Dr. T's security brief


dtau...@gmail.com

Jun 1, 2024, 12:11:09 PM
to sec-...@googlegroups.com

Hackers Can Steal Data by Messing with Computer's Processor

Boise State University researchers found that hackers could extract information from software banned from connecting to the Internet by adjusting a computer's processor speed and encoding data in processor fluctuations that can be accessed remotely. Using the tactic with Intel processors, the researchers encoded and transmitted 55.24 bits per second between apps that otherwise had no means of passing data back and forth. An Intel spokesperson said the technique "could only be utilized by an attacker who has privileged access to the system they are attacking," so the company would not take any action to patch the vulnerability.
[ » Read full article *May Require Paid Registration ]

New Scientist; Matthew Sparkes (May 7, 2024)

 

Hacker Free-for-All in Fight for Routers

Hackers are surreptitiously coexisting inside compromised routers as they use the devices to disguise attacks motivated both by financial gain and state-backed espionage, according to researchers at U.S.-Japanese cybersecurity software company Trend Micro. In some cases the co-existence is peaceful, with financially motivated hackers providing spies access to already compromised routers in exchange for a fee. In other cases, state-backed hackers take control of devices previously hacked by the cybercrime groups.
[ » Read full article ]

Ars Technica; Dan Goodin (May 1, 2024)

 

Beijing Tightens Grip on China Social Media Giants

Stricter Chinese government rules on the country's Internet companies went into effect on May 1, requiring "network operators" to monitor information shared by users and to take action if sensitive information is posted. The rules detail how firms like Tencent, ByteDance, and Weibo must remove posts, save records, and report to authorities. The updated rules also expand the definition of sensitive information to include "work secrets," although uncertainty remains as to what constitutes a state secret.
[ » Read full article ]

BBC; João da Silva (May 1, 2024)

 

U.S. Senators Want Limits on Facial Recognition at Airports

In a May 2 letter, a bipartisan group of 14 U.S. Senators urged Senate leaders to limit the use of facial recognition technology by the Transportation Security Administration (TSA). According to the letter, "This technology poses significant threats to our privacy and civil liberties, and Congress should prohibit TSA's development and deployment of facial recognition tools until rigorous congressional oversight occurs." While TSA officials said the technology improves identity verification, concerns remain about who has access to the data and possible algorithmic bias, among other things.
[ » Read full article ]

Associated Press; Rebecca Santana (May 2, 2024)

Tech Giants Committing To Cybersecurity Pledge

The Wall Street Journal reports tech giants, including AWS, Microsoft, and Google, committed to a cybersecurity pledge written by the US Cybersecurity and Infrastructure Security Agency. The pledge, which will be unveiled this week at the RSA Conference, involves integrating seven cybersecurity best practices into the product development cycle. AWS and other signatories will report on their progress within a year, aiming to enhance technology safety and cybersecurity transparency. CISA Director Jen Easterly emphasized the importance of this commitment for improving security in technology products.

dtau...@gmail.com

Jun 2, 2024, 9:22:45 AM
to sec-...@googlegroups.com

NIST Finalizes Updated Guidelines for Protecting Sensitive Information

In two new publications, the U.S. National Institute of Standards and Technology (NIST) released finalized updated guidelines for protecting the sensitive data organizations that do business with the federal government handle, known as controlled unclassified information. “For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” said NIST’s Ron Ross.
[ » Read full article ]

NIST News (May 14, 2024)

 

Underwater Datacenters Vulnerable to Loud Noises

University of Florida researchers found that acoustic vibrations could destroy underwater datacenters. In tests involving a computer server rack in a metal enclosure placed underwater, a 5 kHz audible tone was found to disrupt computer drive operations from more than 6 meters away. University of Florida's Sara Rampazzi explained, "If it is just a denial-of-service attack, that can take a few seconds, depending on the power of the acoustic signal. But the longer you emit the sound, the more you damage the computer storage device."

[ » Read full article *May Require Paid Registration ]

New Scientist; Jeremy Hsu (May 14, 2024)

 

Female Health Apps Misuse Highly Sensitive Data, Study Finds

A study of the privacy practices of 20 popular female health monitoring apps in U.K. and U.S. Google Play stores by researchers at the U.K.'s King's College London and University College London found that many have poor data handling practices that leave users vulnerable to privacy and safety risks. The researchers found that apps handling medical and fertility data persuade users to enter sensitive data, which could be accessed by law enforcement or security authorities.
[ » Read full article ]

King's College London (U.K.) (May 13, 2024)

 

GhostStripe Attack Haunts Self-Driving Cars

Researchers in Singapore and the U.S. revealed an attack that exploits the complementary metal oxide semiconductor (CMOS) camera sensors in self-driving vehicles, preventing them from recognizing road signs. The GhostStripe attack uses LEDs to shine light patterns on road signs, which prevents the vehicles' machine-learning software from reading them. Rapidly flashing different colors onto the sign abuses the sensors' rolling digital shutters, distorting every frame captured by the cameras.
[ » Read full article ]

The Register (U.K.); Laura Dobberstein (May 10, 2024)

 

Report: School District Tech Leaders Worry AI Use Could Increase Cyberattacks

Education Week (5/10, Langreo) reported that while teachers are “using artificial intelligence in all kinds of ways to help them do their jobs,” that expanding use “has school district tech leaders worried that it could prompt more cyberattacks against schools, concludes a new report.” The Consortium for School Networking’s annual State of EdTech District Leadership report, “released April 30, recognizes that AI has significant potential to improve education, but at the same time it poses huge cybersecurity risks for schools.” The report surveyed 981 district tech leaders, and found that “almost two-thirds (63 percent) of district tech leaders are ‘very’ or ‘extremely’ concerned that the emerging technology will enable new forms of cyberattacks.” The report also found that about half (49 percent) of district tech leaders are also “very” or “extremely” concerned “about the lack of teacher training for integrating AI into instruction.”

 

US, Chinese Officials To Discuss AI Concerns On Tuesday

Bloomberg (5/13, Subscription Publication) reports that US officials “intend to highlight security concerns with China’s development of artificial intelligence when they meet representatives from that country to launch discussions over the emerging technology, according to senior administration officials.” Representatives from the US and China “will meet Tuesday in Geneva, according to the officials, who briefed reporters about the upcoming discussions on condition of anonymity. The meeting, which a senior official characterized as the first of its kind, initiates talks agreed to” last year by President Biden and his Chinese counterpart Xi Jinping to “address security and safety concerns over AI even as the two countries intensify their competition.”

The Washington Post (5/13, Dou) reports an Administration official said Seth Center, the State Department deputy envoy for critical and emerging technology, and Tarun Chhabra, senior director for technology and national security at the National Security Council, will lead the US delegation. China will be “represented by officials from the Foreign Ministry and the National Development and Reform Commission, the nation’s central economic planning agency.” The AP (5/13) reports that China’s official Xinhua news agency, “citing the Foreign Ministry, said that the two sides would take up issues including the technological risks of AI and global governance.” Washington also “sees efforts undertaken on AI by China as possibly undermining the national security of the United States and its allies, and Washington has been vying to stay ahead of Beijing on the use of AI in weapons systems.”

 

Report: School District Leaders Grappling With Generative AI, Other Tech Challenges

Education Week (5/14, Solis) reports that while generative artificial intelligence “has taken up a lot of space in the minds of K-12 district technology leaders over the past two school years,” according to a report released by the Consortium for School Networking last month, “it is not the No. 1 priority for school district technology leaders.” Other priorities for district leaders include cybersecurity, which “continues to rank as the No. 1 priority for district tech leaders, according to the CoSN report, which surveyed 981 district tech leaders between Jan. 10 and Feb. 29.” Data privacy and security “ranked as the No. 2 priority for district tech leaders this year, one spot higher than in 2023.” Also on the list were staffing shortages in the technology department, professional AI training, and budget deficits.

dtau...@gmail.com

Jun 3, 2024, 8:51:57 AM
to sec-...@googlegroups.com

FBI Takes Down Global Army of Zombie Computer Devices

The FBI has dismantled the world's largest botnet, comprised of 19 million infected computers across more than 190 countries. The botnet was used to facilitate financial fraud, identity theft, child exploitation, bomb threats, and cyberattacks. More than 613,000 IP addresses in the U.S. were associated with the botnet. A Chinese citizen was arrested in Singapore and charged in connection with the alleged deployment of malware and the creation and operation of the "911 S5" residential proxy service.

[ » Read full article *May Require Paid Registration ]

Bloomberg; Katrina Manson; Bernadette Toh (May 29, 2024)

 

EU Explores Whether Telegram Falls Under Content Law

Messaging platform Telegram risks being hit by an EU crackdown on online platforms being used to funnel illegal or harmful content. Sources say regulators are examining whether the service should qualify as a major online platform under the Digital Services Act, which has stricter compliance rules to prevent the spread of misinformation for platforms with over 45 million active users.
[ » Read full article ]

Bloomberg; Samuel Stolton; Alberto Nardelli (May 28, 2024)

 

Browser Plug-Ins Can Help Improve Digital Privacy Literacy, Combat Manipulative Design

The Google Chrome Privacy Sandbox browser plug-in developed by University of Notre Dame researchers can help users see how different websites target them based on age, race, location, income, and household size. Another Chrome browser plug-in the researchers developed, called Dark Pita, can detect dark patterns on Amazon, YouTube, Netflix, Facebook, and X and explain their impact. Neither plug-in is available to the public yet.
[ » Read full article ]

Notre Dame News; Brandi Wampler (May 29, 2024)

 

Spyware Found on U.S. Hotel Check-In Computers

Security researcher Eric Daigle found a consumer-grade spyware app running on the check-in systems of at least three Wyndham hotels in the U.S. The pcTattletale app takes screenshots of guest details and customer information, and a security flaw in the spyware allows anyone to download the screenshots directly from the app's servers.
[ » Read full article ]

Tech Crunch; Zack Whittaker (May 22, 2024)

 

Backlogs at National Vulnerability Database Prompt Action

Federal agencies are turning to the private sector to ease backlogs at the U.S. National Vulnerability Database (NVD). Chainguard's Kaylin Trychon said the backlogs have led to delays in updates of common vulnerabilities and exposures (CVE) information. Trychon noted common platform enumeration matching was halted around Feb. 15, "meaning the CVE entries do not contain any metadata around 'what software is actually affected'." Earlier this year, the NVD indicated it was considering plans for an industry consortium to help improve the database.
[ » Read full article ]

CSO Online; John Mello Jr. (May 15, 2024)

 

U.S. Warns Cyberattacks Against Water Supplies Are Rising

The U.S. Environmental Protection Agency (EPA) issued an enforcement alert Monday to warn the nation's water utilities about increasingly frequent and severe cyberattacks, stating that it will pursue civil or criminal penalties based on its inspections. The alert revealed around 70% of utilities inspected last year had violated standards intended to protect against hacks. EPA Deputy Administrator Janet McCabe said China, Russia, and Iran are "actively seeking the capability to disable U.S. critical infrastructure."
[ » Read full article ]

Associated Press; Michael Phillis; Matthew Daly (May 20, 2024)

 

Students Stole $25 Million in Seconds by Exploiting ETH Blockchain Bug

The U.S. Department of Justice indicted two Massachusetts Institute of Technology students for allegedly tampering with the Ethereum blockchain to steal $25 million in cryptocurrency in just 12 seconds. The scheme took advantage of a vulnerability in the process just after a transaction is conducted but before it is added to the blockchain. It involved creating a series of Ethereum validators through shell companies and foreign exchanges and deploying "bait transactions" to attract specialized bots used by buyers and sellers to identify lucrative prospects.
[ » Read full article ]

Ars Technica; Ashley Belanger (May 15, 2024)

 

Google, Apple Partner to Fight Tracker Stalking

To prevent location tracking stalking, Apple and Google announced that iPhone and Android phone users will receive alerts if a wireless location tracking device is nearby. Phones with up-to-date software will show users a message that a Bluetooth tracker is "found moving with you," with options to have the tracker play a sound so it can be located and instructions to disable it. The alerts will be required in "Find My" lost device trackers built by third-party companies.
[ » Read full article ]

CNBC; Kif Leswing (May 13, 2024)

 

Hackers Bring Trains Back to Life

Poland's SPS turned to hackers to address the failure of the Dolnoslaskie Rail trains it had been hired to refurbish. A trio of "white-hat" hackers from the Dragon Sector group determined software code in around a dozen of the trains' computers could cause shutdowns. They traced the code to Newag, an SPS rival that lost the contract to refurbish the trains, which denied the allegations. The Dragon Sector hackers ultimately devised programmatic workarounds to the code.

[ » Read full article *May Require Paid Registration ]

The Wall Street Journal; Jack Gillum; Karolina Jeznach (May 19, 2024)

 

Students Uncover Security Bug in Laundry Machines

Two students at the University of California, Santa Cruz identified a security flaw in the mobile app used by CSC ServiceWorks' Internet-connected laundry machines that could allow users to do their laundry without paying. The students were able to send remote commands to the machines to run a cycle without having money on their CSC laundry accounts, and were able to make it appear as though a laundry account through the CSC Go mobile app had a balance of several million dollars.
[ » Read full article ]

Tech Crunch; Zack Whittaker (May 17, 2024)

 

Cloud Computing Under the Cover of Quantum

Researchers at the U.K.'s University of Oxford and France's Sorbonne University demonstrated blind quantum computing using trapped ions. The quantum cloud system's "server" was made from a strontium ion (the network qubit) and a calcium ion (the memory qubit). The server does not know the electronic state of the network qubit but can still process its information via a laser-based process that entangles the network and memory qubits. The system also uses one-time-pad encryption to encode information, concealing the data and operations from the server.
[ » Read full article ]

Physics; Michael Schirber (May 21, 2024)

 

Advocacy Groups Using Vermont As “Possible Model” To Encourage Data Privacy Legislation

Politico (5/18) reports that Vermont lawmakers just “defied national trends by passing the toughest-yet state bill protecting online data privacy – and they did it by using a new tactic designed to get around industry pressure.” The bill lets Vermont residents “sue companies directly for collecting or sharing sensitive data without their consent.” However, Politico says that as they drafted and finalized the bill, lawmakers “deployed a countermeasure against business pushback: They brought together lawmakers in states from Maine to Oklahoma who had fought their own battles with the tech industry and asked them for advice.” While Gov. Phil Scott (R) has “yet to sign the bill, and lawmakers and industry are still jousting over it,” national consumer advocacy groups are already “looking to Vermont as a possible model for lawmakers who want to pass tough state tech regulations around the country.”

dtau...@gmail.com

Jun 8, 2024, 12:20:19 PM
to sec-...@googlegroups.com

NSA Urges Weekly Reboots of Smartphones

In a document detailing mobile device best practices, the U.S. National Security Agency (NSA) recommends users turn their devices off and then back on at least once every week to protect against zero-click exploits and spear-phishing. However, the NSA warns this method is not guaranteed to prevent or mitigate attacks. The organization also warned that some smartphone features “provide convenience and capability but sacrifice security.”
[ » Read full article ]

Forbes; Davey Winder (June 1, 2024)

 

Scientists Find Security Risk in RISC-V Open-Source Chip Architecture

Researchers at China's Northwestern Polytechnical University have identified a security risk in the RISC-V open-source chip architecture. China's domestic chip industry has relied on the standard to build CPUs and sidestep U.S. sanctions. The vulnerability in the RISC-V SonicBoom open-source code lets attackers skirt security protections in modern processors and operating systems without administrative rights. U.S. lawmakers reportedly are considering restricting China's access to RISC-V.

[ » Read full article *May Require Paid Registration ]

South China Morning Post; Zhang Tong (June 5, 2024)

 

Poland to Boost Cybersecurity After Fake News Attack

Polish Minister of Digital Affairs Krzysztof Gawkowski said that nation will spend more than 3 billion zlotys ($760 million) to bolster cybersecurity following a cyberattack against state news agency PAP. Officials have expressed concerns about Russian interference in upcoming European Parliament elections being held in Poland. Gawkowski, who said the money would be put toward a "Cyber Shield," noted several cyberattacks on critical infrastructure June 2-3 were blocked.
[ » Read full article ]

Reuters; Alan Charlish; Pawel Florkiewicz (June 3, 2024)

 

Hundreds of Thousands of U.S. Internet Routers Destroyed in Newly Discovered 2023 Hack

Security researchers at Lumen Technologies' Black Lotus Labs identified a cyberattack on an unnamed Midwest U.S. telecommunications company that disabled more than 600,000 Internet routers. The attack, which occurred in October but was not disclosed then, was perpetrated by an unidentified hacking group. It involved a malicious firmware update sent to the company's customers that disabled their Internet routers by deleting elements of the routers' operational code.
[ » Read full article ]

Reuters; Christopher Bing (May 30, 2024)

 

Robot Cars Can Be Crashed with Foil, Paint on Cardboard

A team of researchers from several universities demonstrated that an autonomous vehicle (AV) running Baidu's open-source Apollo driving platform could be attacked using only metal foil and colored patches on cardboard. Placing a smooth metal surface between the vehicle’s radar and a target vehicle deflects the transmitted mmWave signals from the radar receiver and can hide the target vehicle from radar perception. The reflections also confused the car’s LiDAR lasers, while the color patch affected camera perception by misrepresenting input image pixel values.
[ » Read full article ]

The Register (U.K.); Laura Dobberstein (June 3, 2024)

 

Russian Bots Use Fake Tom Cruise for Olympic Disinformation

Microsoft researchers found a pro-Russia disinformation group used fake AI-generated audio to make it seem as though actor Tom Cruise narrated a video suggesting violence is likely at the upcoming Olympic Games in Paris. The video was presented as a Netflix documentary with falsified endorsements from well-known media outlets. A pro-Russia group also generated a video impersonating media outlet France24 to falsely report that nearly a quarter of Olympic ticket-buyers had sought refunds due to fears of terrorism in Paris.

[ » Read full article *May Require Paid Registration ]

Bloomberg; Jeff Stone; Daniel Zuidijk; Hugo Miller; et al. (June 3, 2024)

 

New Techniques to Stop Audio Deepfakes

The U.S. Federal Trade Commission recently announced the three winners of its Voice Cloning Challenge, which involved developing strategies to prevent, monitor, and evaluate audio deepfakes. Researchers at Arizona State University won for OriginStory, a microphone with built-in sensors that detect and measure biosignals from human speakers to verify speech is human-generated. Software technology company OmniSpeech won for its AI Detect speech-processing software, which embeds machine learning algorithms into devices for real-time identification of AI-generated voices. Finally, researchers at Washington University in St. Louis were recognized for DeFake, which prevents cloning by adding tiny perturbations to human-voice recordings.
[ » Read full article ]

IEEE Spectrum; Rina Diane Caballar (May 30, 2024)

 

Spain Proposes Law to Improve Children’s Online Safety

A law proposed in Spain is intended to safeguard children from online threats by raising the age for opening a social media account to 16, from 14. The proposed law also would modify the criminal code to create specific crimes for creating deepfake images that target minors with sexually abusive material and establish virtual restraining orders for convicted criminals to prevent them from engaging in certain online activities or contacting victims through the Internet.
[ » Read full article ]

Associated Press; Joseph Wilson (June 4, 2024)

 

Spain's Data Watchdog Blocks EU Election Tools from Meta

The Spanish Data Protection Agency (AEPD) ordered the provisional suspension of two planned Meta products set to be deployed in the upcoming EU election on its social media platforms Instagram and Facebook. "The data processing envisaged by Meta would be contrary to Spanish data protection regulation and would, at the very least, breach the data protection principles of lawfulness, data minimization, and limitation of the retention period," the AEPD said.
[ » Read full article ]

Reuters; David Latona (May 31, 2024)

 

Healthcare Sector Maps Cyber Risk Posed by 'Single Points of Failure'

In response to a cyberattack on UnitedHealth Group's Change Healthcare unit, the U.S. Department of Health and Human Services is working with experts to map the cybersecurity risks associated with a single point of failure. In the case of UnitedHealth, the risk was having a single technology supplier in charge of payment processing. Creating such a risk map would allow the government and healthcare companies to address cyber weaknesses and formulate plans for emergencies and outages.

[ » Read full article *May Require Paid Registration ]

WSJ Pro Cybersecurity; Catherine Stupp (May 30, 2024)

 

FCC Approves $200 Million For K-12 Cybersecurity Pilot Program

Education Week (6/6, Klein) reports school districts and libraries “can soon seek new federal grants to protect against the mounting threat of cyberattacks under a pilot program approved June 6 by the Federal Communications Commission.” The cybersecurity program “will provide up to $200 million in competitive grants over three years to help schools and libraries purchase advanced firewalls, anti-virus protection technology, and other cybersecurity equipment. School districts will be eligible for a minimum of $15,000 and a maximum of $1.5 million, according to the agency’s draft description of the program.” The grants could become available “as early as this summer or fall.” The pilot will “help the FCC decide whether and how to direct further resources to cybersecurity equipment for schools and libraries on a permanent basis,” while advocates for district leaders “cheered the investment as a strong starting point.”

K-12 Dive (6/6, Merod) reports that the FCC approved the pilot program “in a 3-2 vote on Thursday.” The Schools and Libraries Cybersecurity Pilot Program “aims to enroll a variety of schools and districts,” and funding amounts “will be determined using a formula that estimates a pre-discount cost of $13.60 per student.” In a fact sheet released in May, “the FCC acknowledged that the pilot’s current district budget cannot be sufficient enough on its own to cover all of a school’s cybersecurity needs.” The funding for the pilot program “will come from the FCC’s Universal Service Fund and will be separate from the commission’s E-rate program, a federal program that helps schools and libraries pay for broadband access.”

dtau...@gmail.com

Jun 15, 2024, 3:56:11 PM
to sec-...@googlegroups.com

Privacy-Enhancing Browser Extensions Fail to Meet User Needs

New York University researchers identified shortcomings in popular Web browser extensions used to safeguard privacy and block ads. The study covered "Ad-Blockers & Privacy Protection" extensions, including AdBlock Plus, uBlock Origin, Adguard, and Ghostery, and "Privacy Protection" extensions including Privacy Badger, Decentraleyes, and Disconnect. The researchers built a benchmarking framework for assessing browser extensions' strengths and weaknesses, using smart crawlers to analyze more than 1,500 websites for performance hits, compatibility issues, privacy policy strengths, ad-blocking capabilities, and filter list configurations.
[ » Read full article ]

NYU Tandon School of Engineering (June 11, 2024)

 

Apple Promises Not to Store, Allow Access to AI Data

At the 2024 Apple Worldwide Developers Conference, Apple’s Craig Federighi introduced Private Cloud Compute (PCC). Part of what Apple calls "a brand new standard for privacy and AI," PCC achieves privacy through on-device processing. When a bigger, cloud-based model is needed to fulfill an AI request, it will "run on servers we've created especially using Apple silicon," said Federighi. PCC's server code will be publicly accessible, he said, so "independent experts can inspect the code that runs on these servers to verify this privacy promise."
[ » Read full article ]

Ars Technica; Kyle Orland (June 10, 2024)

 

Paris Olympics Crowd Scans Fuel AI Surveillance Fears

French authorities plan to use AI surveillance systems during the Olympics in Paris. The systems, already tested at train stations, concerts, and sporting events, will be used by police, fire and rescue services, and some French transport security agents when the games commence in late July. While the systems will scan for potential threats, they cannot be used for gait detection, facial recognition, and other processes used for identification.
[ » Read full article ]

The Japan Times; Adam Smith (June 13, 2024)

 

'Critical Oversight' Questions Perceived Security of Wireless Networks

Rice University, Brown University, and Northeastern University researchers identified a security flaw in high-frequency, high-speed wireless backhaul links for 5G wireless networks and other critical applications. They demonstrated the use of a metasurface-equipped drone to interfere with the links, easily intercepting high-frequency signals between rooftops in Boston, almost without a trace. Rice's Zhambyl Shaikhanov said, "Our discovery highlights a critical oversight in the perceived security of our wireless backhaul links."
[ » Read full article ]

Rice University; Marcy de Luna (June 6, 2024)

 

Deepfakes, Fraudsters, Hackers Coming for Cybersecurity Jobs

Some companies seeking cybersecurity workers are finding that some applicants are actually hackers. In response, some security leaders are looking more closely at résumés to weed out North Korean spies and those with over-embellished accomplishments. If such applicants make it through the hiring process, they could steal intellectual property, corporate data, or assets, or even insert vulnerabilities into code.

[ » Read full article *May Require Paid Registration ]

The Wall Street Journal; Belle Lin (June 7, 2024)

 

Microsoft, Google Boost Rural Hospital Cybersecurity

The White House, Microsoft, and Google announced that rural U.S. hospitals will have access to the tech companies' cybersecurity services for free or at a discount. Eligible rural hospitals will receive free security updates, security assessments, and staff training from Microsoft, and free cybersecurity advice from Google, along with access to a pilot program that will match hospitals with its cybersecurity services based on their needs.
[ » Read full article ]

CNN; Sean Lyngaas; Michelle Watson (June 10, 2024)

 

Uganda's Sweeping Surveillance State Is Built on National ID Cards

An analysis of interviews and documents by Bloomberg and Lighthouse Reports indicates that Uganda's decade-old biometric identification system is being used for public surveillance. Around 60% of citizens have obtained National Identification and Registration Authority-issued ID cards, which are required to obtain a mobile SIM, perform bank transactions, register to vote, and seek medical treatment. Uganda plans to issue new national ID cards, expanding the biometric data collected from residents beyond faces and fingerprints to iris scans. It also plans to roll out a real-time vehicle location tracking system that is connected to the national IDs.
[ » Read full article *May Require Paid Registration ]

Bloomberg; Olivia Solon; Nalinee Maleeyakul; Fred Ojambo (June 4, 2024)

 

C++ Language Rises in Tiobe Popularity Index

C++ became the second-most-popular programming language, behind Python, in the Tiobe Programming Community Index for June. It pushed C to third place, its lowest-ever ranking, despite an advisory from the White House Office of the National Cyber Director calling on developers to transition from C++ to C due to memory safety concerns. The Tiobe index top 10 programming languages for June are Python, C++, C, Java, C#, JavaScript, Go, SQL, Visual Basic, and Fortran.
[ » Read full article ]

InfoWorld; Paul Krill (June 10, 2024)

 

Mississippi Sued by Tech Group over Age Verification on Websites

A tech industry group said in a lawsuit filed Friday that a newly passed law in Mississippi requiring users of digital services to verify their age will unconstitutionally limit access to online speech for residents. The measure, designed to protect children from sexually explicit material and set to go into effect July 1, "mandates that minors and adults alike verify their ages — which may include handing over personal information or identification that many are unwilling or unable to provide — as a precondition to access and engage in protected speech," the lawsuit says. The lawsuit was filed by NetChoice, whose members include Google and Meta.
[ » Read full article ]

Associated Press; Emily Wagster Pettus (June 7, 2024)

Google Layoffs Impacting Company’s Ability To Vet Warrants For User Data, Source Says

The Washington Post (6/7, De Vynck) reports Google “cut a group of workers from the team responsible for making sure government requests for its users’ private information are legitimate and legal, raising concerns among workers and privacy experts that the company is weakening its ability to protect customer data.” According to an unnamed source, Google “laid off about 10 members of its Legal Investigations Support team late last month and told another group of about 10 that they would have to move cities or leave the company, effectively leading them to resign.” While a Google spokesperson “said the team has close to 150 people and that those who resign over the required re-location will be replaced,” the source indicated that the cuts still “represent a significant reduction in the company’s ability to vet and respond to search warrants and other requests, and have already led to delays in fulfilling court orders.”

Groups Ask For Preempting State Laws In Data Privacy Bill

Roll Call (6/10) reports that a “wide-ranging group of tech and other companies is asking that a prominent data privacy bill be altered to fully preempt state privacy laws.” United for Privacy, “a coalition of trade groups that also represent retailers, advertising agencies and financial services companies,” on Monday wrote to House Energy and Commerce Chair Cathy McMorris Rodgers and the panel’s ranking member, Frank Pallone Jr., requesting changes to their draft bill. The committee’s panel on Innovation, Data, and Commerce last month “advanced by voice vote the discussion draft that would establish a federal data privacy standard, restrict the activities of data brokers, preempt some state privacy laws, prohibit targeted advertising to children and require parental consent for kids accessing certain platforms.”

Startup Discovers Numerous Vulnerabilities In Popular AI Tools

The Washington Post (6/12, Lorenz) reports Haize Labs, a startup specializing in AI safety, has discovered numerous vulnerabilities in well-known generative AI tools. The programs were found to generate violent content and provide instructions for creating weapons and conducting cyberattacks. Haize, founded by three recent college graduates, aims to expose and resolve these AI vulnerabilities, referring to itself as a “Moody’s for AI.” The AI industry, says Carnegie Mellon professor Graham Neubig, needs independent safety entities. Haize is open-sourcing discovered vulnerabilities on GitHub and is working with Anthropic to test an unreleased algorithmic product.

Microsoft President Grilled In Congress Over Cyber Breaches

Politico (6/13, Sakellariadis) reports that although Microsoft President Brad Smith appeared before the House Homeland Security Committee on Thursday “determined to win back lawmakers’ trust following a sweeping Chinese hack into US networks last summer,” he faced skepticism and criticism from multiple lawmakers “about whether he was being transparent about the company’s response to the breach, other recent security lapses,” and whether its “continued business in China” makes it vulnerable to that country’s intelligence services. The hearing focused on a “scathing government report this April that concluded Microsoft had committed a ‘cascade’ of avoidable errors in the summer hack, easing the way for Chinese hackers to steal unclassified emails from top US officials.” Although Smith said Microsoft took responsibility for all the errors found in the report, “many lawmakers appeared to leave the hearing with greater doubts.”

Texas Lt. Gov. Expresses Concern About Energy Usage Of AI Data Centers And Cryptocurrency Miners

KDFW-TV Dallas (6/13, Boyer) reports Texas Lt. Gov. Dan Patrick (R) expressed concern in a post on X on Wednesday about the energy usage of cryptocurrency mining operations and AI data centers after Electric Reliability Council of Texas CEO Pablo Vegas told a state Senate committee that the state’s power demand could double in the next six years due in part to demand from data centers and mining operations. Patrick said, “We need to take a close look at those two industries. They produce very few jobs compared to the incredible demands they place on our grid.” Patrick added, “We want data centers, but it can’t be the wild, wild west of data centers and crypto miners crashing our grid and turning the lights off.”

dtau...@gmail.com

Jun 22, 2024, 5:47:33 PM
to sec-...@googlegroups.com

U.S. Bans Sales of Kaspersky Software over Russia Ties

The U.S. on Thursday announced plans to bar the sale of antivirus software made by Russia's Kaspersky Lab in the U.S. "Russia has shown it has the capacity and the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action," said Commerce Secretary Gina Raimondo. The new restrictions go into effect Sept. 29.
[ » Read full article ]

Reuters; Alexandra Alper (June 21, 2024)

 

Officials Query if Any Deaths Directly Linked to U.K. Hospital Hack

In the wake of the June 3 ransomware attack against U.K. lab services provider Synnovis, which resulted in major disruptions at hospitals and clinics in London, healthcare providers are being asked to report any deaths or serious harms tied to the incident. The cyberattack resulted in the delay of 800 planned operations and 700 outpatient appointments, blood shortages, and disruptions to pathology services. Many services have yet to be restored.

[ » Read full article *May Require Paid Registration ]

Bloomberg; Ryan Gallagher (June 19, 2024)

 

Cyberattacks Devastate Research Institutions

Hackers are increasingly targeting research institutions for cyberattacks. These cyberattacks, most involving ransomware, block access to data and programs, impacting student enrollment, delaying research projects, and taking a toll on researchers' mental health. Germany's Berlin Natural History Museum, the U.K.'s British Library and University of Manchester, Carnegie Mellon University, and Stanford University are among the institutions affected in recent years.
[ » Read full article ]

Nature; Diana Kwon (June 13, 2024)

 

Vermont Governor Vetoes Data Privacy Bill

Vermont’s Governor Phil Scott vetoed a data privacy bill that would have let residents file civil lawsuits against companies that break certain privacy rules. Scott said the legislation would have made Vermont “a national outlier and more hostile than any other state to many businesses and non-profits.” The legislation would have prohibited the sale of private, sensitive data. It also would have set limits on the amount of personal data companies can collect and use.
[ » Read full article ]

Associated Press; Lisa Rathke (June 14, 2024)

Daniel Tauritz

Jun 29, 2024, 9:48:13 AM
to sec-...@googlegroups.com

Security Loophole Affects Every Device, Internet Connection

Researchers at Austria's Graz University of Technology discovered a security vulnerability affecting every Internet connection and device. "SnailLoad" can bypass firewalls, VPNs, and other security tools to allow hackers to spy on anyone, without the need for malicious code or device access; instead, monitoring changes in Internet connection speeds allows hackers to obtain detailed information about users' online activity. The researchers said there is no easy way to fix this security issue.
[ » Read full article ]

Independent (U.K.); Andrew Griffin (June 24, 2024)

 

Indonesia Won't Pay $8-million Ransom After Cyberattack

The Indonesian government says it will not pay the $8-million ransom demanded by the hacking group that attacked its national data center. The services of more than 200 national and regional government agencies were disrupted by the June 20 cyberattack. Some, such as immigration services, have come back online, while others are being restored. PT Telkom Indonesia is collaborating with local and international authorities to break the encryption that blocked access to its data.
[ » Read full article ]

Associated Press; Niniek Karmini (June 25, 2024)

 

Passwords Weakened by Advancements in Computing Processing

A new report on password strength noted that advancements in computer processing power have made cracking passwords significantly easier. Kaspersky researchers said it took them less than one hour to crack 59% of 193 million passwords in a database obtained from the dark web. Eight-character passwords composed of same-case English letters and digits, a 36-character alphabet, were cracked within 17 seconds. The researchers used an Nvidia RTX 4090 GPU and different algorithms for their experiment.
[ » Read full article ]

TechRadar; Sead Fadilpasic (June 19, 2024)
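To make the reported figure usable for a password-policy check, here is an added Python example (not from the article or from Kaspersky) that derives the implied guess rate from the 36-symbol, 8-character, 17-second result and extrapolates the worst-case enumeration time to other password shapes; the policy threshold, character-class sizes and sample passwords are assumptions.

```python
"""Brute-force exposure estimate calibrated to the reported cracking figure.

Added example, not code from the article or Kaspersky.  Only the three
REPORTED_* values come from the article; everything else is an assumption.
Exhausting the keyspace is an upper bound: weak, leaked or reused passwords
fall far sooner via dictionaries and rules, so this is a floor for policy,
not a strength guarantee.
"""
import string

# Figures as reported in the article (TechRadar, June 19, 2024).
REPORTED_ALPHABET = 36      # one-case English letters + digits
REPORTED_LENGTH = 8
REPORTED_SECONDS = 17

# Assumed sizes of the ASCII character classes a password may draw from.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII symbols
}


def implied_guess_rate(alphabet=REPORTED_ALPHABET, length=REPORTED_LENGTH,
                       seconds=REPORTED_SECONDS):
    """Guesses per second needed to exhaust alphabet**length in `seconds`."""
    return alphabet ** length / seconds


def alphabet_size(password):
    """Size of the smallest class union that contains `password`.

    An attacker who knows the policy only enumerates those classes, so this
    is the realistic keyspace base rather than all 95 printable characters.
    """
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def exhaust_seconds(password, rate=None):
    """Worst-case seconds to enumerate every password of the same shape."""
    rate = implied_guess_rate() if rate is None else rate
    return alphabet_size(password) ** len(password) / rate


def meets_policy(password, min_seconds=10 * 365 * 24 * 3600, rate=None):
    """Assumed policy: the keyspace must outlast ten years at the reported rate."""
    return exhaust_seconds(password, rate) >= min_seconds


if __name__ == "__main__":
    # Constructed sample passwords; the first matches the article's shape.
    for pw in ("abcd1234", "Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(f"{pw!r:32} {exhaust_seconds(pw):.3g} s  ok={meets_policy(pw)}")
```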

 

Demand for Better Cybersecurity Fuels Job Market

The FBI's Internet Criminal Complaint Center has received an average of 758,000 complaints of cyberattacks per year over the past five years. The growing threat has created a booming job market for cybersecurity specialists. The Biden administration views the hundreds of thousands of cyber job vacancies as a national security issue.
[ » Read full article ]

The Washington Post; Fredrick Kunkle (June 21, 2024)

 

Verizon Screwup Caused 911 Outage in Six States

Verizon Wireless will pay a $1.05-million penalty to the U.S. Treasury in response to a 911 outage in December 2022. The Federal Communications Commission (FCC) said hundreds of 911 calls in Alabama, Florida, Georgia, North Carolina, South Carolina, and Tennessee failed to go through during the outage, which lasted nearly two hours. The outage was caused by "the reapplication of a known flawed security policy update file," according to an FCC consent decree.
[ » Read full article ]

Ars Technica; Jon Brodkin (June 25, 2024)

 

AI Recording Apps Stir Privacy, Efficacy Concerns In University Classrooms

Inside Higher Ed (6/24, Coffey) reports Georgetown University Law Center “announced last year it would be using Otter, an artificial intelligence-powered transcription service,” which is raising concerns about privacy, consent, and efficacy. The decision to replace human note-takers with Otter was met with resistance from students, including one who found the AI service “completely unworkable.” Professor Marc Watkins from the University of Mississippi highlighted that many faculty members are unaware of these AI devices being sold directly to students via social media. Questions are also being raised about the impact of AI transcription services on long-term learning. Despite these concerns, some students are embracing the technology as a helpful tool, while others are calling for universities to work with AI transcription companies to address these issues.

NYU Researchers Develop Grid Security Solutions

POWER (6/26, Proctor) reports that NYU’s Tandon School of Engineering is addressing grid security challenges through a project called DISCOVER. Led by professors Farshad Khorrami and Francisco de Leon, the project aims to create a digital twin to evaluate software and firmware updates before real-world implementation. The project, funded by a $4.8 million Department of Energy grant, highlights the importance of preventive cybersecurity in ensuring the resilience of the power grid. Khorrami emphasizes the need for robust cybersecurity systems to defend against malicious attacks.

Microsoft Notifies Additional Customers Their Emails Were Accessed By Russian Hackers

Bloomberg (6/27, Bleiberg, Bass, Subscription Publication) reports Microsoft is informing “additional customers that emails they exchanged with the technology giant were accessed by Russian hackers, a sign that a previously reported state-sponsored breach has had wider repercussions than initially thought.” In January, Microsoft had “disclosed that hackers had stolen senior leaders’ emails that they were using to try to break into customers’ communications, including those of government agencies,” blaming the “Midnight Blizzard” group believed linked to the Russian Foreign Intelligence Service.

dtau...@gmail.com

Jul 6, 2024, 8:16:51 PM
to sec-...@googlegroups.com

Nations Warn Key Open Source Programs Not Sufficiently Protected

The FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and their counterparts in Canada and Australia warn that many open source programs fail to protect against emerging and evolving threat actors. A CISA report found that 52% of 172 open source projects studied contained code written in a memory-unsafe language. The report found that 95% of Linux's code is memory-unsafe, compared with 93% for Tor, 84% for MySQL Server, and 51% for Chromium.
[ » Read full article ]

TechRadar; Craig Hale (June 27, 2024)

 

CDK Global Hack Shows Risk of One Software Vendor Dominating an Industry

The recent cyberattack on CDK Global, which provides software for most U.S. car dealerships, has raised concerns about individual software providers dominating an entire industry. A small number of niche software providers also dominate the airline, banking, and healthcare sectors. While depending on a single vendor can derail an entire industry in the event of a cyberattack or outage, expanding the number of software suppliers servicing a specific industry also provides new entry points for cyberattacks.

[ » Read full article *May Require Paid Registration ]

The Wall Street Journal; Belle Lin (June 29, 2024)

 

Universities Continue To Grapple With Cybersecurity Threats

Inside Higher Ed (7/1, Coffey) reports in 2023, “a data breach hit dozens of institutions across the nation,” and nearly a year later, “those breaches are still occurring. MOVEit, a software product used by several universities and related organizations for file transfers, announced Friday that it had found new vulnerabilities that could lead to further security problems.” Higher education institutions “are now markedly more prepared than they were last year, according to several cybersecurity experts who have seen institutions invest more time and money into safety measures.” An Inside Higher Ed survey last fall “found that 82 percent of CIOs said they were ‘moderately,’ ‘very’ or ‘extremely’ confident that their institution’s cybersecurity practices could prevent ransomware attacks – up from 73 percent in 2022.” Software company Malwarebytes called 2023 “the worst ransomware year on record for education,” noting a “70 percent increase in reported attacks.”

YouTube Updates AI Content Takedown Policy

TechCrunch (7/1, Perez) reports YouTube quietly updated its policy in June, allowing individuals to request the removal of AI-generated content that simulates their face or voice as a privacy violation. The policy requires first-party claims and includes exceptions. YouTube will review complaints based on several factors and give uploaders 48 hours to respond. The policy change, part of YouTube’s responsible AI agenda, was not widely advertised.

California Considers AI Regulation Bill

The AP (7/2) reports California lawmakers are considering a bill that would require AI companies to implement safety measures to prevent potential threats, such as wiping out the electric grid or aiding in chemical weapons development. The bill, authored by Democratic state Sen. Scott Wiener, aims to set safety standards for AI models costing over $100 million to train. Meta VP and Deputy Chief Privacy Officer Rob Sherman said, “The bill will make the AI ecosystem less safe, jeopardize open-source models relied on by startups and small businesses, rely on standards that do not exist, and introduce regulatory fragmentation.” The proposal could also drive companies out of state and create a new state agency to oversee AI developers.

Los Angeles Unified’s AI Chatbot Project Faces Setbacks

The New York Times (7/1, Goldstein) reports AI platform Ed, developed by AllHere, was supposed to be an “educational friend” to “half a million students in Los Angeles public schools,” aimed to assist students with academic and mental health resources. Superintendent Alberto Carvalho had high hopes for Ed, promising that it would “democratize” and “transform education.” However, two months after Carvalho’s April speech promoting the software, AllHere’s founder left, and the company furloughed most staff due to financial issues. Despite the setbacks, a simplified version of Ed remains available in 100 priority schools. The district’s goal “is for the chatbot to be available in September,” pending AllHere’s acquisition. Anthony Aguilar, chief of special education for the district, noted Ed was part of Carvalho’s plan to address post-pandemic educational challenges.

The Seventy Four (7/1, Keierleber) reports as the eight-year-old startup “rolled out Los Angeles Unified School District’s flashy new AI-driven chatbot,” a former company executive “was sending emails to the district and others that Ed’s workings violated bedrock student data privacy principles. Those emails were sent shortly before The 74 first reported last week that AllHere, with $12 million in investor capital, was in serious straits.” A former senior director of software engineering at AllHere “who was laid off in April” told “district officials, its independent inspector general’s office and state education officials that the tool processed student records in ways that likely ran afoul of L.A. Unified’s own data privacy rules and put sensitive information at risk of getting hacked.”

Undisclosed Hack Of OpenAI Sparked Internal Fears Of Vulnerability To China

The New York Times