wanting to access their Internal Revenue Service records online will be required to submit a facial video to private contractor ID.me to confirm their identity. ID.me requires facial scans plus copies of identifying paperwork, then employs facial recognition software to determine whether a person's "video selfie" and official photo match. Privacy advocates are concerned, as no federal law exists regulating such information's use or sharing. Glitches and delays that have kept users from important benefits also plague the system. Researchers contend ID.me has exaggerated the abilities of its face-scanning technology, which could wrongly label people frauds. "We're just skipping right to the use of a technology that has clearly been shown to be dangerous and has issues with accuracy, disproportionate impact, privacy, and civil liberties," said the Electronic Privacy Information Center's Jeramie D. Scott.
 


Booby-Trapped Sites Delivered Potent Backdoor Trojan to macOS Users
Ars Technica
Dan Goodin
January 25, 2022


Researchers at Slovak Internet security company ESET have uncovered macOS malware installed by exploits that were almost impossible for most users to detect or halt once the user visits a malicious Website. The DazzleSpy malware is a full-featured backdoor trojan written from scratch to enable hackers to monitor and control infiltrated Macs. ESET's Marc-Etienne M.Léveillé said the malware’s refinement and the apparent absence of a corresponding version for Windows suggests its creators are targeting Macs exclusively. He added that on unpatched systems, DazzleSpy would start running with administrative privileges without the victim realizing. Threat analysis researchers at Google who first discovered DazzleSpy's exploits said the hackers are likely state-financed, "with access to their own software engineering team based on the quality of the payload code." Apple said it has patched the flaws exploited in this attack.
 


Software Is Crammed Full of Bugs. This 'Exciting' Project Could Banish Most of Them
ZDNet
Liam Tung
January 25, 2022


Chip designer Arm has released a prototype development board based on the Capability Hardware Enhanced RISC Instructions (CHERI) architecture. The Morello board, developed with researchers at the U.K.’s University of Cambridge and Microsoft, among others, could pave the way for new CPU designs that eliminate memory-related security flaws stemming from code written in programming languages like C and C++. Google's Ben Laurie said CHERI's software compartmentalization is similar to process isolation in software for current operating systems. Said Microsoft's Saar Amar, "There are billions of lines of C and C++ code in widespread use, and CHERI's strong source-level compatibility provides a path to achieving the goals of high-performance memory safety without requiring a ground-up rewrite."
 


How AI Can Identify People Even in Anonymized Datasets
ScienceNews
Nikk Ogasa
January 25, 2022


Artificial intelligence (AI) can identify people in anonymized datasets by studying patterns in their weekly social interactions, according to researchers at the U.K.'s Imperial College London and University of Oxford. The researchers structured mobile phone interaction data on 43,606 anonymous phone service subscribers into web-shaped configurations of nodes representing the user and their contacts, connected with strings threaded with interaction data. When shown the interaction web of a known individual, the AI sifted the anonymized dataset for the most similar-looking web, and was able to correctly identify the target more than half of the time. When supplied the target and contacts' interaction data collected 20 weeks after the anonymous dataset, the AI correctly identified users 24.3% of the time, suggesting social behavior remains identifiable for long durations.
 


Researchers Develop Silk-Based Digital Security Device
Gwangju Institute of Science and Technology (South Korea)
January 24, 2022

Researchers at South Korea's Gwangju Institute of Science and Technology (GIST) have utilized natural silk fibers from domesticated silkworms to build an environmentally friendly digital security system. The physical unclonable function (PUF) device leverages the diffraction of light through silk's natural microholes to produce a digital security key. GIST's Young Min Song said an image sensor captures the refracted light, "giving rise to a unique pattern of light" that is converted into a digital format. The researchers incorporated PUF-based tags into a portable lens-free optical PUF (LOP-PUF) module. The researchers said faking the LOP-PUF module's authentication key would take such a long time (5x10^41 years) that they consider the device practically unbreachable.
 


More Than Half of Medical Devices Have Critical Vulnerabilities
ZDNet
Allison Murray
January 20, 2022


Medical cybersecurity platform Cynerio's 2022 State of Healthcare IoT Device Security Report estimates 53% of connected medical devices in hospitals have critical flaws, including a third of bedside devices. Cynerio analyzed more than 10 million medical devices at over 300 global hospitals and medical facilities and found, among other things, that 73% of infusion pumps, constituting 38% of hospital Internet of Things (IoT) inventory, possess some type of vulnerability. Cynerio warns hacked medical devices would affect hospital service availability, data confidentiality, and patient safety. Said Cynerio's Daniel Brodie, “Hospitals and health systems don't need more data—they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security providers, it's time for all of us to step up."


Hackers Exploit Log4Shell to Infect VMware Horizon Servers
PC Magazine (U.K.)
Nathaniel Mott
January 17, 2022


Researchers at security software company Huntress Labs have found hackers are exploiting the Log4Shell vulnerabilities disclosed last month on servers running VMware Horizon to deploy the Cobalt Strike command and control framework. Hackers can access networks through the Log4Shell vulnerabilities, and Cobalt Strike can help them maintain access in order to poach more information, penetrate additional machines, and potentially avoid detection. VMware recommends Horizon users update their systems to new versions with patches for the Log4Shell flaws. Huntress advised companies with compromised servers to restore their systems from a backup produced before Dec. 25, 2021.


Researchers Develop CAPTCHA Solver to Aid Dark Web Research
BleepingComputer
Bill Toulas
January 14, 2022


Researchers at the Universities of Arizona, Georgia, and South Florida have devised a machine learning-based CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) solver to plumb the dark web. The system interprets rasterized images, which differs from other analyses that also utilized generative adversarial networks. The solver differentiates letters and numbers by studying them individually, denoising each character image, identifying borders between letters, and partitioning content into individual characters; it thwarts countermeasures by using samples extracted across multiple local regions to spot refined features like lines and edges. The authors have published the solver's final version on GitHub, without releasing its training dataset.


Microsoft Discloses Malware Attack on Ukraine Government Networks
Associated Press
Frank Bajak
January 16, 2022


Microsoft reports malware disguised as ransomware has been found on dozens of computer systems at an unspecified number of Ukrainian government, nonprofit, and information technology organizations even as the threat looms of a Russian invasion of Ukraine. In a technical post, Microsoft said the malware "executes when an associated device is powered down." Oleh Derevianko of cybersecurity firm ISSP said hackers entered the government networks through a shared software supplier. Meanwhile, Serhiy Demedyuk of Ukraine's National Security and Defense Council said a defacement attack that took about 70 government Websites temporarily offline could be attributed to "hacker groups linked to Russia's intelligence services."


Security Flaws Seen in China's Mandatory Olympics App for Athletes
The New York Times
Paul Mozur; Cade Metz
January 18, 2022


Canada's University of Toronto-based cybersecurity watchdog Citizen Lab has detailed encryption flaws in the mandatory smartphone application China created for Winter Olympics athletes. Portions of the MY2022 app that will transmit coronavirus test results, travel information, and other personal data did not confirm the signature used in encrypted transfers, or failed to encrypt metadata. The Citizen Lab researchers suspect the flaws are unintentional, since the government will already be receiving data from the app, making in-transit data interception unnecessary. The Beijing Organizing Committee reportedly has not responded to Citizen Lab's disclosure of the flaws, and a January update has not resolved the issues.


dtau...@gmail.com

Mar 26, 2022, 8:32:58 AM
to sec-...@googlegroups.com

Digital Warfare Tech at Sea Helping U.S. Foes Evade Sanctions
Associated Press
Joshua Goodman
February 3, 2022


Some governments are bypassing U.S. sanctions on transporting foreign oil and other contraband by sea by using digital military technology to “hide” their ships. Israeli maritime intelligence company Windward reported detecting more than 200 vessels since January 2020 involved in over 350 incidents in which they appear to have electronically falsified their global positioning system (GPS) location. Windward uses technology that detects digital tracks inconsistent with actual vessel movements, including hairpin turns at breakneck speed. Researchers from Global Fishing Watch, which uses satellite data and machine learning to monitor commercial fishing activity, had findings similar to Windward’s.


European Oil Port Terminals Hit by Cyberattack
France 24
February 3, 2022


Major oil terminals at some of Western Europe's biggest ports have been hit by a cyberattack, as energy prices in Europe soar amid tensions with gas supplier Russia. In Belgium, authorities are investigating the hacking of oil facilities in the country's maritime entryways, including Antwerp, Europe's second biggest port, while German prosecutors are investigating a cyberattack targeting oil facilities in what was described as a possible ransomware strike. German newspaper Handelsblatt said an initial report from German security services identifies the BlackCat ransomware as the tool used in the cyberattack in Germany. BlackCat emerged in mid-November 2021 as a software tool that allows hackers to seize control of target systems. Experts note that BlackCat is programmed in the Russian language.


Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub
Dark Reading
Jai Vijayan
January 26, 2022


Researchers at AT&T’s Alien Labs reported that the authors of the BotenaGo malware have uploaded its source code to GitHub, making it easy for other criminals to use the malware in their own attack campaigns, or to develop new variants. BotenaGo, first identified in November by Alien Labs researchers, contains exploits for more than 30 vulnerabilities in routers and Internet of Things (IoT) devices from multiple vendors including Linksys, D-Link, Netgear, and ZTE. Alien Labs' Ofer Caspi said, "Antivirus (AV) vendor detection for BotenaGo and its variants remains behind with very low detection coverage from most of AV vendors," with just three out of 60 AV vendors currently capable of detecting the malware.


Bug Lurking for 12 Years Gives Attackers Root on Most Major Linux Distros

Ars Technica
Dan Goodin
January 25, 2022


Polkit, a system-wide privilege manager for Unix-like operating systems, contains a 12-year-old memory-corruption vulnerability that grants attackers root privileges on systems running most major Linux distributions, warn researchers at security firm Qualys. Users can execute commands with high privileges using Polkit's pkexec component, followed by the command; people with limited system control can exploit the PwnKit flaw in pkexec to escalate privileges all the way to root. According to Qualys' Bharat Jogi, "The most likely attack scenario is from an internal threat where a malicious user can escalate from no privileges whatsoever to full root privileges. From an external threat perspective, if an attacker has been able to gain foothold on a system via another vulnerability or a password breach, that attacker can then escalate to full root privileges through this vulnerability." A separate source released proof-of-concept exploit code; researchers warn PwnKit's exploitation in the wild is inevitable.


Quantum Computers a Million Times Too Small to Hack Bitcoin
New Scientist
Matthew Sparkes
January 25, 2022


Researchers at the U.K.'s University of Sussex found current quantum computers would have to become about 1 million times larger to crack bitcoin. Sussex's Mark Webber said a bitcoin transaction's cryptographic key is only vulnerable for “a finite window of time” amounting to “10 minutes to an hour, maybe a day.” Webber and colleagues calculated that breaking bitcoin encryption during a period of 10 minutes would require a 1.9-billion quantum bit (qubit) system; cracking it in an hour would need 317 million qubits. IBM's record-breaking superconducting quantum computer has just 127 qubits. Webber thinks it could take a decade to realize a quantum system of sufficient size to hack bitcoin.


Hackers Prey on Public Schools, Adding Stress Amid Pandemic
Associated Press
Cedar Attanasio
January 31, 2022


Cyberattacks are a growing threat to U.S. public schools, as evidenced by an attack on a New Mexico middle school that canceled classes for two days. The ransomware attack blocked the district's student database and locked teachers out of class rosters and grades. These attacks come as schools are increasingly dependent on technology and more educators are sick or in quarantine amid the pandemic. The Virginia-based non-profit K12 Security Information Exchange has tracked more than 1,200 cybersecurity incidents at public school districts nationwide since 2016. These include 209 ransomware attacks, 53 "denial of service" attacks, 156 "Zoombombings," and more than 110 phishing attacks. Brett Callow of anti-virus software maker Emsisoft said that last year, ransomware gangs increasingly targeted smaller school districts, possibly because larger districts boosted their cybersecurity spending.


Researchers Use GPU Fingerprinting to Track Users Online
BleepingComputer
Bill Toulas
January 30, 2022


Scientists at French, Israeli, and Australian universities have investigated the use of graphical processing units (GPUs) to track people online with unique fingerprints. The team harnessed 2,550 devices with 1,605 distinct central processing units to demonstrate that their DrawnApart system, which uses the Web Graphics Library application programming interface (API) present on all modern Web browsers, can tally the number and speed of the GPU's execution units, measure the time needed to complete vertex renders, and perform other tasks. The process generates traces that 176 measurements extracted from 16 points can use to produce a fingerprint, and boosts the median tracking duration of a targeted user to 67% when employed with cutting-edge tracking algorithms.


U.N. Testing Technology That Processes Data Confidentially
The Economist
January 29, 2022


The U.N.'s Privacy-Enhancing Technologies (PETs) Laboratory enables national statistics offices, academic researchers, and companies to collaboratively test PETs in order to identify and remediate technical and administrative glitches. Its first project sought anomalies in import and export data from national statistical offices in the U.S., the U.K., Canada, Italy, and the Netherlands. One test evaluated secure multiparty computation, in which the data to be analyzed is encrypted by keepers and remains on-premises; findings sent back to the original inquirer do not include the information on which answers are based, and the results are processed by a differential privacy PET to inhibit reverse engineering. A second test rated trusted execution environments, and both processes detected anomalies.


Researchers Develop Automated Approach to Extract Security Policies From Software
UTSA Today
Valerie Bustamante Johnson
January 31, 2022


University of Texas at San Antonio (UTSA) researchers have devised a machine learning (ML) model that could train software to extract security policies automatically. The model executes predictions using access control classification, named entity recognition, and access type classification. Access control classification helps the software determine if user stories feature access control information; named entity recognition identifies actors and data objects within the story; and access type classification learns the relationship between the two. UTSA's Ram Krishnan said the team used a dataset of 1,600 user stories to create a learning model based on the transformers ML technique. "We were able to extract security policies with good accuracy and visualize the results to help stakeholders better refine user stories and maintain an overview of the system's access control," he said.


dtau...@gmail.com

Apr 2, 2022, 12:59:45 PM
to sec-...@googlegroups.com

Flaws Discovered in Cisco's Network Operating System for Switches
The Hacker News
Ravie Lakshmanan
February 24, 2022


Technology conglomerate Cisco has issued software patches to correct four security flaws that hackers could exploit to commandeer affected systems. The most critical patch fixes a command injection flaw in the NX-API feature of Cisco NX-OS software, stemming from insufficient input validation of user-supplied data. Cisco warned, "A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system." Other bugs the patches target include two high-severity denial-of-service (DoS) vulnerabilities in NX-OS in the Cisco Fabric Services Over IP and Bidirectional Forwarding Detection traffic functions. The fourth patch corrects a DoS flaw in the Cisco Discovery Protocol service of Cisco FXOS Software and Cisco NX-OS Software, which could "allow an unauthenticated, adjacent attacker to cause the service to restart, resulting in a denial of service condition."


IRS Allows Taxpayers to Forgo Facial Recognition Amid Blowback
The New York Times
Alan Rappeport
February 21, 2022


The Internal Revenue Service (IRS) has walked back a requirement for taxpayers to use facial recognition to access their online accounts amid negative feedback, and pledged to switch to a completely different identity verification system next year. This follows the agency's decision to "transition away" from using the ID.me third-party service to authenticate people creating accounts by using facial recognition to confirm their identities. Activists and lawmakers said using video selfies in this capacity was an invasion of privacy. The IRS will permit taxpayers to opt out of ID.me's biometric authentication in favor of live, virtual interviews with company representatives. The agency said it now plans to use Login.gov, which millions of Americans already use to confirm their identities for access to certain federal Websites, for account authentication.


Deep Learning Toolbox Now Apparently Includes Ground-Up Glass
IEEE Spectrum
Charles Q. Choi
February 18, 2022


Scientists in China, Hong Kong, and Singapore suggest ground-up pieces of glass could help in securely encrypting facial images via a new optical cryptosystem. The system transmits facial-image data through the glass, producing speckles with apparently random scattered patches of light and dark recorded by camera as a secret message. The researchers said the process generates keys 17.2 billion bits long; they trained a deep learning neural network to decrypt messages by feeding it 19,800 facial images before and after being sent through a given set of ground glass. Preliminary tests showed the network could decrypt the images with over 98% accuracy. Hong Kong Polytechnic University's Puxiang Lai described the system as "fast, low-cost, and easy to integrate with other systems."
 


Toward a Stronger Defense of Personal Data
MIT News
Adam Zewe
February 18, 2022


Saurav Maji and colleagues at the Massachusetts Institute of Technology (MIT) have designed an integrated circuit chip that can thwart power side-channel attacks with less energy expenditure than common security methods. The chip is based on threshold computing, which splits data into random components for individual processing by the neural network before assembling the final result. Maji said information leakage from the device is always random, and can never expose any side-channel data. An optimization function reduces computing power by cutting the amount of multiplication needed to process data, and shields the network by encrypting the model's parameters.
 


Tech Companies Face a Fresh Crisis: Hiring
The New York Times
Susan Dominus
February 16, 2022


Recruiters for technology companies are finding it difficult to connect with potential candidates despite the high demand for tech workers. Research indicates unemployment rates for tech workers are about 1.7%, and 0.2% for those with experience in cybersecurity, versus 4% for the general economy. As a result, recruiters often must inform tech executives that candidates have multiple, and sometimes better, offers. They also have to tell executives that they may have to hire someone with slightly less experience. Ryan Sutton of staffing firm Robert Half said to clients looking for software designers, "If you are not going to offer remote work, if you're not going to offer at least hybrid, we can't help you."


Researchers Discover Security Vulnerabilities in VR Headsets
Rutgers Today
Emily Everson Layden
February 10, 2022


Rutgers University-New Brunswick scientists determined that hackers could exploit voice-command features on popular augmented reality/virtual reality (AR/VR) headsets to launch eavesdropping attacks. The Face-Mic attack harnesses the headsets' built-in motion sensors to record speech-associated facial dynamics to steal sensitive information communicated through voice command. The researchers analyzed three types of vibrations recorded by AR/VR headsets' motion sensors: speech-associated facial movements, bone-transmitted vibrations, and vibrations in the air. The researchers found bone-borne vibrations can carry gender, identity, and speech information, and that the headsets’ motion sensors do not require permission to access.
 


French Watchdog Says Google Analytics Poses Data Privacy Risks
Reuters
Mathieu Rosemain
February 10, 2022


France's data privacy regulator CNIL (Commission nationale de l'informatique et des libertés) warns the Google Analytics service risks the exposure of French Website users' data to U.S. intelligence services. In a decision involving an unnamed French Website manager, the CNIL said Google failed to sufficiently protect data privacy rights under EU rules in transferring data between Europe and the U.S. Google’s security measures “are not sufficient to exclude the accessibility of this data to U.S. intelligence services," the watchdog declared. "There is therefore a risk for French Website users who use this service and whose data is exported." Google, which did not comment on the CNIL warning, previously asserted Google Analytics does not track people online, and that organizations using it can control the data they collect.
 


Fingerprinting the IoT
Carnegie Mellon University College of Engineering News
Madison Brewer
February 9, 2022


Carnegie Mellon University (CMU) researchers strengthened the security of Internet of Things (IoT) devices by making them more resilient against exploitation through their development of radio-frequency fingerprinting (RFF). RFF can be used to identify specific IoT devices by detecting hardware variations that produce unique radio wave signatures. CMU's Jiachen Xu used power amplifiers to foil RFF exploits by changing the IoT signal's features, and a convolutional neural network classified incoming signals as safe or unsafe by assessing the RFF in the processed signal. The researchers also proved Bayesian neural networks could identify and classify RFF quickly and accurately, without requiring excessive computational power.


NFTs Offer Method to Control Personal Health Information
Baylor College of Medicine
Molly Chiu
February 3, 2022


Nonfungible tokens (NFTs) could be re-engineered to help patients control access to their personal health information, according to an international team of researchers led by Baylor College of Medicine bioethicists. The researchers propose using NFT digital contracts to allow patients to specify who may access their personal health information, and permit them to monitor how it is shared. "NFTs could be used to democratize health data and help individuals regain control and participate more in decisions about who can see and use their health information," said Baylor's Kristin Kostick-Quenet. The researchers acknowledged NFTs' complexity and susceptibility to data security flaws, privacy issues, and disagreements over intellectual property rights, as areas warranting further inquiry.


Apple Warns American Innovation and Choice Online Act Would Hurt Efforts To Protect User Privacy

The Wall Street Journal (1/18, Subscription Publication) reports that ahead of a Senate Judiciary Committee hearing to debate the American Innovation and Choice Online Act this week, Apple on Tuesday argued the legislation would hurt its efforts to protect user privacy from unscrupulous apps.

 

Legislators In Massachusetts Look To Push Back Implementation Of Right To Repair Law

Ars Technica (1/17) reported lawmakers in Massachusetts have introduced “two bills seek to tweak” the state’s Right to Repair law “in the hopes of getting OEMs to comply.” Ars Technica reported, “Massachusetts Attorney General Maura Healey has held off on enforcing the new provisions of the law due to an ongoing federal lawsuit brought by a coalition of automakers who claim that the current law is incompatible with widely accepted cybersecurity practices (a view shared by a horrified-sounding National Highway Traffic Safety Administration).” One of the bills would push back the date the legislation comes into force so that the “connected car provisions only come into effect for MY2025,” while the other bill would also require “OEMs to put a notice in owners manuals that explain what the connected or telematics platform is and what data gets collected, stored, or transmitted.”

 

Cyber Researcher Discovers Tesla Hijack Vulnerability

Bloomberg (1/13, Robertson, Raymunt) reports German cybersecurity researcher David Colombo, “performing a security audit for a French company,” discovered a software program on “the company’s network that exposed all the data about the chief technology officer’s Tesla Inc. vehicle. The data included a full history of where the car had been driven and its precise location at that moment.” The researcher “realized that he could push commands to Tesla vehicles whose owners were using the program. That capability enabled him to hijack some functions on those cars, including opening and closing the doors, turning up the music and disabling security features.” Colombo “said he found more than 25 Teslas in 13 countries throughout Europe and North America that were vulnerable to attack, and that subsequent analysis indicated there could have been hundreds more.” The flaws aren’t in Tesla’s “vehicles or the company’s network but rather in a piece of open-source software that allows them to collect and analyze data about their own vehicles.”

dtau...@gmail.com

Apr 3, 2022, 1:05:45 PM
to sec-...@googlegroups.com

Attackers Can Force Amazon Echos to Hack Themselves with Self-Issued Commands
Ars Technica
Dan Goodin
March 6, 2022


Researchers at the U.K.'s Royal Holloway University and Italy's University of Catania have authored a hack for hijacking Amazon Echo smart speakers and making them control other smart appliances, using the speaker to issue voice commands. They said the device will follow these commands, provided the speech contains the device wake word (typically "Alexa" or "Echo"), followed by a permissible command. Verbal confirmation of commands is easily bypassed by adding "yes" about six seconds after issuing the directive, while attackers also can exploit the full voice vulnerability, which enables Echos to make self-issued commands without temporarily reducing device volume. The Alexa vs. Alexa hack demands just a few seconds of proximity to a target device while it is activated, so an attacker can utter a verbal order to couple with an attacker's Bluetooth-enabled device.


Malware Now Using Nvidia's Stolen Code Signing Certificates
BleepingComputer
Lawrence Abrams
March 5, 2022


Computer systems design services company Nvidia has verified that hacker extortion group Lapsus$ stole employee credentials and proprietary data. The gang claimed to have stolen as much as a terabyte of data, and started leaking it after Nvidia rejected its demands. The leak includes two code-signing certificates used by developers to sign drivers and executables; security researchers determined they were being used to sign malware and other tools used by malefactors. Although both certificates have expired, Windows will still permit a driver signed with the certificates to be loaded in the operating system. Microsoft's David Weston tweeted that admins may configure Windows Defender Application Control policies to limit which Nvidia drivers can be loaded.


Ukraine Asked for Donations in Crypto. Then Things Got Weird.
The Washington Post
Nitasha Tiku; Jeremy B. Merrill
March 4, 2022


U.K. blockchain analytics firm Elliptic says Ukraine's government raised over $42 million in cryptocurrency in less than a week through crowdfunding. Kyiv-based crypto exchange Kuna.io says some donations have already been converted into traditional currency, mainly euros, and used to buy non-lethal equipment like drones and bulletproof vests. Western crypto advocates view this as an opportunity to test the argument that blockchain can advance open societies. They claim crypto has allowed Ukraine to raise money outside of governmental constraints or those of Silicon Valley technology platforms, while offering transparency on how contributions are spent. Skeptics are concerned such initiatives could encourage illegal activity, or could motivate authoritarian regimes to attempt similar efforts.

Full Article

 

 

Researchers Can Steal Data During Homomorphic Encryption
NC State University News
Matt Shipman
March 2, 2022


Researchers at North Carolina State University (NC State) and Turkey's Dokuz Eylul University have cracked next-generation homomorphic encryption via side-channel attacks. Homomorphic encryption renders data unreadable to third parties, while still permitting third parties and third-party technologies to perform operations using the data. NC State's Aydin Aysu said the process consumes much computing power, and the researchers were able to read data during encryption by monitoring power consumption in the data encoder using Microsoft's SEAL Homomorphic Encryption Library. "We were able to do this with a single power measurement," Aysu noted, and the team confirmed the flaw in the library up through at least version 3.6.

Full Article

 

 

Conti Ransomware Source Code Leaked by Ukrainian Researcher
BleepingComputer
Lawrence Abrams
March 1, 2022


A Ukrainian researcher has exposed a wealth of content on the Conti cybercrime gang, including their ransomware's source code, after they sided with Russia on the Ukraine incursion. Known on Twitter as @ContiLeaks, the researcher leaked 393 JavaScript Object Notation files containing roughly 60,000 internal messages from the Conti and Ryuk ransomware group's private Extensible Messaging and Presence Protocol chat server. ContiLeaks then released more damaging material: the most exciting disclosure was a password-protected archive featuring the source code for the Conti ransomware encryptor, decryptor, and builder. Another researcher cracked the password, making the ransomware source code accessible to everyone.

Full Article

 

 

As Tanks Rolled Into Ukraine, So Did Malware. Then Microsoft Entered the War.
The New York Times
David E. Sanger; Julian E. Barnes; Kate Conger
March 1, 2022


U.S. technology companies are helping to defend Ukraine against cyberattacks orchestrated alongside the Russian invasion. Shortly before the military incursion began, Microsoft's Threat Intelligence Center responded to previously unseen "wiper" malware targeting Ukraine's government ministries and financial institutions; the center dissected the malware, informed Ukraine's cyberdefense forces, and updated Microsoft's virus detection systems to block the code within hours. Meanwhile, Meta said it had locked down Facebook accounts of Ukrainian military officials and public figures when hackers attempted to spread disinformation through them. Corporate-government partnerships are being tested in the effort to analyze and counter Russia's cyberoffensive tactics, with tech companies a primary source of actionable intelligence.

Full Article

*May Require Paid Registration

 

 

The Benefits of Peripheral Vision for Machines
MIT News
Adam Zewe
March 2, 2022


Massachusetts Institute of Technology (MIT) scientists have demonstrated a computer-vision model that perceives visual representations similar to human peripheral vision. The researchers investigating why adversarially trained neural networks are robust against image manipulation tasked study participants with distinguishing original images from noise-synthesized versions generated by a "normal" machine learning model, an adversarially robust model, and one called Texforms that accounts for certain aspects of human peripheral processing. MIT's Arturo Deza said the inability to tell original images apart from the adversarially robust model or the Texforms model implies that the former captures some peripheral vision aspects. Thomas Wallis at Germany's Technical University of Darmstadt said the researchers "propose that the same mechanism of learning to ignore some visual input changes in the periphery may be why robust images look the way they do, and why training on robust images reduces adversarial susceptibility."

Full Article

 

Meta Said To Explore Selling Assets From Cryptocurrency Project

Bloomberg (1/25, Baker, Hamilton, Kharif) cites anonymous sources in reporting that “The controversial cryptocurrency project that Mark Zuckerberg once defended in front of Congress is unraveling after regulatory pressure.” According to the sources, the “Diem Association, a cryptocurrency initiative once known as Libra backed by Meta Platforms,” is considering “a sale of its assets as a way to return capital to its investor members.” The sources said Diem is speaking with “investment bankers about how best to sell its intellectual property and find a new home for the engineers who developed the technology, cashing out whatever value remains in its once-ambitious Diem coin venture.”

 

Teen Tesla Hacker Accessed Owners’ Email Addresses To Warn Them

Bloomberg (1/24, Ludlow, Chang) reveals David Colombo, the German 19-year-old cybersecurity researcher who remotely hacked several Teslas through a third-party flaw, hacked the car owners’ email addresses to inform them they are at risk. Colombo said the defect was with a Tesla application program interface (API), and he also shared the information with Tesla. Colombo told Bloomberg Television, “once I was able to figure out the endpoint, I was indeed able to carry the email address associated with the Tesla API key, the digital car key… You should not be able to carry sensitive information like an email address using access that is already expired or revoked.”

 

Google Forms Blockchain Group

Bloomberg (1/19, Bergen) reports Google is establishing “a group dedicated to the blockchain and related technologies under a newly appointed executive who has spent more than a decade on the company’s core business of search advertising.” Google Engineering VP Shivakumar Venkataraman “is now running a unit focused on ‘blockchain and other next-gen distributed computing and data storage technologies,’ according to an email viewed by Bloomberg News.” Venkataraman “will become a ‘founding leader’ of Labs, a business division in which Google houses its various virtual and augmented reality efforts, according to the email.” Although it “has offered some cloud services to companies working on blockchain technology,” Google “hasn’t launched public projects in the area where some rivals, such as Meta Platforms Inc. and Twitter Inc., have devoted considerable resources.”

 

US Officials Concerned By Threat Posed By Inadvertent Vulnerabilities In Crowd-Sourced Software

Bloomberg (1/19) reports public officials remain concerned about “new security concerns around open source software after a critical security flaw with Log4j was revealed in November.” US cyber officials say the Log4j flaw in the volunteer-led project “remains a pressing concern, even if they can’t point to widespread hacks resulting from the vulnerability.” CISA head Jen Easterly said, “The scale and potential impact of this makes it incredibly serious.” Boaz Gelbord, chief security officer of Akamai Technologies Inc., “says the tech industry should offer more financial assistance to open source projects, and perform security reviews to search for vulnerabilities, because the incredible complexity and automation of modern software can make it difficult for people to understand fully how any system works.”

 

Democrats Seek Energy Usage Information From Cryptomining Companies

The Hill (1/27, Budryk) reports that a group of eight House and Senate Democrats “on Thursday wrote to major cryptocurrency-mining companies for information on their energy usage and its potential effects on climate change.” The lawmakers “noted that estimates of the power consumption associated with bitcoin increased more than threefold between 2019 and 2021. The energy consumption is roughly equivalent to that of Washington state or the entire nation of Denmark, according to a September 2021 analysis by The New York Times.” Copies of the letter went to “six mining companies, including Riot Blockchain, Marathon Digital Holdings, Stronghold Digital Mining, Bitdeer, Bitfury Group and Bit Digital.”
