Simple Firmware Update Completely Hides a Device's Bluetooth Fingerprint
A firmware update developed by University of California San Diego researchers prevents a connected device user from being tracked using the device's unique Bluetooth fingerprint. The new method hides the device's Bluetooth fingerprint using multiple layers of randomization. The researchers tested the firmware update on the Texas Instruments CC2640 chipset used in various smart devices and found the level of tracking accuracy achieved in one minute without the firmware update would take more than 10 days of continuous observation with the firmware update.
[ » Read full article ]
UC San Diego Today; Ioana Patringenaru (July 10, 2024)
New Blast-RADIUS Attack Breaks 30-Year-Old Protocol Used in Networks Everywhere
Researchers at Cloudflare, University of California San Diego, BastionZero, Microsoft Research, and the Netherlands' Centrum Wiskunde & Informatica found the RADIUS (Remote Authentication Dial-In User Service) network protocol is vulnerable to an attack that could enable hackers to assume control of industrial controllers, telecommunications services, ISPs, enterprise networks, and more. With "Blast RADIUS," an attacker with an active adversary-in-the-middle position can gain administrative access to devices that authenticate themselves to a server via the RADIUS protocol.
[ » Read full article ]
Ars Technica; Dan Goodin (July 9, 2024)
10 Billion Passwords Exposed in Largest Leak Ever
Cybernews researchers discovered what they described as the largest-ever password compilation on a popular hacking forum. The rockyou2024.txt file, posted July 4 by a user known as "ObamaCare," contains 9,948,575,739 unique plaintext passwords. Although these passwords are from a combination of old and new data breaches, the researchers said the risk of credential stuffing attacks is higher given that the passwords were compiled into a single, searchable database.
[ » Read full article ]
PC Magazine; Emily Price (July 6, 2024)
Intel CPUs Face Spectre-Like 'Indirector' Attack
University of California San Diego researchers demonstrated a technique that can deploy Spectre-like side channel attacks on high-end Intel CPUs by exploiting a speculative execution feature to redirect a program's control flow. The technique, called Indirector, could dupe the CPU into incorrectly altering the order in which individual instructions and function calls are executed and allow attackers to access sensitive data.
[ » Read full article ]
Dark Reading; Jai Vijayan (July 3, 2024)
Rust Leaps Forward in Language Popularity Index
Rust achieved its highest position ever in the monthly Tiobe Programming Index of computer language popularity, reaching the 13th spot in July. Previously, Rust had never gone higher than 17th place in the index. Tiobe CEO Paul Jansen attributed Rust's ascent to a February U.S. report recommending Rust over C/C++ for security reasons.
[ » Read full article ]
InfoWorld; Paul Krill (July 8, 2024)
Australia Spy Agency Moves Intelligence Data to Cloud
In a deal with Amazon Web Services, the Australian Defense Force will move its top secret intelligence data to the cloud to increase interoperability with the U.S. Rachel Noble, director general of the Australian Signals Directorate, added that top secret datacenters will be built in Australia as the national security agency ramps up AI use to analyze data.
[ » Read full article ]
Reuters; Kirsty Needham (July 4, 2024)
Attacks on the Global Positioning System (GPS) are being perpetrated worldwide, daily. GPS jamming is common in the airspace near conflict zones. The U.S. has lagged behind other countries in replacing aging GPS satellites and developing backup plans. The European Galileo system authenticates its signals, and China is developing timing stations and laying fiber-optic cables to eliminate the need for satellites to provide navigation.
[ » Read full article *May Require Paid Registration ]
The New York Times; Selam Gebrekidan; K.K. Rebecca Lai; Pablo Robles (July 2, 2024); et al.
Tiny Chip Could Secure Quantum Wi-Fi
A quantum phase array (QPA) developed by California Institute of Technology researchers could allow secure quantum Wi-Fi communication in any location. The QPA contains more than 1,000 electronic components arranged on a 1.8 mm by 3 mm silicon-based chip. The system on a chip features 32 antennas that can transmit and receive quantum signals moving through free space, and it can operate at room temperature.
[ » Read full article ]
New Scientist; Karmela Padavic-Callaghan (July 2, 2024)
CrowdStrike Issue Causes Major Global Outages
An update by cybersecurity firm CrowdStrike led to a major IT outage on Friday, impacting businesses around the world. CrowdStrike said it is in the process of rolling back the update that caused the issue and that a fix for the defect had been deployed. Said CEO George Kurtz, "CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted." Airlines, banks, and telecom firms were among the companies impacted.
[ » Read full article ]
CNBC; Katrina Bishop; Arjun Kharpal (July 19, 2024)
Kaspersky Labs Quits U.S. After Ban
Russia's Kaspersky Labs is pulling out of the U.S. following a ban on the sale and distribution of its antivirus and cybersecurity software, noting that "business opportunities in the country are no longer viable." This follows comments from U.S. Commerce Secretary Gina Raimondo that Kaspersky posed a serious risk to U.S. infrastructure and services due to Moscow's influence over the company. Software updates, resales, and licensing of Kaspersky products will be prohibited in the U.S. beginning Sept. 29.
[ » Read full article ]
BBC; João da Silva (July 16, 2024)
Investigators Raced to Crack Phone Used by Trump Rally Gunman
The latest phone-cracking technology was used to quickly access the phone of the man suspected of shooting former U.S. President Donald Trump during a campaign event. The phone was a relatively new model, which can be harder for law enforcement to access than old phones because of newer software. Insiders said the FBI was able to crack the suspect's phone within 45 minutes.
[ » Read full article ]
Washington Post; Devlin Barrett; Emily Davies (July 16, 2024)
Hackers Claim Leak of Internal Disney Slack Messages over AI Concerns
Activist hacking group Nullbulge claimed it leaked thousands of Disney’s internal Slack messaging channels, which included information about unreleased projects, raw images, computer codes, and log-ins. The group said it leaked about 1.2 terabytes of information and that it wants to protect artists’ rights and compensation for their work, especially in the age of AI.
[ » Read full article ]
CNN; Ramishah Maruf (July 15, 2024)
CISA Urges Software Makers to Eliminate OS Command Injection Vulnerabilities
An alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI calls on software manufacturers to eliminate "entirely preventable" operating system (OS) command injection vulnerabilities. The alert said designing and developing software that trusts user input without proper validation or sanitization “can allow threat actors to execute malicious commands, putting customers at risk." The agencies indicated OS command injection vulnerabilities can be avoided with clear separations between user input and a command's contents.
[ » Read full article ]
Infosecurity Magazine; James Coker (July 11, 2024)
Germany to Phase Out Chinese Components from Its 5G Core Network
German Interior Minister Nancy Faeser said "a clear and strict agreement" has been made with telecom providers Deutsche Telekom, Vodafone, and Telefonica Deutschland to phase out the use of components from Huawei, ZTE, and other Chinese companies from Germany's 5G network products by 2029. The agreement is intended to protect Germany's critical infrastructure from potential security risks posed by China.
[ » Read full article ]
Reuters; Andreas Rinke; Rachel More; Chiara Holzhaeuser (July 11, 2024); et al.
The New York Times (7/14) reports Google is “in talks to buy Wiz, a New York-based cybersecurity start-up,” for roughly $23 billion in what would be “its largest-ever acquisition to improve what it can offer to business customers.” Google is pursuing the acquisition “despite the possibility that regulators might try to block the deal.” However, “the company may be willing to fight to beef up its cloud-computing division, which lags behind Amazon Web Services and Microsoft Azure.” The Wall Street Journal (7/14, Subscription Publication) reports that if a deal for Wiz materializes, it would be among the largest technology transactions recently, given that antitrust scrutiny and high interest rates are deterring potential buyers.
The Washington Post (7/12, A1, Menn, Gregg) reported, “Hackers stole records detailing the phone contacts of almost all AT&T Wireless customers in one of the most serious breaches of sensitive consumer data in recent years, the company disclosed in a securities filing Friday.” This “cache includes the numbers called or texted by more than 100 million customers between May 1 and Oct. 31, 2022, as well as one day this past January.” The cache also “contains the numbers themselves as well as the frequency and combined durations of the interactions, but not the customer names or the content of those communications, AT&T said.”
The New York Times (7/12, Gross, Kaye) reports the company in a regulatory filing “said it became aware of the breach in April.” But “the Justice Department requested in May and June that AT&T delay the public disclosure of the incident because of ‘a substantial risk to national security and public safety,’ a spokesman for the department said.”
AT&T Paid Hacker $370,000 To Delete Stolen Data. Digital Trends (7/14) reports that after news broke on Friday “that a security breach had impacted tens of millions” of AT&T’s customers, “a new report claims that the carrier paid around $370,000 to the hacker to delete all of the stolen data.” AT&T sent a cryptocurrency payment to the hackers in May, “and as part of the deal, the hacker had to provide a video that proved the data had been deleted, Wired reported on Sunday.” Communicating with AT&T through a cybersecurity researcher as an intermediary, the hacker “had originally demanded $1 million to delete the data, but ended up accepting around a third of that.” Digital Trends says, “The perpetrator is believed to be part of the ShinyHunters hacking group that’s also believed to have been involved in stealing data from unsecured storage accounts operated by US cloud computing company Snowflake.”
Entrepreneur Magazine (7/17, Wong) reports cybercrime has surged globally, causing over $12 billion in damages in the past decade. AI now plays a crucial role in both perpetrating and combating cyber threats. Chief information security officers leverage AI technologies like machine learning to detect anomalies and prevent damage. Amazon GuardDuty, an AI-based threat detector, protects AWS accounts by analyzing data and automating threat remediation. IBM Watson for Cybersecurity also uses AI to detect threats from various sources. Despite advancements, challenges remain, including securing generative AI projects. Case studies of Andritz AG and United Family Healthcare illustrate successful AI-based cybersecurity implementations. As generative AI use expands, the need for robust cybersecurity will grow, necessitating advancements in AI-based protection.
Inside Higher Ed (7/18, Coffey) reports that more than a dozen higher education organizations are opposing a federal proposal requiring more than 5,000 colleges and universities to report cybersecurity attacks. Educause, “a nonprofit focused on education and technology, sent a letter July 1 to express concerns about a proposal from the Cybersecurity and Infrastructure Security Agency (CISA).” The proposal “expands on the Cyber Incident Reporting for Critical Infrastructure Act of 2022” to include higher education institutions. The American Council on Education (ACE) also filed a letter on July 3, supported by 15 other organizations, criticizing the lack of consultation with the education sector. Both Educause and ACE argue “the strain the new proposals could put on both small and large institutions.” The public comment period ended on July 3, and final regulations are expected in October 2025.
Security Firm Discovers Remote Worker Is North Korean Hacker
KnowBe4, a U.S. security training firm, disclosed that it had unknowingly hired a remote software engineer who turned out to be a North Korean hacker. The firm revealed in a blog post that as soon as the employee received a company-issued Mac, the device began loading malware. The Mac's onboard security software detected the malware, however, and the company was able to prevent the hacker from using the device to compromise its internal systems.
[ » Read full article ]
PC Magazine; Michael Kan (July 23, 2024)
Malware Shuts Down Heating in Ukrainian City
Cybersecurity company Dragos on Tuesday published a report detailing how a new malware designed to target a specific type of heating system controller caused the loss of heating for nearly 48 hours during winter to over 600 apartment buildings in Lviv, Ukraine. The FrostyGoop malware was designed to interact with industrial control devices over Modbus, a decades-old protocol widely used across the world to control devices in industrial environments.
[ » Read full article ]
TechCrunch; Lorenzo Franceschi-Bicchierai (July 23, 2024)
U.S. Mandates Stricter Cybersecurity for R&D Institutions
According to a memo from the U.S. Office of Science and Technology Policy, higher education institutions certified by federal research agencies must implement cybersecurity programs for research and development (R&D) security. Institutions receiving more than $50 million in federal science and engineering support annually must certify to the funding agency their R&D security programs cover cybersecurity, and must implement a cybersecurity program following the CHIPS and Science Act’s cybersecurity document for research-focused entities.
[ » Read full article ]
Security Intelligence; Jonathan Reed (July 22, 2024)
Microsoft's Global Sprawl Under Fire After Historic Outage
The July 19 computer outage resulting from a defective CrowdStrike update to Windows systems worldwide shines a spotlight on the global economy's dependence on Microsoft. Although Microsoft said only an estimated 8.5 million devices were impacted, accounting for less than 1% of computers running the Windows operating system, U.S. Federal Trade Commission Chair Lina Khan said it underscores "how concentration can create fragile systems."
[ » Read full article *May Require Paid Registration ]
The Washington Post; Cristiano Lima-Strong; Cat Zakrzewski; Jeff Stein (July 20, 2024)
How China Avoided Worst of Global Tech Meltdown
China managed to escape much of the damage caused by the faulty CrowdStrike software update Friday for the simple reason that the computer security provider is hardly used in the country. Additionally, China is not as reliant on Microsoft as the rest of the world; domestic companies are that nation’s dominant cloud providers.
[ » Read full article ]
BBC News; Nick Marsh (July 20, 2024)
DHS Develops Robot for Walking DoS Attacks
The U.S. Department of Homeland Security (DHS) has developed a four-legged robot designed to jam the wireless transmissions of smart home devices. The NEO robot is equipped with an antenna array designed to overload home networks, to disrupt devices that rely on wireless communication protocols. The robot also may be used to communicate with subjects in a target area, or to provide remote eyes and ears to agents on the ground.
[ » Read full article *May Require Paid Registration ]
Tom's Hardware; Jowi Morales (July 23, 2024)
Technology Policy Experts Say It's Time to Rethink Data Privacy Protections
The latest TechBrief released by ACM's global Technology Policy Council focuses on data privacy protections. “Few people realize that, in just the last decade, new technologies such as generative AI have made old approaches to ensuring data privacy obsolete,” said co-author Micah Altman at the Massachusetts Institute of Technology. "We call for a new set of best practices in our field to manage privacy risks. We also emphasize that privacy regulation must keep pace with privacy protection technologies."
[ » Read full article ]
ACM Media Center (July 25, 2024)
EU Cloud Scheme Needs More Privacy Safeguards, French Watchdog Says
French privacy watchdog CNIL said improvements must be made to the data protection safeguards in the proposed EU certification scheme for cloud services (EUCS). The EUCS is intended to protect ICT packages sold in the EU from cyberattacks. However, the CNIL said, "In its current state, the EUCS no longer allows providers to demonstrate that they protect stored data against access by a foreign power."
[ » Read full article ]
Euronews; Cynthia Kroet (July 22, 2024)
Politico (7/19, Sakellariadis, Miller, Gedeon) reported the Administration on Friday raced “to assess the fallout from a massive IT outage that is ricocheting across the globe, grounding airplanes, ripping through health systems and snarling IT networks at federal agencies and Fortune 500 companies.” Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger “said during a panel at the Aspen Security Forum Friday that she had spent the morning assessing the impact of the outage on all U.S. critical infrastructure sectors,” and also “said she spoke with George Kurtz, the CEO of cybersecurity giant CrowdStrike, and convened interagency calls to understand the impact of the errant software update, and had reached out to foreign partners to offer assistance as well.”
The Washington Post (7/19, Ziegler, Telford, Gilbert) detailed how “countless people worldwide...were tangled by a software outage affecting Microsoft Windows users,” which “disrupted airports, hospitals, transportation systems and other businesses, creating a cascade of chaos and inconvenience.” The New York Times (7/19, A1, Satariano, Mozur, Tobin) calls the outage “unparalleled,” adding that “the fallout, which was immediate and inescapable, highlighted the brittleness of global technology infrastructure,” since “when a single flawed piece of software is released over the internet, it can almost instantly damage countless companies and organizations that depend on the technology.”
The Washington Post (7/19, A1) explained that “as more information emerged about the cause of the outage, it seemed clear it was nothing more than an accident, one caused by faulty software in an automated update from...CrowdStrike,” underlining “the vulnerability of major industries” to such events. With “the AI revolution...poised to make these systems even more interdependent and opaque,” the Post adds that “political leaders have been slow to react to these changes in part because few of them understand the technology,” though “even technologists can’t fully understand the complexities of our globally networked systems.”
CrowdStrike Deploys Fix For Issue Causing Global Tech Outage. Reuters (7/19, Sophia) reported CrowdStrike CEO George Kurtz on Friday announced it had “deployed a fix for an issue that triggered a major tech outage that affected industries ranging from airlines to banking to healthcare worldwide,” while Microsoft “said separately it had fixed the underlying cause for the outage of its 365 apps and services including Teams and OneDrive, but residual impact was affecting some services.” Reuters says the “massive” outage led to “major airlines halting flights,” took “some broadcasters off-air,” and left “sectors ranging from banking to healthcare hit by system problems.”
Airlines Face Difficulties Recovering From CrowdStrike Outage As Cancellations Continue. The AP (7/21) reports airlines “continued to struggle to restore operations two days after a faulty software update caused technological havoc worldwide and resulted in several carriers grounding flights,” with total cancellations reaching 1,461, topped by Delta Airlines and United Airlines. Transportation Secretary Buttigieg spoke with Delta CEO Ed Bastian on Sunday “about the airline’s high number of cancellations since Friday,” and “the Transportation Department said its top officials have reminded Delta of the airline’s obligation to provide refunds to passengers whose flights were canceled and who don’t want to be rebooked on a later flight.” Nonetheless, Reuters (7/21, Valetkevitch, Shepardson) says Delta “struggled to restore normal operations on Sunday,” having “canceled just over a quarter of its schedule Sunday and delayed another 1,700 flights or 46%,” amid “ongoing operational problems caused by the outage’s impact on its crew tracking system.”
The Washington Post (7/22, Lima) reports the House Homeland Security Committee on Monday “demanded that CrowdStrike CEO George Kurtz commit by Wednesday to appearing on Capitol Hill” to explain the widespread computer outages caused by his company’s botched software update over the weekend and commit to “mitigation steps” to prevent future issues. The error “threw businesses and government organizations worldwide into disarray,” forcing airlines “to ground thousands of flights” and disrupting “emergency services such as the 911 call line.” The Post adds that the “worldwide meltdown is forcing regulators and lawmakers to confront the extent to which the global economy and critical infrastructure relies on a small set of software services.” The AP (7/22) reports that in a letter to Kurtz, Republican lawmakers said they “cannot ignore the magnitude of this incident, which some have claimed is the largest IT outage in history,” adding that Americans “deserve to know in detail how this incident happened and the mitigation steps CrowdStrike is taking.”
Colleges Continue To Grapple With CrowdStrike Outage. Inside Higher Ed (7/22, Alonso) reports “colleges and universities were and continue to be affected by massive technology outages caused by an update to CrowdStrike, a cybersecurity software, on Friday.” Two institutions in Texas, Texas A&M University and the University of Houston at Victoria, “canceled classes in the wake of the outage,” and last Friday, Texas A&M “announced that 81 percent of its servers had been restored and classes would resume as normal today.” Higher ed institutions “aren’t alone,” but in some cases, “institutions’ online learning arms were impacted more than their in-person campuses.” Though CrowdStrike released “a solution to the shutdowns within hours of the flawed update, the process is too complicated for many who aren’t IT professionals,” meaning the outage “will most likely have the direst effect on universities where faculty and staff work remotely and can’t easily get their computers looked at in person.”
CrowdStrike “is blaming a bug in an update that allowed its cybersecurity systems to push bad data out to millions of customer computers, setting off last week’s global tech outage that grounded flights, took TV broadcasts off air and disrupted banks, hospitals and retailers,” the AP (7/24) reports. Additionally, the company “outlined measures it will take to prevent the problem from recurring, including staggering the rollout of updates, giving customers more control over when and where they occur, and providing more details about the updates that it plans.”
Delta May Take $500 Million Loss From CrowdStrike Outage. The New York Post (7/24, Herzlich) reports that Delta Air Lines may face a $500 million impact this quarter due to last week’s global CrowdStrike outage, according to Citi Research analyst Stephen Trent. Citigroup reduced Delta’s third-quarter earnings per share estimate by 60 cents to $1.37, citing operational expenses and potential customer compensation costs. Conor Cunningham of Melius Research estimated a $350 million hit to Delta’s operating profit and a possible fine from the Department of Transportation, which is investigating the airline for canceling over 5,000 flights. Delta declined to comment on the projected financial loss.
DDoS Attack Triggers New Microsoft Global Outage
A global outage of Microsoft services on Tuesday was started by a Distributed Denial-of-Service (DDoS) attack, the company said. An error in Microsoft’s DDoS protection measures then amplified the impact of the attack rather than mitigating it, the firm added. The outage lasted for around 10 hours, during which time customers reported issues with a range of Microsoft platforms.
[ » Read full article ]
Infosecurity Magazine; James Coker (July 31, 2024)
Meta's AI Safety System Defeated by Space Bar
Meta last week unveiled Prompt-Guard-86M alongside its Llama 3.1 generative AI model, to detect prompt injection attacks. However, Robust Intelligence researcher Aman Priyanshu found the Prompt-Guard-86M classifier model is itself vulnerable to prompt injection attacks. Priyanshu explained adding spaces between the letters of a given prompt and leaving out punctuation "effectively renders the classifier unable to detect potentially harmful content."
[ » Read full article ]
The Register (U.K.); Thomas Claburn (July 29, 2024)
DOJ Says TikTok Collected U.S. User Views on Sensitive Issues
In documents filed in federal appeals court in Washington, U.S. Department of Justice (DOJ) attorneys said TikTok employees sent sensitive data about U.S. users to engineers at parent company ByteDance in China via an internal Web-suite system. The Lark system was used to transmit data on users' views on sensitive topics like religion, abortion, and gun control; the data was stored on Chinese servers. DOJ expressed concerns about the potential for "covert content manipulation" by the Chinese government.
[ » Read full article ]
Associated Press; Haleluya Hadero; Eric Tucker (July 27, 2024)
AI Snoops on HDMI Cables to Capture Screen Data
An AI model developed by researchers at Uruguay's University of the Republic can reconstruct digital signals by intercepting electromagnetic radiation leaked from the HDMI cable that connects a computer and monitor. This would allow hackers to view a user's computer screen as they enter encrypted messages or personal information. Said the university’s Federico Larroca, “If you really care about your security, whatever your reasons are, this could be a problem.”
[ » Read full article ]
Tom's Hardware; Jeff Butts (July 28, 2024)
Search Engine Exposes Privacy Violations
Former Google engineer Tim Libert has launched webXray, a search engine that lets users identify which websites are tracking them and where the data goes. Users can enter a search term to find all the websites connected to that term that track the data and search queries tied to their IP address and pass that information to Google, advertisers, and third-party data brokers. Libert said his goal is "to give privacy enforcers equal technology as privacy violators."
[ » Read full article ]
Wired; Brian Merchant (July 24, 2024)
Hackers Vie for Millions in Contest to Thwart Cyberattacks
About 40 contestants are vying for a $2-million prize in a contest sponsored by the U.S. Defense Advanced Research Projects Agency (DARPA) to come up with an autonomous program capable of scanning lines of open-source code, identifying security flaws, and repairing them. The AIxCC challenge aims to harness AI to compensate for the shortage of skilled engineers able to find flaws in poorly maintained open-source software.
[ » Read full article ]
The Washington Post; Joseph Menn (July 27, 2024)
Paris Olympics' Cyber Team Braces for Onslaught
Government, private-sector, and Olympic cybersecurity specialists have collaborated for months to prevent cyberattacks during the Summer Games. ANSSI, the French government's cybersecurity agency, worked with 500 companies, organizations, and facilities that it identified as critical to the Summer Games to perform cybersecurity audits of their systems.
[ » Read full article ]
Bloomberg; Jamie Tarabay; Benoit Berthelot (July 25, 2024)
Meta Agrees to $1.4-Billion Settlement in Biometric Data Suit
Facebook parent Meta agreed to pay $1.4 billion to settle a Texas lawsuit over the unauthorized use of biometric data from users. The suit, filed in 2022 by the state's attorney general, accused Meta of capturing and using the biometric data of millions of Texas residents from uploaded photos and videos on Facebook without permission, violating state law.
[ » Read full article ]
CNBC; Dan Mangan (July 30, 2024)
Georgia Website That Lets Voters Cancel Registrations Displayed Personal Data
Georgia election officials are urging people to use a state website to cancel voter registrations when someone moves out of state or dies, despite a Monday rollout of the site marred by a glitch that allowed people to access others’ personal data. The issue, which has been fixed, underscored concerns that the site could allow outsiders to unjustifiably cancel voter registrations.
[ » Read full article ]
Associated Press; Jeff Amy; Charlotte Kramon (July 30, 2024)
One Question Saved Ferrari from a Deepfake Scam
With one question, an executive at Ferrari stopped an effort to use deepfake technology to scam the company. CEO Benedetto Vigna was impersonated on a call by deepfake software that, using a convincing imitation of Vigna's southern Italian accent, said he needed to discuss something confidential that required an unspecified currency-hedge transaction to be carried out. The executive started to have suspicions and asked, for identification purposes, the title of the book Vigna had recently recommended to him. With that, the call ended.
[ » Read full article ]
Bloomberg; Daniele Lepido (July 26, 2024)
China Wants to Start National Internet ID System
Websites and apps in China verify users with their phone numbers, which are tied to personal ID numbers all adults are assigned. Now, the government wants to assume the job of user verification and give people a single ID to use across the Internet. Critics warn such a move would give the government more power to monitor what people do online.
[ » Read full article *May Require Paid Registration ]
The New York Times; Meaghan Tobin; John Liu (July 31, 2024)
U.S. Indicts North Korean Hacker
The U.S. Department of Justice announced on Thursday that Rim Jong Hyok was indicted for his alleged role in a scheme to breach U.S. hospital computer systems and extort them for ransom. Rim is an alleged member of a hacking group working for North Korea's military intelligence agency. U.S., South Korean, and British government security agencies on Thursday released information on North Korean hackers’ tactics and warned the hackers were targeting classified and other sensitive information in the nuclear, aerospace, and other sectors to advance their country's military and nuclear programs.
[ » Read full article ]
CNN; Sean Lyngaas (July 25, 2024)
California DMV Puts 42 Million Car Titles on Blockchain
To make the title transfer process more efficient and prevent fraud, the California Department of Motor Vehicles (DMV) digitized 42 million car titles, putting them on Ava Labs' Avalanche blockchain. This will allow California residents to claim their car titles via a mobile app and reduce in-person DMV visits. Additionally, with blockchain technology, a transparent and unalterable record of property ownership will be created, making it easier to detect lien fraud.
[ » Read full article ]
Reuters; Akash Sriram (July 30, 2024)
Senate Passes Legislation Aimed at Protecting Minors Online
The U.S. Senate on Tuesday passed bipartisan legislation aimed at protecting children online. The Kids Online Safety Act requires platforms to provide safeguards for minors, including restricting access to minors’ personal data and providing parents with tools to supervise minors’ use of a platform. The Children and Teens’ Online Privacy Protection Act amends the Children’s Online Privacy Protection Act of 1998 to strengthen protections relating to the online collection, use, and disclosure of personal information of minors.
[ » Read full article ]
CNN; Shania Shelton (July 30, 2024)
Punishment Sought for Russian Troops Using Smartphones in Ukraine War
A draft law proposed by Russia's State Duma Defense Committee would classify the use of electronic devices intended for "household purposes" while in the combat zone in Ukraine as a gross disciplinary offense. These devices are equipped with cameras, audio, and geolocation functions, such as smartphones. A recent report by cybersecurity software firm Enea found mobile phones could be tracked easily on the battlefield in numerous ways.
[ » Read full article ]
Reuters; Lidia Kelly (July 23, 2024)
Security Week (7/30) reports Cisco’s inaugural State of Industrial Networking report found that cybersecurity and artificial intelligence are the top investment priorities for industrial organizations. Based on a survey of 1,000 individuals from companies in 17 countries across 20 sectors, the report shows 89% of respondents view cybersecurity compliance as very or extremely important. Cybersecurity risks are identified as significant internal and external barriers to growth. Over 60% of respondents reported increased spending on operational technology over the past year.
Researchers Uncover AWS Vulnerabilities, 'Shadow Resource' Vector
During a Black Hat USA 2024 session, Aqua Security researchers detailed six critical vulnerabilities in AWS services, which have since been patched, and a new "shadow resource" attack vector. An AWS S3 bucket (shadow resource) is created automatically when customers create a CloudFormation service with the AWS Management Console for the first time in a new region. The researchers identified weaknesses in the bucket-naming process that could allow attackers to guess the name of a potential bucket prior to its creation.
[ » Read full article ]
TechTarget; Rob Wright (August 7, 2024)
Faulty Instructions in Alibaba's T-Head C910 RISC-V CPUs Blow Away All Security
A serious vulnerability in Alibaba subsidiary T-Head Semiconductor's RISC-V processors, identified by researchers at Germany's CISPA Helmholtz Center for Information Security, could allow attackers to assume complete control of a device. The GhostWrite vulnerability affecting the four T-Head C910 CPU cores in the TH1520 SoC could enable attackers to read and write physical memory and execute arbitrary code with kernel and machine-mode privileges.
[ » Read full article ]
The Register (U.K.); Thomas Claburn (August 7, 2024)
Illinois Voter Data Exposed by Unsecured Databases
More than a dozen databases containing sensitive voter information from multiple counties in Illinois were openly accessible on the Internet, revealing 4.6 million records that included driver's license numbers and other personally identifiable information. Security researcher Jeremiah Fowler uncovered a total of 13 exposed databases, none of them password-protected or requiring any type of authentication to access.
[ » Read full article ]
Wired; Lily Hay Newman (August 2, 2024)
Smartphone Flaw Reveals Floor Plans
A security flaw found in smartphones can be used to create a map of the room users are in and determine what they are doing. The vulnerability, discovered by researchers at the Indian Institute of Technology Delhi, uses data in the GPS signal. The researchers created an AI-based system called AndroCon that interpreted the metrics provided by this data from five types of Android smartphones.
[ » Read full article ]
New Scientist; Matthew Sparkes (August 8, 2024)
The Race to Become First Document-Free Airport
Abu Dhabi's Zayed International Airport could become the world's first document-free airport by 2025. As part of its Smart Travel Project, the airport is installing biometric sensors at every identification checkpoint. Biometric information is collected by the Federal Authority for Identity, Citizenship, Customs & Port Security from anyone entering the United Arab Emirates at immigration, and the airport's system accesses this database to verify passengers at each checkpoint.
[ » Read full article ]
CNN; Ana DeOliva (August 7, 2024)
French Museum Network Hit by Ransomware Attack
The central data systems of dozens of museums in the Réunion des Musées Nationaux network in France were targeted by a ransomware attack. While venues in the network are hosting competitions for the Summer Olympics, officials say no events have been disrupted thus far. The attack, detected Sunday, hit data systems used by around 40 museums across the country.
[ » Read full article ]
Associated Press (August 6, 2024)
DOJ Sues TikTok, Alleging It Broke Child Privacy Law
The U.S. Department of Justice (DOJ) on Friday sued TikTok and its China-based owner ByteDance, alleging they violated a children’s privacy law by collecting data on millions of Americans younger than 13. According to the DOJ, TikTok made it too easy for children to create accounts and then collected data on those who did, constituting a “massive-scale” violation of the Children’s Online Privacy Protection Act.
[ » Read full article ]
The Washington Post; Drew Harwell (August 2, 2024)
The New York Times (8/2) reports the Justice Department sued TikTok on Friday, accusing the company of “illegally collecting children’s data and escalating a long-running battle between the U.S. government and the Chinese-owned app.” The Times says according to the DOJ, “TikTok broke the law by gathering personal information from users under the age of 13 without their parents’ permission.” The app also “knowingly allowed children under 13 to create and use TikTok accounts, the government said, and frequently failed to honor parents’ requests to delete their children’s accounts,” and the lawsuit “said those practices violated both the Children’s Online Privacy Protection Act.”
Reuters (8/2, Shepardson) reports the lawsuit, “which was joined by the Federal Trade Commission, said it was aimed at putting an end ‘to TikTok’s unlawful massive-scale invasions of children’s privacy.’” Rep. Frank Pallone (D-NJ) said the lawsuit “underscores the importance of divesting TikTok from Chinese Communist Party control. We simply cannot continue to allow our adversaries to harvest vast troves of Americans’ sensitive data.”
The Washington Post (8/7) reports that in 2021, London-based artificial intelligence firm Yoti initiated a campaign called “Share to Protect” in South Africa, which would “donate 20 South African rands, about $1, to their children’s school” for every child’s photo submitted. The initiative aimed to improve Yoti’s AI tool “that could estimate a person’s age by analyzing their facial patterns and contours.” While some parents participated, others expressed strong opposition due to privacy concerns. Companies such as Yoti, Incode, and VerifyMyAge “increasingly work as digital gatekeepers, asking users to record a live ‘video selfie’ on their phone or webcam, often while holding up a government ID, so the AI can assess whether they’re old enough to enter.” However, critics argue these systems could lead to privacy violations and misuse of personal data.
Ballot Randomization Flaws Threaten Voter Privacy
The paper “DVSorder: Ballot Randomization Flaws Threaten Voter Privacy” identifies a flaw in precinct-based ballot scanners made by Dominion Voting Systems, allowing attackers to link individuals with their votes and compromise ballot secrecy, using only public information. It received a Distinguished Paper Award at the USENIX Security 2024 conference.
Hackers Leak 2.7 Billion Data Records with Social Security Numbers
A threat actor known as Fenice has leaked the most complete version of the nearly 2.7 billion records of personal information for U.S. residents stolen earlier this year from National Public Data. The data can be accessed for free via the Breached hacking forum. Made available in two text files totaling 277GB, the data includes names, Social Security numbers, mailing addresses, and possible aliases. The data was scraped from public sources and sold for use in background checks, criminal records searches, and by private investigators.
[ » Read full article ]
BleepingComputer; Lawrence Abrams (August 11, 2024)
German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products after Outage
Germany's Federal Office for Information Security (BSI) wants changes in the way Microsoft gives security providers access to its Windows kernel and the way CrowdStrike and other cyber firms design their tools, in hopes of curbing that access. The agency says that its efforts are focused on reducing the likelihood of a massive tech outage, like the one that resulted from faulty CrowdStrike software last month.
[ » Read full article *May Require Paid Registration ]
WSJ Pro Cybersecurity; Catherine Stupp (August 14, 2024)
NIST Releases First Three Finalized Post-Quantum Encryption Standards
The National Institute of Standards and Technology (NIST) has released three encryption algorithms designed to withstand cyberattacks from a quantum computer. FIPS 203 is derived from the post-quantum cryptographic algorithm Kyber. FIPS 204 is based on Dilithium and is designed to protect digital signatures. FIPS 205 is based on the security of SHA-2 or SHA-3 and offers robust security with very small public keys, generating signatures of about seven kilobytes. Said NIST's Laurie E. Locascio, “Quantum computing technology could become a force for solving many of society’s most intractable problems, and the new standards represent NIST’s commitment to ensuring it will not simultaneously disrupt our security.”
[ » Read full article ]
NIST (August 13, 2024)
Experts Try to Hack New Voting Platform
At the DEF CON conference on Aug. 9, hackers attempted to infiltrate the new online Secure Internet Voting (SIV) platform to identify vulnerabilities. The SIV platform is being tested in small pilot programs across the U.S. and was used during a 2023 Republican primary race. Any hackers who identify flaws in the SIV platform will share $10,000 in prize money from SIV.
[ » Read full article ]
Reuters; James Pearson; Christopher Bing (August 9, 2024)
Want to Win a Bike Race? Hack Your Rival's Wireless Shifters
Relatively inexpensive hardware can be used to hack the Shimano Di2 wireless gear-shifting systems used by cyclists, according to researchers at the University of California San Diego and Northeastern University. They tested the eavesdrop-and-replay attack with a $1,500 USRP software-defined radio, an antenna, and a laptop but said the setup could be miniaturized. Attackers could spoof signals from up to 30 feet away, causing the target bike to shift gears unexpectedly or lock into the wrong gear. Shimano has released a firmware update to remedy the issue.
[ » Read full article ]
Wired; Andy Greenberg (August 14, 2024)
Home Robots Can Be Hacked to Spy on Owners
Security researchers Dennis Giese and Braelynn found vulnerabilities in Ecovacs' vacuum and lawnmower robots that could allow hackers to access the devices' cameras and microphones. The researchers found that anyone with a phone who is within 450 feet of an Ecovacs robot can hack the device via Bluetooth, then remotely access the microphones and cameras to spy on users. They also found that data stored on the robots, as well as the authentication token, stays on Ecovacs' cloud servers even after a user deletes their account, and the PIN number used to protect the lawnmower robots is stored in plain text inside the device.
[ » Read full article ]
TechCrunch; Lorenzo Franceschi-Bicchierai (August 9, 2024)
Infrared Laser Spies on Laptop's Keystrokes
Hacker Samy Kamkar (pictured) demonstrated a light-based keystroke eavesdropping technique at the Defcon security conference. The technique involves pointing an invisible laser through a window at a laptop and recording the computer's vibrations to reconstruct the characters being typed. Kamkar said his open-source surveillance system features the first laser microphone "modulated in the radio frequency domain," with the ability to pick up anything spoken or typed in the targeted room. Using the 400-kilohertz frequency, the laser microphone can convert sound into light, then into radio, and then back into sound.
[ » Read full article ]
Wired; Andy Greenberg (August 8, 2024)
GPS Spoofers 'Hack Time' on Commercial Airlines
A recent surge in GPS “spoofing” includes incidents in which time had been "hacked," according to Ken Munro, founder of cybersecurity firm Pen Test Partners. During a presentation at the DEF CON hacking convention on Saturday, Munro said, “We think too much about GPS being a source of position, but it's actually a source of time.” He described a recent case in which an aircraft operated by a major Western airline had its onboard clocks suddenly sent forward by years, causing the plane to lose access to its digitally encrypted communication systems.
[ » Read full article ]
Reuters; James Pearson (August 10, 2024)
Computer Crash Reports Are Untapped Hacker Gold Mine
During a presentation at the Black Hat security conference, Mac security researcher Patrick Wardle explained that crash reports revealed the cause of the worldwide computer outages related to a flawed software update from CrowdStrike before it was officially disclosed. Wardle said crash reports provide valuable information about coding issues and potentially exploitable software vulnerabilities, with cyber criminals and state-backed hackers combing through them for information they can use to their advantage. Wardle presented multiple vulnerabilities he discovered in crash reports on his own devices, including bugs in the analysis tool YARA and in the current version of Apple's macOS operating system.
[ » Read full article ]
Wired; Lily Hay Newman (August 8, 2024)
Trump Campaign Confirms It Was Hacked
Former President Donald Trump’s campaign said Saturday that some of its internal emails had been hacked. The admission came after Politico started receiving emails from an anonymous account with documents from inside Trump’s operation, including a research dossier the campaign had done on Trump’s running mate, Ohio Sen. JD Vance. The campaign blamed “foreign sources hostile to the U.S.,” citing a Microsoft report on Friday that Iranian hackers “sent a spear phishing email in June to a high-ranking official on a presidential campaign.”
[ » Read full article ]
Politico; Alex Isenstadt (August 10, 2024)
NPR (8/14, Bolton) reports that tech companies Google and Microsoft will provide cybersecurity services to small hospitals following recent cyberattacks. On June 10, the Biden Administration announced these protections, including free security assessments and up to 75% discounts on cybersecurity tools. Cyberattacks against US healthcare have more than doubled between 2022 and 2023, affecting patient care. Smaller hospitals, often targets due to limited resources, face significant challenges in securing their systems. Experts, like Beau Woods and Amie Stepanovich, emphasize the necessity of these measures and call for continued support. Simulations, such as those led by CyberMed Summit, highlight the critical need for preparedness in handling cyberattacks.