SolarWinds, Microsoft Hacks Prompt Focus on Zero-Trust Security
The Wall Street Journal
James Rundle
April 26, 2021
At an April 22 virtual event hosted by Cyber Education Institute LLC's Billington Cybersecurity unit, U.S. Department of Defense's John Sherman said the public and private sectors should adopt zero-trust models that constantly verify whether a device, user, or program should be able to do what it is asking to do. Ericom Software Ltd.'s Chase Cunningham said, "No one who actually understands zero trust says abandon the perimeter. But the reality of it is that you need to understand your perimeter's probably already compromised, especially when you're in a remote space." Carnegie Mellon University's Gregory Touhill stressed that zero trust is not a technology but a strategy, and "we've got too many folks in industry that are trying to peddle themselves as zero-trust vendors selling the same stuff that wasn't good enough the first time."
*May Require Paid Registration
Multiple Agencies Breached by Hackers Using Pulse Secure Vulnerabilities
The Hill
Maggie Miller
April 20, 2021
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said hackers had infiltrated federal agencies and other critical organizations by exploiting flaws in Pulse Connect Secure (PCS), a product of Utah-based software company Ivanti. The CISA alert followed cybersecurity group FireEye's Mandiant Solutions' publication of a blog post attributing some breaches to a Chinese state-sponsored hacking group and another Chinese advanced persistent threat group. CISA said that hackers had installed webshells in PCS products, which enabled them to circumvent security features. The agency said Ivanti was developing a patch, adding that it "strongly encouraged" all users to update to the latest version of the software and to look for signs of breaches. CISA issued an emergency directive requiring all federal agencies to evaluate how many PCS products they and third-party organizations used, and to update them by April 23.
Apple Targeted in $50-Million Ransomware Hack of Supplier Quanta
Bloomberg
Kartikay Mehrotra
April 21, 2021
Taiwan-based Apple contract manufacturer Quanta Computer suffered a ransomware attack apparently by Russian operator REvil, which claimed to have stolen the blueprints of Apple's latest products. A user on the cybercrime forum XSS posted Sunday that REvil was about to declare its "largest attack ever," according to an anonymous source. REvil named Quanta its latest victim on its "Happy Blog" site, claiming it had waited to publicize the breach until Apple's latest product launch because Quanta had refused to pay its ransom demands. By the time the launch ended, REvil had posted schematics for a new laptop, including the workings of what seems to be a MacBook designed as recently as March.
Researchers Uncover Advertising Scam Targeting Streaming-TV Apps
The Wall Street Journal
Patience Haggin; Jeff Horwitz
April 21, 2021
Nearly 1 million mobile devices were infected with malware that emulated streaming-TV applications and collected revenue from unwitting advertisers, according to researchers at cybersecurity firm Human Security. The researchers said the orchestrators of this so-called "Pareto" scheme spoofed an average of 650 million ad placement opportunities daily in online ad exchanges, stealing money intended for apps available on streaming-TV platforms run by Roku, Amazon.com, Apple, and Google. The creator of 29 apps underpinning the fraud was identified as TopTop Media, a subsidiary of Israel-based M51 Group. The analysts said the operation could be thwarted if digital ad companies strictly followed industry guidance for tracking the origins of traffic and deployed certain security measures. Human Security's Michael McNally said, "Measurement and security companies will just play whack-a-mole, as long as the industry hasn't upgraded to better defenses."
*May Require Paid Registration
Amazon Bringing Palm-Scanning Payment System to Whole Foods Stores
CNBC
Annie Palmer
April 21, 2021
Amazon's palm-scanning payment system will be rolled out to a Whole Foods store in Seattle's Capitol Hill neighborhood before expanding to seven other Whole Foods stores in the area in the coming months. About a dozen Amazon physical stores already offer the Amazon One payment system, which allows shoppers who have linked a credit card to their palm print to pay for items by holding their palm over a scanning device. Amazon says the palm-scanning system is "highly secure" and more private than facial recognition and other biometric systems. The company says thousands of people have signed up to use the system at the Amazon stores.
A Growing Problem of 'Deepfake Geography': How AI Falsifies Satellite Images
University of Washington
Kim Eckart
April 21, 2021
Researchers at the University of Washington (UW), Oregon State University, and Binghamton University used satellite photos of three cities and manipulation of video and audio files to identify new methods of detecting deepfake satellite images. The team used an artificial intelligence framework that can infer the characteristics of satellite images from an urban area, then produce deepfakes by feeding the characteristics of the learned satellite image properties onto a different base map. The researchers combined maps and satellite imagery from Tacoma, WA, Seattle, and Beijing to compare features and generate deepfakes of Tacoma, based on the characteristics of the other cities. UW's Bo Zhao said, "This study aims to encourage more holistic understanding of geographic data and information, so that we can demystify the question of absolute reliability of satellite images or other geospatial data. We also want to develop more future-oriented thinking in order to take countermeasures such as fact-checking when necessary."
Study: 'Fingerprint' for 3D Printer Accurate 92% of Time
University at Buffalo News
Melvin Bankhead III
April 21, 2021
To reduce illicit use of three-dimensional (3D) printers, the University at Buffalo (UB)'s Zhanpeng Jin and colleagues devised a method to accurately identify each machine’s unique "fingerprint." The researchers determined each hot end of a printer's extruders has specific thermodynamic properties, which affect the precise way the 3D model is assembled; this heating signature, or ThermoTag, can identify the specific extruder, and by extension the model of 3D printer used. Once the printer model is identified, its buyer can be traced in instances in which they may have used the printer for unlawful purposes. The UB researchers said they were able to correctly identify a source printer with 92% accuracy using this method.
Millions of Older Broadband Routers Have Security Flaws, Warn Researchers
ZDNet
Daphne Leprince-Ringuet
May 6, 2021
Millions of U.K. households use old broadband routers that hackers could exploit, according to a probe conducted by consumer watchdog Which? and security researchers at consultancy Red Maple Technologies. Which? polled over 6,000 adults and flagged 13 older routers still commonly used by consumers across Britain; Red Maple analysts determined nine of the 13 devices did not meet modern security standards. Which? calculated that up to 7.5 million U.K. users could potentially be affected, as vulnerable routers present an opportunity for hackers to spy on people as they browse, or to steer them to spam websites. The researchers also highlighted weak default passwords as a vulnerability in older routers.
Patch Issued to Tackle Critical Security Issues Present in Dell Driver Software Since 2009
ZDNet
Charlie Osborne
May 4, 2021
Computer vendor Dell has issued a patch to remedy five longstanding vulnerabilities in driver software discovered by a team at threat intelligence solutions provider SentinelLabs. Security researcher Kasif Dekel found the flaws by exploring the DBUtil BIOS driver found in Dell's desktop and laptop PCs, notebooks, and tablets. The focus of his investigation was the software's dbutil_2_3.sys module, which is installed and loaded on-demand by initiating the firmware update process, then unloaded after a system reboot. Two of the flaws identified were memory corruption issues in the driver, another two were security failures rooted in a lack of input validation, and the final issue found could be leveraged to trigger a denial of service. The SentinelLabs team said these vulnerabilities have been present since 2009, although there is no evidence of exploitation in the wild.
Spectre Exploits Beat All Mitigations: Fixes to Severely Degrade Performance
Tom's Hardware
Anton Shilov
May 1, 2021
Three new variants of Spectre exploits that affect all modern chips from AMD and Intel with micro-op caches were discovered by researchers at the University of Virginia and the University of California, San Diego. The variants include a same-thread cross-domain attack that leaks across the user-kernel boundary; a cross-simultaneous multithreading (SMT) hack that transmits across two SMT threads operating on the same physical core, but different logical cores, through the micro-op cache; and transient execution attacks that can leak unauthorized secrets accessed along a misspeculated path, even before a transient instruction can be sent to execution. The researchers suspect mitigating the exploits will degrade performance more significantly than fixes for previous Spectre vulnerabilities. AMD and Intel were alerted, but have issued no microcode updates or operating system patches.
An Uncrackable Combination of Invisible Ink, AI
American Chemical Society
May 5, 2021
Researchers have printed complexly encoded data using a carbon nanoparticle-based ink that can be read only by an artificial intelligence (AI) model when exposed to ultraviolet (UV) light. The researchers created the ‘invisible’ ink, which appears blue when exposed to UV light, using carbon nanoparticles from citric acid and cysteine. They then trained an AI model to identify symbols written in the ink and illuminated by UV light, and to use a special codebook to decode them. The model, which was tested using a combination of normal red ink and UV fluorescent ink, read the messages with 100% accuracy. The researchers said the algorithms potentially could be used for secure encryption with hundreds of unpredictable symbols because they can detect minute modifications in symbols.
Protocol Makes Bitcoin Transactions More Secure, Faster Than Lightning
TU Wien (Austria)
May 4, 2021
Researchers at Austria's Vienna University of Technology (TU Wien), Spain's IMDEA Software Institute, and Purdue University have developed an improved protocol for faster, more secure Bitcoin transactions. The researchers sought to improve on the "Lightning Network" of payment channels between blockchain users, which allows many transactions to be processed in a short amount of time. A simulation showed the new protocol results in a factor of four to 33 fewer failed transactions, compared with the Lightning Network. TU Wien's Lukas Aumayr said, "We can mathematically prove that our new protocol does not allow certain errors and problems in any situation."
Fertility Apps Collect, Share Intimate Data Without Users' Knowledge or Permission
News-Medical Life Sciences
May 4, 2021
A study by researchers at Newcastle University in the U.K. and Sweden's Umea University found that many top-rated fertility apps collect and share personal information without the knowledge or permission of users. The researchers studied the privacy notices and tracking practices of 30 free fertility apps chosen from the top search results in the Google Play Store. They determined that the privacy notices and tracking practices of the majority of these apps do not comply with the EU's General Data Protection Regulation. The researchers also found that regardless of whether the user engages with the apps' privacy notices, an average of 3.8 trackers were activated as soon as the apps were installed and opened. The researchers believe more adequate legal and ethical processes are needed to handle such data.
Algorithms Improve How We Protect Our Data
Daegu Gyeongbuk Institute of Science and Technology (South Korea)
May 3, 2021
Researchers at South Korea's Daegu Gyeongbuk Institute of Science and Technology (DGIST) have developed algorithms that estimate and validate encryption security with less computational complexity. The "Min-entropy" metric typically is used to estimate and validate a source's ability to generate random numbers used to encrypt data. An offline algorithm developed by the researchers estimates min-entropy based on an entire dataset; they also developed an online estimator that requires limited data samples and improves in accuracy as the data samples increase. Because the online estimator does not require storage for entire datasets, it is suitable for Internet of Things devices and other applications with memory, storage, and hardware constraints. DGIST's Yongjune Kim said, "Our evaluations showed that our algorithms can estimate min-entropy 500 times faster than the current standard algorithm while maintaining estimation accuracy."
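To make the min-entropy metric concrete, here is an added illustration (not the DGIST researchers' algorithm, whose details the article does not give) of the two estimation styles the summary contrasts: an offline estimate that needs the whole dataset in memory, and an online estimate that keeps only one counter per symbol value and tightens as samples arrive. The confidence adjustment follows the most-common-value estimator of NIST SP 800-90B; the biased four-symbol source is constructed for the example.

```python
import math
from collections import Counter

# Constructed sample source: symbol 0 appears half the time, so the true
# min-entropy is -log2(0.5) = 1.0 bit per symbol (a uniform 4-symbol source
# would give 2.0 bits).
SAMPLES = [0, 0, 1, 2] * 250


def min_entropy_offline(samples):
    """Offline estimate over a complete dataset held in memory."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


class OnlineMinEntropy:
    """Streaming estimate: memory scales with the alphabet, not the stream."""

    def __init__(self):
        self.counts = {}
        self.n = 0

    def update(self, symbol):
        self.counts[symbol] = self.counts.get(symbol, 0) + 1
        self.n += 1

    def estimate(self, confidence=True):
        if self.n == 0:
            return 0.0
        p_hat = max(self.counts.values()) / self.n
        if not confidence or self.n < 2:
            return -math.log2(p_hat)
        # NIST SP 800-90B most-common-value estimator: upper-bound the
        # probability at 99% confidence, so few samples give a conservative
        # (lower) entropy estimate that rises toward the true value.
        p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (self.n - 1)))
        return -math.log2(p_u)


def demo():
    """Return offline and online estimates after 40 and 1000 samples."""
    est = OnlineMinEntropy()
    out = {"offline": min_entropy_offline(SAMPLES)}
    for i, s in enumerate(SAMPLES, start=1):
        est.update(s)
        if i in (40, 1000):
            out[f"online_{i}"] = est.estimate()
    return out


if __name__ == "__main__":
    print(demo())
```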
Breakthrough Army Technology is Game Changer for Deepfake Detection
U.S. Army Research Laboratory
April 29, 2021
Researchers at the U.S. Army Combat Capabilities Development Command's Army Research Laboratory and the University of Southern California (USC) have developed a deepfake detection method for supporting mission-essential tasks. The team said DefakeHop's core innovation is Successive Subspace Learning (SSL), a signal representation and transform theory designed as a neural network architecture. USC's C.-C. Jay Kuo described SSL as "a complete data-driven unsupervised framework [that] offers a brand new tool for image processing and understanding tasks such as face biometrics." Among DefakeHop's purported advantages over current state-of-the-art deepfake video detection methods are mathematical transparency, less complexity, and robustness against adversarial attacks.
The Chronicle of Higher Education (4/14, Mangan) reports that a message, “emailed to thousands of students and employees at the University of Colorado’s Boulder campus last week” said that their personal information, “including addresses, phone numbers, Social Security numbers, academic progress reports, and financial documents, had been stolen.” Their university was “refusing to cooperate with extortion demands” and as a result, the data “was starting to be posted on the dark web, the shadowy back channel of the internet where cybercriminals lurk.” Elsewhere around the country, students and employees “at least nine other universities were receiving similar warnings.” The campuses are “part of an escalating number of extortion and ransomware attacks the FBI has been tracking since March 2020, when the COVID-19 pandemic took hold in the US.” Cybercriminals have “taken advantage of the unique circumstances of the pandemic to double down on their demands.”
TechRadar (4/12) reports new research has “said AI-powered software will soon be powerful enough to spearhead advanced cyberattacks, prompting IT teams to deploy smarter security solutions, themselves.” Polling 300 C-level executives on their views of the future cybersecurity landscape, cybersecurity AI company Darktrace “found that almost all respondents (96%) are preparing for an onslaught of AI-powered cyberattacks.” Nearly two-thirds (68%) are “under the impression that cybercriminals will be deploying AI on impersonation and spear-phishing attacks.” To prepare for future attacks, most of the executives “polled for the report said they started deploying AI-powered defenses, mostly because they don’t believe (60%) humans are a match for automated cyberattacks, even if they could find enough, due to the ever-growing talent drought.” They also “believe current security solutions are a liability because they’re unable to anticipate new attacks.”