Dr. T's security brief


Daniel Tauritz

Oct 25, 2020, 12:33:50 PM
to sec-...@googlegroups.com

The Police Can Probably Break Into Your Phone
The New York Times
Jack Nicas
October 21, 2020


In an analysis of public records, Washington DC-based nonprofit Upturn found law enforcement officials regularly break into encrypted smartphones, and police in all U.S. states have phone-hacking tools. The New York Times confirmed authorities have used these tools in a growing range of cases; records suggested hundreds of thousands of phones have been searched over the past five years. Phone-hacking tools typically exploit security flaws to strip a phone's limit on passcode attempts, then enter passcodes until the phone unlocks; police often use tools from Atlanta-based Grayshift and Sun's Israeli unit Cellebrite to crack phones. The spread of these products has encouraged police to search phones even for minor offenses, and Upturn's Logan Koepke worries about the lack of oversight or transparency.
 

Full Article

*May Require Paid Registration

 

 

Google Warns of 'BleedingTooth' Bluetooth Flaw in Linux Kernel
ZDNet
Liam Tung
October 14, 2020


Google has shared details of a high-severity flaw affecting the Bluetooth stack in Linux kernel versions below Linux 5.9 that support BlueZ on the Google Security Research Repository on GitHub. An Intel advisory recommends updating the Linux kernel to version 5.9 or later, because "Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access." BlueZ, the official Linux Bluetooth stack, is rolling out Linux kernel fixes for the high-severity flaw, CVE-2020-12351, and for two medium-severity flaws, CVE-2020-12352 and CVE-2020-24490. Google has published proof-of-concept exploit code for the BleedingTooth vulnerability.

Full Article

 

 

Experts: Florida Voting Machines Ripe for Foreign Hackers
Government Technology
John Pacenti
October 16, 2020


Computer scientists have expressed concerns about the security of voting machines used in 49 Florida counties. Although election officials claim the machines are not vulnerable to remote hacking because they are never connected to the Internet, the DS200 voting tabulator uses a wireless connection to transmit results. Finnish computer scientist Harri Hursti said the machine features software that operates like a cellphone and uses Internet Protocol when connecting to the wireless network. Princeton University's Andrew Appel said a hacker could penetrate a border router from the Internet or by walking near a polling place with a Stingray, a portable device that can capture data by mimicking a cellphone tower.

Full Article

 

 

Hackers Smell Blood as Schools Grapple with Virtual Instruction
The Wall Street Journal
David Uberti
October 19, 2020


Hackers are attacking U.S. schools struggling with virtual education amid the Covid-19 pandemic, launching ransomware and other attacks against school district networks. Doug Levin at consulting firm EdTech Strategies said at least 289 U.S. districts have suffered cyberattacks in 2020, with a spike in publicly reported attacks in August and September following a lull in the pandemic's early months. Although large school districts have strengthened their cybersecurity in recent years as digitalized instruction has increased, smaller districts lack personnel to police their networks. Reps. Doris Matsui (D-CA) and Jim Langevin (D-RI) have proposed legislation to fortify K-12 cybersecurity by tracking incidents at the federal level and establishing a $400-million grant program for schools.

Full Article

*May Require Paid Registration

 

 

Court Orders Seizure of Ransomware Botnet Controls as U.S. Election Nears
Reuters
Joseph Menn; Chris Bing
October 12, 2020


Microsoft on Monday said it had seized via federal court order Internet Protocol (IP) addresses that had been directing activity on computers infected with Trickbot malware. Microsoft warned that Trickbot has infected a number of public government agencies, which could suffer worse damage if the operators encrypt files or install programs that interfere with voter registration records or the display and public disclosure of election results. Microsoft worked with companies including security firm ESET to disassemble Trickbot installations and trace them to their command IP addresses, and invoked copyright law to secure the court order. Said Microsoft’s Tom Burt, “Ransomware is one of the largest threats to the upcoming election.”

Full Article

 

 

FBI/DHS: Government Systems Face Threat From Zerologon Exploits
Ars Technica
Dan Goodin
October 9, 2020


The U.S. Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency have detected attackers exploiting a Windows vulnerability (Zerologon) against state and local governments, in some cases threatening election systems. Members of unspecified advanced persistent threats are using Zerologon to grant hackers who already have infiltrated susceptible networks access to domain controllers, which allocate new accounts and manage current ones. To gain initial access, attackers are exploiting flaws in firewalls, virtual private networks, and other products from companies like Juniper, Pulse Secure, Citrix, and Palo Alto Networks. Patches were issued for all the identified vulnerabilities, but FBI and DHS warned not everyone has installed them.

Full Article

 

 

Computers Aboard Airliners Could Become Vulnerable to Hacking, Watchdog Says
Bloomberg
Alan Levin
October 9, 2020


A report from the U.S. Government Accountability Office (GAO) takes aim at the Federal Aviation Administration (FAA) for failing to prioritize cyber risks, develop a cybersecurity training program, or test potentially vulnerable systems. Computer systems in commercial aircraft have become more sophisticated, with wireless networks, seat-back entertainment, position broadcasts, and devices that automatically transmit data to the ground. The GAO acknowledged FAA and airplane manufacturers have added "extensive" protections to those systems and that there have not been reports of successful cyberattacks, but noted "the increasing connections between airplanes and other systems, combined with the evolving cyber threat landscape, could lead to increasing risks for future flight safety." Said the report, "Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplane[s]."

Full Article

 

Finally: A Usable, Secure Password Policy Backed by Science
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
October 20, 2020


The passwords research group in Carnegie Mellon University (CMU)'s CyLab Security and Privacy Institute has developed a passwords policy with hard scientific backing that balances security and usability. The researchers applied a state-of-the-art neural network-powered password-strength meter to evaluate combinations of minimum-length requirements, character-class requirements, minimum-strength requirements, and password blocklists. CMU's Nicolas Christin said, "We found that a policy requiring both a minimum strength and a minimum length of 12 characters achieved a good balance between security and usability." The researchers said minimum-strength policies can be flexibly designed for a desired security level, and are easier to implement with real-time requirements feedback in high-security environments.
 

Full Article

 

 

The Contest to Protect Almost Everything on the Internet
The Wall Street Journal
Sara Castellanos
October 7, 2020


Hundreds of the world's leading cryptographers are participating in a competition overseen by the U.S. National Institute of Standards and Technology to develop new encryption standards for protecting online data against classical and quantum-computing cyberattacks. The contest aims to replace commonly used public-key cryptography methods by 2023, including the popular RSA approach, whose basis on integer factorization makes it vulnerable to quantum computers. Cryptographers warn that hackers could already be harvesting massive amounts of data to decrypt, in anticipation of quantum computers. Among the most promising contest submissions are algorithms based on mathematical lattices, which can resemble geometric shapes with more than 1,000 dimensions.

Full Article

*May Require Paid Registration

 

 

U.S., U.K., Other Countries Warn Tech Firms Encryption Creates 'Severe Risks' to Public Safety
CNBC
Sam Shead
October 12, 2020


Lawmakers from countries within the Five Eyes intelligence-sharing alliance (U.S., U.K., Canada, Australia, and New Zealand) warned technology companies that unbreakable encryption "creates severe risks to public safety" and serves as a barrier to investigations by law enforcement agencies. Ministers from alliance countries, as well as India and Japan, signed a statement urging the tech industry to develop a solution that allows law enforcement access to tightly encrypted messages. The Five Eyes nations acknowledged some forms of encryption are crucial for guarding personal data, privacy, intellectual property, trade secrets, and cybersecurity. They said their ultimate goal is a government-industry solution that allows users to communicate privately and securely, while also permitting law enforcement and tech companies to monitor criminal activity.

Full Article

 

 

U.S. Moves to Protect Technologies Considered Critical to National Security
The Wall Street Journal
Katy Stech Ferek; Gordon Lubold
October 15, 2020


The U.S. National Security Council on Thursday issued guidelines to protect technologies crucial to national security, including artificial intelligence, quantum information science, and semiconductors. A senior White House official said the report directs federal agencies to prevent these technologies from falling into the hands of foreign adversaries. The effort intends to encourage government departments and agencies to rally around U.S. researchers, academics, and private-sector players that convert ideas into security-fortifying innovations. The guidelines recommend measures for shielding 20 specified technologies by pushing the private sector to consider the national security ramifications of projects involving critical technology. They also call for a strong export control system that regulates which technologies can be sent abroad.

Full Article

*May Require Paid Registration

 

 

Undocumented Backdoor That Covertly Takes Snapshots Found in Kids' Smartwatch
Ars Technica
Dan Goodin
October 12, 2020


Researchers at Norwegian security company Mnemonic found an undocumented backdoor in the X4 smartwatch marketed by children's watch vendor Xplora. Mnemonic's Harrison Sand and Erlend Leiknes said an encrypted text message can activate the backdoor, while commands exist for clandestinely reporting the watch's location in real time, recording and sending snapshots to an Xplora server, and making phone calls that transmit all sounds within earshot. Moreover, 19 applications pre-installed on the watch are crafted by China-based security firm Qihoo 360, while Qihoo 360 subsidiary 360 Kids Guard jointly designed the X4 with Xplora and fabricates its hardware. Exploiting the backdoor requires knowing both the phone number assigned to the watch and the unique encryption key hardwired into each device. Xplora said it has developed a patch for the X4 following the Mnemonic researchers' alert.

Full Article

 

 

 

China's Quiet Experiment Let Millions View Long-Banned Websites
Bloomberg
Colum Murphy; Coco Liu; Yuan Gao
October 12, 2020


China allowed millions of its citizens access to long-banned foreign websites like YouTube and Instagram in a two-week experiment of the Tuber mobile browser application. The app, backed by government-associated 360 Security Technology, appeared in late September, permitting access to the sites without an illegal virtual private network. The trial suggests China's government is testing ways to let its Internet users into once-prohibited zones, although the app was withdrawn without explanation on Saturday. State-allowed apps like Tuber signal a possible compromise, in which user activity is tracked and content screened, while permitting academics, corporations, and citizens to share information.

Full Article

 

 

In Singapore, Facial Recognition Getting Woven Into Everyday Life
NBC News
Aloysius Low
October 12, 2020


Singaporeans will be able to access government and other services through a facial recognition feature in its SingPass national identity program. SingPass Face Verification lets users securely log in to their government services accounts at public kiosks and on home computers, tablets, and mobile phones just using their faces. Singapore's Government Technology Agency said the data collected via facial recognition is "purpose-driven," solely for a specific transaction, and deleted after 30 days. The technology allegedly prevents login attempts using photos, masks, and deepfakes, as well as repelling replay attacks, which use a recording of a person's face to attempt authentication.

Full Article

 

 

Brazil Sees First Lawsuit After Introduction of Data Protection Regulations
ZDNet
Angelica Mari
October 9, 2020


Brazil has concluded its first lawsuit for violations of General Data Protection Regulations, with real estate firm Cyrela ordered to pay a customer 10,000 reais ($1,759) for sharing their personal details with partners without authorization. The regulations ban illicit or abusive processing of personal data from a specific individual or group to support business decisions, public policies, or the performance of a government agency. Individual courts are authorized to interpret what can be deemed as non-compliance with data protection statutes. Cyrela said in a statement that "it has hired the best professionals available to roll out a far-reaching program to comply with the General Data Protection Regulations, including training for all staff and suppliers."

Full Article

 

Daniel Tauritz

Oct 31, 2020, 5:35:06 PM
to sec-...@googlegroups.com

FDA Unveils New Scoring System For Medical Device Vulnerabilities

HealthIT Security (10/29, Davis) reports, “The FDA recently unveiled a new scoring system for assessing medical device vulnerabilities, an update from its previous system that was initially designed for commercial devices and didn’t account for patient safety, a move Elad Luz, head of research for CyberMDX, explained will better reflect the severity and characteristics of security flaws.” The article adds, “Awareness around medical device security has grown rapidly in recent years, given the FDA’s efforts to bridge the gap between device manufacturers and providers, which can bolster patient safety.”

 

North Carolina Community College Continues To Investigate Cyberattack

The AP (10/28) reports that “a data breach at a North Carolina community college may have affected many of its current and former students.” The Greensboro News & Records “reported Tuesday that Guilford Technical Community College was hit with a ransomware cyberattack in mid-September.” The college “said it’s investigating the cyberattack ‘to determine what happened and to remediate impacted systems.’” State agencies, “cybersecurity experts and the Federal Bureau of Investigation have provided assistance.”

 

 

Hacker Releases Georgia County Election Data After Ransom Not Paid
The Wall Street Journal
Tawnell D. Hobbs
October 28, 2020


A computer hacker publicly released election-related files from Hall County, GA, after county officials failed to pay a ransom. The hacker labeled the released data as "example files," which generally are used to encourage ransom payment before more-compromising information is made public. A review of the DoppelPaymer ransomware group's website shows the hacked files contain voter names and registration numbers and an election-equipment inventory, among other things. The county announced the ransomware attack on Oct. 7, but has not commented about the amount of ransom demanded. Said Brett Callow of cybersecurity firm Emsisoft, "What, if any, other data the criminals obtained during the attack is something only they and, perhaps, Hall County know."

Full Article

*May Require Paid Registration

 

 

Researchers Extract Secret Key Used to Encrypt Intel CPU Code
Ars Technica
Dan Goodin
October 28, 2020


An independent researcher, working with two researchers from security firm Positive Technologies, extracted the secret key that encrypts updates to Intel central processing units (CPUs). Hackers who got their hands on the key would be able to decrypt updates Intel issues to plug security holes or update other aspects of chip operation. Independent researcher Maxim Goryachy said, "At the moment, it is quite difficult to assess the security impact" of being able to obtain such a key. Added Positive Technologies' Mark Ermolov, "For now, there's only one but very important consequence: independent analysis of a microcode patch that was impossible until now."

Full Article

 

 

FBI Warns Ransomware Assault Threatens U.S. Healthcare System
Associated Press
Frank Bajak
October 29, 2020


The U.S. Federal Bureau of Investigation, Department of Homeland Security, and Department of Health and Human Services issued a joint alert this week that they had "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers" in an effort to cause "data theft and disruption of healthcare services." The alert came amid a spike in cases of Covid-19 nationwide. At least five U.S. hospitals were hit by the ransomware attacks this week. Attacks by an Eastern European criminal gang involved the Ryuk strain of ransomware, which Microsoft has been working to counter. Hold Security's Alex Holden said the cybercriminals are demanding ransoms of more than $10 million per target, and have discussed plans on the dark web to attack more than 400 hospitals, clinics, and other medical facilities.

Full Article

 

 

Cybersecurity Company Finds Hacker Selling Info on 186 Million U.S. Voters
NBC News
Ken Dilanian
October 21, 2020


Cybersecurity company Trustwave says it discovered a hacker selling personally identifying information on 245 million Americans, including voter registration data for 186 million. Trustwave found the hacker, calling himself Greenmoon2019, by trawling "dark web" forums for threat information; the firm used fictitious identities to induce Greenmoon2019 to provide more information, including a bitcoin wallet for collecting payment. The hacker also used other stolen data to pair email addresses with voter rolls and sell it as a package. Trustwave has turned these findings over to the U.S. Federal Bureau of Investigation. Trustwave's Ziv Mador said, "In the wrong hands, this voter and consumer data can easily be used for geotargeted disinformation campaigns over social media, email phishing, and text and phone scams before, during, and after the [presidential] election, especially if results are contested."

Full Article

 

 

National Guard Called in to Thwart Cyberattack in Louisiana Weeks Before Election
Reuters
Christopher Bing
October 23, 2020


The Louisiana National Guard has been called in to investigate a series of cyberattacks aimed at small government offices across the state, highlighting risks facing local governments as they approach the U.S. presidential election. The attacks follow the pattern of a similar case in Washington State, in which hackers infected government offices with a type of malware known for deploying ransomware. Experts investigating the Louisiana incidents found a remote access trojan previously linked to a group associated with the North Korean government; however, that tool had been publicized in a computer virus repository, making attribution difficult. While staff at several government offices in Louisiana were compromised by the latest cyberattack, it was stopped in its early stages before significant harm was done, according to insiders.

Full Article

 

Daniel Tauritz

Nov 8, 2020, 1:52:35 PM
to sec-...@googlegroups.com

'Sneakernet' Helps Election Officials Process Results
The Wall Street Journal
Jared Council; Sara Castellanos; John McCormick
November 3, 2020


U.S. election officials used voting machines and other devices linked to the "sneakernet"—a system for transmitting electronic data by physically conveying it from place to place—to process results from Tuesday's elections. Much of the tabulating, reporting, and auditing process is digitized, dependent on specialized software and computers not connected to the Internet, to thwart hacking. Voting data from scanned paper ballots is extracted onto flash drives hand-carried to central locations to tabulate and report results. The drives also are used to send total vote tallies to a central, Internet-connected computer. Election experts said the sneakernet is a much safer means for sharing data than online. Said Barbara Simons, chair of the board of directors at nonprofit Verified Voting and former ACM president, “We can’t trust computers alone. We need hand-marked paper ballots, systems for voters with disabilities, a strong chain of custody, and postelection ballot audits.”

Full Article

*May Require Paid Registration

 

 

World's Fastest Open-Source Intrusion Detection Is Here
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
November 5, 2020


Researchers in Carnegie Mellon University's CyLab Security and Privacy Institute have developed an open source intrusion detection system that achieves speeds of 100 gigabits per second on a single server. The team programmed a field-programmable gate array (FPGA) for intrusion detection, and crafted algorithms that cannot run on traditional processors. CyLab's Justine Sherry said the server’s five cores are necessary because the FPGA processes an average 95% of data packets when placed in a network, with the remaining 5% shunted to central processing units when the array is overwhelmed. The system consumes 38 times less power than hundreds of processing cores would in executing the same tasks.
 

Full Article

 

Tech Companies Face Criticism From Students, Faculty For Methods Trying to Detect Cheating Amid Pandemic

Business Insider (11/1, Sonnemaker) reports that when the pandemic forced colleges “to rapidly transition to online classes this spring, there was a lot to figure out, especially around technology.” Schools scrambled “to combat Zoom-bombing, to help students with accessibility needs, and to prevent students without high-speed internet from falling behind.” As exams rolled around, schools faced another challenge: cheating. Universities “turned to digital exam monitoring software like Proctorio. Proctorio claims to identify ‘suspicious behavior’ by monitoring a student’s webcam, microphone, keyboard, and other computer activity during a test and then uses an algorithm to look for ‘abnormalities’ between the student and their classmates, which the software then flags for the teacher to review.” Students, faculty, and others “have spoken out on a laundry list of issues, accusing Proctorio and similar tools of being invasions of privacy.”

 

Federal Law Offers Protections To Personal Data Submitted For Financial Aid

US News & World Report (11/2) reports amid falling consumer confidence in personal data security, “applying for college financial aid often requires families to submit an incredible amount of personal information online – including tax details and Social Security numbers.” The article describes the protections in place for information “submitted on the Free Application for Federal Student Aid, or FAFSA. Financial data and student information provided to the U.S. Department of Education and higher education institutions are subject to numerous restrictions. The Gramm-Leach-Bliley Act, for example, protects the security and confidentiality of customer financial information, and the Family Educational Rights and Privacy Act, or FERPA, protects the privacy of student education records.” The article notes that the protections are imperfect, meaning that some breaches occur.

 

 

Software Can Spy on What You Type in Video Calls by Tracking Your Arms
New Scientist
Chris Stokel-Walker
October 30, 2020


Researchers at the University of Texas at San Antonio developed a model that can track the movement of the shoulders and arms of a person typing during a video call, to determine what they are typing. The person's movements are mapped onto a keyboard using optical flow, and the results are cross-referenced against a dictionary of commonly typed words. The model correctly identified the word being typed 75% of the time, though its success rate varies based on a user's typing skills. For instance, the model correctly identified 83% of words typed by those who "peck" at the keyboard. Further, 3.4% more words were recovered on Skype calls than on Zoom calls, possibly due to the way each app compresses video. The university's Murtuza Jadliwala said users can protect their privacy by blurring their backgrounds, skipping frames in the video, and pixelating their shoulders and arms.

Full Article

*May Require Paid Registration

 

Tricking Fake News Detectors With Malicious User Comments
Penn State News
Jordan Ford
October 30, 2020


Researchers at the Pennsylvania State University (Penn State) have demonstrated how fake news detectors, like those used by Twitter and Facebook, can be manipulated through user comments. The researchers found that adversaries are able to use random accounts on social media to post malicious comments to flag real stories as fake news or promote fake stories as real news. This involves attacking the detector itself, rather than the story's content or source. The framework developed by the researchers to generate, optimize, and add malicious comments to articles successfully tricked five of the leading neural network-based fake news detectors more than 93% of the time. Penn State's Thai Le said the research "highlights the importance of having robust fake news detection models that can defend against adversarial attacks."

Full Article

 

Researchers Develop Sentence Rewriting Technique to Fool Text Classifiers
VentureBeat
Kyle Wiggers
October 27, 2020


Researchers at the Massachusetts Institute of Technology (MIT) created a framework to rewrite sentences specifically to attack text classifiers and trigger misclassification. Attacks on text classifiers could hurt industries like home lending, which relies on artificial intelligence (AI) for document processing. The conditional BERT sampling (CBS) framework, which feeds sentences from an AI language model to RewritingSampler, has a higher attack success rate than existing word-level methods. The CBS framework and RewritingSampler iteratively sample and replace words in a seed sentence for a given number of times, using the sum of word embeddings to maintain the sentence's literal meaning. The system could be misused for attacks, but also may be used to test the robustness of models and to improve their generalization via adversarial training.
 

Full Article

 

Australian, Korean Researchers Warn of Loopholes in AI Security Systems
ZDNet
Aimee Chanthadavong
October 23, 2020


Researchers at Australia's Commonwealth Scientific and Industrial Research Organization's Data61, the Australian Cyber Security Cooperative Research Center, and South Korea's Sungkyunkwan University warn that certain objects could be used as triggers to permit a subject to digitally disappear from artificial intelligence (AI) security systems. The researchers tested the popular YOLO object-detection camera, and found the camera could detect a subject initially, but putting a red beanie on it allowed it to be undetected by the camera. Data61's Sharif Abuadbba cited the adversarial nature of AI models, which pose a security risk if they are not trained to detect all possible scenarios. Abuadbba said, "If you're a sensitive organization, you need to generate your own dataset that you trust and train it under supervision ... the other option is to be selective from where you take those models."

Full Article

 

Tool Simplifies Data Sharing, Preserves Privacy
Carnegie Mellon University College of Engineering
Daniel Tkacik
October 28, 2020


Researchers in the CyLab of Carnegie Mellon University (CMU) and IBM have come up with a tool for creating synthesized data that simplifies data sharing while maintaining privacy. The DoppelGANger tool employs generative adversarial networks (GANs), which apply machine learning to synthesize datasets with the same statistics as training data. Models trained with DoppelGANger-generated synthetic data had up to 43% greater accuracy than models trained on synthetic data from rival tools, the researchers found. CMU's Vyas Sekar said, "We believe that future organizations will need to flexibly utilize all available data to be able to react to an increasingly data-driven and automated attack landscape. In that sense, any tools that facilitate data sharing are going to be essential.”

Full Article

 

Daniel Tauritz

Nov 15, 2020, 10:29:53 AM
to sec-...@googlegroups.com

DNS Cache Poisoning Ready for Comeback
UC Riverside News
Holly Ober
November 11, 2020


Computer security researchers at the University of California, Riverside (UC Riverside) and China's Tsinghua University found critical security flaws that could lead to a resurgence of Domain Name System (DNS) cache poisoning attacks. The exploit derandomizes the source port and works on all cache layers in the DNS infrastructure, including forwarders and resolvers. The research team confirmed this finding by using a device that spoofs Internet Protocol (IP) addresses and a computer that can trigger a request out of a DNS forwarder or resolver; it exploited a novel network side channel to execute the attack. The team, which has demonstrated the exploit against popular public DNS servers, recommended the use of additional randomness and cryptographic solutions to combat it.

Full Article

 

Double Patterns Could Advance Android Device Security
George Washington University
November 9, 2020


George Washington University (GWU) researchers found using multiple patterns to unlock an Android phone provides greater security than the single-pattern method, and in some cases may offer better security than four- and six-digit personal identification number unlocking used on Apple devices. The double-pattern implementation technique involves the user selecting two concurrent unlock patterns that are input in quick succession. A survey of more than 600 mobile device users found that double patterns significantly enhance the security of pattern locks against throttled attacks. Said GWU’s Adam J. Aviv, “Using two patterns to unlock an Android phone appears to provide a huge benefit for security, with little to no impact on usability.”

Full Article

 

 

Tool Detects Unsafe Security Practices in Android Apps
Columbia Engineering
November 9, 2020


The CRYLOGGER tool developed by Columbia Engineering computer scientists can analyze how thousands of Android applications use cryptography without requiring access to their underlying code. The open source tool can determine when an app uses cryptography incorrectly by running the app, rather than analyzing its code. CRYLOGGER's analysis of 1,780 Android apps found nearly all had code or used libraries that did not strictly comply with security standards. Columbia Engineering's Luca Carloni said, "We believe that CRYLOGGER's technique of analyzing thousands of Android applications by running them and collecting information that can be later analyzed offline could also be used in other security domains."

Full Article

 

UCLA, UW Computer Scientists Develop Indistinguishability Obfuscation Protocol

Quanta Magazine (11/10) reports computer scientists have long “wondered if there is any secure, all-encompassing way to obfuscate computer programs, allowing people to use them without figuring out their internal secrets.” Until now, “all attempts to build practical obfuscators have failed.” But on August 18, Aayush Jain, a UCLA graduate student, Amit Sahai, Jain’s adviser, and Huijia Lin of the University of Washington posted a paper online that showed “for the first time how to build indistinguishability obfuscation (iO) using only ‘standard’ security assumptions.” A cryptographic protocol is “only as secure as its assumptions, and previous attempts at iO were built on untested and ultimately shaky foundations. The new protocol, by contrast, depends on security assumptions that have been widely used and studied in the past.” The protocol, from a theoretical standpoint, “provides an instant way to build an array of cryptographic tools that were previously out of reach.”

 

 

IoT Security Is a Mess. These Guidelines Could Help Fix That
ZDNet
Danny Palmer
November 10, 2020


New guidelines from the European Union Agency for Cybersecurity (ENISA) specify recommendations for strengthening Internet of Things (IoT) security throughout product development. The Guidelines for Securing the IoT: Secure Supply Chain for IoT urge further integration of cybersecurity expertise within all organizational layers so supply-chain participants can identify potential risks before they become serious. ENISA also recommends adopting "Security by Design" across the IoT development cycle, with emphasis on careful planning and risk management. Moreover, the guidelines advise organizations to nurture better relationships throughout product development and deployment, in order to close security loopholes that may emerge when communication between participants is lacking. ENISA's Juhan Lepassaar said, "Securing the supply chain of ICT products and services should be a prerequisite for their further adoption, particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT."

Full Article

 

Daniel Tauritz

Nov 22, 2020, 8:26:50 AM11/22/20
to sec-...@googlegroups.com

'Most Secure' U.S. Election Not Without Problems
Government Technology
Lucas Ropek
November 16, 2020


Although federal officials declared the 2020 presidential election the "most secure in American history," there were still technical problems. Alleged software glitches caused mistakes in vote tabulation for both presidential and local races in certain counties, while some communities suffered temporary miscounts due to clerical errors. Threats of foreign interference appear to have been countered by greater vigilance and stronger cyberdefenses by watchdogs like the Cybersecurity and Infrastructure Security Agency, and multi-stakeholder collaboration and information sharing. However, disinformation and misinformation have continued to fuel polarization of the electorate. Former ACM president Barbara Simons urges greater transparency and committed investment in auditable machinery as top priorities, along with curtailing the use of paperless voting machines.
 

Full Article

 

 

Blockchain Voting Risks Undetectable Nation-Scale Failures: MIT Researchers
ZDNet
Stilgherrian
November 16, 2020


A study by Massachusetts Institute of Technology (MIT) researchers labelled assertions that Internet- and blockchain-based voting would boost election security "misleading," adding that they would "greatly increase the risk of undetectable, nation-scale election failures." The MIT team analyzed previous research on the security risks of online and offline voting systems, and found blockchain solutions are vulnerable to scenarios where election results might have been erroneously or deliberately changed. The MIT researchers proposed five minimal election security mandates: ballot secrecy to deter intimidation or vote-buying; software independence to verify results with something like a paper trail; voter-verifiable ballots, where voters themselves witness that their vote has been correctly recorded; contestability, where someone who spots an error can persuade others that the error is real; and an auditing process.

Full Article

 

 

U.S. Senate Passes Bill to Secure Internet-Connected Devices Against Cyber Vulnerabilities
The Hill
Maggie Miller
November 18, 2020


The U.S. Senate this week unanimously passed the bipartisan Internet of Things Cybersecurity Improvement Act to strengthen the cybersecurity of Internet-connected devices. The legislation mandates that all Internet-connected devices purchased by the federal government must comply with minimum security recommendations from the National Institute of Standards and Technology. Public-sector providers of such devices also must alert federal agencies of any device vulnerabilities that could expose the government to cyberattack. Bill co-sponsor Sen. Cory Gardner (R-CO) said, "Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things landscape continues to expand. We need to make sure these devices are secure from malicious cyberattacks as they continue to transform our society and add countless new entry points into our networks." The legislation was passed unanimously by the House in September and now heads to President Trump for a signature.
 

Full Article

 

PLATYPUS: Vulnerabilities Discovered in Intel Processors
Graz University of Technology (Austria)
Christoph Reid
November 10, 2020


Security researchers from Austria's Graz University of Technology, Germany's Helmholtz Center for Information Security, and the U.K.'s University of Birmingham discovered new "PLATYPUS" side-channel attack vulnerabilities in Intel processors. The investigators exploited the Running Average Power Limit (RAPL) interface built into Intel and AMD central processing units for monitoring and regulating energy consumption. RAPL is configured to log consumption even without administrative rights, allowing the measured values to be read out without authorization. The team also exploited Intel's Software Guard Extensions (SGX) security feature, which shunts data and critical programs into a secure enclave. The researchers made the processor execute certain instructions tens of thousands of times within an SGX enclave while RAPL measured their power consumption; fluctuations in the measured values enabled reconstruction of data and cryptographic keys. The team notified Intel and AMD about the vulnerabilities, and the companies have developed corrective updates.

Full Article
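An added defender-side check, example code rather than the researchers' or Intel's: it lists RAPL energy counters that any local user can read, assuming the standard Linux powercap sysfs layout `/sys/class/powercap/*/energy_uj`. The sample directory tree is constructed so the check also runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed standard location of the Linux powercap (RAPL) energy counters.
POWERCAP_DIR = "/sys/class/powercap"


def world_readable(path):
    """True when the 'other' read bit is set, i.e. any local user can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_rapl(powercap_dir=POWERCAP_DIR):
    """Return the energy_uj counters under powercap_dir that unprivileged users can read.
    An empty list means either no RAPL counters exist or all are restricted to root."""
    root = Path(powercap_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.glob("*/energy_uj") if world_readable(p))


def build_constructed_layout():
    """Constructed stand-in for the sysfs tree: one counter readable by everyone
    (as in kernels before the fix), one restricted to its owner."""
    base = Path(tempfile.mkdtemp(prefix="powercap-"))
    for zone, mode in (("intel-rapl:0", 0o444), ("intel-rapl:1", 0o400)):
        counter = base / zone / "energy_uj"
        counter.parent.mkdir()
        counter.write_text("123456789\n")
        counter.chmod(mode)
    return str(base)


if __name__ == "__main__":
    # On a real host: report every counter an unprivileged process could sample.
    for counter in audit_rapl() or ["(no RAPL counters found, or all restricted)"]:
        print(counter)
```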

 

 

Computer Scientists Launch Counteroffensive Against Video Game Cheaters
UT Dallas News Center
Kim Horner
November 13, 2020


University of Texas at Dallas (UT Dallas) computer scientists developed a countermeasure against video game cheaters. Previous research depended on decrypted game logs to spot cheating after the fact, while the UT Dallas team's approach analyzes encrypted data traffic to and from a central server in real time. Twenty UT Dallas students downloaded the Counter-Strike game and three software cheats. Researchers monitoring their data traffic identified patterns indicating cheating; that data was fed to a machine learning model to train it to predict cheating. The researchers said they have adjusted their model to work on larger populations of gamers.

Full Article

 
