Dr. T's security brief
Daniel Tauritz
U.S. Takes Steps to Protect Electric System From Cyberattack
CNBC
April 20, 2021
The U.S. Department of Energy (DOE) announced Monday a 100-day initiative that aims to protect the nation's electric system from cyberattacks. The initiative calls on owners and operators of power plants and electric utilities to follow concrete milestones to implement technologies that allow for real-time intrusion detection and response. In addition, DOE is requesting feedback from electric utilities, energy companies, government agencies, and others on how to safeguard the energy system supply chain. Energy Secretary Jennifer Granholm said the U.S. "faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses."
A Hacker's Nightmare: Programmable Chips Secured by Chaos
IEEE Spectrum
Payal Dhar
April 19, 2021
Ohio State University (OSU) scientists demonstrated a method of using physically unclonable functions (PUFs)—technology for generating unique signatures for programmable chips—to thwart hackers. OSU's Noeloikeau Charlot said, "Because there's so many possible fingerprints, even if [hackers] have access to your device, it would still take longer than the lifetime of the universe for them to actually record all possible combinations." OSU's Daniel Gauthier said current PUFs contain a limited number of secrets, which when numbering in the tens, hundreds of thousands, or even 1 million, gives properly equipped hackers enough knowledge to crack those secrets. The team built a network in the PUFs of randomly interconnected logic gates in order to create "deterministic chaos," which machine learning exploits could not decipher.
U.S. Banks Deploy AI to Monitor Customers, Workers Amid Tech Backlash
Reuters
Paresh Dave; Jeffrey Dastin
April 19, 2021
Several U.S. banks, including City National Bank of Florida, JPMorgan Chase & Co., and Wells Fargo & Co. are rolling out artificial intelligence systems to analyze customer preferences, monitor employees, and detect suspicious activity near ATMs. City National will commence facial recognition trials in early 2022, with the goal of replacing less-secure authentication systems. JPMorgan is testing video analytic technology at some Ohio branches, and Wells Fargo uses the technology in an effort to prevent fraud. Concerns about the use of such technology range from errors in facial matches and the loss of privacy to disproportionate use of monitoring systems in lower-income and non-white communities. Florida-based Brannen Bank's Walter Connors said, "Anybody walking into a branch expects to be recorded. But when you're talking about face recognition, that's a larger conversation."
FBI Launched Operation to Wipe Out Hacker Access to Hundreds of U.S. Servers
The Washington Post
Tonya Riley
April 14, 2021
The U.S. Department of Justice (DOJ) said the Federal Bureau of Investigation (FBI) has launched a campaign to eliminate hacker access to hundreds of U.S.-based servers exposed by a bug in Microsoft Exchange software discovered earlier this year. The flaw gave hackers back doors into the servers of at least 30,000 U.S. organizations. Although the number of vulnerable servers have been reduced, attackers have already installed malware on thousands to open a separate route of infiltration; DOJ said hundreds of Web shells remained on certain U.S.-based computers running Microsoft Exchange by the end of March. The department's court filing said Microsoft identified the initial intruders as members of the China-sponsored HAFNIUM group.
*May Require Paid Registration
Millions of Devices at Risk From NAME:WRECK DNS Bugs
Computer Weekly
Alex Scroxton
April 13, 2021
Researchers at cybersecurity provider Forescout Research Labs and Israeli cybersecurity consultancy JSOF discovered nine new Domain Name System (DNS) vulnerabilities that could imperil more than 100 million connected Internet of Things (IoT) devices, at least a third of them located in the U.K. Collectively designated NAME:WRECK, the bugs affect four popular Transmission Control Protocol/Internet Protocol (TCP/IP) stacks: FreeBSD, IPnet, Nucleus NET, and NetX. Malefactors who exploit the vulnerabilities in a denial of service or remote code execution attack could disrupt or hijack targeted networks. Forescout's Daniel dos Santos said, "Complete protection against NAME:WRECK requires patching devices running the vulnerable versions of the IP stacks, and so we encourage all organizations to make sure they have the most up-to-date patches for any devices running across these affected IP stacks."
Shift Online Exposed College Cybersecurity Vulnerabilities
Higher Ed Dive 
(3/30, Poremba) reports that “one of the first big data breaches to impact a college campus hit Ohio State University in 2010, involving the records of more than 700,000 people affiliated with the school.” While there has never “been evidence that records were actually stolen, the event was a wake-up call for Ohio State and other major universities, said Dave Kieffer, an information technology leader at Ohio State at the time of the breach.” The threat then “was novel, but over the past decade, colleges have become more proactive in addressing such risks.” When the pandemic “forced most colleges to move the bulk of classes and activities online last spring, it raised the level of cybersecurity risk created by these kinds of vulnerabilities.” Although students and staff “were distributed across the globe, cybersecurity systems had to be maintained.”
The ACLU Is Seeking Government Data On AI Use In National Security
Axios (3/26, Walsh) reported the ACLU “will be seeking information about how the government is using artificial intelligence in national security.” The development of AI has “major implications for security, surveillance, and justice.” The ACLU’s request may help “shed some light on the government’s often opaque applications of AI.” The ACLU is “specifically concerned about ‘vetting and screening processes in agencies like Homeland Security, and tools that can analyze voice, data and video.’” The FOIA request was “prompted in part by a recent 750-page report put out by the National Security Commission on Artificial Intelligence that lays out a case for the US to embrace AI throughout the national security sector.”