Dr. T's security brief


Daniel Tauritz

Jan 31, 2021, 7:31:37 PM
to sec-...@googlegroups.com

DNSpooq Lets Attackers Poison DNS Cache Records
ZDNet
Catalin Cimpanu
January 19, 2021


Researchers in Israeli boutique cybersecurity consultancy JSOF have disclosed seven vulnerabilities that affect Dnsmasq, a domain name system (DNS) forwarding client for *NIX-based operating systems. The vulnerabilities involve DNSpooq software in millions of devices sold worldwide, including networking gear like routers, access points, firewalls, and VPNs from numerous companies. The researchers say the vulnerabilities could be combined to poison DNS cache entries recorded by Dnsmasq servers, allowing attackers to redirect users to clones of legitimate websites. Four of the vulnerabilities are buffer overflows in the Dnsmasq code that could result in remote code execution scenarios, and the remainder enable DNS cache poisoning. The researchers advise users to apply security updates released by the Dnsmasq project.

Booting Hackers a Complex Chore
Associated Press
Frank Bajak
January 19, 2021


Cybersecurity firm FireEye said an assessment of the effects of a seven-month-old cyberespionage campaign attributed to Russia, and removing participating hackers, is in the early stages. The company released a tool and a white paper to help potential targets screen cloud-based installations of Microsoft 365 for intrusions and continued hacker activity. FireEye's Matthew McWhirter said the goal is to prevent attackers from breaking in again, while the firm's Charles Carmakal suggested there are many more victims than those publicized so far. Carmakal said hackers tended to target users with access to high-value data and high-level network administrators, to determine which measures were being implemented to try to boot them off.

How Law Enforcement Gets Around Your Smartphone's Encryption
Wired
Lily Hay Newman
January 15, 2021


Analysis by Johns Hopkins University (JHU) cryptographers revealed encryption-circumventing schemes that law enforcement agencies use to access information in Android and iOS smartphones. JHU's Maximilian Zinkus said iOS has infrastructure for hierarchical encryption, yet little is actually used. The researchers found vulnerabilities in the iPhone's After First Unlock security, triggered after users unlock their phone the first time after a reboot; encryption keys begin getting stored in quick access memory even as the phone is locked, at which point a hacker could find and exploit iOS bugs to grab keys that are accessible in memory, and decrypt big chunks of data from the device. Reports from Israeli law enforcement contractor Cellebrite and U.S. forensic access firm Grayshift indicated most smartphone access tools probably operate in this manner. Android phones lack a Complete Lock mechanism after first unlock, meaning forensic tools can steal even more decryption keys, and compromise more data.

Fake Collaboration Apps Steal Data as Staff Struggle with Home-Working Security
ZDNet
Danny Palmer
January 19, 2021


According to cybersecurity company Wandera's Cloud Security Report 2021, malware attacks increasingly targeted remote workers last year, with 52% of organizations suffering such hacks, versus 37% in 2019. Remote workers often are deceived into downloading malware from phishing emails. Wandera's Michael Covington said many such applications purport to offer collaboration functions, but really steal private data or fool users into granting access to a device’s camera and microphone for eavesdropping. More than a third of users of malware-compromised devices continued to access corporate emails, while 10% continued to access cloud services, both potentially providing attackers greater network access than they had initially obtained by compromising one remote device. Said Covington, "Continuously engaging with workers on the sign-in mechanisms they should use, the incident reporting they should follow, and the applications that are approved for work will help everyone do their part to protect the business and its assets."

Researchers Propose Porcupine, a Compiler for Homomorphic Encryption
VentureBeat
Kyle Wiggers
January 22, 2021


A synthesizing compiler for homomorphic encryption (HE) created by researchers at Facebook and New York and Stanford universities can translate a plain-text, unencrypted codebase into encrypted code on the fly. The compiler, Porcupine, reportedly can accelerate HE up to 51% over heuristic-driven, hand-optimized code. Porcupine can convert a reference of a plain-text code into HE code that performs the same computation, by internally modeling instruction noise, latency, behavior, and HE program semantics with the Quill component. Quill lets Porcupine reason about and seek kernels that are verifiably correct while minimizing latency and noise accrual, yielding a suite that automates and optimizes the mapping and scheduling of plain text to HE code. According to the researchers, "Porcupine abstracts away the details of constructing correct HE computation so that application designers can concentrate on other design considerations."

Paper Cards, Digital Codes Target Vaccination Chaos
IEEE Spectrum
Jeremy Hsu
January 25, 2021


A coalition led by the Massachusetts Institute of Technology (MIT) has introduced an augmented vaccination card that works with or without online apps to ease the Covid-19 inoculation process. The card would feature quick response codes that can be applied as stickers to existing cards already circulated by the U.S. Centers for Disease Control and Prevention. These codes would incorporate encrypted data necessary for each vaccination stage that can be scanned by the relevant authorities—without storing personally identifiable information in central databases to protect privacy. The MIT team thinks the card could accelerate the process by removing paperwork needed to check on vaccination eligibility and status at pharmacies and clinics. MIT's Sanjay Sarma said, "The beauty of this is you let the logistics people do the logistics, and you let the issuing authority give you your coupon independently, and each can do it in a decoupled way."

Women Primed to Fill Cybersecurity Talent Gap
Financial Times
Alice Kantor
January 25, 2021


Cybersecurity analysts are in great demand thanks to the surge in remote work due to the pandemic. A survey by the International Information System Security Certification Consortium found 3.1 million cybersecurity analysts are needed worldwide, with 22% of companies having faced a substantial shortfall of dedicated cybersecurity staff from April to June 2020. Cyberanalyst Jane Frankland said hiring more women can help narrow the talent gap, as they comprise just 25% of the sector's workforce. The U.K. government and other organizations are striving to remedy women's historic underrepresentation, but Emily Stapf at financial services group PricewaterhouseCoopers said retention is the key obstacle. Stapf said hiring and retaining women could help cybersecurity's role evolve from asset protection to a corporate value-add, because "many women have a risk management mindset, think differently about balancing tasks, and are able to sort through the noise to identify a threat."

Biden White House Website Hides Secret Invitation for Coders
Fox Business
Lucas Manfredi
January 20, 2021


The Biden administration is seeking skilled coders to apply for roles within the U.S. Digital Service (USDS). The Biden White House's newly updated website has a message hidden deep in its HTML source code: "If you're reading this, we need your help building back better. https://usds.gov/apply." USDS, created by President Barack Obama in 2014, aims to change the federal government's approach to technology and create better services by bringing together the best designers, engineers, product managers, and digital policy experts. Among other things, the agency has worked to improve HealthCare.gov, modernize the U.S. Department of Homeland Security's immigration system, help the U.S. Department of Education roll out the College Scorecard, and identify security vulnerabilities in the U.S. Department of Defense's website. USDS also aims to improve how the government buys technology and hires technical talent.

Estonia Leads World in Making Digital Voting Reality
Financial Times
Patrick Mulholland
January 25, 2021


Estonia's i-Voting online voting system was used to cast more than 40% of ballots in its March 2019 parliamentary elections. Anett Numa at the e-Estonia innovation hub said the system's success relies on having a pre-established digital infrastructure, without which people would lack trust in accessing public services online. I-Voting was developed partly to grow participation and keep young people engaged with politics, as roughly 200,000 Estonians live abroad. Numa said i-Voting has not boosted voter turnout, but rather offers an additional avenue for voter engagement. The system uses encryption to address cybersecurity issues, allowing voters to cast ballots across a platform that routes to a central database following authentication.

Quantum Internet Signals Beamed Between Drones a Kilometer Apart
New Scientist
Matthew Sparkes
January 15, 2021


Researchers at China's Nanjing University have sent entangled photons between two 35-kilogram drones located a kilometer apart, a development that could pave the way for quantum encryption. The study marks the first time photon entanglement has been transmitted between moving devices. The pair of entangled photons was created using a laser on board one drone by splitting a single photon with a crystal. The receivers and transmitters were lined up using motorized devices on each drone, and a short piece of fiber-optic cable was used to focus and steer the photons through a relay drone. Imperial College London's Myungshik Kim said it is important that researchers were able to engineer complex optics into moving drones given even small rotational differences can make it hard to maintain quantum connections.

Hackers Have Leaked the Covid-19 Vaccine Data They Stole in a Cyberattack
ZDNet
Danny Palmer
January 13, 2021


The European Medicines Agency (EMA) disclosed that information about Covid-19 medicines and vaccines, stolen as part of a cyberattack announced last month, has been leaked on the Internet. The hackers breached an undisclosed IT application and targeted data related to Covid-19 medicines and vaccines. The EMA's work and regulatory network were not impacted by the breach, and Covid-19 vaccine approval and distribution has not been disrupted. The EMA said, "Necessary action is being taken by the law enforcement authorities. The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorized access."

Daniel Tauritz

Feb 9, 2021, 9:10:11 AM
to sec-...@googlegroups.com

More Exploitable Flaws Found in SolarWinds Software, Says Cybersecurity Firm
NBC News
Ken Dilanian
February 3, 2021


Cybersecurity firm Trustwave has discovered three more "critical" flaws in software produced by SolarWinds, the company exploited in what U.S. officials last year called a massive breach of U.S. government and corporate sites by Russian intelligence. Trustwave said the bugs could have allowed hackers to compromise the networks of SolarWinds clients, and theoretically expose consumer data to corporate and government secrets. SolarWinds said it has issued patches for the vulnerabilities, while Trustwave's Ziv Mador said the incident supports the contention that vendors should continually run penetration testing on their products. Said Mador, "In nearly 100% of the applications we test, we find vulnerabilities. Some severe, some mild."
 


High-Performance Computers Under Siege by Newly Discovered Backdoor
Ars Technica
Dan Goodin
February 2, 2021


Researchers at Slovak security firm Eset said a newly discovered backdoor allows hackers to remotely execute arbitrary commands on some high-performance computer networks. The Kobalos backdoor operates on Linux, FreeBSD, and Solaris, and code artifacts imply it may have previously run on AIX and the Windows 3.11 and Windows 95 platforms. Once installed, Kobalos infiltrates the file system of the target network and facilitates access to a remote terminal that allows intruders to run commands; infected systems also can become proxies connecting to other compromised servers, which can be linked to compromise a final target. Kobalos was released no later than 2019, and the group behind it was active throughout 2020. Eset researchers wrote that the backdoor's features and network evasion methods indicate those behind Kobalos "are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems."

NIST Offers Tools to Help Defend Against State-Sponsored Hackers
U.S. National Institute of Standards and Technology
February 2, 2021

The U.S. National Institute of Standards and Technology (NIST) has published a toolkit (SP 800-172) to shield controlled unclassified information (CUI) from advanced persistent threats by state-sponsored hackers. The recommendations cover elements of nonfederal systems that process, store, or transmit CUI, or that supply protection for such components. The safeguards apply only to CUI associated with a critical program or high-value asset. NIST's Ron Ross said, "Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation, and intellectual property, the revelation of which could compromise our economy and national security."
 


'Cyber Trauma' Leaves Online Victims With Psychological Scars
Financial Times
Antonia Cundy
January 25, 2021


The U.K. Office for National Statistics found that incidents of fraud and computer misuse in England and Wales jumped from 4.84 million in June 2019 to 5.94 million in June 2020. Many online crimes involve cyberstalking and online harassment in addition to financial losses, resulting in lasting psychological scars to victims. Law enforcement often is unable to help these victims, either due to a lack of resources or the electronic trail falling outside national jurisdiction. Said The Cyber Helpline's Rory Innes, "There's a shortage of cybersecurity professionals in the U.K. and the global market. And the pace of change [of cybercrimes] has been really fast ... It's relatively difficult to take a police officer or someone non-technical and make them understand this space."
