Dr. T's security brief


Daniel Tauritz

Feb 21, 2021, 4:23:17 PM
to sec-...@googlegroups.com

Study: College Zoombombing Incidents Often Made By Students

Inside Higher Ed (2/17, McKenzie) reports that “the Zoombombing trend, where digital disruptors join online meetings and spew hateful comments, play loud music and share lewd content, thankfully seems to have died down in recent months.” Researchers at Binghamton University and Boston University “think they may have found the answer” as to why. A preprint study recently “published by the IEEE Symposium on Security and Privacy found that most attacks on videoconference calls were not the result of people stumbling across meeting invitations online or using a trial-and-error technique known as brute forcing to guess meeting ID numbers, as some cybersecurity experts and analysts suspected.” Rather, the attacks “in early 2020 were inside jobs.” This has “significant ramifications for instructors looking to secure their Zoom classrooms.” The study “suggests that most Zoombombing attacks begin with a legitimate attendee of a meeting inviting others to come and disrupt it, said Jeremy Blackburn, assistant professor of computer science at Binghamton University, who co-authored the study.”


Researcher Hacks Over 35 Tech Firms in Novel Supply Chain Attack
BleepingComputer
Ax Sharma
February 9, 2021


Security researcher Alex Birsan launched a novel software supply chain attack that breached the internal systems of more than 35 major companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber. The attack involved uploading malware to open source repositories like PyPI, npm, and RubyGems, which then was distributed downstream automatically into the company's internal applications. The attack did not need action by the victim, unlike traditional typosquatting or brandjacking attacks, instead taking advantage of dependency confusion, a unique design flaw of open-source ecosystems. Birsan explained that "vulnerabilities or design flaws in automated build or installation tools may cause public dependencies to be mistaken for internal dependencies with the exact same name." Birsan has earned more than $130,000 from bug bounty programs and pre-approved penetration testing arrangements for his research.
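To make the design flaw concrete, here is an added simulation (not Birsan's tooling, the article's code, or any real package manager): two tiny in-memory package indexes, a resolver that merges them and picks the highest version (the confused behaviour), a resolver that pins internal names to the private index, and an audit that flags internal names already present publicly. Package names and versions are constructed sample values.

```python
"""Simulated dependency-confusion check (constructed example, not Birsan's
tooling or any real package manager). Indexes map name -> version list.
resolve_confused() mirrors the flaw: highest version across both indexes
wins. resolve_pinned() never lets an internal name fall back to public."""
from typing import Dict, List, Set, Tuple

Index = Dict[str, List[str]]

# Constructed sample data: the public index holds a same-named package with
# an absurdly high version, the classic dependency-confusion setup.
PRIVATE_INDEX: Index = {"acme-utils": ["1.2.0", "1.3.0"], "acme-auth": ["0.9.1"]}
PUBLIC_INDEX: Index = {"requests": ["2.25.1"], "acme-utils": ["99.0.0"]}
INTERNAL_NAMES: Set[str] = {"acme-utils", "acme-auth"}


def _vkey(v: str) -> Tuple[int, ...]:
    """Sort key for dotted numeric versions (enough for this example)."""
    return tuple(int(p) for p in v.split("."))


def resolve_confused(name: str, private: Index, public: Index) -> Tuple[str, str]:
    """Vulnerable: the highest version across BOTH indexes wins."""
    candidates = [(v, "private") for v in private.get(name, [])]
    candidates += [(v, "public") for v in public.get(name, [])]
    if not candidates:
        raise KeyError(name)
    return max(candidates, key=lambda c: _vkey(c[0]))


def resolve_pinned(name: str, private: Index, public: Index,
                   internal: Set[str]) -> Tuple[str, str]:
    """Hardened: internal names come only from the private index, no fallback."""
    source, index = ("private", private) if name in internal else ("public", public)
    versions = index.get(name)
    if not versions:
        raise KeyError(f"{name} not found in {source} index; no cross-index fallback")
    return max(versions, key=_vkey), source


def audit_collisions(internal: Set[str], public: Index) -> List[str]:
    """Defender check: internal names an outsider has already claimed publicly."""
    return sorted(n for n in internal if n in public)


if __name__ == "__main__":
    print(resolve_confused("acme-utils", PRIVATE_INDEX, PUBLIC_INDEX))
    print(resolve_pinned("acme-utils", PRIVATE_INDEX, PUBLIC_INDEX, INTERNAL_NAMES))
    print(audit_collisions(INTERNAL_NAMES, PUBLIC_INDEX))
```

The same audit idea applies to real build pipelines: keep an explicit list of internal package names, map each to exactly one index, and alert when any of them appears on the public registry.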

Full Article


Big Jump in RDP Attacks as Hackers Target Staff Working From Home
ZDNet
Danny Palmer
February 8, 2021


Researchers at cybersecurity company ESET said Remote Desktop Protocol (RDP) attacks climbed 768% last year as many employees worked from home amid the Covid-19 pandemic. ESET identified 29 billion attempted RDP hacks during 2020, with increased remote work offering malefactors a greater opportunity to infiltrate networks undetected, using legitimate login credentials. ESET's Ondrej Kubovic said RDP ports also can be misconfigured, which "in many cases leads to valuable resources, such as company servers or devices with admin rights, that represent a springboard for further, often network-wide, compromises." Actions that organizations can take to reduce the odds of successful RDP attacks include encouraging users to use strong passwords that are difficult to guess via brute-force attacks, and applying two-factor authentication network-wide. Another approach is to guarantee users are using the latest versions of operating systems and software through patching.

Full Article


Students, Educators Worry College Surveillance Tools Won’t Disappear After Pandemic

The Chronicle of Higher Education (2/15, Mangan) reports that “the pandemic has prompted many colleges to quickly roll out surveillance tools that could help limit the spread of the virus, or mitigate its effects on learning, as students are sent out of the classroom and into private quarters.” Some students, “required to flash COVID-free badges to enter classrooms or rotate their laptops for online test proctors to scan their bedrooms, have grown weary of feeling watched.” Some are leery of “how the information that’s being collected will be used, whether it could leak out, and whether there’s a process to destroy it when the pandemic is over.” That wariness “isn’t limited to students.” Colleges “scrambling to keep students healthy and educationally on track have erected a mass-surveillance structure that won’t just disappear, and may have lasting effects on the student experience.”


Sweden to Establish National Cybersecurity Center
Computer Weekly
Gerard O'Dwyer
February 8, 2021


Sweden is the latest Nordic country to commission key defense and security agencies to establish a national cybersecurity center (NCSC), in the wake of a string of cyberattacks against major Swedish corporations last year. The NCSC will be set up and run by a coalition of state security organizations led by the Swedish Armed Forces and its signals intelligence arm, the National Defense Radio Establishment (FRA). Sweden's government has allocated 440 million krona ($52.8 million) to meet the NCSC's projected operational costs from 2021 through 2025. Central to the NCSC's mission will be coordinating with public and private entities to prevent, detect, and manage cyberattacks and other information technology incidents. FRA's Björn Lyrvall said many cyberattacks are orchestrated by state actors and criminal organizations, and the NCSC "will strengthen our resilience to defend against cyber threats and protect our society."

Full Article


AI Can Use the Veins on Your Hand Like Fingerprints to Identify You
New Scientist
Matthew Sparkes
February 12, 2021


Researchers at the University of New South Wales in Australia developed a technique to identify people using the unique pattern of veins on the back of their hands. They used 500 photos of the hands of 35 people to train a neural network to connect the pattern of veins to a particular subject. The model identified the test subjects with an accuracy rate of 99.8%, then identified four new subjects not included in the original dataset with a 96% accuracy rate. Researcher Syed Shah said vein detection is reliable for people of all ethnicities and is less vulnerable to attacks than existing biometric tests using fingerprints or face recognition. Shah said the technique potentially could be adapted for use with smartphones and CCTV cameras.

Full Article

*May Require Paid Registration


Deepfake Detectors Can Be Defeated, Computer Scientists Show for the First Time
UC San Diego Jacobs School of Engineering
February 8, 2021


Computer scientists at the University of California, San Diego (UCSD) demonstrated for the first time that detectors programmed to spot deepfake videos can be beaten. Presenting at the Winter Conference on Applications of Computer Vision 2021 in January, the researchers explained how they inserted adversarial examples into every video frame, inducing errors in artificial intelligence systems. The method also works after videos are compressed, because the attack algorithm estimates across a set of input transformations how the model ranks images as real or fake, then uses this calculation to alter images so the adversarial image remains effective after compression and decompression. The UCSD researchers said, "We show that the current state-of-the-art methods for deepfake detection can be easily bypassed if the adversary has complete or even partial knowledge of the detector."

Full Article


Doorbell Security Cameras Are Easily Hackable, Researchers Find
Florida Today
Jim Waymer
February 8, 2021


Florida Institute of Technology (FIT) researchers demonstrated that smart home security systems, including doorbells connected to a wireless camera, can be hacked easily. FIT's Terrence O'Connor and Daniel Campos identified flaws in seven models of smart cameras and doorbells made by smart home device vendor Geeni and parent company Merkury Innovations, by reverse-engineering the firmware using cybersecurity firm ReFirm Labs' Binwalk Enterprise Internet of Things devices security tool. The FIT researchers found that hackers only need to figure out the default password the device shipped with in order to gain access. Merkury's Sol Hedaya said updated firmware will be issued this month.

Full Article


Algorithm May Be the Key to Timely, Inexpensive Cyber Defense
Penn State News
Matt Swayne
February 3, 2021


A team of researchers led by The Pennsylvania State University (Penn State) has developed an adaptive cyber defense against zero-day attacks using machine learning. The new technique offers a powerful, cost-effective alternative to the moving target defense method used to detect and respond to cyberattacks. Reinforcement learning enables the decision maker to learn to make the right choices by choosing actions that maximize rewards. Said Penn State's Peng Liu, "The decision maker learns optimal policies or actions through continuous interactions with an underlying environment, which is partially unknown. So, reinforcement learning is particularly well-suited to defend against zero-day attacks when critical information—the targets of the attacks and the locations of the vulnerabilities—is not available."

Full Article


Clearview AI's Facial Recognition App Called Illegal in Canada
The New York Times
Kashmir Hill
February 3, 2021


Canadian authorities declared the Clearview AI facial recognition application illegal, with Canada's privacy commissioner Daniel Therrien calling it a tool for mass surveillance. App developer Clearview said it used more than 3 billion photos from social media networks and other public websites to build Clearview AI, currently used by more than 2,400 U.S. law enforcement agencies. Canada's privacy laws mandate obtaining Canadians' consent to use personal data; Clearview claimed it did not require consent to use facial biometric information taken from publicly available photos online. The commissioners balked at the images being used in a manner that the photos' posters had not intended, in a way that could "create the risk of significant harm to those individuals."

Full Article

*May Require Paid Registration


Lye-Poisoning Attack in Florida Shows Cybersecurity Gaps in Water Systems
NBC News
Kevin Collier
February 9, 2021


Experts said hackers' attempted lye-poisoning of a drinking water reservoir in Oldsmar, FL, last Friday highlights the vulnerability of the U.S. water supply. The hackers logged into a TeamViewer account to remotely access a computer associated with a water treatment plant, and sent instructions to poison the water. The nation's approximately 54,000 drinking water systems operate independently via either local governments or small corporations, using thousands of security setups often run by generalists. Cybersecurity consultant Bryson Bort said installing a computer program that lets users control sensitive industrial systems is very common in industrial systems that lack sufficient security expertise.

Full Article


Blockchain Transactions Confirm Murky, Interconnected Ransomware Scene
ZDNet
Catalin Cimpanu
February 4, 2021


A study by blockchain investigations firm Chainalysis verified that cybercrime gangs often switch ransomware-as-a-service suppliers as they seek better profits. The modern ransomware ecosystem consists of coders who create and rent out ransomware, sometimes to anyone who subscribes, or to verified clients (affiliates) who typically spread the malware or launch attacks on networks; sometimes affiliates are themselves multiple gangs, executing specialized operations. Chainalysis confirmed this interconnected landscape using cryptographic traces of bitcoin transactions among the ransomware groups. The researchers found evidence of affiliates waging multiple ransomware attacks, while the operators of several campaigns used the same services to launder the stolen funds. Chainalysis said this could actually benefit law enforcement, because "the evidence suggests that the ransomware world is smaller than one may initially think, given the number of unique strains currently operating."

Full Article
