Dr. T's security brief


Daniel Tauritz

May 22, 2021, 9:24:29 AM5/22/21
to sec-...@googlegroups.com

SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
The Wall Street Journal
James Rundle
April 26, 2021


At an April 22 virtual event hosted by Cyber Education Institute LLC's Billington Cybersecurity unit, U.S. Department of Defense's John Sherman said the public and private sectors should adopt zero-trust models that constantly verify whether a device, user, or program should be able to do what it is asking to do. Ericom Software Ltd.'s Chase Cunningham said, "No one who actually understands zero trust says abandon the perimeter. But the reality of it is that you need to understand your perimeter's probably already compromised, especially when you're in a remote space." Carnegie Mellon University's Gregory Touhill stressed that zero trust is not a technology but a strategy, and "we've got too many folks in industry that are trying to peddle themselves as zero-trust vendors selling the same stuff that wasn't good enough the first time."

Full Article

*May Require Paid Registration

Researchers Say Changing Simple iPhone Setting Fixes Long-Standing Privacy Bug
USA Today
Mike Snider
April 24, 2021


Scammers could exploit a bug in iPhones and MacBooks' AirDrop feature to access owners' email and phone numbers, according to researchers at Germany's Technical University of Darmstadt (TU Darmstadt). AirDrop allows users with both Bluetooth and Wi-Fi activated to discover nearby Apple devices, and share documents and other files; however, strangers in range of such devices can extract emails and phone numbers when users open AirDrop, because the function checks such data against the other user's address book during the authentication process. The researchers said they alerted Apple to the vulnerability nearly two years ago, but the company "has neither acknowledged the problem nor indicated that they are working on a solution." They recommend that users disable AirDrop and not open the sharing menu, activating the function only when file sharing is needed and deactivating it when done.

Full Article


Multiple Agencies Breached by Hackers Using Pulse Secure Vulnerabilities
The Hill
Maggie Miller
April 20, 2021


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said hackers had infiltrated federal agencies and other critical organizations by exploiting flaws in products from Utah-based software company Ivanti Pulse Connect Secure (PCS). The CISA alert followed cybersecurity group FireEye's Mandiant Solutions' publication of a blog post attributing some breaches to a Chinese state-sponsored hacking group and another Chinese advanced persistent threat group. CISA said that hackers had installed webshells in PCS products, which enabled them to circumvent security features. The agency said Ivanti was developing a patch, adding that it "strongly encouraged" all users to update to the latest version of the software and to look for signs of breaches. CISA issued an emergency directive requiring that all federal agencies evaluate how many PCS products they and third-party organizations used, and update them by April 23.

Full Article


Apple Targeted in $50-Million Ransomware Hack of Supplier Quanta
Bloomberg
Kartikay Mehrotra
April 21, 2021


Taiwan-based Apple contract manufacturer Quanta Computer suffered a ransomware attack apparently by Russian operator REvil, which claimed to have stolen the blueprints of Apple's latest products. A user on the cybercrime forum XSS posted Sunday that REvil was about to declare its "largest attack ever," according to an anonymous source. REvil named Quanta its latest victim on its "Happy Blog" site, claiming it had waited to publicize the breach until Apple's latest product launch because Quanta had refused to pay its ransom demands. By the time the launch ended, REvil had posted schematics for a new laptop, including the workings of what seems to be a MacBook designed as recently as March.

Full Article


Researchers Uncover Advertising Scam Targeting Streaming-TV Apps
The Wall Street Journal
Patience Haggin; Jeff Horwitz
April 21, 2021


Nearly 1 million mobile devices were infected with malware that emulated streaming-TV applications and collected revenue from unwitting advertisers, according to researchers at cybersecurity firm Human Security. The researchers said the orchestrators of this so-called "Pareto" scheme spoofed an average of 650 million ad placement opportunities daily in online ad exchanges, stealing money intended for apps available on streaming-TV platforms run by Roku, Amazon.com, Apple, and Google. The creator of 29 apps underpinning the fraud was identified as TopTop Media, a subsidiary of Israel-based M51 Group. The analysts said the operation could be thwarted if digital ad companies strictly followed industry guidance for tracking the origins of traffic and deployed certain security measures. Human Security's Michael McNally said, "Measurement and security companies will just play whack-a-mole, as long as the industry hasn't upgraded to better defenses."

Full Article

*May Require Paid Registration


Amazon Bringing Palm-Scanning Payment System to Whole Foods Stores
CNBC
Annie Palmer
April 21, 2021


Amazon's palm-scanning payment system will be rolled out to a Whole Foods store in Seattle's Capitol Hill neighborhood before expanding to seven other Whole Foods stores in the area in the coming months. About a dozen Amazon physical stores already offer the Amazon One payment system, which allows shoppers who have linked a credit card to their palm print to pay for items by holding their palm over a scanning device. Amazon says the palm-scanning system is "highly secure" and more private than facial recognition and other biometric systems. The company says thousands of people have signed up to use the system at the Amazon stores.

Full Article


A Growing Problem of 'Deepfake Geography': How AI Falsifies Satellite Images
University of Washington
Kim Eckart
April 21, 2021


Researchers at the University of Washington (UW), Oregon State University, and Binghamton University used satellite photos of three cities and manipulation of video and audio files to identify new methods of detecting deepfake satellite images. The team used an artificial intelligence framework that can infer the characteristics of satellite images from an urban area, then produce deepfakes by feeding the characteristics of the learned satellite image properties onto a different base map. The researchers combined maps and satellite imagery from Tacoma, WA, Seattle, and Beijing to compare features and generate deepfakes of Tacoma, based on the characteristics of the other cities. UW's Bo Zhao said, "This study aims to encourage more holistic understanding of geographic data and information, so that we can demystify the question of absolute reliability of satellite images or other geospatial data. We also want to develop more future-oriented thinking in order to take countermeasures such as fact-checking when necessary."

Full Article


Study: 'Fingerprint' for 3D Printer Accurate 92% of Time
University at Buffalo News
Melvin Bankhead III
April 21, 2021


To reduce illicit use of three-dimensional (3D) printers, the University at Buffalo (UB)'s Zhanpeng Jin and colleagues devised a method to accurately identify each machine’s unique "fingerprint." The researchers determined each hot end of a printer's extruders has specific thermodynamic properties, which affect the precise way the 3D model is assembled; this heating signature, or ThermoTag, can identify the specific extruder, and by extension the model of 3D printer used. Once the printer model is identified, its buyer can be traced in instances in which they may have used the printer for unlawful purposes. The UB researchers said they were able to correctly identify a source printer with 92% accuracy using this method.

Full Article


Daniel Tauritz

May 23, 2021, 12:05:08 PM5/23/21
to sec-...@googlegroups.com

Millions of Older Broadband Routers Have Security Flaws, Warn Researchers
ZDNet
Daphne Leprince-Ringuet
May 6, 2021


Millions of U.K. households use old broadband routers that hackers could exploit, according to a probe conducted by consumer watchdog Which? and security researchers at consultancy Red Maple Technologies. Which? polled over 6,000 adults and flagged 13 older routers still commonly used by consumers across Britain; Red Maple analysts determined nine of the 13 devices did not meet modern security standards. Which? calculated that up to 7.5 million U.K. users could potentially be affected, as vulnerable routers present an opportunity for hackers to spy on people as they browse, or to steer them to spam websites. The researchers also highlighted weak default passwords as a vulnerability in older routers.

Full Article


Patch Issued to Tackle Critical Security Issues Present in Dell Driver Software Since 2009
ZDNet
Charlie Osborne
May 4, 2021


Computer vendor Dell has issued a patch to remedy five longstanding vulnerabilities in driver software discovered by a team at threat intelligence solutions provider SentinelLabs. Security researcher Kasif Dekel found the flaws by exploring the DBUtil BIOS driver found in Dell's desktop and laptop PCs, notebooks, and tablets. The focus of his investigation was the software's dbutil_2_3.sys module, which is installed and loaded on-demand by initiating the firmware update process, then unloaded after a system reboot. Two of the flaws identified were memory corruption issues in the driver, another two were security failures rooted in a lack of input validation, and the final issue found could be leveraged to trigger a denial of service. The SentinelLabs team said these vulnerabilities have been present since 2009, although there is no evidence of exploitation in the wild.

Full Article


Spectre Exploits Beat All Mitigations: Fixes to Severely Degrade Performance
Tom's Hardware
Anton Shilov
May 1, 2021


Three new variants of Spectre exploits that affect all modern chips from AMD and Intel with micro-op caches were discovered by researchers at the University of Virginia and the University of California, San Diego. The variants include a same-thread cross-domain attack that leaks across the user-kernel boundary; a cross-simultaneous multithreading (SMT) hack that transmits across two SMT threads operating on the same physical core, but different logical cores, through the micro-op cache; and transient execution attacks that can leak unauthorized secrets accessed along a misspeculated path, even before a transient instruction can be sent to execution. The researchers suspect mitigating the exploits will degrade performance more significantly than fixes for previous Spectre vulnerabilities. AMD and Intel were alerted, but have issued no microcode updates or operating system patches.

Full Article


An Uncrackable Combination of Invisible Ink, AI
American Chemical Society
May 5, 2021

Researchers have printed complexly encoded data using a carbon nanoparticle-based ink that can be read only by an artificial intelligence (AI) model when exposed to ultraviolet (UV) light. The researchers created the ‘invisible’ ink, which appears blue when exposed to UV light, using carbon nanoparticles from citric acid and cysteine. They then trained an AI model to identify symbols written in the ink and illuminated by UV light, and to use a special codebook to decode them. The model, which was tested using a combination of normal red ink and UV fluorescent ink, read the messages with 100% accuracy. The researchers said the algorithms potentially could be used for secure encryption with hundreds of unpredictable symbols because they can detect minute modifications in symbols.

Full Article


Protocol Makes Bitcoin Transactions More Secure, Faster Than Lightning
TU Wien (Austria)
May 4, 2021


Researchers at Austria's Vienna University of Technology (TU Wien), Spain's IMDEA Software Institute, and Purdue University have developed an improved protocol for faster, more secure Bitcoin transactions. The researchers sought to improve on the "Lightning Network" of payment channels between blockchain users, which allows many transactions to be processed in a short amount of time. A simulation showed the new protocol results in a factor of four to 33 fewer failed transactions, compared with the Lightning Network. TU Wien's Lukas Aumayr said, "We can mathematically prove that our new protocol does not allow certain errors and problems in any situation."

Full Article


Microsoft Finds Memory Allocation Holes in Range of IoT, Industrial Technology
ZDNet
Chris Duckett
April 30, 2021


The security research unit for Microsoft's new Azure Defender for IoT product discovered a number of poor memory allocation operations in code used in Internet of Things (IoT) and operational technology (OT), like industrial control systems, that could fuel malicious code execution. Dubbed BadAlloc, the exploits are associated with improperly validating input, which leads to heap overflows. The team, called Section 52, said the use of these functions becomes problematic when passed external input that can trigger an integer overflow or wraparound as values to the functions. Microsoft said it alerted the affected vendors (including Google Cloud, ARM, Amazon, Red Hat, Texas Instruments, and Samsung Tizen) and patched the vulnerabilities in cooperation with the U.S. Department of Homeland Security. The team recommended the isolation of IoT devices and OT networks from corporate information technology networks using firewalls.

Full Article


Fertility Apps Collect, Share Intimate Data Without Users' Knowledge or Permission
News-Medical Life Sciences
May 4, 2021

A study by researchers at Newcastle University in the U.K. and Sweden's Umea University found that many top-rated fertility apps collect and share personal information without the knowledge or permission of users. The researchers studied the privacy notices and tracking practices of 30 free fertility apps chosen from the top search results in the Google Play Store. They determined that the privacy notices and tracking practices of the majority of these apps do not comply with the EU's General Data Protection Regulation. The researchers also found that regardless of whether the user engages with the apps' privacy notices, an average of 3.8 trackers were activated as soon the apps were installed and opened. The researchers believe more adequate lawful and ethical processes are needed to handle such data.

Full Article


Algorithms Improve How We Protect Our Data
Daegu Gyeongbuk Institute of Science and Technology (South Korea)
May 3, 2021


Researchers at South Korea's Daegu Gyeongbuk Institute of Science and Technology (DGIST) have developed algorithms that estimate and validate encryption security with less computational complexity. The "Min-entropy" metric typically is used to estimate and validate a source's ability to generate random numbers used to encrypt data. An offline algorithm developed by the researchers estimates min-entropy based on an entire dataset; they also developed an online estimator that requires limited data samples and improves in accuracy as the data samples increase. Because the online estimator does not require storage for entire datasets, it is suitable for Internet of Things devices and other applications with memory, storage, and hardware constraints. DGIST's Yongjune Kim said, "Our evaluations showed that our algorithms can estimate min-entropy 500 times faster than the current standard algorithm while maintaining estimation accuracy."

Full Article


Breakthrough Army Technology is Game Changer for Deepfake Detection
U.S. Army Research Laboratory
April 29, 2021


Researchers at the U.S. Army Combat Capabilities Development Command's Army Research Laboratory and the University of Southern California (USC) have developed a deepfake detection method for supporting mission-essential tasks. The team said DefakeHop's core innovation is Successive Subspace Learning (SSL), a signal representation and transform theory designed as a neural network architecture. USC's C.-C. Jay Kuo described SSL as "a complete data-driven unsupervised framework [that] offers a brand new tool for image processing and understanding tasks such as face biometrics." Among DefakeHop's purported advantages over current state-of-the-art deepfake video detection methods are mathematical transparency, less complexity, and robustness against adversarial attacks.

Full Article


Cyberattacks Against Colleges Increase Amid Pandemic

The Chronicle of Higher Education (4/14, Mangan) reports that a message, “emailed to thousands of students and employees at the University of Colorado’s Boulder campus last week” said that their personal information, “including addresses, phone numbers, Social Security numbers, academic progress reports, and financial documents, had been stolen.” Their university was “refusing to cooperate with extortion demands” and as a result, the data “was starting to be posted on the dark web, the shadowy back channel of the internet where cybercriminals lurk.” Elsewhere around the country, students and employees at “at least nine other universities” were receiving similar warnings. The campuses are “part of an escalating number of extortion and ransomware attacks the FBI has been tracking since March 2020, when the COVID-19 pandemic took hold in the US.” Cybercriminals have “taken advantage of the unique circumstances of the pandemic to double down on their demands.”


Poll Finds “AI-Powered” Cyberattacks Expected To Increase

TechRadar (4/12) reports new research has “said AI-powered software will soon be powerful enough [to] spearhead advanced cyberattacks, prompting IT teams to deploy smarter security solutions, themselves.” Polling 300 C-level executives on their views of the future cybersecurity landscape, cybersecurity AI company Darktrace “found that almost all respondents (96%) are preparing for an onslaught of AI-powered cyberattacks.” Nearly two-thirds (68%) are “under the impression that cybercriminals will be deploying AI on impersonation and spear-phishing attacks.” To prepare for future attacks, most of the executives “polled for the report said they started deploying AI-powered defenses, mostly because they don’t believe (60%) humans are a match for automated cyberattacks, even if they could find enough, due to the ever-growing talent drought.” They also “believe current security solutions are a liability because they’re unable to anticipate new attacks.”
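The BadAlloc item in this message (Microsoft's Section 52 findings) describes the bug class only in general terms: size arithmetic on external input that wraps around, so the heap block ends up smaller than the data later written into it. The following is an added example written for this brief, not code from Microsoft, Section 52, or any affected vendor. It assumes a 32-bit size_t target (emulated with uint32_t so the wraparound reproduces on a 64-bit host), a constructed toy wire format (a little-endian 32-bit record count followed by 4-byte records), and an assumed 8-byte allocator header; none of these come from the article. It shows the unchecked multiply and the unchecked "size plus header" addition beside their overflow-checked forms, plus the length-consistency check a parser should apply before trusting a count.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: the target has a 32-bit size_t, as many IoT/RTOS devices do.
   Emulating it with uint32_t makes the wraparound reproduce on a 64-bit host. */
typedef uint32_t dev_size_t;
#define DEV_SIZE_MAX UINT32_MAX
#define HEAP_HDR 8u   /* assumed per-block bookkeeping the toy allocator prepends */

/* Vulnerable pattern (the BadAlloc class): size arithmetic on external input
   with no overflow check. 0x40000001 records of 4 bytes wraps to 4 bytes. */
dev_size_t record_bytes_unchecked(dev_size_t count, dev_size_t elem) {
    return count * elem;
}

/* Allocator-side variant: requested size plus header wraps near DEV_SIZE_MAX,
   so the allocator hands back a tiny block for a huge request. */
dev_size_t block_bytes_unchecked(dev_size_t requested) {
    return requested + HEAP_HDR;
}

/* Hardened forms: refuse any request whose byte total cannot be represented. */
int record_bytes_checked(dev_size_t count, dev_size_t elem, dev_size_t *out) {
    if (elem != 0 && count > DEV_SIZE_MAX / elem) return 0;   /* would wrap */
    *out = count * elem;
    return 1;
}

int block_bytes_checked(dev_size_t requested, dev_size_t *out) {
    if (requested > DEV_SIZE_MAX - HEAP_HDR) return 0;       /* would wrap */
    *out = requested + HEAP_HDR;
    return 1;
}

/* Toy wire format (constructed for this example, not a real protocol):
   a little-endian 32-bit record count followed by 4-byte records. */
int parse_count(const uint8_t *msg, size_t len, dev_size_t *count) {
    if (len < 4) return 0;
    *count = (dev_size_t)msg[0] | (dev_size_t)msg[1] << 8
           | (dev_size_t)msg[2] << 16 | (dev_size_t)msg[3] << 24;
    return 1;
}

/* Vulnerable handler: returns the byte count it would pass to malloc(), which
   the unchecked multiply can make far smaller than the bytes later copied in. */
dev_size_t handle_unchecked(const uint8_t *msg, size_t len) {
    dev_size_t count;
    if (!parse_count(msg, len, &count)) return 0;
    return record_bytes_unchecked(count, 4);
}

/* Hardened handler: overflow-checked arithmetic, plus the count must be
   consistent with the bytes actually received, so the buffer can never be
   smaller than what the record loop writes into it. */
int handle_checked(const uint8_t *msg, size_t len, dev_size_t *bytes) {
    dev_size_t count;
    if (!parse_count(msg, len, &count)) return 0;
    if (!record_bytes_checked(count, 4, bytes)) return 0;
    if ((uint64_t)*bytes > (uint64_t)(len - 4)) return 0;  /* claims more than was sent */
    return 1;
}

/* Constructed inputs: count 0x40000001 (malicious) and count 1 (benign). */
static const uint8_t evil_msg[8] = {0x01, 0x00, 0x00, 0x40, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t good_msg[8] = {0x01, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef};

int main(void) {
    dev_size_t bytes = 0;
    printf("unchecked: malloc(%u) for 0x40000001 records\n",
           (unsigned)handle_unchecked(evil_msg, sizeof evil_msg));
    printf("checked:   malicious message %s\n",
           handle_checked(evil_msg, sizeof evil_msg, &bytes) ? "accepted" : "rejected");
    printf("checked:   benign message -> malloc(%u)\n",
           handle_checked(good_msg, sizeof good_msg, &bytes) ? (unsigned)bytes : 0u);
    printf("allocator: 0xFFFFFFFC + header -> %u bytes unchecked\n",
           (unsigned)block_bytes_unchecked(0xFFFFFFFCu));
    return 0;
}
```

The division-based check (`count > MAX / elem`) is the portable form; where the toolchain supports it, `__builtin_mul_overflow` and `__builtin_add_overflow` express the same thing in one call. Note that the arithmetic check alone is not enough: a count that multiplies cleanly can still exceed what was received, which is why the hardened handler also compares the computed size against the message length.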

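The DGIST item in this message contrasts an offline min-entropy estimator that needs the whole dataset with an online one that keeps limited state and tightens as samples arrive. The article does not give DGIST's algorithm, so the following is an added example and not their method or code: it uses the most-common-value estimator from NIST SP 800-90B (section 6.3.1), which is the standard the article calls the comparison point, in an offline form and a streaming form with a fixed 1 KiB of state. The byte alphabet, the constructed biased sample (three quarters zeros, so the true min-entropy is -log2(0.75) = 0.415 bits per byte), and the libm-free log2 and sqrt helpers are all assumptions made for this example; the helpers exist so the code links on a microcontroller toolchain without a math library, matching the constrained-device setting the article describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ALPHABET 256   /* assumption: the source emits whole bytes */

/* log2 for x in (0, 1] using only multiply/compare, so this links without libm;
   52 rounds of squaring recover the fraction bits to double precision. */
static double log2_unit(double x) {
    double ip = 0.0, frac = 0.0, bit = 0.5;
    while (x < 1.0) { x *= 2.0; ip -= 1.0; }          /* now 1 <= x < 2 */
    for (int i = 0; i < 52; i++) {
        x *= x;                                        /* squaring doubles the log */
        if (x >= 2.0) { x *= 0.5; frac += bit; }
        bit *= 0.5;
    }
    return ip + frac;
}

/* Newton's method square root, kept libm-free for the same reason. */
static double sqrt_newton(double v) {
    if (v <= 0.0) return 0.0;
    double x = v > 1.0 ? v : 1.0;
    for (int i = 0; i < 64; i++) x = 0.5 * (x + v / x);
    return x;
}

/* Plug-in min-entropy in bits per symbol: -log2(p_max). */
double min_entropy_plugin(uint32_t max_count, uint32_t n) {
    if (n == 0 || max_count == 0) return 0.0;
    return -log2_unit((double)max_count / (double)n);
}

/* Conservative estimate from NIST SP 800-90B section 6.3.1 (most common value):
   replace p_max with its upper confidence bound (z = 2.576) before taking -log2.
   The bound is loose for small n and approaches the plug-in value as n grows. */
double min_entropy_mcv_90b(uint32_t max_count, uint32_t n) {
    if (n < 2 || max_count == 0) return 0.0;
    double p = (double)max_count / (double)n;
    double pu = p + 2.576 * sqrt_newton(p * (1.0 - p) / (double)(n - 1));
    if (pu > 1.0) pu = 1.0;
    return -log2_unit(pu);
}

/* Offline: needs the whole dataset in memory before it can answer. */
double mcv_offline(const uint8_t *s, size_t n) {
    uint32_t counts[ALPHABET] = {0}, max = 0;
    for (size_t i = 0; i < n; i++)
        if (++counts[s[i]] > max) max = counts[s[i]];
    return min_entropy_plugin(max, (uint32_t)n);
}

/* Online: fixed state (256 counters) regardless of how many samples arrive;
   an estimate can be read at any time and tightens as n grows. */
struct mcv_stream { uint32_t counts[ALPHABET]; uint32_t n, max; };
void mcv_stream_init(struct mcv_stream *st) { memset(st, 0, sizeof *st); }
void mcv_stream_push(struct mcv_stream *st, uint8_t x) {
    if (++st->counts[x] > st->max) st->max = st->counts[x];
    st->n++;
}
double mcv_stream_plugin(const struct mcv_stream *st) { return min_entropy_plugin(st->max, st->n); }
double mcv_stream_bound(const struct mcv_stream *st)  { return min_entropy_mcv_90b(st->max, st->n); }

/* Constructed test source (not real RNG output): 3/4 of the samples are 0x00 and
   the rest are distinct non-zero bytes, so p_max = 0.75 and the true min-entropy
   is -log2(0.75) = 0.415 bits/byte. Valid for n <= 1020. */
void build_biased_sample(uint8_t *buf, size_t n) {
    size_t zeros = n * 3 / 4;
    for (size_t i = 0; i < n; i++) buf[i] = i < zeros ? 0 : (uint8_t)(i - zeros + 1);
}

/* Feeds the constructed sample of length n to both estimators.
   out[0] = offline plug-in, out[1] = streaming plug-in, out[2] = streaming 90B bound. */
void run_constructed(size_t n, double out[3]) {
    uint8_t buf[1020];
    if (n > sizeof buf) n = sizeof buf;
    build_biased_sample(buf, n);
    out[0] = mcv_offline(buf, n);
    struct mcv_stream st;
    mcv_stream_init(&st);
    for (size_t i = 0; i < n; i++) mcv_stream_push(&st, buf[i]);
    out[1] = mcv_stream_plugin(&st);
    out[2] = mcv_stream_bound(&st);
}

int main(void) {
    double r[3];
    for (size_t n = 100; n <= 1000; n *= 10) {
        run_constructed(n, r);
        printf("n=%4zu plug-in=%.4f streaming=%.4f 90B bound=%.4f bits/byte\n",
               n, r[0], r[1], r[2]);
    }
    return 0;
}
```

Running it prints the same plug-in value (0.4150) from both estimators, while the conservative bound rises from about 0.214 at n = 100 to about 0.349 at n = 1000: the streaming estimator never stored a sample, and its answer improves as more arrive. The plug-in value alone overstates what a validator should credit for short sequences, which is why SP 800-90B uses the bound.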