Dr. T's security brief


dtau...@gmail.com

Jun 19, 2023, 4:25:07 PM
to sec-...@googlegroups.com

Georgia Won't Update Dominion Software Until After 2024 Election
CNN
Zachary Cohen; Sean Lyngaas
June 14, 2023


A two-year-old report unsealed this week as part of a lawsuit in Georgia indicates state election officials will not update flawed voting software until after 2024, claiming it is safe despite federal recommendations for upgrades. The report highlights vulnerabilities for certain Dominion Voting machines previously confirmed by federal cybersecurity officials. Georgia election officials say it is highly improbable that malefactors will exploit the flaws, and they have already followed some security recommendations without updating the software. Report author Alex Halderman at the University of Michigan warned not correcting the flaws until 2025 is "worse than doing nothing, since it puts would-be adversaries on notice that the state will conduct the presidential election with this particular version of software with known vulnerabilities, giving them nearly 18 months to prepare and deploy attacks."

Full Article

 

 

JPL Creates PDF Archive to Aid Malware Research
Jet Propulsion Laboratory
June 14, 2023


Data scientists at the U.S. National Aeronautics and Space Administration's Jet Propulsion Laboratory (JPL) have compiled 8 million Portable Document Format (PDF) files into an open source archive for enhancing online security. The corpus is part of the Defense Advanced Research Projects Agency's Safe Documents program. Experts can look through this archive for malware concealed within the files' code, to help predict emerging online threats and to improve PDF technology. The researchers identified the PDFs for inclusion using Common Crawl, a public repository of web-crawl data, while specialized software re-fetched truncated files. The approximately 8-terabyte dataset is the largest publicly available corpus of its type.

Full Article

 

 

Renault-Led Concept Car Offers Cyberattack Protection
Bloomberg
Benoit Berthelot
June 14, 2023


French automaker Renault partnered with five French companies to deliver a concept car that features advanced biometry, energy efficiency, and cybersecurity protection. Renault and chipmaker STMicroelectronics, software developer Dassault Systemes, telecom carrier Orange, defense firm Thales, and information technology provider Atos developed the H1st Vision concept's various innovations. Features include electricity-saving vehicle-to-grid bidirectional technology; a "detect and response" cybersecurity system linked to a response center; sensors in the steering wheel that can analyze the driver's mood and health; and biometric detection of the driver's silhouette and face when they approach the vehicle. The Software République consortium said these innovations would be available in the Renault 5 model, which should go on sale next year.

Full Article

*May Require Paid Registration

 

 

Hackers Can Steal Cryptographic Keys by Video-Recording Power LEDs
Ars Technica
Dan Goodin
June 13, 2023


Researchers at Cornell Tech's Urban Tech Hub and the Cyber Security Research Center at Israel's Ben-Gurion University of the Negev demonstrated side-channel attacks that video-record the power light emitting diodes (LEDs) of smart card readers and smartphones. One such attack uses an Internet-connected surveillance camera to capture high-speed video of the power LEDs on a smart card reader or an attached peripheral during cryptographic operations. The researchers were able to extract a 256-bit Elliptic Curve Digital Signature Algorithm key from the same government-approved smart card used in the Minerva side-channel attack. A second exploit recovered a Samsung Galaxy S8 phone's private Supersingular Isogeny Key Encapsulation key by focusing an iPhone 13's camera on the power LED of a Universal Serial Bus speaker linked to the handset.

Full Article

 

 

Nvidia's AI Software Tricked into Leaking Data
Financial Times
Mehul Srivastava; Cristina Criddle
June 9, 2023


At San Francisco-based Robust Intelligence, researchers found the "NeMo Framework" in Nvidia's artificial intelligence software can be manipulated into leaking private data. The framework enables developers to work with an array of large language models. The researchers were able to prompt language models to bypass safety guardrails. Instructing the system to swap the letter "I" with "J," for instance, triggered the release of personally identifiable information from a database. They also replicated Nvidia's example of a narrow discussion about a jobs report to get the model to shift to topics beyond the specific subjects set forth in the system's guardrails. Said Robust Intelligence's Yaron Singer, also a computer science professor at Harvard University, "These findings represent a cautionary tale about the pitfalls that exist."

Full Article

*May Require Paid Registration

 

 

Singapore Plans Nationwide Network to Protect Against Future Quantum Threats
The Straits Times (Singapore)
Osmond Chia; Anne Chan Min
June 6, 2023


Telecommunication companies in Singapore have partnered with the Infocomm Media Development Authority (IMDA), a part of the Singapore Ministry of Communications and Information, to overhaul existing fiber networks to enable them to protect themselves, and the companies with which they do business, from future quantum computer attacks. IMDA indicated that approved telecom service providers will construct a nationwide quantum-resistant network to protect connected businesses under the National Quantum-Safe Network Plus program. The network will soon become available to critical infrastructure like hospitals and banks, so they don’t need to build their own networks.

Full Article

 

 

Secure Information Transfer Using Spatial Correlations in Quantum Entangled Beams of Light
University of Oklahoma
Chelsea Julian
June 5, 2023


A study led by University of Oklahoma (OU) researchers demonstrated that spatial correlations in quantum entangled beams of light can be used to encode information and transmit it securely. They accomplished this using two entangled beams of light, which achieve stronger correlations than classical light and maintain their interconnectedness regardless of their distance apart. The researchers transferred spatial patterns from one optical field to two new optical fields produced via four-wave mixing, a quantum mechanical process. OU's Gaurav Nirala explained, "The encoded spatial pattern can be retrieved solely by joint measurements of generated fields."

Full Article

 

 

Microsoft Finds macOS Bug That Lets Hackers Bypass SIP Root Restrictions
BleepingComputer
Sergiu Gatlan
May 30, 2023


Apple has patched a vulnerability discovered by Microsoft security researchers, dubbed Migraine, that would have allowed attackers with root privileges to install "undeletable" malware and access the victim's private data. The researchers said, "By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP [System Integrity Protection] checks." Bypassing SIP also would allow attackers to circumvent Transparency, Consent, and Control (TCC) policies to gain access to the victim's private data. The vulnerability was patched in Apple's May 18 security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7.
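Two checks a Mac administrator would want after reading this item: whether a given build is at or past the fixed releases the article names, and which Apple-signed binaries on a host carry the com.apple.rootless.install.heritable entitlement that the researchers focused on. The Python below is an added example, not Microsoft's, Apple's, or the article's own code. The fixed version numbers are the article's; the `codesign -d --entitlements - --xml` invocation is assumed to be the current syntax for dumping entitlements as a plist, and the sample entitlement plists are constructed for illustration.

```python
import plistlib
import subprocess

# Releases that carried the fix, as named in the article (Apple's May 18, 2023
# updates), keyed by major version. Majors not listed are reported as "unknown"
# rather than guessed.
FIXED_VERSIONS = {13: (13, 4), 12: (12, 6, 6), 11: (11, 7, 7)}

# The entitlement the researchers focused on: children of processes holding it
# inherit SIP-bypassing privileges, so an inventory of such binaries is useful.
HERITABLE_ENTITLEMENT = "com.apple.rootless.install.heritable"


def parse_version(version):
    """'13.3.1' -> (13, 3, 1). Tuples compare element-wise, so (13, 3, 1) < (13, 4)."""
    return tuple(int(p) for p in version.strip().split("."))


def migraine_status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a macOS productVersion string."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(parts[0])
    if fixed is None:
        return "unknown"
    return "patched" if parts >= fixed else "vulnerable"


def has_heritable_entitlement(plist_xml):
    """True if an entitlements plist (XML bytes) grants the heritable SIP entitlement."""
    try:
        entitlements = plistlib.loads(plist_xml)
    except plistlib.InvalidFileException:
        return False
    return bool(entitlements.get(HERITABLE_ENTITLEMENT, False))


def audit_binary(path):
    """Dump a binary's entitlements with codesign (assumed macOS 12+ syntax) and
    report whether the heritable entitlement is present. Returns None where
    codesign is not available (i.e. off macOS)."""
    try:
        proc = subprocess.run(
            ["codesign", "-d", "--entitlements", "-", "--xml", path],
            capture_output=True, check=False,
        )
    except FileNotFoundError:
        return None
    return has_heritable_entitlement(proc.stdout)


# Constructed sample entitlement plists; not taken from any real Apple binary.
SAMPLE_WITH_ENTITLEMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
</dict>
</plist>
"""

SAMPLE_WITHOUT_ENTITLEMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    import platform

    mac_version = platform.mac_ver()[0]  # empty string on non-macOS hosts
    if mac_version:
        print(f"macOS {mac_version}: {migraine_status(mac_version)}")
    print("sample grants heritable entitlement:",
          has_heritable_entitlement(SAMPLE_WITH_ENTITLEMENT))
```

On a Mac, `audit_binary("/path/to/binary")` can be run across the contents of `/System` or `/usr/libexec` to list which Apple-signed programs hold the entitlement; on any host the version gate alone tells you whether a fleet inventory entry is at or past the fixed release.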

Full Article

 

 

Fitness App Loophole Allows Access to Home Addresses
North Carolina State University
Matt Shipman
June 7, 2023


North Carolina State University (NC State) researchers found a loophole in the Strava mobile fitness-tracking application that permits anyone to find personal information about certain users, including their home addresses. NC State's Anupam Das said the loophole lies in the app's heatmap feature, which aggregates anonymized data so users can see how many others exercise in a given area. The researchers determined that by studying the heatmap's aggregate data, anyone can look up all Strava users in a given area, as well as where their fitness routes start and end. Kevin Childs, formerly of NC State, said the researchers contacted Strava about the loophole and were told the app “does not share heatmap data unless several users are active in a given area.”
 

Full Article

 

 

Framework Reduces Consumers' Privacy Risk, Preserves Advertisers' Utility
Carnegie Mellon University Heinz College News
June 1, 2023


A team of researchers at Carnegie Mellon University (CMU), the University of Virginia, and New York University developed and tested a machine learning-based framework to measure and reduce consumers' individual privacy risk while retaining advertisers' utility. The framework uses a flexible obfuscation scheme to conceal a subset of locations visited by consumers based on personalized suppression parameters commensurate with their risk level, while also factoring in differing types and levels of risks and utilities. The researchers validated their framework through analysis of 1 million trajectories (travel paths) produced by 40,000 consumers in a major U.S. metropolitan area, in partnership with a leading data aggregator that combines location data across more than 400 popular mobile applications. Said Meghanath Macha, who led the study, “Our framework fills a critical void and offers an important tool for the privacy-aware practices of big data location-based applications and services, providing a balance between privacy risks and data utilities.”
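The Strava item above describes an aggregate heatmap that still pins route endpoints to individuals when too few people share a cell, and the CMU framework suppresses a subset of each consumer's locations using personalized parameters tied to their risk. The Python below is an added example that sketches both ideas on one constructed dataset; it is not code from either study, and the five-user trajectories, the uniqueness-based risk score, and the linear risk-to-threshold mapping are all assumptions chosen for illustration. It shows why a heatmap needs a minimum-user threshold, scores each user's exposure, and drops that user's sparsely visited cells while reporting how much of the trajectory survives as a crude utility measure.

```python
from collections import Counter, defaultdict

# Constructed sample: each user's trajectory is the ordered list of grid cells it
# passed through. "h*" cells are visited by one person only (think: a home);
# "p*" cells are shared (a park loop). u5 starts and ends on shared cells.
TRAJECTORIES = {
    "u1": ["h1", "p1", "p2", "p3", "p2", "p1", "h1"],
    "u2": ["h2", "p1", "p2", "p3", "p2", "p1", "h2"],
    "u3": ["h3", "p2", "p3", "p2", "h3"],
    "u4": ["h4", "p1", "p2", "p1", "h4"],
    "u5": ["p1", "p2", "p3"],
}


def visitors_per_cell(trajectories):
    """Map each cell to the set of distinct users who visited it."""
    visitors = defaultdict(set)
    for user, cells in trajectories.items():
        for cell in cells:
            visitors[cell].add(user)
    return visitors


def aggregate_heatmap(trajectories, k):
    """Publish a visit count only for cells seen by at least k distinct users.
    k=1 publishes everything; a higher k suppresses sparse (identifying) cells."""
    visitors = visitors_per_cell(trajectories)
    counts = Counter(cell for cells in trajectories.values() for cell in cells)
    return {cell: n for cell, n in counts.items() if len(visitors[cell]) >= k}


def exposed_endpoints(trajectories, k):
    """Users whose route start or end is a published cell that only they visit,
    i.e. the heatmap ties that endpoint to a single person."""
    published = aggregate_heatmap(trajectories, k)
    visitors = visitors_per_cell(trajectories)
    exposed = set()
    for user, cells in trajectories.items():
        for end in (cells[0], cells[-1]):
            if end in published and visitors[end] == {user}:
                exposed.add(user)
    return sorted(exposed)


def user_risk(user, trajectories):
    """Share of a user's distinct cells that nobody else visits (0.0 .. 1.0)."""
    visitors = visitors_per_cell(trajectories)
    own = set(trajectories[user])
    unique = {c for c in own if visitors[c] == {user}}
    return len(unique) / len(own)


def suppression_threshold(risk, base_k=2, max_k=6):
    """Personalized suppression parameter: riskier users get a stricter
    minimum-visitor threshold for the cells they are allowed to keep."""
    return base_k + round(risk * (max_k - base_k))


def obfuscate(user, trajectories, base_k=2, max_k=6):
    """Drop the user's cells whose visitor count falls below their threshold."""
    visitors = visitors_per_cell(trajectories)
    k_user = suppression_threshold(user_risk(user, trajectories), base_k, max_k)
    return [c for c in trajectories[user] if len(visitors[c]) >= k_user]


def retained_fraction(user, trajectories):
    """Crude utility measure: share of the trajectory that survives obfuscation."""
    return len(obfuscate(user, trajectories)) / len(trajectories[user])


if __name__ == "__main__":
    for k in (1, 2):
        print(f"k={k}: published={sorted(aggregate_heatmap(TRAJECTORIES, k))} "
              f"exposed={exposed_endpoints(TRAJECTORIES, k)}")
    for user in TRAJECTORIES:
        print(user, f"risk={user_risk(user, TRAJECTORIES):.2f}",
              f"kept={obfuscate(user, TRAJECTORIES)}",
              f"utility={retained_fraction(user, TRAJECTORIES):.2f}")
```

With k=1 every unique endpoint cell is published and four of the five users can be tied to their start/end cell; with k=2 the sparse cells vanish and no endpoint is attributable, while the shared park cells keep their counts. The per-user step keeps full trajectories for users who only touch shared cells and trims the identifying cells from users whose routes begin at a cell nobody else visits.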

Full Article

 

Amazon To Pay $30M In Settlement With FTC Over Alexa, Ring Privacy Violations

The AP (5/31, McKinnon) reports Amazon “will pay more than $30 million to settle alleged privacy violations involving its voice assistant Alexa and its doorbell camera Ring.” The AP explains, “The Federal Trade Commission voted to file charges in two separate cases Wednesday that could also force the company to delete certain data collected by its popular internet-connected devices. In the Alexa case, the FTC said Amazon had deceived users of the voice assistance service for years. It retained children’s recordings indefinitely unless a parent requested the information be deleted, the agency said, and even when it deleted those recordings, Amazon often kept the transcripts.” Reuters (5/31, Bartz) reports the agency also revealed a former Ring employee “spied for months on female customers in 2017 with cameras placed in bedrooms and bathrooms.” Reuters says the settlements in the cases “are the agency’s latest effort to hold Big Tech accountable for policies critics say place profits from data collection ahead of privacy.”

The Wall Street Journal (5/31, McKinnon, Subscription Publication) provides similar coverage.

Mercer University Faces Three Class-Action Lawsuits Over Data Breach

Higher Ed Dive (6/6, Schwartz) reports Mercer University was “recently hit with at least three newly filed class action lawsuits over a data breach, with plaintiffs alleging that the Georgia college failed to safeguard their personal data.” One plaintiff is a “former law student at Mercer, while another is a professor at Yale School of Medicine who taught a course at Mercer in 2016 and 2018. Another, a former student who stayed anonymous over privacy concerns, said he suffered from fraudulent credit card charges after the data breach.” None of the lawsuits, “which contend more than 93,000 people were caught up in the data breach, have been certified as class actions yet. They all allege that Mercer improperly delayed informing affected individuals and failed to have adequate cybersecurity defenses.”

FBI Warns AI Software Being Employed For “Sextortion,” Harassment

Reuters (6/7, Satter) reports the FBI has warned Americans “that criminals are increasingly using artificial intelligence to create sexually explicit images to intimidate and extort victims.” In an alert circulated “this week, the bureau said it had recently observed an uptick in extortion victims saying they had been targeted using doctored versions of innocent images taken from online posts, private messages or video chats.” The Bureau noted that in some cases children have been targeted.

Democratic Lawmakers Voice Concerns Over Twitter’s Data Security

The Hill (6/8, Klar, Kagubare) reports, “A group of Democratic senators sent a letter to Twitter last week raising concerns that recent resignations of top data security executives could put consumer privacy and data security in jeopardy and potentially violate a 2022 consent decree with the Federal Trade Commission.” The letter comes after “the recent resignation of Twitter’s head of trust and safety, Ella Irwin, and the company’s head of brand safety and advertising quality, A.J. Brown. Irwin, who oversaw content moderation, took the role last fall after Twitter’s former head of trust and safety Yoel Roth resigned amid Elon Musk’s chaotic acquisition of the company.”
