Dr. T's security brief
dtau...@gmail.com
JPMorgan to Test Face, Palm Recognition for Payments
Bloomberg
Jennifer Surane
March 23, 2023
Financial services company JPMorgan Chase intends to allow consumers to make transactions via palm or face recognition at certain U.S. retailers as part of a test. Customers would need to register their palms or faces in-store, then scan their biometrics to complete the transaction and obtain a receipt at checkout. Consumers will be able to connect many different types of payment to JPMorgan's new system. A Formula 1 race in Miami may participate in the test, while the bank said it may extend the service to its wider U.S. merchant base if the test pans out. JPMorgan cited U.K.-based business and technology consultancy Goode Intelligence's forecast that biometric technology should account for about $5.8 trillion in transactions and 3 billion users by 2026.
*May Require Paid Registration
Tackling Counterfeit Seeds with 'Unclonable' Labels
MIT News
David L. Chandler
March 22, 2023
A biodegradable tag developed by Massachusetts Institute of Technology (MIT) scientists can provide seeds with an "unclonable" code of authenticity. The label incorporates tiny dots of silk-derived material, each bearing a unique blend of different chemical signatures. The tags "leverage randomness and uncertainty in the process of application, to generate unique signature features that can be read, and that cannot be replicated," according to MIT's Benedetto Marelli. The researchers used drop-casting to produce tags less than 1/10th of an inch in diameter; Marelli said they added color to make the microparticles cohere into random patterns that can be read by spectrograph, portable microscope, or cellphone cameras with a macro lens. The image can be processed locally to produce the physically unclonable functions code, then transmitted to the cloud for comparison with a secure database to guarantee product authenticity.
Computer Engineering Research Prompts Bug Fixes, Updates to Major GPU Frameworks
UC Santa Cruz Newscenter
Emily Cerf
March 21, 2023
Tests developed by researchers at the University of California, Santa Cruz and Google exposed bugs in a major graphical processing unit (GPU) that led to revisions in a key GPU framework for programming Web browsers. The researchers find bugs using mathematical models of programming languages to steer their tests toward areas of interest in the GPU known for hiding flaws. They assessed GPUs on desktops from various companies, uncovering a bug in an AMD compiler that prompted the firm to confirm and patch it on its devices. This also spurred fixes to the WebGPU framework used by coders to guarantee browsers' Web-page acceleration with new GPU technologies.
Researchers Reveal Inaudible Remote Cyber-Attacks on Voice Assistant Devices
University of Texas at San Antonio
Ari Castañeda
March 20, 2023
Researchers at the University of Texas at San Antonio (UTSA) developed the Near-Ultrasound Inaudible Trojan (NUIT) to show how hackers can exploit the vulnerabilities of smart device microphones and voice assistants remotely and silently online. The researchers showed that once hackers have gained unauthorized access to a device via malicious apps, websites, audio, or video, they can transmit inaudible action commands to lower the device’s volume so users cannot hear the voice assistant's response and commence additional attacks on other devices. UTSA's Guenevere Chen said, "The vulnerability is the nonlinearity of the microphone design, which the manufacturer would need to address."
Wave of Stealthy China Cyberattacks Hits U.S., Private Networks, Google Says
The Wall Street Journal
Robert McMillan; Dustin Volz
March 16, 2023
Researchers in Google's Mandiant division found that state-sponsored hackers in China were using techniques that have allowed them to evade common cybersecurity tools and spy on government and business networks for years without being detected. The researchers said hackers are compromising devices on the edge of the network and targeting software from VMware Inc. or Citrix Systems Inc., among others, which often run on computers without antivirus or endpoint detection software. Mandiant's Charles Carmakal said the attacks, which generally exploit previously undetected flaws, likely are more widespread than previously known. Carmakal noted this cyberattack method "is a lot harder for us to investigate, and it is certainly exponentially harder for victims to discover these intrusions on their own. Even with our hunting techniques, it's hard for them to find it."
*May Require Paid Registration
Quantum Computers May Finally Have Practical Use *May Require Paid Registration |
Detecting Manipulations in Microchips
Ruhr-Universität Bochum (Germany)
Julia Weiler
March 20, 2023
A team that included researchers from Germany's Ruhr University Bochum and the Max Planck Institute for Security and Privacy developed a method of identifying hardware Trojans that uses algorithms to detect differences between construction plans for chips and electron microscope images of real chips. In tests of chips in various sizes, the researchers found some designs had been changed retroactively to cause minimal deviations between the construction plans and the actual chips. Modifications were detected on 90-, 65-, and 40-nanometer chips, but three subtle changes were missed in the smallest (28-nanometer) chips. Said Ruhr's Steffen Becker, "Machine learning could probably improve the detection algorithm to such an extent that it would also detect the changes on the smallest chips that we missed."
Password Mismanagement Still at the Heart of Security Issues
GCN
Chris Teale
March 14, 2023
According to researchers at the threat intelligence firm SpyCloud, government employees in the U.S. and internationally often reuse passwords. The report found that 61% of those with more than one password exposed in the last year reused them in multiple places, including government work and personal accounts. Among government emails, the most common exposed passwords were "123456," "12345678," and "password." The report also revealed that close to 74% of stolen government credentials involved malware-infected devices. Meanwhile, a report from the cybersecurity software firm Ivanti found that 32% of U.S. government employees used the same work password for longer than a year.
What Happens When Your Phone is Spying on You
UC San Diego Today
March 13, 2023
Computer scientists at the University of California, San Diego, New York University, and Cornell Tech found smartphone spyware applications leak the information they gather. Promoted as tools to monitor underage children and employees, these apps are abused to secretly spy on others by recording their devices' activities. Little technical expertise is required to install and run the apps, and abusers need only temporary access to the victim's device. The researchers analyzed 14 leading spyware apps for Android phones, exposing data-recording methods that include tapping the device's microphone to record phone calls and using invisible browsers that stream video from the camera to a spyware server.
Big Tech Using Trade Agreements To Circumvent Consumer Data Legislation And Conceal Software Codes, Lawmakers Say
Roll Call 
(3/21, Ratnam) reports “tech companies are using international trade agreements to conceal software codes behind artificial intelligence programs as well as circumvent U.S. legislation that could curb the industry’s freewheeling use of consumer data, according to lawmakers and advocacy groups.” As lawmakers try “to rein in Big Tech, industry ‘lobbyists and lawyers are trying to rig the digital trade deals to undermine those new laws,’ Sen. Elizabeth Warren, D-Mass., said last week.” The dispute over “the role trade deals play in creating global rules for the tech industry comes as Congress is weighing legislation that would address data privacy, content moderation, antitrust enforcement and curbs on artificial intelligence technologies.”
TikTok CEO To “Face Skeptical Lawmakers” In House Testimony Thursday
Roll Call (3/22, Ratnam) reports that in testimony before the House Energy and Commerce Committee on Thursday, TikTok CEO Shou Zi Chew will attempt to “persuade lawmakers that his company isn’t the tech version of the suspected Chinese spy balloon shot down as it flew over the U.S. last month.” Chew and his company are seeking to blunt “widespread calls either to be shut down or sold to a U.S. company because of fears that Beijing is using it to collect data on Americans and engaging in a subversive propaganda campaign.” Chew is expected to “face a barrage of questions” from lawmakers of both parties “on whether Beijing has access to Americans’ data collected by the app, as well as on dangers faced by kids hooked on an app that lawmakers have likened to opium and fentanyl.”
Bloomberg (3/23) reports that because China is “known to be interested in having its technology companies share the data they collect — its ubiquitous popularity among Americans carries geopolitical implications far beyond the mobile-phone screen.” American adult users of TikTok “will spend an average of 56 minutes a day on the app this year, far more than on either Facebook or Instagram, according to researcher Insider Intelligence.”
The AP (3/22) reports Chew plans to “tell Congress that the video-sharing app is committed to user safety, data protection and security, and keeping the platform free from Chinese government influence.” In prepared remarks released ahead of the hearing, Chew promotes what he describes as the platform’s unprecedented “level of access and transparency,” adding, “Let me state this unequivocally: ByteDance is not an agent of China or any other country.” Chew also said that TikTok has not received a “request to share U.S. user data with the Chinese government, nor would TikTok honor such a request if one were ever made.” Chew “said TikTok’s data security project, dubbed Project Texas, is the right answer, not a ban or a sale of the company.”
Bowman, Influencers Highlight Free Speech Concerns On TikTok Ban. The Wall Street Journal (3/22, Tracy, Subscription Publication) reports TikTok dispatched more than 20 of the social media app’s top influencers to Washington DC to lobby lawmakers and others in support of the platform ahead of Tik Tok CEO Shou Zi Chew’s testimony, and CNBC (3/22, Feiner) reports that on Wednesday, Rep. Jamaal Bowman (D-NY) was expected to “host a news conference with more than 30 TikTok creators whose platforms are threatened by the U.S. government’s push toward greater restrictions on the app.” Bowman believes that fears “over potential risks associated with the app have been disproportionate to the available evidence about its vulnerabilities,” and told journalists that if he receives new information from the Justice Department, “I will stand up and say I was wrong and go the other way, but right now what I’m hearing is a lot of fear mongering and speculation and not as much actual evidence.”
WPost Poll: Majority Of Americans Concerned About TikTok’s China Links, Plurality Back A Ban. The Washington Post (3/22, Kelly, Lima, Guskin, Clement) reported on the findings of its poll that 41 percent of American back a ban on TikTok, “with a majority expressing concerns over the company’s links to China, underscoring that distrust of the foreign-owned app has spread beyond Washington, even as its domestic user base soars.” Twenty-five percent oppose such a ban, and 71 percent are “concerned that TikTok’s parent company is based in China, including 36 percent” who say they are “very concerned.”
Why The Government Keeps Looking At TikTok. US News & World Report (3/22) reports, “The battle between the U.S. and China over TikTok comes into full view on Thursday when the social media platform’s CEO testifies before Congressional lawmakers.” The platform “has 150 million American users but it’s been dogged by persistent claims that it threatens national security and user privacy, or could be used to promote pro-Beijing propaganda and misinformation.” The Committee on Foreign Investment in the US, “part of the Treasury Department — is carrying out a review, and has reportedly threatened a U.S. ban on the app unless its Chinese owners divest their stake. China’s Foreign Ministry in turn accused the United States itself of spreading disinformation about TikTok’s potential security risks.”
In Contentious Hearing, TikTok CEO Tells House Panel ByteDance Is “Not An Agent Of China”
The AP (3/23, Hadero, Amiri) reports that TikTok CEO Shou Zi Chew “faced a grilling Thursday from a U.S. congressional committee in a rare public appearance where he made his own case for why the hugely popular video-sharing app shouldn’t be banned.” In her opening statement, House Energy and Commerce Chair Cathy McMorris Rodgers said, “Mr. Chew, you are here because the American people need the truth about the threat TikTok poses to our national and personal security.” But Chew, “a 40-year-old Singapore native,” testified that TikTok “prioritizes the safety of its young users and denied allegations that the app is a national security risk. He reiterated the company’s plan to protect U.S. user data by storing all such information on servers maintained and owned by the server giant Oracle. ‘Let me state this unequivocally: ByteDance is not an agent of China or any other country,’ Chew said.”
However, Politico (3/23, Kern) says, “Over the course of several combative exchanges, it seemed that lawmakers from both parties weren’t buying” Chew’s “explanations or defenses.” The Washington Post (3/23, A1, Zakrzewski, Stein) called the hearing a “five-hour thrashing that underscored the popular app’s precarious future in the United States.” The New York Times (3/23, Kang, McCabe, Maheshwari) says that the “bipartisan unity at the hearing was striking.”
Axios (3/23, Gold) reports Chew “repeatedly categorized TikTok as a global enterprise when asked about whether it’s a Chinese company.” However, McMorris Rodgers said, “ByteDance is beholden to the CCP, and ByteDance and TikTok are one and the same. ... When you celebrate the 150 million American users on TikTok, it emphasizes the urgency for Congress to act...that is 150 million Americans that the CCP can collect sensitive information on, and control what we ultimately see, hear and believe.”
USA Today (3/23, Tran, Looker) reports Chew “dodged questions about what the app does with users’ data, its ties to China and the ways the platform prevents harmful content for children. Committee members grew frustrated as Chew repeatedly avoided clear yes or no answers to their inquiries.” For example, Rep. Lisa Blunt Rochester (D-DE) told Chew, “I think quite frankly your testimony has raised more questions for me than answers.” Reuters (3/23, Shepardson) reports Rep. Frank Pallone (D-NJ), the ranking member on the panel, said to Chew, “You’re gonna continue to gather data, you’re gonna continue to sell data...and continue to be under the aegis of the Communist Party.”
Roll Call (3/23, Ratnam) says Chew “repeatedly denied that TikTok, a U.S.-based company headquartered in Los Angeles and Singapore, is controlled by its China-based parent ByteDance,” but his “assurances appeared to be weakened when China’s Commerce Ministry on Thursday said it would oppose a forced sale of TikTok, as is being contemplated by the Biden administration, because such a sale would involve the export of Chinese technology.”
White House Encouraging ByteDance To Sell TikTok To Avoid Ban. Axios (3/23, Nichols) says the Administration “has a simple response to the army of TikTok influencers who swarmed Capitol Hill [Wednesday]: The app can stay – if ByteDance agrees to sell it.” According to Axios, “The White House is under intense pressure...to protect the nation from potential security threats posed by the Chinese ownership of TikTok,” but “at the same time, many young – and progressive – Americans use TikTok as though their life depends on it.” Axios adds, “Democrats close to the White House are concerned that Biden could face a political reckoning if his actions lead the app to be deleted from the phones of young Americans.” An anonymous “US official” is quoted as saying, “The administration can achieve its national security goals without necessarily banning the app, including by ByteDance selling TikTok.”
The Washington Post (3/23, A1, Zakrzewski, Stein) reports the Administration “has pushed TikTok’s Chinese owners to sell their stakes in the company. But the company has bristled at divestment, and senior administration officials do not think they have the legal authority to ban TikTok without an act of Congress, according to one person with knowledge of internal government discussions.”
WPost Warns Against Banning TikTok. In an editorial, the Washington Post (3/23) says the TikTok “saga seems to have come full circle – with a U.S. president reportedly pushing for the sale of the app, or else a total ban. Joe Biden’s campaign for the move is more coherent and convincing than his predecessor’s 2020 attempt, but the desired outcome is still unsettling.” The Post says a ban on the service “might look like a blow to China in the short run. Yet it would be a victory for that country’s philosophy of techno-nationalism and a defeat for an open world and open web. If the White House does try to ban TikTok, it will owe citizens – users of the platform and non-users alike – a good explanation.”
dtau...@gmail.com
Microsoft Patched Bing Vulnerability That Allowed Snooping on Email, Other Data
The Wall Street Journal
Robert McMillan
March 29, 2023
Microsoft last month patched an issue discovered by security firm Wiz Inc. in the Bing search engine that allowed unauthorized access to email and other data. The researchers determined an error in the way applications were configured on Microsoft's Azure cloud-computing platform could allow unauthorized access to Bing users' Microsoft 365 emails, documents, calendars, and other tools. The software giant said a small number of applications using the Azure Active Directory login management service were impacted by the misconfiguration issue. Wiz said it had no evidence the issue had been used by anyone. In announcing in a blog post the issue had been fixed, Microsoft offered ways in which companies and consumers can better protect themselves from such unauthorized intrusions.
Pwn2Own Hackers Breach a Tesla Twice
PC Magazine
Marco Marcelline
March 25, 2023
Participants of the Pwn2Own software exploitation conference hacked technology from automaker Tesla twice at the Zero Day Initiative's Pwn2Own software exploitation conference, earning $350,000 and a Model 3 infotainment system. The team from French security company Synacktiv executed a time-of-check-to-time-of-use (TOCTOU) exploit against a Tesla Gateway, then employed a heap overflow and an out-of-band write vulnerability to gain access to and compromise the Model 3. Pwn2Own describes a TOCTOU exploit as a "file-based race condition that occurs when a resource is checked for a particular value, and that value changes before the resource is used, invalidating the results of the check." SecurityWeek said Tesla is expected to release patches to correct the flaws exposed by the Synacktiv hacks.
Hackers Drain Bitcoin ATMs of $1.5 Million by Exploiting 0-Day Bug
Ars Technica
Dan Goodin
March 21, 2023
General Bytes reported that over $1.5 million in bitcoin was drained from hot wallets (Internet-accessible wallets) via its bitcoin ATMs (BATMs) by hackers that exploited a previously unknown zero-day vulnerability. This flaw allowed the hackers to use the master server interface, which permits customers to upload videos from the BATM terminal to the crypto application server (CAS), to upload and execute a malicious Java application. Although the vulnerability was patched 15 hours after it was discovered, the stolen bitcoin could not be recovered. In response to the incident, General Bytes said it would no longer manage CASes for customers.
Making the Internet of Things More Secure
Washington University in St. Louis McKelvey School of Engineering
Beth Miller
March 27, 2023
Washington University in St. Louis' Shantanu Chakrabartty and Mustafizur Rahman used a prototype synchronized pseudo-random-number generator (SPRNG) to enhance the security of Internet of Things (IoT) communications. The prototype employs Fowler-Nordheim quantum tunneling to prevent tampering, snooping, and side-channel attacks. The method involves electrons jumping through and reshaping a triangular barrier, which offers a simpler, more energy-efficient, and self-powered connection that Chakrabartty called attack-proof. He said SPRNG “could be used as a trusted platform module on IoT and used to verify and authenticate secure transactions, such as software upgrades. Since this system does not require access to GPS [global positioning systems] for synchronization, it could be used in resource-constrained and adversarial environments, including healthcare and military IoTs."
TIM Provides Alternative to Text-Based Passwords
University of Surrey (U.K.)
March 23, 2023
The Transparent Image Moving (TIM) authentication system for mobile phones developed by researchers at the U.K.'s University of Surrey, New Zealand's University of Auckland, and South Korea's Mokpo National University could enhance the security of mobile devices. TIM's authentication process requires users to pick and move predefined images to a designated position. The researchers found 85% of TIM users thought the system could help block password guessing and shoulder surfing attacks, while 71% believe it offers greater usability than other commercially available image-based solutions. Said Surrey's Rizwan Asghar, “We believe imaged-based and interactive authentication processes like TIM are a step in the right direction."
Protecting AI Models from 'Data Poisoning'
IEEE Spectrum
Payal Dhar
March 24, 2023
Computer scientists from ETH Zurich in Switzerland, Google, chipmaker Nvidia, and machine learning (ML) integrity platform Robust Intelligence demonstrated two data poisoning exploits that do not appear to have been attempted so far. The split-view poisoning attack leverages the fact that data observed when curated could diverge from data seen during artificial intelligence (AI) model training. By controlling a significant portion of a large image dataset, attackers can infiltrate AI training data with malicious content. The front-running attack involves modifying data like Wikipedia articles so they are snapshotted as a direct download, with the compromised data fed into AI models. The demonstrations targeted 10 popular datasets.
ChatGPT Data Leak More Extensive Than Previously Reported
Mashable (3/24) reports, “OpenAI has shared that even more private data from a small number of users was exposed” by a ChatGPT bug that prompted its shutdown on March 20. The company is quoted saying, “In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. ... Full credit card numbers were not exposed at any time.” Mashable says, “The hours OpenAI is referring to was a nine hour window before the bug was discovered. OpenAI reports that the payment-related information of 1.2 percent of ChatGPT Plus subscribers were exposed. Those users have been notified by OpenAI.”
Twitter Says Parts Of Its Source Code Were Leaked Online
The New York Times (3/26, Mac, Conger) reports that portions of Twitter’s source code were “leaked online, according to a legal filing, a rare and major exposure of intellectual property as the company struggles to reduce technical issues and reverse its business fortunes under Elon Musk.” At Twitter’s request, the code was removed on Friday by GitHub, a collaboration platform where the code was posted, but the code “appeared to have been public for at least several months.” Twitter has launched an investigation “into the leak and executives handling the matter have surmised that whoever was responsible left the San Francisco-based company last year, two people briefed on the internal investigation said.” One concern is that “the code includes security vulnerabilities that could give hackers or other motivated parties the means to extract user data or take down the site, they said.” The AP (3/26, D'Innocenzio) reports Twitter also “asked the court to identify the alleged infringer or infringers who posted Twitter’s source code on systems operated by GitHub without Twitter’s authorization.”
Crypto Companies Seeing “All-Out Battle” With US Regulators
Politico (3/26, Harty) reports crypto businesses “have warned for months that the Biden administration is quietly moving to push them out of the U.S.” and “with the collapse of three crypto-friendly banks, they say the evidence is piling up.” According to Politico, it “marks the latest front in what is already an all-out battle between the once high-flying industry and officials in Washington that could shape the future of crypto in the U.S.” In contrast, Politico reports European lawmakers “are trying to court crypto companies, sparking concern among Republicans that the U.S. may see its reputation as a home for financial innovation diminished.”
Microsoft Introduces “AI-Powered Cybersecurity Assistant”
Reuters (3/28, Mathews) reports Microsoft on Tuesday launched a “tool to help cybersecurity professionals identify breaches, threat signals and better analyze data, using OpenAI’s latest GPT-4 generative artificial intelligence model.” The “Security Copilot” tool is a “simple prompt box that will help security analysts with tasks like summarizing incidents, analyzing vulnerabilities and sharing information with co-workers on a pinboard.”
Ed Tech Experts Say Schools Should Be Concerned About ChatGPT’s Student Data Privacy
K-12 Dive (3/29, Merod) reports, “School districts should be concerned about ChatGPT’s terms of use when permitting the artificial intelligence tool on school devices, especially when it comes to protecting students’ personally identifiable information, according to Pete Just, founding chair of the Indiana CTO Council, speaking during the Consortium for School Networking (CoSN) conference this month.” OpenAI is “very elusive” about its data privacy policy, “and will share its information with anybody, said panelist Keith Bockwoldt, chief information officer of Hinsdale Township High School District 86 in Illinois.” Even if schools “block ChatGPT on their networks and devices due to a fear of exposing student data, Bockwoldt said, those students can still use the technology at home.”