Dr. T's security brief
dtau...@gmail.com
Experts Call for Rigorous Audit to Protect California Recall
Associated Press
Christina A. Cassidy; Kate Brumback
September 3, 2021
Election security experts, including computer scientists and cybersecurity researchers, have sent a letter to California's Secretary of State calling for an audit of the state’s Sept. 14 gubernatorial recall election following the public distribution of Dominion Voting Systems' election management system. The letter stated that "the release of the Dominion software into the wild has increased the risk to the security of California elections to the point that emergency action is warranted." The experts want California counties using the Dominion system to perform a "risk-limiting audit," which employs a statistical approach to ensure reported results and actual votes cast match up. University of Michigan's J. Alex Halderman said even voters now have sufficient physical access to voting systems to implant malware. Said Halderman, "It's just really multiplied the number of people who are in a position to do harm to our elections by a very large factor."
AWS Researcher Merges 2 Quantum Computers to Help Make Cryptography Keys Stronger
ZDNet
Daphne Leprince-Ringuet
September 3, 2021
Amazon Web Services' Mario Berta combined the capabilities of two quantum computers in order to generate truly random numbers to strengthen cryptographic keys. Berta merged quantum processors from Rigetti and IonQ to exploit quantum particles' state of superposition, and the phenomenon that an equal number of quantum bits can yield a string of bits with an equal number of random values. The processors generate two independent bit strings that are processed by a randomness extractor (RE) algorithm to combine multiple weakly random bit sources into one nearly perfect random string.
Popular Smart Home Security System Can Be Remotely Disarmed
TechCrunch
Zack Whittaker
August 31, 2021
Researchers at cybersecurity company Rapid7 found vulnerabilities that can be used to remotely disarm the Fortress S03 smart home security system. The Wi-Fi-based system allows owners to monitor their homes with a mobile application via Internet-linked cameras, motion sensors, and sirens, and to arm or disarm it with a radio-controlled key fob. The researchers said hackers can remotely query an unauthenticated application programming interface without the server checking the request's legitimacy; the server would return the device's unique International Mobile Equipment Identity number, which could be used to disarm the system. In addition, intercepting unencrypted radio signals between the S03 and the key fob could permit the "arm" and "disarm" signals to be captured and replayed. Rapid7 informed Fortress of the flaws, then publicly disclosed them when the company did not respond after three months; a law firm representing Fortress called the claims of vulnerabilities in the S03 system "false, purposely misleading, and defamatory," without specifying why they are false, or that Fortress has fixed the vulnerabilities.
Imaginary Numbers Protect AI from Very Real Threats
Duke University Pratt School of Engineering
Ken Kingery
August 31, 2021
Computer engineers at Duke University have shown that numbers with both real and imaginary components can be critical in securing artificial intelligence algorithms against threats while preserving efficiency. Including just two complex-valued layers among hundreds if not thousands of training iterations offers sufficient protection. For example, using complex numbers with imaginary components can instill additional flexibility for adjusting internal parameters within a neural network being trained on a set of images. Duke's Eric Yeats said, "The complex-valued neural networks have the potential for a more 'terraced' or 'plateaued' landscape to explore. And elevation change lets the neural network conceive more complex things, which means it can identify more objects with more precision." This enables gradient-regularization neural networks using complex numbers to arrive at solutions just as quickly as those lacking the extra security.
Researchers, Cybersecurity Agency Urge Action by Microsoft Cloud Database Users
Reuters
Joseph Menn
August 29, 2021
Researchers at cloud security company Wiz have urged all users of Microsoft's Azure cloud platform to change their digital access keys to the Cosmos DB database system. The team reported that attackers could exploit a vulnerability to access the primary digital keys for most database users and steal, change, or delete millions of records. Microsoft patched the flaw and advised some customers to change their keys, although it found no evidence of exploitation. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency recently issued a bulletin urging all Azure Cosmos DB customers to change their certificate key.
Have You Really Deleted Your Personal Data From Your Device When You Dispose of It?
University of Waterloo Cheriton School of Computer Science (Canada)
August 27, 2021
Many users leave sensitive personal information on their electronic devices when discarding them, according to scientists at Canada's University of Guelph (U of G) and University of Waterloo. The researchers polled and interviewed 166 people, and learned that just 62% of those who sold, donated, recycled, or returned their electronics to the manufacturer deleted their data via a secure factory reset. Another 25% used insecure techniques like moving files to the recycle bin or trash can and emptying it, while 8% did not even try to remove their personal data. U of G's Hassan Khan said, "When we manually delete a file, the file is still there. Only the record for how to access the file is deleted." Khan suggested device manufacturers should use artificial intelligence methods to detect when users are disposing of their devices, and guide them through proper erasure procedures.
Tech Companies Pledge Billions in Cybersecurity Investments
Associated Press
Eric Tucker
August 26, 2021
The White House announced that following a private meeting between President Joe Biden and top technology executives, some leading tech companies have committed to billions of dollars in investments to boost cybersecurity defenses and train skilled workers. Google plans to invest $10 billion over the next five years to secure the software supply chain and expand zero-trust programs, while Microsoft pledged $20 billion in investment over the next five years in addition to plans to make $150 million in technical services available to local governments for upgrading their cybersecurity. IBM will train 150,000 people in cybersecurity over three years, and Apple plans develop a program to enhance the technology supply chain.
38 Million Records Were Exposed Online—Including Contact-Tracing Info
Wired
Lily Hay Newman
August 23, 2021
Over 1,000 Web applications mistakenly exposed 38 million records online that included sensitive information. Analysts at security firm Upguard traced the leak to a flaw in Microsoft's Power Apps development platform, where the data was stored. Power Apps is designed to ease the generation of Web or mobile apps for outside use, and manages internal databases and supplies ready-made application programming interfaces (APIs). The researchers learned the platform automatically rendered data publicly accessible when enabling APIs. Organizations affected by the data exposure included American Airlines, the Maryland Department of Health, and the New York City Metropolitan Transportation Authority; none of the data is known to have been compromised, and Microsoft has fixed the flaw.
BlackBerry Resisted Announcing Major Flaw in Software Powering Cars, Hospital Equipment
Politico
Betsy Woodruff Swan; Eric Geller
August 17, 2021
BlackBerry has announced that a vulnerability in its old but still widely used operating system, QNX, that could allow hackers to cripple devices ranging from cars to critical hospital and factory equipment. The vulnerability was reported by security researchers at Microsoft in April, and many companies whose operating systems and software contained the vulnerability publicly disclosed it in May, in conjunction with the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Sources say BlackBerry initially denied the BadAlloc vulnerability affected its products, then sought to warn its direct customers privately. Said David Wheeler of George Mason University, “BlackBerry cannot possibly fully understand the impact of a vulnerability in all cases. We need to focus on helping people understand the software components within their systems, and help them update in a more timely way.”
Emerging Space Industry Could Be Target For Cyberattacks
Vox 
(7/29) reports some cybersecurity experts are warning that the emerging private space industry could be “a giant target for hackers.” Federal lawmakers and agencies have acted “to address the impending threat of cyberattacks on space systems.” The Federal Aviation Administration “helped create the Space Information Sharing Analysis Center (Space ISAC), a collaboration that coordinates with companies across the space industry to share information about potential threats and attacks to their cybersecurity.” Erin Miller, Space ISAC’s executive director, said, “Infrastructure that is distributed globally means that there’s a very broad attack surface. We need to be building in and designing cybersecurity capabilities into every single one of our space systems.”
University Of Virginia Engineering Research Finds Security Flaw In Computer Microchips
The Charlottesville (VA) Daily Progress (7/25, McKenzie) reports that “a computer microchip feature that boosts a processor’s speed also could give away secrets, including passwords, to the right hacker, a University of Virginia engineering school research team has discovered.” Led by Ashish Venkat, “an assistant professor of computer science, the researchers found a way to attack modern computer processors that use speculative execution to increase the speed of microchips and processors.” Speculative execution “allows the processor to predict which instructions it likely will be asked to execute and prepares by pulling instructive code from memory.” The pulling “of the information, however, could be manipulated by hackers to access information from the processor and the system.” The vulnerability “is in the processor’s micro-op cache, a collection of instructions from which the processor can choose when predicting what the next command will be. The process makes computing quicker.”
Virginia Tech Targeted In Ransomware Attacks
The Roanoke (VA) Times (7/16, Friedenberger) reported that Virginia Tech “was the target of two cyberattacks recently, but the university does not believe that data was stolen or taken.” The university “was one of over potentially 1,000 businesses affected by a ransomware attack earlier this month that was centered on U.S. information technology firm Kaseya, which provides software tools to IT outsourcing shops.” Virginia Tech spokesman Mark Owczarski “said Friday a few university units use Kaseya, a Miami-based company that provides software tools to IT outsourcing shops.” He “said the malware the hackers pushed out to Kaseya customers could have exposed Virginia Tech student data, but the university found no evidence that happened.”
State Department To Offer $10 Million To Identify Threat Actors In State-Sanctions Cyberattacks
The AP (7/15, Bajak) reports that the Department of State “will offer rewards up to $10 million for information leading to the identification of anyone engaged in foreign state-sanctioned malicious cyber activity, including ransomware attacks, against critical U.S. infrastructure.” In addition, “A task force set up by the White House will coordinate efforts to stem the ransomware scourge.” In “another move Thursday, the Treasury Department’s Financial Crimes Enforcement Network will work with banks, technology companies and others on better anti-money-laundering efforts for cryptocurrency and more rapid tracing of ransomware proceeds, which are paid in virtual currency.” However, Bloomberg (7/15, Jacobs, House) reports that “some members of Congress who took part in a briefing with Deputy National Security Adviser Anne Neuberger on Wednesday said they were less than impressed. One lawmaker, who was granted anonymity to discuss the briefing, said there was no discussion of a new government entity to lead the counterattack against ransomware operatives and that much of the discussion focused on defense – of businesses and critical infrastructure.”
Google CEO Sundar Pichai Addresses Internet Freedom, Taxes, And Privacy
Phone Arena (7/12, Petrova) reports that Google CEO Sundar Pichai discussed “important matters in the tech world” in an interview with the BBC. He commented on “internet freedom, taxes paid by Google, and the next big things in technology that we might expect, specifically, focusing on AI and quantum computing.” Pichai “stated that privacy is a foundation to everything Google does and that privacy is a fundamental human right.” He focused on AI and quantum computing when asked about “what to expect from the evolution of tech,” saying that “AI is a profound technology, even more profound than the discovery of fire and electricity, or the internet” and quantum computing “is bound to open up an entirely new range of solutions for future development.”
Experts Discuss Kaseya Ransomware Attack
The Guardian (UK) (7/6) reported that “hackers last week infiltrated a Florida-based information technology firm and deployed a ransomware attack, seizing troves of data and demanding $70m in payment for its return.” The hack of the Kaseya firm, “which is already being called ‘the biggest ransomware attack on record,’ has affected hundreds of businesses globally, including supermarkets in Sweden and schools in New Zealand.” This hack “was particularly egregious because the bad actors behind it had targeted the very systems typically used to protect customers from malicious software, said Doug Schmidt, a professor of computer science at Vanderbilt University.” Said Schmidt, “This is very scary for a lot of reasons – it’s a totally different type of attack than what we have seen before. If you can attack someone through a trusted channel, it’s incredibly pervasive – it’s going to ricochet way beyond the wildest dreams of the perpetrator.”