Dr. T's security brief


Daniel Tauritz

Sep 27, 2020, 8:08:49 PM
to sec-...@googlegroups.com

How WhatsApp, Signal & Co. Threaten Privacy
Technical University of Darmstadt (Germany)
Christian Weinert; Daniela Fleckenstein
September 15, 2020


Researchers at Germany’s technical universities of Darmstadt and Würzburg demonstrated that contact tracing/discovery services can expose the personal data of users of popular mobile messengers like WhatsApp and Signal. New users must grant such applications permission to access and upload their devices' address book to company servers, in order to instantly text existing contacts. The researchers queried 10% of all U.S. mobile phone numbers for WhatsApp and 100% for Signal, and found they were able to collect personal metadata stored in messengers' user profiles, and obtain statistics on user behavior. In response to the exploit's disclosure, WhatsApp has upgraded protection mechanisms to detect large-scale attacks, while Signal has reduced the number of possible queries to complicate crawling.

Full Article

 

Security Researchers Slam Voatz Brief to the Supreme Court on Anti-Hacking Law
CyberScoop
Sean Lyngaas
September 14, 2020


Cybersecurity specialists criticized an amicus brief filed by mobile voting company Voatz to the U.S. Supreme Court, which could have implications for the Computer Fraud and Abuse Act (CFAA). They refuted Voatz's contention that the CFAA should only allow researchers with clear permission to audit computer systems for flaws, warning that the brief "fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure." In their open letter to the high court, the experts said a broad interpretation of the law would further discourage research, "even when there exists a societal obligation to perform such research." The signatories added that the fate of transparent research into critical systems like voting software and medical devices is at stake. A Voatz spokesperson said the firm does not advocate curtailing research, saying "it's better to work collaboratively with the organization as bad actors disguise themselves as good actors on a regular basis."

Full Article

 

 

House Approves Bill to Secure Internet-Connected Federal Devices Against Cyberthreats
The Hill
Maggie Miller
September 14, 2020


The U.S. House of Representatives on Monday passed the Internet of Things (IoT) Cybersecurity Improvement Act, to enhance the security of federal Internet-connected devices by having them comply with minimum security recommendations from the National Institute of Standards and Technology. The devices' private-sector providers also would be obligated to alert agencies if their products are found to have security flaws that could leave the government vulnerable to cyberattacks. Rep. Carolyn Maloney (D-NY) said the bill is intended to address a lack of national standards to ensure IoT device security. The legislation also has been proposed in the Senate, where it awaits a vote.

Full Article

 

 

3D Printing Poses a "Grave and Growing Threat" to Privacy, Experts Warn
University of Exeter
September 8, 2020


Researchers at Durham University and the University of Exeter in the U.K. warn that three-dimensional (3D) printing technology poses a "grave and growing threat" to individual privacy and that governments and companies are unaware of these privacy issues. Said Exeter's James Griffin, "Every physical product that is 3D-printed has the potential to be tracked in a way that has never occurred before." The study is based on 30 in-depth interviews with representatives of Chinese 3D printing companies, most of whom believed the tracking technology incorporated into 3D printing would be used to handle piracy or copyright issues, and not for invading users’ privacy. The researchers called for a voluntary code of conduct that would encourage self-regulation of 3D printing and watermarking, and a specific software component that can isolate and protect private information collected from a watermark.

Full Article

 

 

Facebook's EU-U.S. Data Transfer Mechanism 'Cannot Be Used', Irish Regulator Says
Reuters
Conor Humphries; Neha Malara
September 9, 2020


Ireland's Data Protection Commission has decreed Facebook's key mechanism for transferring data from the European Union (EU) to the U.S. "cannot in practice be used," although the Court of Justice of the EU (CJEU) previously deemed it valid. Although the CJEU ruled in July that Privacy Shield, the EU-U.S. transatlantic data transfer agreement, was invalid because of concerns of U.S. surveillance of Europeans' private data when used commercially, it backed the validity of Facebook's Standard Contractual Clauses (SCCs). However, the court said under SCCs, privacy regulators must suspend or ban transfers outside the bloc if data protection in other countries cannot be guaranteed. Facebook said it will continue transferring data in compliance with the July CJEU ruling, while also deploying "robust" data-privacy safeguards that include "industry standard encryption and security measures, and comprehensive policies governing how we respond to legal requests for data."

Full Article

 

 

With Election Cybersecurity Experts in Short Supply, Some States Call In the National Guard
NBC News
Kevin Collier; Courtney Kube; Rich Gardella
September 11, 2020


Some U.S. states are asking the National Guard to dispatch cybersecurity experts to fortify their voting systems ahead of the general election in November. Such aid is particularly critical in rural areas and small jurisdictions that may lack specialists, which are deemed most susceptible to hackers. Some fear hackers could invalidate the 2020 election by attacking Internet-connected sites that play crucial roles in the electoral process. The North Carolina National Guard's Cyber Security Response Force has assessed cybersecurity in more than 30 counties in the state, and responded to 35 hacks since 2018. The National Guard's George R. Haynes said more guardsmen have been trained as cyberspecialists as the U.S. Department of Defense has increased its cybertraining.

Full Article

 

 

Millions of WordPress Sites Are Being Probed, Attacked With Recent Plugin Bug
ZDNet
Catalin Cimpanu
September 6, 2020


Defiant Inc., which produces the Wordfence Web firewall, reported that millions of WordPress sites have been attacked by hackers exploiting a zero-day vulnerability in the "File Manager" WordPress plugin. The zero-day vulnerability enables attackers to upload malicious files on a site running an older version of the plugin. Defiant's Ram Gall said the firm had blocked attacks against more than 1.7 million sites since the attacks were first detected on Sept. 1. However, given that WordPress is installed on hundreds of millions of sites, Gall said the true scale of the attacks likely is much larger. The File Manager developer team has created and released a patch for the zero-day vulnerability.

Full Article

 

 

Computer Hackers Attack Fairfax County School System
The Washington Post
Joe Heim
September 11, 2020


Fairfax County (VA) Public School District spokesperson Lucy Caldwell said hackers have attacked the school district's computers, installing ransomware on certain systems. The MAZE hacker group posted on its website that it had penetrated the district’s site with ransomware, posting a zip file of stolen data to prove it. The district said it is coordinating with its security experts and the U.S. Federal Bureau of Investigation to gauge the breach’s impact on its data, and it will alert affected parties based on its findings. This is the district’s second major computer problem this year, following a badly flawed rollout of its online learning system in April, which forced the district to stop classes for several days while it dealt with glitches, privacy breaches, and online harassment.

Full Article

*May Require Paid Registration

 

 

Privacy, Blockchain, and IoT—Can We Keep Control of Our Own Identities?
University of South Australia
September 10, 2020


Research from Australia’s University of South Australia (UniSA) and Charles Sturt University has found privacy issues innate to current blockchain platforms, suggesting the technology requires further refinement for consideration of privacy rights and expectations. Blockchains use details of previous transactions to confirm future transactions by embedding this information within the data chain; each block is uneditable to maintain system viability. UniSA's Kirsten Wahlstrom said encryption can conceal, but not erase, this cloud-based ledger, in violation of the European Court of Justice's ruling that European citizens have the right to be forgotten. Wahlstrom said, "The crucial first step is for the industry to develop a clear definition of what 'privacy' actually is—what we are trying to protect and why—and then agree [on] standards to ensure those requirements are met across the board."

Full Article

 

 

Smart Device Hacks Up Since the Pandemic Started
Government Technology
Alia Malik
September 11, 2020


Cybersecurity researchers at the University of Texas at San Antonio (UTSA) found that hacks on smart devices have climbed since the Covid-19 pandemic began. UTSA's Elias Bou-Harb said growing numbers of people working from home is a perfect medium for hackers, who can leap from connections to smart devices to computers that log into organizations' networks. UTSA's Cyber Center for Security and Analytics is working to improve its database to detect smart-device hacks in real time, and to alert organizations or Internet service providers of flaws. The Center utilizes data from the U.S. Department of Homeland Security and the University of California San Diego, which jointly built a "network telescope" of sensors to record as much as 100 gigabytes of malicious traffic per hour. Researchers are converting this information into a map of hacks, in the hope of helping average people view and understand the data and, as Bou-Harb said, "not to adopt these technical devices blindly."

Full Article

 

Daniel Tauritz

Sep 28, 2020, 8:35:17 AM
to sec-...@googlegroups.com

TIME Magazine Article

How Signal Became the Private Messaging App for an Age of Fear and Distrust

By Billy Perrigo

 

A Self-Erasing Chip for Security, Anti-Counterfeit Tech
University of Michigan News
September 24, 2020


University of Michigan researchers have developed self-erasing chips based on a material that temporarily stores energy, changing the color of light it emits. The chips are assembled from a three-atom-thick layer of semiconductor material deposited on a thin strip of azobenzene-based molecules, which shrink under ultraviolet light; those molecules tug on the semiconductor so it emits longer wavelengths of light. The stretched azobenzene naturally releases its stored energy, losing stored data, over the course of about seven days in no light, or it can be erased on demand with a pulse of blue light. A self-erasing bar code printed on the chip within a device could flag whether someone had opened it to install a spying device.

Full Article

 

 

Hacker Accessed Network of U.S. Agency, Downloaded Data
Bloomberg
Andrew Martin; Alyza Sebenius
September 24, 2020


The U.S. Cybersecurity & Infrastructure Security Agency (CISA) on Thursday disclosed that an unnamed federal agency had been the victim of a cyberattack in which a hacker accessed its network. The intruder implanted malware that avoided the agency's safeguards, and infiltrated the network by using valid access credentials for multiple users' Microsoft 365 and domain administrator accounts. CISA said the hacker was able to browse directories, copy at least one file, and exfiltrate data. The agency added that the hacker may have acquired the credentials by exploiting a known flaw in Pulse Secure virtual private network servers. CISA learned of the attack through an intrusion detection system that monitors federal civilian agencies.

Full Article

 

 

Iranian Hackers Found Way Into Encrypted Apps, Researchers Say
The New York Times
Ronen Bergman; Farnaz Fassihi
September 18, 2020


Reports from Check Point Software Technologies and the Miaan Group human rights organization indicate Iranian hackers have been operating a massive cyberespionage campaign, using surveillance tools that can thwart encrypted instant-messaging systems. Researchers said hackers have penetrated supposedly secure mobile phones and computers, overcoming protections in encrypted applications like Telegram, and even accessing data on WhatsApp. The most common exploit involves sending malware-laced documents and apps to targets. Miaan said the malefactors' apparent goal is to steal data on Iranian opposition groups in Europe and the U.S., and to spy on Iranians who use mobile apps to organize protests.

Full Article

*May Require Paid Registration

 

PAN-OS Vulnerabilities Add to a Torrid Year for Enterprise Software Bugs
CyberScoop
Sean Lyngaas
September 10, 2020


Researchers at the cybersecurity firm Positive Technologies disclosed four new vulnerabilities in enterprise software from Palo Alto Networks that could be exploited to steal data from internal networks. The researchers said one of the vulnerabilities found in the PAN operating system (PAN-OS) could enable hackers to plant malicious code in the operating system and obtain "maximum privileges" after gaining access to the management interface. Another would enable hackers to take over the software after tricking an administrator into clicking a malicious link. The researchers said companies that make the software's "administrative panel" externally accessible would be at greater risk. There is no evidence the vulnerabilities have been exploited to date, and Palo Alto Networks has released fixes for all of the bugs.

Full Article

 

Woman Becomes First Healthcare Cyberattack Death
The Daily Mail
Charlotte Mitchell
September 18, 2020


A woman in Germany suffering a life-threatening illness was the first person to die from a cyberattack on a healthcare system, when a hospital could not admit her because its systems were down. Ransomware infiltrated the University Clinic in Dusseldorf through a flaw in a Citrix virtual private network, which forced the ambulance carrying the victim to be rerouted to Wuppertal, and she died en route. Germany's Federal Office for Information Security was called in to strengthen the hospital's systems; chief Arne Schoenbohm said the office had been aware of the Citrix flaw since December 2019, and had urged healthcare facilities to immediately upgrade their security. Said Schoenbohm, "I can only urge you not to ignore or postpone such warnings but to take appropriate action immediately. This incident shows once again how seriously this danger must be taken."

Full Article

 

 

The Phish Scale: NIST-Developed Method Helps IT Staff See Why Users Click on Fraudulent Emails
NIST
September 17, 2020


Researchers at the U.S. National Institute of Standards and Technology (NIST) have developed the Phish Scale, which could help organizations better train their employees to avoid being deceived by seemingly trustworthy emails. The scale is designed to help information security officers better comprehend click-rate data, in order to gauge phishing training programs' effectiveness more accurately. NIST's Michelle Steves said, "The Phish Scale is intended to help provide a deeper understanding of whether a particular phishing email is harder or easier for a particular target audience to detect." The scale employs a rating system based on message content in a phishing email, highlighting five elements rated on a 5-point scale associated with the scenario's premise. Trainers use the overall score to analyze their data and rank the phishing exercise's difficulty level as low, medium, or high.

Full Article

 

 

Cyber Threat to Disrupt Start of U.K. University Term
BBC News
Sean Coughlan
September 17, 2020


The U.K.'s National Cyber Security Center (NCSC) is warning colleges and universities that increasing numbers of cyberattacks threaten to disrupt the start of the Fall term. The NCSC advisory follows a series of ransomware attacks against academic institutions, which are often followed by a note demanding payment for recovery of frozen or stolen data. For example, colleges in Yorkshire and a higher education school in Lancashire were targeted by cyberattacks in August, as Newcastle and Northumbria universities were this month. The warning emphasizes the risk to online systems for remote working, as more academic staff are working from home amid the Covid-19 pandemic. Universities UK, which represents 139 universities in that nation, said it is collaborating with the NCSC to produce "robust guidance on cybersecurity" for issuance later this academic year.

Full Article

 

 

House Passes Legislation to Boost Election Security Research
The Hill
Maggie Miller
September 16, 2020


The U.S. House of Representatives on Wednesday passed the Election Technology Research Act, which would establish and fund a Center of Excellence in Election Systems at the National Institute of Standards and Technology (NIST). This center would test the security and accessibility of election-related hardware. The legislation also authorizes NIST and the National Science Foundation to research further securing election technology, focusing on and addressing cybersecurity and other issues to ensure the safety and reliability of election systems. Said Rep. Zoe Lofgren (D-CA), "This research will help to inform our efforts to modernize voting systems and strengthen election practices." The timing for consideration of the legislation in the Senate is unclear.

Full Article

 

 

Raccoon Attack Allows Hackers to Break TLS Encryption 'Under Certain Conditions'
ZDNet
Catalin Cimpanu
September 9, 2020


Researchers at Ruhr-University Bochum, the University of Paderborn, and the Federal Office for Information Security (BIS) in Germany, and Tel Aviv University in Israel, disclosed a theoretical attack on the TLS cryptographic protocol that could decrypt the HTTPS connection between users and servers to access sensitive communications. The so-called Raccoon attack, which targets the Diffie-Hellman key exchange process, is a timing attack in which the time needed to perform known cryptographic operations is measured by a malicious third party to determine parts of the algorithm. All servers that establish TLS connections using the Diffie-Hellman Key exchange are vulnerable. Said the researchers, "The vulnerability is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable." Microsoft, Mozilla, OpenSSL, and F5 Networks have released patches to block such attacks.

Full Article

 

Daniel Tauritz

Oct 3, 2020, 11:16:00 AM
to sec-...@googlegroups.com

Dark Web “Hacker University” Offers “Cybercrime Degrees For $125”

Forbes (9/28, Winder) writes a newly published report “into the new economy of the dark web from cybersecurity-as-a-service specialist Armor’s Threat Resistance Unit (TRU)” detailed “a hacker university selling cybercrime courses to dark web degree students.” Using a handful of “free courses to tempt the would-be cybercrime mastermind, HackTown has an enrollment fee of $125 (£97), opening the doors to all other courses.” HackTown operators say that by taking the courses, “you will gain the knowledge and skills needed to hack an individual or company successfully.”

 

 

Hacker Releases Information on Las Vegas-Area Students After Officials Don’t Pay Ransom
The Wall Street Journal
Tawnell D. Hobbs
September 28, 2020


A hacker who locked computer servers in Las Vegas' Clark County School District with ransomware released documents with Social Security numbers, grades, and other stolen private data after officials refused to pay the ransom. The district is the largest known to be hit by hackers during the Covid-19 crisis, and marks an escalation in tactics for hackers who exploit schools heavily dependent on online learning and technology. Some school districts have made online learning their sole educational option during the pandemic; experts said this compounds the impact of ransomware and attackers' demands. Threat analyst Brett Callow at cybersecurity company Emsisoft said, "A big difference between this school year and last school year is they didn't steal data, and this year they do."

Full Article

*May Require Paid Registration

 

 

Hackers Infiltrated Many Washington State Agencies
Bloomberg
Kartikay Mehrotra; Dina Bass
September 27, 2020


At least 13 of Washington State's departments and commissions reportedly have been hit by a sophisticated malware attack. Although the attack has not affected state operations significantly, it highlights potential vulnerabilities in state computer networks about a month ahead of the U.S. Presidential election. The multifaceted attack enabled hackers to spread malware, including Trickbot and Emotet, and to establish a foothold in several state agencies. It remains uncertain whether any data was stolen. The U.S. Department of Homeland Security, the FBI, and Microsoft Corp. are assisting state efforts against the attack. The office of Washington Secretary of State Kim Wyman tweeted it is aware of the attack, “though we have no reason at this time to believe this is targeted at elections.”

Full Article

 

 

Third-Party Code Bug Left Instagram Users at Risk of Account Takeover
Computer Weekly
Alex Scroxton
September 24, 2020


Security teams at Check Point and Facebook reported a third-party remote code execution flaw in the Instagram photo-sharing platform, which could have enabled malefactors to hijack accounts and use victims' devices for surveillance. Facebook calls the bug an integer overflow leading to a heap buffer overflow; it was present in Mozjpeg, an open source, third-party JPEG decoder that Instagram uses to upload images to the application. Check Point's Yaniv Balmas highlighted the risks of using third-party code libraries to build app infrastructures without checking for flaws. Although patched six months ago, the Mozjpeg bug is only being disclosed now in the hope that a sufficient number of users have updated their apps to ameliorate its impact.

Full Article

 

 

Amazon Introduces New Indoor Drone For Home Security

Reuters (9/24, Dastin) reports Amazon introduced several new products Thursday, including an indoor drone designed for security purposes. The introduction of the drone and other products with a security focus “reflects Amazon’s growing security business since its acquisition of smart doorbell maker Ring in 2018, an effort that’s drawn scrutiny from civil liberties advocates.” The drone, which Amazon calls the Ring Always Home Cam, “aims to capture video where customers otherwise lack static cameras.”

Additional coverage provided by the New York Times (9/24, Browning), USA Today (9/24, Graham), and the Washington Post (9/24).

 

 

Why You Should Be Very Skeptical of Ring's Indoor Security Drone

A security drone for your home may seem like a cool idea but do the benefits outweigh the risks?

IEEE Spectrum, 25 Sept. 2020

https://spectrum.ieee.org/automaton/robotics/drones/ring-indoor-security-drone

 

 

This Is How Much Top Hackers Are Earning From Bug Bounties
ZDNet
Steve Ranger
September 22, 2020


More than $44.75 million in bounties was awarded to hackers worldwide over the past year, up 86% annually, according to HackerOne, which operates bug bounty programs. The average bounty paid for critical vulnerabilities rose 8% over the past year to $3,650, and the average amount paid per vulnerability was $979. To date, more than 181,000 vulnerabilities have been reported, and hackers have been paid more than $100 million. Almost nine out of 10 of the hackers enrolled with HackerOne are under 35, and hacking is the only source of income for one in five of the program's hackers. HackerOne reported that, in less than a decade, nine individual hackers have been paid $1 million in total bounty earnings, more than 200 hackers have earned more than $100,000, and 9,000 hackers have earned "at least something."

Full Article

 

 

3D Biometric Authentication Based on Finger Veins Almost Impossible to Fool
Optical Society of America
September 28, 2020


Researchers at the State University of New York at Buffalo (UB) have developed a three-dimensional (3D) biometric authentication methodology based on finger veins that they say can improve the security of this type of authentication. The protocol utilizes photoacoustic tomography, in which laser light directed onto the subject's finger generates sound when it encounters a vein; an ultrasound detector captures the sound, and uses all the sounds generated to create a 3D image of the veins. Testing found the technique can correctly accept or reject an identity 99% of the time. UB's Jun Xia said, "Since no two people have exactly the same 3D vein pattern, faking a vein biometric authentication would require creating an exact 3D replica of a person's finger veins, which is basically not possible."

Full Article

 

 

Daniel Tauritz

Oct 10, 2020, 9:53:59 AM
to sec-...@googlegroups.com

GitHub Launches Code Scanning to Unearth Vulnerabilities Early
VentureBeat
Paul Sawers
September 30, 2020


GitHub last week launched a code-scanning tool to help developers identify flaws in code prior to its public rollout. A result of GitHub’s takeover last year of code analysis platform Semmle, the new tool is a static application security testing solution that converts code into a queryable format, then searches for vulnerability patterns. It automatically identifies flaws and errors in code revisions in real time, alerting the developer before the code approaches production. GitHub said during the scanner's beta-testing phase it scanned more than 12,000 repositories more than 1 million times, discovering 20,000 vulnerabilities; developers and maintainers corrected 72% of these errors within 30 days.

Full Article

 

 

Clinical Trials Hit by Ransomware Attack on Health Tech Firm
The New York Times
Nicole Perlroth
October 3, 2020


Philadelphia-based software provider eResearch Technology (ERT) was hit two weeks ago by a ransomware attack that has slowed clinical trials. The exploit started when ERT workers learned that they were locked out of their data, and clients said this forced researchers to move certain clinical trials to pen and paper. ERT's Drew Bustos on Friday verified that ransomware had hijacked company systems on Sept. 20, when the firm took its systems offline, called in outside cybersecurity experts, and alerted the U.S. Federal Bureau of Investigation. Affected customers included IQVIA, the contract research organization helping manage AstraZeneca's Covid-19 vaccine trial, and drug maker Bristol Myers Squibb, which is leading a consortium in developing a rapid test for coronavirus.

Full Article

*May Require Paid Registration

 

 

Israeli Researchers Find Breach Allowing Hackers to Spy Through Remotes
The Jerusalem Post
Tzvi Joffre
October 7, 2020


Researchers from the Israeli Guardicore firm discovered a security breach that would let hackers eavesdrop on users through remote controls from the Comcast cable TV service that accept voice commands and support long-distance radio-frequency communication. The exploit would enable hackers to activate the remotes from a distance and record whatever is occurring within meters of the device. The remote automatically checks for updates every 24 hours, and it is during this checking process that the breach transpires. The Guardicore researchers alerted Comcast and worked with the company to patch the exploit, which involved updating all affected remotes; they advise all providers of voice-controlled remotes to test them carefully to prevent similar breaches.
 

Full Article

 

 

Researchers Fingerprint Exploit Developers Who Help Several Malware Authors
The Hacker News
Ravie Lakshmanan
October 2, 2020


Cybersecurity researchers from Check Point Research have deployed a methodology to determine the unique characteristics of a malware author and use that ‘fingerprint’ to identify other exploits developed by the same person. Identifying characteristics can include the use of hard-coded values or string names, how the code is organized, or how certain functions are implemented. The technique enabled the researchers to link 16 Windows local privilege escalation exploits to two zero-day sellers known as "Volodya" and "PlayBit." Said the researchers, "Both of our actors were very consistent in their respective exploitation routines, each sticking to their favorite way." The researchers believe the methodology could be used to identify additional exploit writers.

Full Article

 

 

Critical Flaws Discovered in Popular Industrial Remote Access Systems
The Hacker News
Ravie Lakshmanan
October 1, 2020


Researchers at Israel's OTORIO industrial cybersecurity firm found critical defects in two popular industrial remote access systems that attackers could exploit to block access to industrial production floors, infiltrate company networks, tamper with data, and steal business secrets. The analysts found flaws in B&R Automation's SiteManager and GateManager ranging from path traversal to improper authentication, which could enable hackers to view sensitive data about other users, their assets, and their processes. Meanwhile, the analysts said, MB Connect Line's mbCONNECT24 was found to contain flaws that could enable attackers to access arbitrary information through Structured Query Language injection, steal session details in a cross-site request forgery attack, and leverage unused third-party libraries bundled with the software to obtain remote code execution. The flaws in both systems reportedly have been corrected.

Full Article

 

 

EU's Top Court Limits Government Spying on Citizens' Mobile, Internet Data
CNBC
Sam Shead
October 6, 2020


The European Court of Justice ruled this week that European Union member states cannot collect mass mobile and Internet data on citizens. According to the ruling, requiring Internet and phone operators to undertake "general and indiscriminate transmission or retention of traffic data and location data" violates EU law. The court acknowledged there could be emergency scenarios involving national security threats in which a member state "may derogate from the obligation to ensure the confidentiality of data relating to electronic communications. Such an interference with fundamental rights must be accompanied by effective safeguards and be reviewed by a court or by an independent administrative authority." The ruling was issued in response to cases brought by Privacy International and French advocacy group La Quadrature du Net arguing that surveillance practices in the U.K., France, and Belgium violate fundamental human rights.
 

Full Article

 
