Dr. T's security brief


dtau...@gmail.com

Oct 30, 2021, 8:45:11 AM10/30/21
to sec-...@googlegroups.com

Apple Issues Emergency Security Updates to Close Spyware Flaw
The New York Times
Nicole Perlroth
September 13, 2021


Apple has released emergency security patches after researchers at the University of Toronto's Citizen Lab in Canada found a flaw that allows spyware from Israel's NSO Group to infect any Apple product. The researchers discovered a Saudi activist's iPhone had been hacked with NSO's Pegasus spyware using a zero-click remote exploit that can infect targets without their awareness, commandeer device functions, and transmit information to NSO clients. More than 1.65 billion Apple products in use globally have been susceptible to the spyware since at least March. Apple said it intends to launch new security defenses for its iMessage texting application in its next iOS 15 software update, expected later this year.

Full Article

*May Require Paid Registration

 

 

Almost No One Encrypts Their Emails Because It Is Too Much of a Hassle
New Scientist
Chris Stokel-Walker
September 10, 2021


A study by researchers at Germany's Leibniz University Hannover of 81 million email messages sent from January 1994 to July 2021 found that only 0.06% of the emails were encrypted. The researchers also found that encryption tools like S/MIME or PGP were used by only 5.46% of the 37,000 university students and staff in the study. Leibniz's Christian Stransky noted that "S/MIME and PGP are not very usable for normal users," as they require the use of specialist email clients and, in some cases, third-party tools. Alan Woodward at the U.K.’s University of Surrey said, "With the rise of end-to-end encryption in messaging apps [such as WhatsApp], which just happens as if by magic, users naturally use that route if they want to have a private conversation."

Full Article

*May Require Paid Registration

 

 

Italy Data Authority Asks Facebook for Clarifications on Smart Glasses
Reuters
Elvira Pollina
September 10, 2021


Italian data protection authority Garante has asked Facebook to provide it with clarifications related to its newly launched smart glasses, to determine the product's compliance with that nation’s privacy laws. Developed with Ray-Ban manufacturer EssilorLuxottica, the Ray-Ban Stories glasses allow users to hear music, take calls, or shoot photos and videos and share them across Facebook's services via a companion application. Garante made its request via the Irish Data Protection Commissioner (DPC), which oversees Facebook because the social-media giant's European headquarters are based in Ireland. The regulator said it wanted clarification on measures Facebook has deployed to shield people occasionally filmed, especially children, on systems adopted to anonymize collected data, and on features of the smart glasses' voice assistant.

Full Article

 

 

AI Can Detect Deepfake Face Because Its Pupils Have Jagged Edges
New Scientist
Chris Stokel-Walker
September 10, 2021


A computer model developed by researchers at New York’s University of Albany can determine whether an image of a face is a deepfake by examining its pupils; the model will deem the image a fake if the pupils are not circular or elliptical. If the image passes that test, the model will check whether the pupil has smooth or jagged edges, with the latter indicating a deepfake. University of Albany's Siwei Lyu said, "Even though [generative adversarial network] GAN models are very powerful, they don't really understand human biology very well. A lot of these very fine details won't be represented by the model effectively." Although the shape of one's pupils can be affected by certain diseases and infections, Lyu noted that such cases are rare.

Full Article

*May Require Paid Registration

 

 

CISA Launches Initiative to Combat Ransomware
Federal Computer Week
Chris Riotta
August 5, 2021


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially launched the Joint Cyber Defense Collaborative (JCDC), an anti-ransomware initiative supported by public-private information sharing. CISA director Jen Easterly said the organization was created to develop cyber defense strategies and exchange insights between the federal government and private-sector partners. A CISA webpage said interagency officials will work in the JCDC office to lead the development of U.S. cyber defense plans that incorporate best practices for dealing with cyber intrusions; a key goal is coordinating public-private strategies to combat cyberattacks, particularly ransomware, while engineering incident response frameworks. Said security vendor CrowdStrike Services’ Shawn Henry, the JCDC "will create an inclusive, collaborative environment to develop proactive cyber defense strategies" and help "implement coordinated operations to prevent and respond to cyberattacks."

Full Article

 

 

Researchers Say They've Found a Wildly Successful Bypass for Face Recognition Tech
Gizmodo
Lucas Ropek
August 4, 2021


Computer scientists at Israel's Tel Aviv University (TAU) say they have developed a "master face" method for circumventing a large number of facial recognition systems, by applying artificial intelligence to generate a facial template. The researchers say the technique exploits such systems' usage of broad sets of markers to identify specific people; producing facial templates that match many such markers essentially creates an omni-face that can bypass numerous safeguards. The researchers created the master face by plugging an algorithm into a generative adversarial network that builds digital images of artificial human faces. The TAU team said testing showed the template was able to unlock over 20% of the identities in an open source database of 13,000 facial images operated by the University of Massachusetts.

Full Article

 

 

New York City's Vaccine Passport Plan Renews Online Privacy Debate
The New York Times
Erin Woo; Kellen Browning
August 4, 2021


New York City's mandate that people must show proof of at least one coronavirus vaccine shot, or vaccine passport, to enter businesses has revived the debate over whether these digital certificates undermine online privacy. The applications may enable location tracking, and privacy researchers are worried about digital surveillance escalating. The New York Civil Liberties Union's Allie Bohm said without restrictions, presenting a digital vaccination passport whenever people enter a public place could lead to a "global map of where people are going," which could be sold or turned over to third parties, law enforcement, or government authorities. Privacy advocates are not reassured by vaccine pass developers' claims that their products uphold privacy, given that authoritarian regimes have exploited COVID-19 contact-tracing apps for surveillance or criminal investigation.

Full Article

*May Require Paid Registration

 

 

Kaseya Ransomware Attack Sets Off Race to Hack Service Providers
Reuters
Joseph Menn
August 3, 2021


Cybersecurity experts warn that July's ransomware attack on technology-management software from Kaseya, which crippled as many as 1,500 organizations, has ignited a race by criminals to uncover similar flaws. Investigators said an affiliate of REvil, the Russian-speaking hacker gang, exploited two vulnerabilities in the software to infiltrate about 50 managed services providers (MSPs). Victor Gevers at the nonprofit Dutch Institute for Vulnerability Disclosure said his team found similar bugs in other MSPs, which he did not disclose as not all the flaws have been fixed. MSPs are an efficient ransomware vehicle due to their broad access inside client networks, and the sheer number of MSPs Kaseya's software served caused attacks to multiply before the company could alert everyone. Eric Goldstein at the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said the agency is trying to make MSPs and their customers aware of the danger and remedial strategies.
 

Full Article

 

 

Security Flaws Found in Popular EV Chargers
TechCrunch
Aria Alamalhodaei
August 3, 2021


Analysts at U.K. cybersecurity firm Pen Test Partners have identified flaws in the application programming interfaces of six home electric vehicle (EV) charging brands, as well as the Chargepoint public EV charging station network. Pen Test analyst Vangelis Stykas found several vulnerabilities that could enable hackers to commandeer user accounts, hinder charging, and repurpose a charger as a backdoor into the owner's home network. The Chargepoint flaw, meanwhile, could let hackers steal electricity and shift the cost to driver accounts, and activate or deactivate chargers. Some EV chargers use a Raspberry Pi compute module, a popular low-cost computer that Pen Test’s Ken Munro said is unsuitable for commercial applications due to its lack of a secure bootloader. Charger manufacturers have corrected most of the issues, but the flaws' existence highlights the poor regulation of Internet of Things devices.

Full Article

 

 

Security Bug Affects Nearly All Hospitals in North America
TechRadar
Anthony Spadafora
August 2, 2021


Researchers at security firm Armis identified nine critical vulnerabilities in the Nexus Control Panel that powers all current models of Swisslog Healthcare's Translogic pneumatic tube system (PTS) stations. The Translogic PTS system is used in 3,000 hospitals worldwide and 80% of major hospitals in North America to deliver medications, blood products, and lab samples across multiple hospital departments. Hackers can exploit the vulnerabilities, dubbed PwnedPiper, to gain control over a hospital's pneumatic tube network, with the potential to launch ransomware attacks. Armis' Ben Seri said his firm had told Swisslog of the vulnerabilities at the beginning of May, “and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers."

Full Article

 

 

Census Data Change to Protect Privacy Rattles Researchers, Minority Groups
The Wall Street Journal
Paul Overberg; Sarah Chaney Cambon
August 2, 2021


The U.S. Census Bureau will use a complex algorithm to adjust 2020 Census statistics to prevent the data from being recombined to disclose information about individual respondents. The bureau's Ron Jarmin said it will use differential privacy, an approach it has long employed in some fashion, which involves adding statistical noise to data. Small random numbers, both positive and negative, will be used to adjust most of the Census totals, with inconsistent subtotals squared up. The Bureau indicated that for most groups and places, this will result in fairly accurate totals, although distortion is likely to be higher for smaller groups and areas like census blocks. This has raised concerns among local officials, as population-based formulas are used to allocate billions of dollars in federal and state aid. University of Minnesota researchers said after a fifth test of the method that "major discrepancies remain for minority populations."

Full Article

*May Require Paid Registration

 

 

Do You Hear What I Hear? A Cyberattack.
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
July 30, 2021


Carnegie Mellon University's Yang Cai and colleagues have designed a method of making abnormal network traffic audible by rendering cybersecurity data musically. The researchers explored several sound mapping algorithms, converting numeral datasets into music with diverse melodies, harmonies, time signatures, and tempos. They produced music using network traffic data from an actual malware distribution network, and presented it to non-musicians, who could accurately identify pitch shifts when played on different instruments. Said the researchers, "We are not only making music, but turning abstract data into something that humans can process." Said Cai, “The process of sonification—using audio to perceptualize data—is not new, but sonification to make data more appealing to the human ear is.”

Full Article

 

dtau...@gmail.com

Oct 31, 2021, 8:41:35 AM10/31/21
to sec-...@googlegroups.com

Smart Reporting Tool Could Combat Fake News on Encrypted Chat Apps
New Scientist
Chris Stokel-Walker
September 17, 2021


Researchers at George Washington University say they have built a tool that would allow users to expose fake news without endangering their privacy. The Fuzzy Anonymous Complaint Tally System (FACTS) would let users report a message without disclosing its contents, and only decrypt the identity of the sender and message contents to a third party if the number of complaints about a single message exceeded a certain limit. FACTS would prevent malefactors from falsely labeling messages as misinformation by logging complaints about messages, but not their contents, and automatically deciding if they match previous complaints so users could not report the same messages multiple times. Said Alan Woodward at the U.K.'s University of Surrey, the tool "has the advantage that it is a scoring of complaints and doesn't involve requiring access to message content per se."

Full Article

 

 

App Helps Iranians Hide Messages in Plain Sight
Wired
Lily Hay Newman
September 17, 2021


The Nahoft Android app can help Iranians conceal messages by encrypting up to 1,000 characters of Farsi text into random word strings. Released on Google Play by the human rights group United for Iran, Nahoft also can encrypt communications and embed them unnoticeably within image files. The code the app generates is designed to appear inconspicuous and benign, and using real words makes it less likely to be flagged by content scanners. The open source app can bypass government-imposed Internet blackouts: users enter words that the app encodes, allowing them to write the resulting string of seemingly random words in a letter, or read it to another Nahoft user over the phone, for them to input into their app manually to see the decoded message. United for Iran's Reza Ghazinouri said the regime will have difficulty blocking Nahoft as long as Google Play remains accessible in Iran.

Full Article

 

 

Encryption Technique Better Protects Photographs in the Cloud
Scientific American
Harini Barath
September 16, 2021


The Easy Secure Photos (ESP) tool created by Columbia University computer scientists can encrypt cloud-stored photos while still allowing authorized users to browse and display their images. ESP preserves blocks of pixels while shifting them around to obscure the image; it splits the photo into three separate files to contain its red, green, or blue color data, then scrambles the pixel blocks surrounding the files. The files remain valid, but appear as grainy black-and-white static to unauthorized users. The files can still be compressed and are compatible with many cloud storage platforms, so users with the right decryption keys can view them in their original form. Users also can access their photos from multiple devices via ESP, using a system in which each device has its own unique key pair.
 

Full Article

 

 

The Battle for Digital Privacy Is Reshaping the Internet
The New York Times
Brian X. Chen
September 16, 2021


Mounting online privacy fears are changing businesses' digital advertising strategies, with Apple and Google overhauling their online data collection rules. Apple has launched tools that block marketers from tracking people, while Google, reliant on digital ads, is retooling to target ads at people without exploiting their personal data. Such changes may weaken brands that use targeted ads to sell goods. Brendan Eich, a founder of the Brave private Web browser, said Google and Apple's differing views on revoking digital ads will lead to "a tale of two Internets." Trade Desk chief executive Jeff Green said, “The Internet is answering a question that it’s been wrestling with for decades, which is: How is the Internet going to pay for itself?”

Full Article

*May Require Paid Registration

 

 

Toolkit to Test Apple Security Finds Vulnerability
NC State University News
September 13, 2021


A software toolkit designed by North Carolina State University (NC State) researchers to evaluate Apple device hardware security uncovered a previously unknown vulnerability during a proof-of-concept demonstration. NC State's Gregor Haas said the team used the checkm8 bug as a starting point; the flaw lets users control the first code to run on the system as it boots up. Haas said the toolkit "allows us to observe what's happening across the device, to remove or control security measures that Apple has installed, and so on." During the proof-of-concept demo, the team reverse-engineered key Apple hardware components and identified a vulnerability to a so-called iTimed attack, which enables a program to access cryptographic keys used by one or more programs on an Apple device. NC State's Aydin Aysu said they alerted Apple of the vulnerability, and will use the toolkit to investigate other types of attacks.

Full Article

 

 

Is Your Mobile Provider Tracking Your Location? This Technology Could Stop It.
USC Viterbi School of Engineering
Caitlin Dawson
August 12, 2021


A new system devised by researchers at the University of Southern California Viterbi School of Engineering (USC Viterbi) and Princeton University can thwart the tracking of cellphone users by network operators while maintaining seamless connectivity. The Pretty Good Phone Privacy software architecture anonymizes personal identifiers sent to cell towers, effectively severing phone connectivity from authentication and billing without altering network hardware. The system transmits an anonymous, cryptographically signed token in place of a personally identifiable signal to the tower, using a mobile virtual network operator like Cricket or Boost as a substitute or intermediary. USC Viterbi's Barath Raghavan said, "Now the identity in a specific location is separated from the fact that there is a phone at that location." The system also ensures that location-based services still function normally.

Full Article

 

 

Cornell Researchers Discover 'Code-Poisoning' Attack
ZDNet
Jonathan Greig
August 12, 2021


A backdoor attack discovered by researchers at Cornell University Tech has the potential to compromise algorithmic training and email accounts, among other things. The researchers said the "code poisoning" attack can "manipulate natural-language modeling systems to produce incorrect outputs and evade any known defense" without "any access to the original code or model by uploading malicious code to open-source sites that are frequently used by many companies and programmers." Cornell's Vitaly Shmatikov explained, "With this new attack, the attack can be done in advance, before the model even exists or before the data is even collected — and a single attack can actually target multiple victims." As a defense, the researchers recommend using a system able to identify deviations from the model's original code. Said Shmatikov, non-expert users building models using code they do not understand "can have devastating security consequences."

Full Article

 

 

5G Shortcut Leaves Phones Exposed to Stingray Surveillance
Wired
Lily Hay Newman
August 10, 2021


Researchers at the University of Stavanger in Norway and Technische Universität Berlin in Germany found that major phone carriers in those countries continue to deploy 5G in "non-standalone" mode. This means the existing 4G network infrastructure is used as a starting point for issuing 5G data speeds, leaving phones vulnerable to stingray surveillance. Stingrays trick devices into connecting to them and track devices using IMSI numbers, which 5G is designed to encrypt. University of Stavanger's Ravishankar Borgaonkar said, "You're getting the high speed connection, but the security level you have is still 4G." However, Pennsylvania State University's Syed Rafiul Hussain said carriers will still run parallel 4G and 3G infrastructure even when 5G standalone mode has been implemented. Hussain explained, "4G stingray attacks, downgrading, man-in-the-middle attacks—those will exist for years even though we have 5G."
 

Full Article

*May Require Paid Registration

 

 

Israeli Cybersecurity Firm Check Point Uncovers Amazon Security Flaw
The Times of Israel
Luke Tress
August 9, 2021


Analysts at Israeli cybersecurity firm Check Point discovered a critical flaw in Amazon software that would let malefactors hijack a victim's Kindle e-reader and steal data. The analysts said the flaw would allow hackers to infect the Kindle by sending users a single, malicious e-book. Attackers could then commandeer the e-reader through an exploit chain by combining a series of security bugs, with the target not having to take any further action or have any other indications of intrusion. Sensitive user information such as Amazon account credentials or billing information could then become accessible, and the analysts warned the exploit could have enabled bad actors to victimize a specific demographic. Amazon corrected the flaw in April via a firmware update after Check Point notified the company in February.
 

Full Article

 

 

'Glowworm Attack' Recovers Audio From Devices' Power LEDs
Ars Technica
Jim Salter
August 9, 2021


Israeli scientists have demonstrated a novel passive variant of the TEMPEST exploit called Glowworm, which can extract electronic conversations by analyzing devices' power indicator light-emitting diodes (LEDs). Ben-Gurion University of the Negev (BGU) researchers employed a photodiode mated to an optical telescope to monitor fluctuations in LED signal strength on consumer devices, including smart speakers, simple PC speakers, and universal serial bus hubs. The photodiode converts the flickering of power LED output caused by voltage changes into an electrical signal, which is processed by an analog/digital converter and played back directly. The Glowworm attack requires no active signaling, which would render it resistant to any electronic countermeasure probe; the BGU team retrieved intelligible audio from 35 meters (114 feet) away. The team is apparently the first to publish the exploit and demonstrate its empirical feasibility.
 

Full Article

 

 

NIST Study on Kids' Passwords Shows Gap Between Knowledge of Password Best Practices, Behavior
NIST News
August 11, 2021


A survey of more than 1,500 U.S. students between the ages of eight and 18 by the National Institute of Standards and Technology revealed a gap between children's knowledge of good password practices and their behavior. The survey found that children are learning password best practices, like memorizing them and logging out after sessions. Their passwords often mentioned sports, video games, names, animals, movies, titles like "princess," numbers, and colors, and the strength of these passwords increased with grade level. However, the researchers found that children typically reuse passwords and share them with friends. When asked about the reason for passwords, elementary students primarily cited safety; middle and high school students more often cited privacy. Among other things, the survey found that younger children used their families for help in creating and maintaining home passwords.

Full Article

 

 

U.S. Prisons Mull AI to Analyze Inmate Phone Calls
Reuters
David Sherfinski; Avi Asher-Schapiro
August 9, 2021


The U.S. House Appropriations Committee's push to study the use of artificial intelligence (AI) to analyze prison inmates' phone calls has prisoner advocates and families warning of risks of error, misunderstandings, and racial bias. Several state and local prisons have already begun using such technology, and the House panel is urging the Department of Justice to consider potential federal utilization and to identify shortcomings in the information the tech generates. The Oxford, AL police department has deployed Verus software from LEO Technologies, which uses Amazon Web Services’ natural language processing and transcription technology to process and flag prisoner calls. Oxford Police Chief Bill Partridge said such surveillance has helped local forces solve cold case homicides and has prevented suicides. Critics warn of tools potentially amplifying racial bias; for example, a Stanford/Georgetown University analysis found Amazon's automatic speech recognition software committed significantly more errors for black speakers than white speakers.
 

Full Article

 

 

City PhD Researcher Develops Smart-Car Identity and Access Management System
City University of London
August 10, 2021

Researchers at the City University of London in the U.K. have developed an identity and access management system to make smart cars less vulnerable to cyber attacks. Via usage control policies, the SIUV system issues privileges to drivers or applications based on their credentials or claims. Access to in-car resources is based on the issued privileges. Subject claims, resource attributions, and environmental conditions are monitored continuously, allowing the system to reevaluate policies or revoke issued privileges and usage decisions as necessary. Meanwhile, the system uses verifiable credentials to ensure claims are secure and verifiable. The researchers indicate that the U.K. Driver and Vehicle Licensing Agency could issue cryptographically verifiable credentials as driver's licenses, with SIUV employed to validate the claims within the credential on an ongoing basis and allow or deny access to in-car components based on its usage control policy evaluations.
 

Full Article

 

 

Technology Can Block Cyberattacks from Impacting the Nation's Electric Power Grid
Idaho National Laboratory
July 20, 2021

Researchers at Idaho National Laboratory (INL) and Visgence Inc. demonstrated that their Constrained Cyber Communication Device (C3D) can prevent cyberattacks from affecting the national power grid. The researchers showed that the device automatically blocks remote access attempts that could indicate a cyberattack and informs operators of the abnormal commands. The C3D autonomously reviews and filters commands sent to protective relay devices, which order breakers to shut off electricity flow in the event of a disturbance but are not designed to block quick and stealthy cyberattacks. The researchers built and connected a 36-foot mobile substation to INL's full-scale electric power grid test bed. When a sudden power spike command was sent to the substation relays, it was blocked immediately by the C3D device. INL's Jake Gentle explained, "The C3D device sits deep inside a utility's network, monitoring and blocking cyberattacks before they impact relay operations."
 

Full Article

 

dtau...@gmail.com

Oct 31, 2021, 8:00:46 PM10/31/21
to sec-...@googlegroups.com

Gaming-Related Malware on the Rise on Mobile, PCs
IEEE Spectrum
Charles Q. Choi
October 21, 2021


Analysts at cybersecurity firm Proofpoint's Cloudmark mobile and email security division warn that popular online games are helping to spread malware on PCs and mobile devices. Data from virtual private network (VPN) service Atlas VPN indicated more than 303,000 PCs were infiltrated by such malware, adware, and spyware between July 1, 2020, and June 30, 2021, while another 50,000 users had attempted to download files masquerading as the 10 most-played mobile games. Cloudmark's Jacinta Tobin said games often are connected with online spaces where hackers prowl, like YouTube channels. Cloudmark also expressed concern about mobile-device exploits, such as the just-discovered TangleBot malware targeting Android devices in North America, which spreads through texts.

Full Article

 

 

China-Linked Hacking Group Accessing Calling Records Worldwide
Reuters
Joseph Menn
October 19, 2021


U.S. cybersecurity company CrowdStrike said a suspected China-linked hacking gang has infiltrated mobile telephone networks and used specialized tools to access calling records and texts from telecommunication carriers worldwide. The group, which CrowdStrike calls LightBasin, has been active since at least 2016. CrowdStrike's Adam Meyers said the company culled information about the group by responding to incidents in multiple nations. He said LightBasin's programs could capture specific data without attracting attention, noting, "I've never seen this degree of purpose-built tools." Meyers said evidence of the group’s associations with China include cryptography reliant on Pinyin phonetic versions of Chinese-language characters, as well as the use of methods the Chinese government has used in previous attacks.

Full Article

 

 

Australia Considers New Privacy Rules to Protect Children on Social Media
The Wall Street Journal
Mike Cherney
October 25, 2021


The Australian government has released draft legislation that would enable the creation of a binding online privacy code for tech companies that would prohibit social media companies like Facebook from directing children to harmful content. Under such a code, social media companies would be required to ensure children's best interests are the primary consideration during the collection, use, and potential disclosure of their personal information. It also would require social media platforms to obtain parental approval to create accounts for children under 16. The legislation is expected to be introduced in Australia's parliament early next year, and if passed, Australia's privacy regulator would oversee the development of a code within 12 months, with input from the tech industry. Companies found to violate the code could be fined 10% of their annual Australian revenue.
 

Full Article

*May Require Paid Registration

 

 

Facial Recognition Cameras Arrive in U.K. School Canteens
Financial Times
Cynthia O'Murchu
October 17, 2021


Nine schools in the U.K.'s North Ayrshire region now use facial recognition cameras to accept cashless payments by scanning pupils' faces in cafeterias/canteens. David Swanston at education systems vendor CRB Cunninghams, which installed the cameras, said they verify facial images against encrypted faceprint templates stored on school servers. Many U.K. schools have adopted biometric payment systems, but privacy advocates say normalizing facial recognition technology is hardly necessary. Said Silkie Carlo with campaign group Big Brother Watch of the new system, "It’s normalizing biometric identity checks for something that is mundane. You don't need to resort to airport style [technology] for children getting their lunch."

Full Article

*May Require Paid Registration

 

 

Two-Thirds of Cloud Attacks Could Be Stopped by Checking Configurations
ZDNet
Charlie Osborne
September 15, 2021


IBM Security X-Force's latest Cloud Security Threat Landscape report concluded that two-thirds of cloud attacks occurring during the year-long study period "would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems." Researchers uncovered issues with credentials or policies in each penetration test performed by IBM's X-Force Red security team while sampling scanned cloud environments. They cited improperly configured assets, password spraying, and switching from on-premises infrastructure as the most frequently observed initial breach vectors. Application programming interface configuration and security issues, remote exploitation, and accessing confidential data were other common vectors. The team recommended businesses "manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back."

Full Article

 

 

VPNs Could Be Vulnerable to Attacks That Send You to Fake Websites
New Scientist
Chris Stokel-Walker
August 17, 2021


Arizona State University (ASU) researchers have found that hackers could exploit virtual private networks (VPNs) to strip users' anonymity and send them to bogus websites by tapping what ASU's William Tolley calls "a fundamental networking vulnerability." The attack works by observing the presence and size of the data packets routed along the VPN. Attackers first send packets of different sizes to different entry/exit ports; a packet that is forwarded signals that the targeted port is the correct one, after which they can send packets whose source address has been altered to appear to originate from one of the legitimate ends of the connection. The researchers say they have alerted a number of VPN providers to the attack, but it is unlikely that all currently used networks will be patched. Tolley said, "Our advice is to avoid VPNs if you're trying to keep your information private from government entities, or something like that."

Full Article

 

 

How Does 'Normal' Internet Browsing Look Today? Now We Know

Carnegie Mellon University CyLab Security and Privacy Institute

October 26, 2021

A study by researchers at Carnegie Mellon University (CMU) aimed to determine what constitutes "normal" Internet browsing, in an effort to understand how people are led to download malicious content. The researchers set out to build a dataset that would serve as a foundation for other researchers by studying the browsing behavior of 257 people through CMU's Security Behavior Observatory. The researchers found that study subjects spent half their browsing time on about 30 Websites. Said CMU's Kyle Crichton, "We observed a lot of people who started out at a popular streaming service like Netflix or Hulu, and they must not have found what they wanted, then they'd jump out to the periphery." Crichton added, "Now that we know what normal behavior looks like, we can start to identify anomalous behavior and begin to address any number of security challenges."
 

Full Article

 

 

China Passes One of the World's Strictest Data-Privacy Laws
The Wall Street Journal
Eva Xiao; Zhao Yueling; Raffaele Huang
August 20, 2021


China's top legislative body has passed the Personal Information Protection Law, which closely resembles Europe's General Data Protection Regulation. Effective Nov. 1, the law requires any organization or individual handling the personal data of Chinese citizens to minimize data collection and obtain prior consent. The law requires facial recognition cameras in public places to be marked prominently and used only to maintain public security. Among other things, the law aims to curb algorithmic discrimination by requiring transparent automated decision-making, and for companies to allow individuals to opt out of personalized marketing. Additional rules, effective Oct. 1, require companies that process auto data to increase data security and protect personal information collected from vehicles.

Full Article

*May Require Paid Registration

 

 

OSU Cryptography Research Leads to Huge Efficiency Gain in Secure Computing
Oregon State University News
Steve Lundeberg
August 18, 2021


A more efficient secure computation protocol developed by Oregon State University's Mike Rosulek and Lance Roy focuses on garbled circuits. Roy said a normal computer circuit has gates that execute basic data computations, while the gates in a garbled circuit are modified to encrypt the data going through them. Rosulek had assumed in previous research that the most efficient known construction of garbled circuits could not be surpassed, but Roy found that this held only if a gate used all or none of the data in an input. On its own, the slicing technique Roy conceived would leak too much data to keep the garbled circuits secure. However, Roy said, "If the way the garbled circuits were built was randomized—i.e., by rolling the dice—and some other information was kept secret, the slicing idea could be made secure."

Full Article

 

 

Millions of Web Camera, Baby Monitor Feeds Exposed
Wired
Lily Hay Newman
August 17, 2021


Researchers at cybersecurity firm Mandiant have identified a vulnerability in a software development kit (SDK) affecting more than 83 million smart devices. The flaw in ThroughTek Kalay, an SDK that facilitates the connection between a device and mobile apps, could enable hackers to access live video and audio streams over the Internet, assume full control of devices remotely, launch denial of service attacks, or install malicious firmware. If a hacker obtains the device's unique identifier (UID) through a social engineering attack or by searching for a manufacturer's Web vulnerabilities, they could reregister the UID and hijack the connection when a user next accesses the device. The researchers, who said they have seen no evidence of real-world exploitation of the vulnerability, said they hope to raise awareness about the problem without telling potential attackers how to exploit it.

Full Article

 

 

AMD Hardware Security Tricks Can Be Bypassed with Shock of Electricity
TechRadar
Mayank Sharma
August 13, 2021


Researchers at Germany's Technische Universität Berlin have demonstrated a voltage fault injection attack that can bypass AMD's Secure Encrypted Virtualization (SEV) technology. Using the AMD Secure Processor (AMD-SP), AMD SEV separates security-sensitive operations from software executing elsewhere, to protect virtual machines in untrusted environments. Attackers can manipulate the input voltage to AMD systems on a chip to trigger an error in the AMD-SP's read-only memory bootloader. The attack requires only inexpensive, off-the-shelf components, including a $30 Teensy microcontroller and a $12 flash programmer (although physical access to the server is required). The researchers recommend software or hardware modifications to identify voltage modulation, or additional circuitry to guard against such voltage glitches.

Full Article

 

 

'Capture' Your IoT Devices and Improve Their Security

Carnegie Mellon University CyLab Security and Privacy Institute


Daniel Tkacik
August 13, 2021


Carnegie Mellon University's Han Zhang and colleagues uncovered pervasive security vulnerabilities in third-party libraries that Internet of Things (IoT) device vendors may use in their software. The researchers analyzed 122 IoT firmware images for 27 smart home devices released over eight years. They found, Zhang said, that "vendors update libraries very infrequently, and they use outdated—and often vulnerable—versions most of the time." To ameliorate potential exploitation, the researchers proposed Capture, a system that lets devices on a local network leverage a centralized hub with libraries that are kept up to date. The team said Capture would ensure the libraries are updated and secure, although it includes limitations (like a single point of failure) that future research will need to address.

Full Article

 

dtau...@gmail.com

Nov 7, 2021, 12:19:21 PM11/7/21
to sec-...@googlegroups.com

Biden Administration Orders Federal Agencies to Fix Hundreds of Cyber Flaws
The Wall Street Journal
Dustin Volz
November 3, 2021


A new order released by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, directs almost all federal agencies to patch cybersecurity vulnerabilities deemed to be a "significant risk to the federal enterprise." The order covers about 200 known security flaws discovered from 2017 to 2020, and another 90 discovered this year. It applies to all executive branch departments and agencies except for the U.S. Department of Defense, the Central Intelligence Agency, and the Office of the Director of National Intelligence. Said Easterly, "While this directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this directive and prioritize mitigation of vulnerabilities listed in CISA's public catalog."

Full Article

*May Require Paid Registration

 

 

Identity Verification Technique Offers Robust Solution to Hacking
McGill University Newsroom (Canada)
November 3, 2021


Scientists at Canada's McGill University and Switzerland's University of Geneva have developed a secure identity verification technique based on the precept that information cannot travel faster than the speed of light. "Our research found and implemented a secure mechanism to prove someone's identity that cannot be replicated by the verifier of this identity," said McGill's Claude Crépeau. The technique expands the zero-knowledge proof through a system involving two physically separated prover-verifier pairs. The two provers must demonstrate to the verifiers that they share knowledge of a way to color an image composed of thousands of interconnected shapes with three colors, without coloring two adjacent shapes the same. Geneva's Hugo Zbinden said, "It's like when the police interrogate two suspects at the same time in separate offices. It's a matter of checking their answers are consistent, without allowing them to communicate with each other."

Full Article

 

 

Facebook, Citing Societal Concerns, Plans to Shut Down Facial Recognition System
The New York Times
Kashmir Hill; Ryan Mac
November 2, 2021


Facebook intends to shutter its facial recognition system, deleting the face-scan data of over 1 billion users and removing a feature that has provoked privacy concerns, government probes, litigation, and regulatory distress. Jerome Pesenti at Facebook's recently renamed parent firm, Meta, said the closure was prompted by "many concerns about the place of facial recognition technology in society." The software feature introduced in 2010 automatically identified people appearing in users' digital photo albums and suggested users tag them with a click, linking their accounts to the images. Although Facebook limited facial recognition to its own site and kept it from third parties, privacy advocates questioned how much facial data was collected and what the company could do with it.

Full Article

*May Require Paid Registration

 

 

Sneaky Trick Could Allow Attackers to Hide 'Invisible' Vulnerabilities in Code
ZDNet
Liam Tung
November 1, 2021


The Rust Security Response working group has flagged an obscure vulnerability as a general bug affecting code written in any popular language that accepts Unicode in its source. Ross Anderson at the U.K.'s Cambridge University said the attack uses Unicode directionality control characters embedded in comments and strings to rearrange how source code characters are displayed and so change the code's apparent logic. Unicode supports left-to-right and right-to-left languages via bidirectional override, which is expressed through invisible control codepoints. Anderson and Microsoft's Nicholas Boucher found these codepoints could be used to reorder how source code is displayed in certain editors and code-review tools. "If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability," they warn, recommending developers upgrade to Rust version 1.56.1.
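As an added example (not from the article, the researchers, or the Rust project), the following Python scanner flags the bidirectional control codepoints described above and escapes them so a reviewer can see what the compiler actually parses; the sample source and function names are constructed for illustration.

```python
"""Scan source text for Unicode bidirectional control characters.

Added example, not code from the article or the Rust project. These are the
invisible codepoints that let the displayed order of source text differ from
the logical order a compiler sees. Legitimate right-to-left text in string
literals may contain some of them, so findings should be reviewed, not
silently rejected.
"""

# Unicode Bidi_Control characters that embed, override or isolate direction.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}

# Constructed sample: an RLO inside a comment makes the rest of the line render
# reversed in a bidi-aware editor, while the interpreter still reads it in
# logical order, so what a reviewer sees and what runs can disagree.
SAMPLE_SOURCE = (
    "def is_admin(level):\n"
    "    # \u202e admins only \u2066 return True\u2069\n"
    "    return level == 'admin'\n"
)


def find_bidi_controls(source):
    """Return a list of (line_no, column, short_name) for each bidi control.

    Lines and columns are 1-based; columns count codepoints, not bytes.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, BIDI_CONTROLS[ch]))
    return findings


def escape_bidi(text):
    """Replace each bidi control with a visible \\uXXXX escape for reviewers."""
    return "".join(
        "\\u%04x" % ord(ch) if ch in BIDI_CONTROLS else ch for ch in text
    )


def is_clean(source):
    """True when the source contains no bidi control characters at all."""
    return not find_bidi_controls(source)


def report(source):
    """One human-readable line per finding, showing the escaped source line."""
    lines = source.splitlines()
    out = []
    for line_no, col, name in find_bidi_controls(source):
        out.append("line %d col %d: %s -> %s"
                   % (line_no, col, name, escape_bidi(lines[line_no - 1])))
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_SOURCE):
        print(entry)
```

Run it over a checkout in CI and fail the build on any finding outside an explicitly allowlisted file; that mirrors the lint behaviour the Rust release adds, without depending on a particular compiler.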

Full Article

 

 

Coding Bug Helped Researchers Build Secret BlackMatter Ransomware Decryption Tool
Tech Crunch
Carly Page
October 25, 2021


Researchers at the cybersecurity firm Emsisoft helped recover encrypted files of victims of the BlackMatter ransomware operation. The researchers determined that a vulnerability in BlackMatter's encryption process allowed encrypted files to be recovered without victims paying the ransom. They did not announce the vulnerability when it was discovered earlier this year for fear the BlackMatter group would issue a fix. Emsisoft's Fabian Wosar said, "Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs [computer emergency readiness teams], and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands."

Full Article

 

 

Superconducting Silicon-Photonic Chip for Quantum Communication
SPIE Newsroom
November 1, 2021


A superconducting silicon-photonic chip developed by researchers at China's Nanjing and Sun Yat-sen universities has been used to facilitate quantum communication. The chip's superconducting nanowire single-photon detector (SNSPD) supports optimal time-bin Bell state measurement and improves the key rate in quantum communication. The researchers tapped the optical waveguide-integrated SNSPD's high-speed feature to reduce the dead time of single-photon detection by more than an order of magnitude compared to traditional normal-incidence SNSPD. The end product is a server for measurement-device-independent quantum key distribution, which significantly augments the security of quantum cryptography. Nanjing University's Xiao-Song Ma said, "This work shows that integrated quantum-photonic chips provide not only a route to miniaturization, but also significantly enhance the system performance compared to traditional platforms."

Full Article

 

 

Sensors Add to Accuracy, Power of U.S. Nuclear Weapons but May Create Security Perils
The Washington Post
R. Jeffrey Smith
October 29, 2021


Sensors created by Sandia National Laboratories for U.S. ballistic missiles could augment detonation timing and accuracy, enhancing nuclear warheads’ ability to strike enemy missiles, hardened command posts, and other military targets. Sandia's Paul J. Hommert said the sensors are better at computing the best moment for blast ignition than those on existing U.S. weapons. The warhead’s fuze, sensors, and computers are embedded within a compact capsule, which Hommert said would be installed on three new types of warheads atop land- and sea-based missiles, and partly on warheads to be carried by planes deployed in Europe. The U.S. Air Force plans to install the technology in land-based missiles slated for deployment by the end of the decade; after that, it will be deployed on more than 1,300 warheads in the U.S. arsenal.

Full Article

*May Require Paid Registration

 

 

Microsoft to Work with Community Colleges to Fill 250,000 Cyber Jobs
Reuters
Stephen Nellis
October 29, 2021


Microsoft announced plans to collaborate with U.S. community colleges to fill 250,000 cybersecurity jobs during the next four years. The company will offer scholarships or other assistance to approximately 25,000 students. It also will provide training for new and existing teachers at 150 community colleges, as well as giving free curriculum materials to community colleges and four-year schools nationwide. Microsoft's Brad Smith said, "This is an opportunity for us to get started. This is not the ceiling on what we'll do." Smith noted that many Microsoft customers could have prevented hacks with better practices but do not have the cybersecurity personnel to implement them.

Full Article

 

 

Big Data Can Render Some as 'Low-Resolution Citizens'
Cornell Chronicle
Tom Fleischman
October 28, 2021


Cornell University's Steven Jackson and Ranjit Singh analyzed India's Aadhaar biometrics-based individual identification system as it impacted the country's approximately 1.4 billion people. With over 1.25 billion residents registered, Aadhaar is designed to provide standardized legal identity to all citizens, including those who previously lacked identity documents. The researchers found that people whose fingerprints on file were not distinct, or low-resolution, had problems getting registered. Singh said, "That, to a certain extent, allowed Steve and me to actually talk about how people need to be in 'high resolution' to become a part of the system." Singh added, “It’s not just about social hierarchies, it’s about hierarchy as it manifests through data.”

Full Article

 

 

A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death
Wall Street Journal
Kevin Poulsen; Robert McMillan; Melanie Evans
September 30, 2021


A lawsuit filed against Alabama's Springhill Medical Center alleges that a 2019 ransomware attack directly contributed to the death of a newborn. If proven in court, this would mark the first confirmed death resulting from a ransomware attack. Teiranni Kidd was admitted to the hospital nearly eight days into a ransomware attack that left patient health records inaccessible and left fewer eyes on fetal heart rate monitors because they could not be displayed at the nurses' station. Attending obstetrician Katelyn Parnell said the death of Kidd's daughter was preventable had she seen an indication from the monitor that the fetus was in distress. Springhill refused to pay the ransom demanded by the hackers, believed to be the Russia-based Ryuk gang, resulting in a network outage that lasted at least three weeks.

Full Article

*May Require Paid Registration

 

 

Researchers Find Apple Pay, Visa Contactless Hack
BBC News
September 29, 2021


Researchers at the U.K.'s universities of Birmingham and Surrey uncovered a hack for making unauthorized contactless payments on iPhones by exploiting a weakness in Apple Pay. They enabled contactless Visa payment from a locked iPhone using Apple Pay's "Express Transit" feature, which allows commuters to make quick payments. Placing a piece of radio equipment nearby makes the iPhone think it is near a ticket barrier, while an Android phone running a special application transmits signals from the iPhone to a contactless payment terminal; communications with the terminal are tweaked so it thinks the iPhone has been unlocked and payment authorized. The researchers said the problem concerns Visa cards set up in Express Transit mode in the iPhone's wallet. Visa called the hack “impractical,” while Apple described it as “unlikely.”

Full Article

 

 

Smartphone Motion Sensors Could Be Used to Listen to Phone Conversations
University of Illinois at Urbana-Champaign
Kim Guderman
September 27, 2021


Smartphone accelerometers could be used to eavesdrop on phone conversations, according to University of Illinois Urbana-Champaign (UIUC) researchers. The motion sensor can capture sound vibrations during conversations, and the researchers developed a neural network to convert that very-low-sampling-rate data into high-bandwidth signals. UIUC's Tarek Abdelzaher said, "Human speech has a special pattern. By constraining your interpretation to that special pattern, you can guess higher frequency from low frequency. This won't work with any random sound, but for some keywords or numbers, it works fairly well."

Full Article

 

 

Research Finds Security Flaws in Apps for Popular Smart Home Devices
Florida Institute of Technology
Adam Lowenstein
September 23, 2021


Researchers at the Florida Institute of Technology discovered "critical cryptographic flaws" in the smartphone companion apps of 16 popular smart home devices. The researchers performed "man-in-the-middle" attacks on 20 Internet of Things (IoT) devices and found that 16 device vendors have not implemented security measures to prevent attackers from intercepting IoT communications. Affected devices identified include the Amazon Echo, Blink camera, Google Home camera, Hue lights, Lockly lock, Momentum camera, Nest camera, NightOwl doorbell, Roku TV, Schlage lock, Sifely lock, SimpliSafe alarm, SmartThings lock, UltraLoq lock, and Wyze camera, among others. The researchers found that Arlo, Geeni, TP-Link, and Ring devices were not susceptible to these attacks.

Full Article

 

 

Federal Agencies Warn Companies to Be on Guard Against Prolific Ransomware Strain
The Hill
Maggie Miller
September 22, 2021


The U.S. Federal Bureau of Investigation (FBI), National Security Agency, and Cybersecurity and Infrastructure Security Agency issued a joint alert warning companies to be on guard against the Conti ransomware variant, noting that hundreds of groups around the globe had already fallen victim to it. The alert came months after the FBI issued an alert outlining how the variant was used to target at least 16 healthcare and first responder networks. While most of the targets of the Conti ransomware were in the U.S., others have also been targeted, including the Irish healthcare system. Testifying before the House Homeland Security Committee, FBI Director Christopher Wray said, “Ransomware has mushroomed significantly over the last year, and it’s on pace to mushroom again this year."

Full Article

 

 

Quantum Cryptography Records with Higher-Dimensional Photons
TU Wien (Austria)
September 21, 2021


A new type of quantum cryptography protocol developed by researchers at Austria's Technical University of Vienna (TU Wien) speeds up the generation of quantum cryptographic keys and makes them more robust against interference. With the new protocol, photon pairs can be generated at eight different points in a special crystal, and each can move along eight different paths, or several paths at the same time. TU Wien's Marcus Huber said, "The space of possible quantum states becomes much larger. The photon can no longer be described by a point in two dimensions; mathematically, it now exists in eight dimensions." The researchers set a record in entanglement-based quantum cryptography key generation at 8,307 bits per second and over 2.5 bits per photon pair.

Full Article

 

 

Simple Make-Up Tips Can Help You Avoid Facial Recognition Software
New Scientist
Chris Stokel-Walker
September 24, 2021


Researchers at Israel's Ben-Gurion University of the Negev developed artificial intelligence software that can provide makeup advice to foil facial recognition systems. Tests showed the software's recommendations tricked real-world facial recognition systems 98.8% of the time, with the success rate in identifying women wearing its recommended makeup declining from 42.6% to 0.9%, and from 52.5% to 1.5% for men. The adversarial machine learning system identifies which elements of a person's face are considered unique by facial recognition systems and highlights them on a digital heat map, which is used to determine where makeup can be applied to change the person's perceived face shape. The system recommends only natural makeup hues, so people potentially could protect their privacy without drawing attention to themselves.

Full Article

*May Require Paid Registration

 

 

States at Disadvantage in Race to Recruit Cybersecurity Pros
Associated Press
Kathleen Foody
September 25, 2021


U.S. states face a shortage of cybersecurity professionals and lack the deep pockets to compete with federal, global, and specialized cybersecurity companies. State governments are increasingly targeted for the data contained within their agencies and computer networks that is vital to critical infrastructure. Although the federal government and individual states have started training programs, competitions, and scholarships to cultivate more cybersecurity pros, such efforts may not pay off for years. Drew Schmitt at cybersecurity firm GuidePoint Security said state and local governments cannot compete with private organizations in terms of salaries. Michael Hamilton with the PISCES Project said state governments can nurture cybersecurity pros, but often end up "getting into the fistfight with all the others that want to hire these people and losing."

Full Article

 

Microsoft, AT&T Partner With Community Colleges On Cybersecurity Training

Inside Higher Ed (11/4, Smalley) reports LaGuardia Community College in New York City "is partnering with Mastercard to provide on-the-job cybersecurity training. Northern Virginia Community College announced in August that it is launching a new information technology apprenticeship program created with AT&T that will provide training and on-the-job experience while bolstering the talent pool for federal customers in the national security sector." MassBay Community College, "near Boston, recently launched a Center for Cybersecurity Education, which will offer students cybersecurity internships and projects in partnership with industry partners." More programs "are likely on the way as the cybersecurity job market grows and employers' needs expand with new cyberthreats emerging almost daily."

 

Ransomware Gang Masquerades As Real Company To Recruit Tech Talent

The Wall Street Journal (10/21, McMillan, Subscription Publication) reports Microsoft and Recorded Future say the hacking group Fin7, which is believed to have written the software used in the Colonial Pipeline hack, has set up a fake company under the moniker Bastion Secure to recruit tech talent for software development, support staff, and more.

 

Senators Unveil Bipartisan Bill To Protect AI-Collected Data

The Hill (10/21, Miller) reports the GOOD AI Act – a new "bipartisan" Senate bill introduced by Sens. Gary Peters (D-MI) and Rob Portman (R-OH) on Thursday – "is aiming to secure data collected by artificial intelligence technologies, such as facial recognition technologies, as these types of technologies continue to grow in use." The measure "would require the Office of Management and Budget to establish and consult with an AI working group in ensuring that all federal contractors are taking adequate steps to secure data obtained through AI, and that the data is being used to protect national security while not compromising privacy." The Hill adds that "legislation has strong bipartisan backing."

 

National K-12 Cybersecurity Learning Standards Attempt To Strengthen STEM Pipeline

K-12 Dive (8/5, Riddell) reports that Cyber.org, "the academic arm of the nonprofit Cyber Innovation Center, on Wednesday unveiled its K-12 cybersecurity learning standards in an effort to align criteria nationwide and support the development of a strong, diverse talent pipeline in the high-demand STEM field." The standards, "which states will have the option of adopting ahead of the 2022-23 school year, are built around three themes representing fundamental areas of cybersecurity education: computing systems, digital citizenship and security." Each area "covers relevant topics like the Internet of Things and threat actors." Janet Hartkopf, cyber program director at Basha High School in Arizona, said in a press release, "Educators now have a clear rubric to guide cybersecurity curriculum and help address the existing gaps in the talent pipeline." The US currently "has over 464,000 unfilled cybersecurity positions."

dtau...@gmail.com

Nov 13, 2021, 7:41:28 PM11/13/21
to sec-...@googlegroups.com

Botnet Buster Finds IoT Command and Control Centers
UC Riverside News
Holly Ober
November 5, 2021


University of California, Riverside (UCR) computer scientists have developed a tool that cripples botnets by fooling them into exposing their Internet of Things (IoT) command and control (CnC) servers. The CnCHunter tool contacts a suspicious Internet server using actual malware, and observes how the malware communicates with it; meaningful dialogue between suspect and malware in botnet language indicates the server is a CnC. UCR's Michalis Faloutsos said, "We try to detect botnets proactively and by fooling malware twice, first by activating the malware in a safe environment, and then intercepting and redirecting the traffic where we want to trick the botnet to engage with us." The researchers ran the tool on "selected 100 IoT malware samples collected between 2017 and 2021 and were able to find their CnC servers with a 92% precision," said UCR's Ali Davanian.

Full Article

 

 

Widespread Security Risk Identified in Phones, Bluetooth Devices
IEEE Spectrum
Michelle Hampson
November 4, 2021


Bluetooth hardware contains a security flaw that may compromise about 40% of mobile devices, according to University of California, San Diego (UCSD) researchers. The hardware underlies the operation of phone-tracking applications, which UCSD's Nishant Bhaskar said "require frequent and constant transmission of Bluetooth beacons to be detected by nearby devices. Unfortunately, this also means that an adversary can also find out where we are at all times by simply listening to the Bluetooth transmissions from our personal devices." Defects or imperfections during manufacture can slightly distort Bluetooth signals from individual devices, resulting in the generation of a unique signature. Experiments showed approximately 40% of mobile devices could be identified individually within crowds based on their Bluetooth signal signatures.

Full Article

 

 

World Bank Program Looks to Blockchain to Solve Carbon Emissions Data Issues
Bloomberg Green
Crystal Kim; Jennifer Zabasajja
November 5, 2021


The World Bank's Climate Warehouse program is consulting with cryptocurrency startups like the Chia Network to build a "public-good layer" for climate. Chia's Gene Hoffman said the layer would impart trust and transparency by sitting atop a blockchain, and allow countries and groups to disclose and vet carbon assets in a centralized fashion. Chia's data layer harnesses its permissionless public blockchain to allow project peers to exchange data in an auditable manner without ceding control of the data owned by each peer. Nations using the platform could indicate compliance with the Paris Agreement on reducing carbon emissions by submitting a verifiable dataset.

Full Article

 

 

Drone at Pennsylvania Electric Substation First to 'Specifically Target Energy Infrastructure'
CNN
Sean Lyngaas
November 4, 2021


A recent memo from the U.S. Federal Bureau of Investigation, Department of Homeland Security, and National Counterterrorism Center revealed that a July 2020 drone crash near a Pennsylvania power substation was the first known case of a "modified unmanned aircraft system likely being used in the U.S. to specifically target energy infrastructure." The memo said the drone likely was modified to create a "short circuit to cause damage to transformers or distribution lines, based on the design and recovery location." The agencies further stated that "we expect illicit [unmanned aircraft system] activity to increase over energy sector and other critical infrastructure facilities as use of these systems in the U.S. continues to expand."

Full Article

 

 

Australia Says U.S. Facial Recognition Software Firm Clearview Breached Privacy Law
Reuters
Byron Kaye
November 3, 2021


The Office of the Australian Information Commissioner (OAIC) said U.S. facial recognition software company Clearview AI violated privacy laws by collecting images from Websites without Australians' consent, and without checking the accuracy of its matches. Clearview cross-references photos scraped from social media sites into a database of billions of images. Information commissioner Angelene Falk said the company's actions carried "significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI's database." She called the clandestine collection of images "unreasonably intrusive and unfair." OAIC has ordered Clearview to stop collecting facial images and biometric templates from people in Australia, and to delete images and templates collected there.

Full Article

 

 

Singapore Inks Pact with Finland to Mutually Recognize IoT Security Labels
ZDNet
Eileen Yu
October 6, 2021


Singapore and Finland have agreed to recognize each other's cybersecurity labels for Internet of Things (IoT) devices, in order to help consumers evaluate the products' security. Singapore's Cyber Security Agency (CSA) said the alliance aims to reduce duplicated testing and help manufacturers bring products to market more easily. Both countries would acknowledge cybersecurity labels issued by the CSA and by Finland's Transport and Communications Agency. Consumer IoT products that met Finland's cybersecurity label mandates would be recognized as having satisfied Singapore's Cybersecurity Labeling Scheme Level 3 requirements, and vice versa.
 

Full Article

 

 

Uber Faces Legal Action Over 'Racially Discriminatory' Facial Recognition ID Checks
TechCrunch
Natasha Lomas
October 5, 2021


Uber's use of real-time facial recognition technology in its driver and courier identity check system in the U.K. is the subject of a legal action filed by the App Drivers & Couriers Union (ADCU) alleging the technology discriminates against people of color. Uber requires identity checks in which drivers must provide a real-time selfie; they face dismissal if the selfie does not match a stored reference photo, as well as automatic revocation of their private hire driver and vehicle licenses. The real-time facial recognition checks, in use in the U.K. since March 2020, use Microsoft's FACE API technology. The union said its lawyers will argue that facial recognition systems are "inherently faulty and generate particularly poor accuracy results when used with people of color."
 

Full Article

 

 

Blockchain Technology Could Provide Secure Communications for Robot Teams
MIT Media Lab
Adam Zewe
October 5, 2021


Researchers at the Massachusetts Institute of Technology (MIT) and Spain's Polytechnic University of Madrid suggest blockchain technology could ensure secure communications for robot teams. A blockchain supplies a tamper-proof record of messages issued by robot team leaders, so follower robots can note inconsistencies in the data trail. In a simulation, data was stored in each block as a set of directions from a leader robot to followers; a malicious robot attempting to alter the content of a block changes the block hash, so the doctored block is no longer connected to the chain and false directions can be easily disregarded by followers. MIT's Eduardo Castelló said, "These techniques are useful to be able to validate, audit, and understand that the system is not going to go rogue."
 

Full Article

 

 

Google to Pay Developers to Make Open Source Projects More Secure
ZDNet
Liam Tung
October 4, 2021


Google is investing $1 million in the Linux Foundation's Secure Open Source (SOS) pilot program to make open source projects more secure. The program will reward developers financially for fortifying software against attacks and correcting potential bugs before they emerge. Google said the incentives range from $505 for "small improvements" to $10,000 or more for hardening software to prevent major vulnerabilities. SOS targets initiatives that proactively strengthen critical open source projects and defend infrastructure against application and supply-chain attacks, and intends to close the funding gap for largely voluntary software projects. According to Google, SOS is "the starting point for future efforts that will hopefully bring together other large organizations and turn it into a sustainable, long-term initiative under the OpenSSF (Open Source Security Foundation)," a cross-industry forum that collaborates on the improvement of open source software security.

Full Article

 

 

Creating Wireless Signals with Ethernet Cable to Steal Data From Air-Gapped Systems
The Hacker News
Ravie Lakshmanan
October 4, 2021


The LANtenna attack demonstrated by researchers at Israel's Ben Gurion University of the Negev can steal sensitive data from air-gapped systems by using Ethernet cables as a "transmitting antenna." The exploit enables malware in air-gapped computers to collect and encode data over radio waves emitted from the cables for wireless interception and decoding by a nearby software-defined radio, which sends the information to a hacker in an adjacent room. According to the researchers, "The malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine." Recommended countermeasures include banning the use of radio receivers in and around air-gapped networks; monitoring network interface card link-layer activity for covert channels; jamming the signals; and using metal shielding to block electromagnetic interference with (or emanations from) the shielded wires.

Full Article

 

 

Google, DeepMind Face Lawsuit Over Deal with Britain's National Health Service
CNBC
Sam Shead
October 1, 2021


Alphabet subsidiaries Google and DeepMind face litigation for obtaining and processing over a million patient health records in the U.K. without consent. British law firm Mishcon de Reya said it had filed suit with the High Court on behalf of about 1.6 million plaintiffs, whose medical records DeepMind acquired to develop a patient monitoring application called Streams. New Scientist previously disclosed that DeepMind's agreement with the U.K.'s National Health Service (NHS) exceeded what was publicly announced. The U.K. Information Commissioner's Office decreed the agreement did not comply with that nation’s data protection law, yet a subsequent audit by law firm Linklaters determined the Royal Free London NHS Foundation Trust's use of Streams was legal, and complied with the statutes. Mishcon's Ben Lasserson said the planned lawsuit "should help to answer fundamental questions about the handling of sensitive personal data."

Full Article

 

 

Widely Used Bitcoin ATMs Have Major Security Flaws
Gizmodo
Tom McKay
September 30, 2021


Security researchers at crypto exchange Kraken warn that many bitcoin ATMs contain serious vulnerabilities that hackers could exploit. Kraken found software and hardware flaws within the General Bytes BATMtwo (GBBATM2) ATM model; Coin ATM Radar calculates that General Bytes has provided nearly 23% of all crypto ATMs globally, including 18.5% of U.S. units and 65.4% of European units. Owners have installed many such ATMs without changing the default admin quick response (QR) code that functions as a password, which is shared across units. Kraken also cited a lack of secure boot mechanisms, enabling hackers to fool GBBATM2s into running malware, as well as "critical vulnerabilities in the ATM management system." The exchange recommends bitcoin ATM users conduct cryptocurrency transactions in trustworthy locations overseen by surveillance cameras, and for operators to change the default QR code.

Full Article

 

 

DeFi Platform Mistakenly Sends $89 Million; CEO Begs Return
Bloomberg
Joe Light
October 1, 2021


The decentralized finance (DeFi) platform Compound mistakenly sent users almost $90 million in cryptocurrency due to a bug in a recent update, and CEO Robert Leshner is calling on users to return it voluntarily. DeFi platforms rely on "smart contracts" between users that are governed entirely by computer code. Compound also distributes COMP tokens that give users a say in how the protocol works. Leshner noted that the error involved 280,000 COMP tokens worth about $89.3 million that were distributed on Oct. 1. Said University of Pennsylvania Wharton School's Kevin Werbach, "The vast majority of people in the world are not going to trust their money to something if they are told a bug will cause you immutably to lose everything."

Full Article

 

Feds Intend To Expand Use Of Facial Recognition In Spite Of Growing Concerns

The Washington Post (8/25, Harwell) reports the US government intends “to expand its use of facial recognition to pursue criminals and scan for threats, an internal survey has found, even as concerns grow about the technology’s potential for contributing to improper surveillance and false arrests.” Several departments, including “Agriculture, Commerce, Defense, Homeland Security, Health and Human Services, Interior, Justice, State, Treasury, and Veterans Affairs – told the Government Accountability Office that they intend to grow their facial recognition capabilities by 2023, the GAO said in a report posted to its website Tuesday.” Many of these departments “use face-scanning technology so employees can unlock their phones and laptops or access buildings, though a growing number said they are using the software to track people and investigate crime.”

        Axios (8/25, Garfinkel) also covers the story.

dtau...@gmail.com

Nov 14, 2021, 1:36:48 PM11/14/21
to sec-...@googlegroups.com

SSL Certificate Research Highlights Pitfalls for Company Data, Competition
ZDNet
Charlie Osborne
November 5, 2021


A new report from researchers at security firm Detectify Labs indicates that many companies do not realize their SSL (Secure Sockets Layer)/TLS (Transport Layer Security) certificates can leak confidential information and create entry points for hackers. The researchers analyzed more than 900 million SSL/TLS certificates and associated events generated by Google, Amazon, and other issuing organizations. Among other things, the researchers found the "overwhelming majority of newly certified domains" have been given descriptive names, which could enable competitors to undermine new companies or products if the certificate is issued at the development stage. Detectify's Fredrik Nordberg Almroth added, "An attacker could see if a certificate is about to expire or has been signed using a weak signature algorithm. The latter can be exploited to listen in on Website traffic or create another certificate with the same signature—allowing an attacker to pose as the affected service."

Full Article

 

 

Chinese Computer Scientist Awarded Kyoto Prize for Work Playing 'Vital Role in Modern Society'
South China Morning Post (Hong Kong)
Holly Chik
November 10, 2021


Japan's Inamori Foundation named Chinese computer scientist Andrew Yao Chi-chih recipient of the international Kyoto Prize in advanced technology for "essential concepts and models that play a vital role in modern society." In 1982, Yao introduced the concept of secure multiparty computation (MPC), which facilitates computation on encrypted values. Said Yao, "If you use MPC, it's possible to have multiple databases do any joint computations without leaking its own data." Yao said MPC theory has advanced significantly in the last four decades, with ramifications for financial technology, data training, and drug discovery. The Inamori Foundation lauded Yao's quantum communication complexity concept for enabling "quantitative performance evaluation of quantum computing. These achievements have a great impact and ripple effect on the information science field."

Full Article

*May Require Paid Registration

 

 

Cybersecurity Experts Sound Alarm on Apple, EU Phone Scanning Plans
The New York Times
Kellen Browning
October 14, 2021


Over a dozen cybersecurity experts criticized proposals by Apple and the European Union (EU) to scan phones for illegal content, warning they would encourage government surveillance. Apple said its client-side scanning tool would process images on iPhones uploaded to the iCloud storage service, and compare image fingerprints against a database of child sexual abuse material to find matches. Privacy advocates balked, suggesting the technology could undermine digital privacy and be used by authoritarian regimes to suppress dissent. The cybersecurity experts said EU documents suggest the bloc's government desires a similar program to police encrypted devices for evidence of child sexual abuse, organized crime, and terrorist activity. They also called Apple's technology ineffective, noting people had posted workarounds shortly after the company announced its plans.
 

Full Article

*May Require Paid Registration

 

 

Privacy Fears as Moscow Metro Rolls Out Facial Recognition Pay System
The Guardian (U.K.)
Pjotr Sauer
October 15, 2021


Privacy activists warn the Moscow metro's just-launched cashless, cardless, and phoneless Face Pay facial recognition payment system constitutes a sinister move by Russia to monitor and control its people. Moscow mayor Sergey Sobyanin said passengers must connect their photo, bank card, and metro card to Face Pay via the metro's mobile application, and city authorities said passengers' data will be "securely encrypted." Stanislav Shakirov with digital rights activist group Roskomsvoboda said, "We are moving closer to authoritarian countries like China that have mastered facial technology. The Moscow metro is a government institution and all the data can end up in the hands of the security services."

Full Article

 

 

Neighbor Wins Privacy Row Over Smart Doorbell, Cameras
BBC News
Jane Wakefield
October 14, 2021


Judge Melissa Clarke in the U.K. has ruled that security cameras and a smart doorbell installed on the house of Oxfordshire resident Jon Woodard "unjustifiably invaded" neighbor Mary Fairhurst's privacy. Clarke determined Amazon's Ring doorbell captured images of Fairhurst's house and garden, while a camera on Woodard's shed was aimed to capture almost all of her garden and parking space. Clarke also ruled that audio data collected by cameras on the shed, in a driveway, and on the doorbell was processed unlawfully, and that its ability to record conversations was "even more problematic and detrimental than video data," in violation of U.K. data laws and the U.K. General Data Protection Regulation.
 

Full Article

 

 

Google Analyzed 80 Million Ransomware Samples: Here's What It Found
ZDNet
Campbell Kwan
October 13, 2021


Cybersecurity firm VirusTotal analyzed 80 million ransomware samples submitted by users in 140 countries and found that Israel submitted the greatest number of samples since the beginning of 2020. Following Israel, the report showed that South Korea, Vietnam, China, Singapore, India, Kazakhstan, the Philippines, Iran, and the U.K. were the countries most affected by ransomware, based on each country’s number of submissions. The ransomware-as-a-service group GandCrab accounted for 78.5% of samples submitted, followed by Babuk (7.6%) and Cerber (3.1%). The report found that Windows-based executables or dynamic link libraries accounted for 95% of ransomware files detected; just 2% were Android-based. VirusTotal researchers said, "We believe this makes sense given that ransomware samples are usually deployed using social engineering and/or by droppers (small programs designed to install malware)."

Full Article

 

 

Study Reveals Scale of Data-Sharing from Android Phones
Trinity College Dublin (Ireland)
October 11, 2021


A study by researchers at Ireland's Trinity College Dublin and the U.K.'s University of Edinburgh found that vendor-customized Android variants transmit significant amounts of data from mobile phones to the operating system (OS) developer and third parties with system apps pre-installed on those handsets, like Google, Microsoft, LinkedIn, and Facebook. The analysis found that users are unable to opt out from this data collection. Trinity College's Doug Leith said, "We've been too focused on Web cookies and on badly-behaved apps. I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones."

Full Article

 

 

Professional Footballers Threaten Data Firms with GDPR Legal Action
BBC News
Nick Hartley
October 21, 2021


Hundreds of professional footballers (soccer players) have threatened litigation against the data collection industry, demanding remuneration for the trading of their performance data over the past six years, and an annual fee for any future use. The 850-player Global Sports Data and Technology Group is led by former U.K. football team manager Russell Slade, whose legal team said lack of compensation for licensed use of footballers' personal data violates Europe's General Data Protection Regulation. The attorney leading the group's action, Chris Farnell, thinks it could lead to a game-changing rethink of data trading, particularly in terms of "how that data is being used and how it's going to be rewarded."

Full Article

 

 

Cryptography Game-Changer for Biomedical Research at Scale
EPFL (Switzerland)
Tanya Petersen
October 11, 2021


An international research team has developed a federated analytics system that allows healthcare providers to perform statistical analyses and develop machine learning models in collaboration without sharing their underlying datasets. Researchers at Switzerland's EPFL (Swiss Federal Institute of Technology Lausanne), Lausanne University Hospital, the Massachusetts Institute of Technology, and Harvard University used the FAMHE federated analytics system to reproduce two published multicentric studies. They found the same scientific results could have been achieved without transferring and centralizing the datasets. Said EPFL's Jean-Pierre Hubaux, "FAMHE uses multiparty homomorphic encryption, which is the ability to make computations on the data in its encrypted form across different sources without centralizing the data and without any party seeing the other parties' data."

Full Article

 

 

Search Engine Could Help Researchers Scour Internet for Privacy Documents
Penn State News
Matt Swayne
October 13, 2021


Pennsylvania State University (Penn State) scientists have designed a search engine that uses artificial intelligence to sift through millions of online documents, which could help privacy researchers find content related to online privacy. The PrivaSeer engine identifies relevant documents using natural language processing (NLP). Penn State's Mukund Srinath said the NLP approach focuses on certain words in text to distinguish between privacy policy documents and non-privacy-policy documents. PrivaSeer has compiled approximately 1.4 million English-language Website privacy policies. Said Penn State’s Shomir Wilson, “This can be a resource for researchers both in natural language processing and privacy, who are interested in this domain of text.”

Full Article

 

University Of Minnesota Creating Center For Medical Device Cybersecurity

Modern Healthcare (9/8, Cohen, Subscription Publication) reports “the University of Minnesota is forming a center focused on medical device cybersecurity with funding from UnitedHealth Group’s Optum and four medical device companies, the university announced Wednesday.” The “center, which aims to bring together university, industry and government collaborators, grew out of medical devicemakers’ interest in forming a hub for device security research, education and workforce training, according to a news release from the University of Minnesota.” Abbott, Optum, “Boston Scientific, Medtronic and Smiths Medical collectively are providing most of the funding.”

 

Howard University Cancels Classes After Ransomware Attack

The New York Times (9/7, Ngo) reports that Howard University, “one of the country’s leading historically Black colleges and universities, canceled some classes for a second day after it was hit with a ransomware attack.” All online and hybrid undergraduate classes “are suspended for Wednesday, according to a statement by the university.” All in-person classes “in Washington will resume as scheduled.” The university “had suspended classes on Tuesday after shutting down its network to investigate the attack.” An alternative Wi-Fi system “will be set up but will not be available tomorrow, according to the statement.”

        CNN (9/7, Cohen) reports according to a statement from the university, “To date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed.”

        The Hill (9/7, Oshin) reports the university “has engaged both the FBI and the DC government about the ransomware attack and has said it will implement new online safety measures to protect student data and its facilities.”

        ABC News (9/7, Barr) reports “last week, the FBI and the Cybersecurity Infrastructure Security Agency (CISA) warned companies to be vigilant and on alert for ransomware attacks over the Labor Day weekend.” The agencies “noted that the past two major cyber attacks have occurred over a holiday weekend – noting that, leading into the Mother’s Day weekend, the Colonial Pipeline was hacked, over Memorial Day weekend meat supplier JBS was hacked and over the Fourth of July weekend IT management company Kaseya was hacked.”

        Also reporting is Newsweek (9/7, Fung).

 

Bot Attacks Affect Enrollment Data At California Community Colleges

EdSource (9/7, Peele, Willis, Gordon, Burke) reports “over the last five months,” the California Community Colleges’ central office has been “unable to provide student enrollment totals for the fall 2020 or spring 2021 terms.” The system website “designed to provide the enrollment of the 115 local community colleges across the state has carried a red-lettered warning for months: Don’t trust the numbers.” Now there are the bots. News last week “that alleged scammers have besieged the system with phony student applications in attempts to score student aid and federal pandemic relief grants put a spotlight on the system’s lingering data problems and its inability to count how many people are attending the nation’s biggest higher education system, which has historically served some 2 million students.” The double problem “of an inability to know how many students are taking classes and the sudden invasion of scammers is ‘quite striking,’ said professor Thomas Dee of Stanford University’s Graduate School of Education, and needs prompt fixing.”

 

FBI Urges Vigilance Against Ransomware Attacks Over Labor Day Weekend

Higher Ed Dive (9/1, Jones) reports “as the Labor Day holiday looms, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are urging companies and public sector organizations to consider proactive threat hunting and create offline data backups to protect against ransomware attacks, citing recent incidents that took place over holiday weekends.” Though there is no information “pointing to a specific pending attack, the agencies warned that several recent ransomware attacks – including the Kaseya attack over Independence Day – took place over extended holiday weekends.” Experts say “the pandemic increased risks for colleges when it forced them to move classes and activities online.”

 

University Of New Orleans Science Professor Receives Grant to Fight Hacking

The New Orleans Times-Picayune (9/1) reports the National Science Foundation “has awarded a $1.2 million grant to Phani Vadrevu, a computer science professor at the University of New Orleans, to develop methods to protect users from web-based social engineering attacks such as survey scams, scareware and phishing expeditions.” The project “will use artificial intelligence to track and model online attacks.”

 

Fake Student Bot Accounts At California Community Colleges Tied To COVID-19 Relief Scam

The Los Angeles Times (8/31, Watanabe) reports the California Community Colleges system “is investigating potentially widespread fraud involving fake ‘bot students’ enrolled in active courses in what officials suspect is a scam to obtain financial aid or COVID-19 relief grants.” The 116-campus system “is beefing up internal reporting and security measures after finding that 20% of recent traffic on its main portal for online applications was ‘malicious and bot-related,’ according to a memo issued Monday.” Nearly 15% of that traffic “was caught by new software called Imperva Advanced Bot Detection, which was installed last month, and the matter remained of ‘grave concern,’ she said.” California Community Colleges Chancellor Eloy Ortiz Oakley “said at least six campuses have reported an unusual spike in enrollment attempts involving possibly fake students.” However, “officials have not yet been able to identify where the ‘pings’ are coming from or how many colleges are involved.”

dtau...@gmail.com

Nov 20, 2021, 9:58:33 PM11/20/21
to sec-...@googlegroups.com

Security Vulnerabilities in Computer Memories
ETH Zurich (Switzerland)
Oliver Morsch
November 15, 2021


A team of researchers from the Swiss Federal Institute of Technology, Zurich (ETH Zurich), the Netherlands' Vrije Universiteit Amsterdam, and semiconductor manufacturer Qualcomm Technologies identified major security flaws in dynamic random-access memory (DRAM) devices. ETH Zurich's Kaveh Razavi said the Rowhammer vulnerability in DRAMs, exploited by hackers to induce bit errors and access restricted areas inside the computer, remains unaddressed. Countermeasures designed to neutralize Rowhammer merely detect simple attacks. Razavi said the researchers' Blacksmith software, which systematically applies complex hammering patterns, found a successful exploit in each of 40 DRAM memories tested. This means current DRAM memories could remain hackable by Rowhammer attacks for years to come.

Full Article

 

 

DHS Program to Attract, Retain Cybersecurity Talent
The Hill
Maggie Miller
November 15, 2021


The U.S. Department of Homeland Security (DHS) has launched a program to find and hire cybersecurity professionals. The federal agency will use the Cyber Talent Management System (CTMS) to simplify and screen the application process. Candidates hired through CTMS will join the DHS Cybersecurity Service, focused on shielding critical infrastructure from cyberattacks. The program will be used to fill vacancies at DHS' Cybersecurity and Infrastructure Security Agency and the DHS Office of the Chief Information Officer, and will help to fill vacancies at other DHS entities starting next year. Said DHS Secretary Alejandro Mayorkas, "This new system will enable our department to better compete for cybersecurity professionals and remain agile enough to meet the demands of our critical cybersecurity mission."

Full Article

 

 

Big Data Privacy for ML Just Got 100 Times Cheaper
Rice University News
Jade Boyd
November 16, 2021


Rice University's Anshumali Shrivastava and Ben Coleman have developed RACE (repeated array of count estimators), an inexpensive technique to ensure personal data privacy when using or sharing large databases for machine learning (ML). The researchers applied locality sensitive hashing to generate abstracts or "sketches" of a huge database of sensitive records. Coleman said RACE sketches are safe for public release and useful for algorithms that employ kernel sums, and for ML programs that execute common tasks like classification, ranking, and regression analysis. Said Shrivastava, "RACE changes the economics of releasing high-dimensional information with differential privacy. It's simple, fast, and 100 times less expensive to run than existing methods."

Full Article

 

 

Delta to Roll Out Facial Recognition in Atlanta Domestic Terminal
Atlanta Journal-Constitution
Kelly Yamanouchi
October 26, 2021


Delta Air Lines intends to launch a facial recognition pilot program in the domestic terminal of Atlanta's Hartsfield-Jackson International Airport as soon as Nov. 3, in partnership with the U.S. Transportation Security Administration. Delta's Greg Forbes said the aim is to make air travel more convenient and "hands-free and touch-free" via biometric solutions. The airline said about 25% of its Atlanta customers would meet the conditions for the optional facial recognition check-in. The ACM Global Technology Policy Council last year warned facial recognition "has often compromised fundamental human and legal rights of individuals to privacy, employment, justice, and personal liberty." However, council chair James Hendler wrote that Delta's implementation "makes it clear where and how it is being used," offers an opt-out process, and has human backup for when the system malfunctions.

Full Article

 

 

Latest Russian Cyberattack Targeting Hundreds of U.S. Networks
Reuters
Susan Heavey
October 25, 2021


Microsoft warns the Russia-based agency Nobelium has targeted hundreds of U.S. companies and organizations, specifically "resellers and other technology service providers" of cloud services, in its latest cyberattack. The software giant, which alerted 609 customers between July 1 and Oct. 19 that they had been targeted, informed The New York Times that only a small percentage of the latest attacks succeeded. U.S. officials verified the operation was underway, with one anonymous official calling it "unsophisticated, run-of-the-mill operations that could have been prevented if the cloud service providers had implemented baseline cybersecurity practices." Microsoft blogged that the latest attack again confirms Russia's ambition "to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest to the Russian government."

Full Article

 

 

Distributed Protocol Underpinning Cloud Computing Automatically Determined Safe, Secure
University of Michigan News
October 25, 2021


Formal verification techniques developed by University of Michigan researchers can automatically confirm the integrity of Paxos, a foundational distributed computing protocol that underlies cloud computing services. Paxos describes an approach called consensus that is incorporated within almost all critical distributed systems, including all cloud-supported applications. Formal verification techniques can demonstrate something is correct and reliable, and certify the proper functioning of a specific algorithm, piece of software, or computer chip. The researchers' IC3PO model-checking system sifts through every state a program can enter and determines whether it matches a description of safe behavior. If correctness is verified, IC3PO produces an inductive invariant—a proof by induction that the property universally holds—which for Paxos took under an hour.

Full Article

 

 

Russia Is Censoring the Internet, with Coercion and Black Boxes
The New York Times
Adam Satariano; Paul Mozur
October 23, 2021


The Russian government has forced the country's largest telecom and Internet service providers to install black boxes connected to a command center in Moscow, so that it can block, filter, and slow down Websites to control what the public sees online. The initiative was pushed to the forefront this spring when the filtering system was used for the first time to slow Twitter to a crawl. Twitter then agreed to remove dozens of posts the government determined were illegal. Russia's Internet regulator, Roskomnadzor, also has threatened to take down YouTube, Facebook, and Instagram if they do not block certain content on their own. The technology has been installed at 500 locations of telecom operators, and is expected to rise to more than 1,000 by next year.

Full Article

*May Require Paid Registration

 

 

Quantum-Encrypted Information Transmitted Over Fiber More Than 600 Km Long
Optica
October 21, 2021


Researchers at the University of Leeds and Toshiba Europe in the U.K. established secure quantum communication over 605 kilometers (375 miles) of fiber through a new signal stabilization method. The researchers used the twin-field quantum key distribution protocol, which enables two geographically separated users to establish a common secret bit-string by sharing photons, which are usually transmitted over an optical fiber. The stabilization technique utilizes two optical reference signals at different wavelengths to minimize phase fluctuations over long distances. The researchers demonstrated that this method could support repeater-like performance while accommodating losses outside the traditional limit of 100 decibels over a 605-kilometer-long quantum channel. Toshiba Europe's Andrew Shields said, "This will allow us to build national- and continental-scale fiber networks connecting major metropolitan areas."

Full Article
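The Paxos item above describes a model checker walking every state a protocol can reach and checking each against a description of safe behavior. The following is an added example written for this digest, not IC3PO and not the Michigan group's code: a tiny single-decree Paxos model (three acceptors, two ballots, two values, all constructed) explored by breadth-first search, checking the safety property that at most one value is ever chosen. A flag drops the rule that a proposer must adopt the highest-ballot value its quorum reports, so you can watch the same check find a violation. It does not synthesise an inductive invariant as IC3PO does; it only shows the reachable-state check such tools build on.

```python
"""Exhaustive reachability check of a tiny single-decree Paxos model.

Constructed example for this digest, not IC3PO and not the Michigan group's
code. It enumerates every reachable state of a 3-acceptor, 2-ballot,
2-value instance and checks the safety property "at most one value is ever
chosen". IC3PO would go on to produce an inductive invariant; this script
stops at the reachable-state check that such tools build on.
"""
from collections import deque
from itertools import combinations

ACCEPTORS = (0, 1, 2)          # constructed: three acceptors
BALLOTS = (1, 2)               # constructed: two ballot numbers
VALUES = ("A", "B")            # constructed: two proposable values
QUORUM = len(ACCEPTORS) // 2 + 1
NONE = -1                      # "nothing accepted yet" marker for an acceptor's maxVBal


def initial_state():
    """State = (maxBal, maxVBal, maxVal, messages); messages are never retracted."""
    n = len(ACCEPTORS)
    return ((0,) * n, (NONE,) * n, (None,) * n, frozenset())


def successors(state, adopt_promised_value=True):
    """All states reachable by one protocol step."""
    max_bal, max_vbal, max_val, msgs = state
    nxt = []
    # Phase 1b: acceptor a promises ballot b and reports what it has accepted so far
    for a in ACCEPTORS:
        for b in BALLOTS:
            if max_bal[a] < b:
                mb = list(max_bal)
                mb[a] = b
                nxt.append((tuple(mb), max_vbal, max_val,
                            msgs | {("1b", a, b, max_vbal[a], max_val[a])}))
    # Phase 2a: the proposer of ballot b proposes once some minimal quorum has promised
    for b in BALLOTS:
        if any(m[0] == "2a" and m[1] == b for m in msgs):
            continue                                   # one proposal per ballot
        promises = {m[1]: m for m in msgs if m[0] == "1b" and m[2] == b}
        for quorum in combinations(sorted(promises), QUORUM):
            top = max((promises[a] for a in quorum), key=lambda m: m[3])
            if adopt_promised_value and top[3] != NONE:
                allowed = (top[4],)     # Paxos rule: adopt the highest-ballot accepted value
            else:
                allowed = VALUES        # free choice (only safe when nothing was accepted)
            for v in allowed:
                nxt.append((max_bal, max_vbal, max_val, msgs | {("2a", b, v)}))
    # Phase 2b: acceptor a accepts (b, v) unless it has promised a higher ballot
    for m in msgs:
        if m[0] != "2a":
            continue
        _, b, v = m
        for a in ACCEPTORS:
            if max_bal[a] <= b:
                mb, mvb, mv = list(max_bal), list(max_vbal), list(max_val)
                mb[a], mvb[a], mv[a] = b, b, v
                nxt.append((tuple(mb), tuple(mvb), tuple(mv),
                            msgs | {("2b", a, b, v)}))
    return nxt


def chosen_values(state):
    """A value is chosen once a quorum of acceptors accepted it in the same ballot."""
    msgs = state[3]
    chosen = set()
    for b in BALLOTS:
        for v in VALUES:
            voters = {m[1] for m in msgs if m[0] == "2b" and m[2] == b and m[3] == v}
            if len(voters) >= QUORUM:
                chosen.add(v)
    return chosen


def explore(adopt_promised_value=True):
    """BFS over every reachable state; returns (states visited, first unsafe state or None)."""
    start = initial_state()
    seen = {start}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if len(chosen_values(s)) > 1:
            return len(seen), s
        for t in successors(s, adopt_promised_value):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return len(seen), None


if __name__ == "__main__":
    n, bad = explore()
    print(f"Paxos as specified: {n} states, safety violation found: {bad is not None}")
    n, bad = explore(adopt_promised_value=False)
    print(f"without value adoption: {n} states, safety violation found: {bad is not None}")
```

With the adoption rule in place the search exhausts the state space without finding two chosen values; with it removed, the search returns a state in which a ballot-1 quorum accepted one value and a ballot-2 quorum accepted the other, which is exactly the disagreement Paxos is designed to rule out.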

 

dtau...@gmail.com

Nov 25, 2021, 11:58:20 AM11/25/21
to sec-...@googlegroups.com

For Rules in Technology, the Challenge Is to Balance Code, Law
The New York Times
Ephrat Livni
November 23, 2021


The idea that "code is law," observed in a 1999 book by Harvard University's Lawrence Lessig, has been embraced by the cryptocurrency industry, with some firms contending code can be a better arbitrator than traditional regulators. However, issues have emerged in the decentralized finance (DeFi) sector, with hackers this summer overriding smart contract instructions to steal $600 million from the Poly Network, which lets users transfer cryptocurrencies across blockchain networks. DeFi platforms typically are established as Decentralized Autonomous Organizations governed democratically by a community of users who vote with crypto tokens. Said Lessig, "We need a more sophisticated approach, with technologists and lawyers sitting next to behavioral psychologists and economists," to define parameters to code social values into programs.

Full Article

*May Require Paid Registration

 

 

How to Find Hidden Spy Cameras with a Smartphone
Help Net Security
Zeljka Zorz
November 23, 2021


Scientists at the National University of Singapore and South Korea's Yonsei University developed a smartphone application that can find tiny spy cameras concealed in everyday objects, using smartphones' time-of-flight (ToF) sensor. The researchers said the Laser-Assisted Photography Detection (LAPD) app spots hidden cameras better than commercial camera detectors, and much better than the human eye. The app, which works on any smartphone handset equipped with a ToF sensor, can only scan a single object at a time, and requires about a minute to scan that object. The researchers said the app could be made more accurate by taking advantage of the handset's flashlight and RGB cameras.

Full Article

 

 

U.K., U.S. Join Forces to Strike Back in Cyberspace
BBC News
Gordon Corera
November 19, 2021


The U.S. and U.K. announced a collaboration to strike back against mutual adversaries engaging in malicious cyber-activities, to address "evolving threats with a full range of capabilities." At an annual meeting of intelligence chiefs, U.K. General Sir Patrick Sanders, Government Communications Headquarters director Sir Jeremy Fleming, and U.S. Cyber Command director General Paul Nakasone "reaffirmed" their pledge to jointly disrupt and deter new and emergent cyberthreats. They said they would accomplish this "by planning enduring combined cyberspace operations that enable a collective defense and deterrence and impose consequences on our common adversaries who conduct malicious cyber-activity." The "persistent engagement" approach used by the U.S. entails contesting adversaries daily to disrupt their cyberattack infrastructure, while Britain suggests a similar strategy with the launch of its National Cyber Force.

Full Article

 

 

This Tool Protects Your Private Data While You Browse
UC San Diego News Center
Ioana Patringenaru
November 18, 2021


The SugarCoat tool developed by researchers at the University of California, San Diego (UCSD) and Brave Software can better protect users' private data as they browse the Web. SugarCoat targets scripts that attack privacy but are critical to Website operations, replacing them with safe scripts that possess the same properties. The open-source SugarCoat is configured to integrate with existing privacy-focused browsers like Brave, Firefox, and Tor, and browser extensions like uBlock Origin. UCSD's Michael Smith said, "SugarCoat integrates with existing content-blocking tools like ad blockers, to empower users to browse the Web without giving up their privacy."

Full Article

 

 

Democrats Say House, Senate Will Meet To Discuss R&D Proposals

Roll Call (11/18, DeChiaro) reports Democratic leaders have revealed that “House and Senate negotiators will soon go to conference in an effort to send bipartisan legislation aimed at advancing U.S. competitiveness in science and technology to President Joe Biden’s desk.” In June, the Senate “passed legislation that would authorize around $200 billion in spending for the National Science Foundation, the Energy Department and other government agencies tasked with research and development in 21st-century fields of technology such as artificial intelligence, quantum computing, robotics and cybersecurity.” The bill, called the US Innovation and Competition Act “USICA,” “would also approve $52 billion in spending to bolster the struggling U.S. semiconductor industry.” However, “the House has not passed a companion measure.” A representative of “Speaker Nancy Pelosi did not respond to questions about which bills the House would bring to conference.”

 

Israel, UAE Lead First-Ever Simulation Of Airline Mega-Cyberattack

The Jerusalem Post (ISR) (11/17, Bob) reported that Israel, the United Arab Emirates, “and five other countries engaged in the first-ever simulation of a mega-cyberattack on the international airline industry, the Israel National Cyber Directorate has announced.” The simulation was made public by the Israel National Cyber Directorate (INCD) only on Wednesday.

ITP (11/17, Parks) reported that drill participants “included representatives of airports, airlines, aircraft manufacturers, civilian aviation authorities, cyber authorities and cybersecurity companies from a number of countries, including Israel, the United States, Germany, Greece, Morocco, Bahrain and the UAE.”

Trade Arabia (BHR) (11/19) reports that “Yigal Unna, Director General of the Israel National Cyber Directorate, and Dr. Mohammed Al-Kuwaiti, Managing Director of the National Data Centre, were in attendance.”

 

School Districts Became Cybercrime Targets Amid Pandemic

Newsday (NY) (11/14, Schneider) reports “school districts are prime targets for cybercriminals because they hold an abundance of personal information on staff, students and local households, which can be stolen and used for identity theft and fraud.” During the pandemic, schools “fast-tracked the move to remote learning, and the computers handed to students often lacked adequate security.” Districts also “adopted online teaching platforms that were vulnerable to hacks.” School districts are “increasingly being attacked with ‘ransomware,’ in which a hacker locks up, or encrypts, a computer system and demands money to unlock it.”

 

Ransomware Attacks On Healthcare Networks Put Availability Of Medical Devices At Risk, FDA Director Of Cybersecurity Says

Healthcare Dive (10/4, Slabodkin) reports, “Ransomware attacks on healthcare facility networks are causing medical device ‘outages’ that put patient lives at risk, according to Kevin Fu, acting director of cybersecurity at the FDA’s Center for Devices and Radiological Health.” A cyberattack on a medical center in Alabama in 2019 allegedly affected “the normal operation of a fetal heartbeat monitor and a nurses’ station.” The hospital is being sued by the “parents of a baby born with the umbilical cord wrapped around their neck who died nine months later following severe brain damage.”

 

UMass Amherst Hires Cybersecurity Firm To Investigate Racist Emails

In continuing coverage, The New York Times (9/30, Jimenez) reports the University of Massachusetts Amherst “has enlisted a cybersecurity firm to help investigate the source of racist emails that were sent to Black student organizations, its chancellor told students this week.” The university’s chancellor, Kumble R. Subbaswamy, “said in a note to students that the anonymous emails were ‘contemptible and cowardly’ and that they were part of an increase in ‘anti-Black racist incidents’ that have taken place on the campus this semester.” Subbaswamy said, “We will not be intimidated by the hateful acts of craven individuals who hide in anonymity. We stand with our students who have been victimized, and we will continually strive for a more equitable community grounded in the principles of dignity and respect.” The university’s administration “did not immediately respond to a request for comment on Thursday night.”

 

NIST To Publish Cybersecurity Practice Guide Volumes Starting In 2022

FedScoop (9/27, Nyczepir) reported that the National Institute of Standards and Technology “plans to publish various volumes of its forthcoming Cybersecurity Practice Guide throughout 2022 and beyond.” The guide “will be the end result of NIST’s Implementing a Zero Trust Architecture Project.”

 

States At Disadvantage In Race To Recruit Cybersecurity Professionals

The AP (9/25, Foody) reported that “hiring and keeping staff capable of helping fend off a constant stream of cyberattacks and less severe online threats tops the list of concerns for state technology leaders.” There’s a “severe shortage of those professionals and not enough financial firepower to compete with federal counterparts, global brands and specialized cybersecurity firms.” State governments “are regular targets for cybercriminals, drawn by the troves of personal data within agencies and computer networks that are essential to patrolling highways, maintaining election systems and other key state services.” Aided “by industry groups, the federal government and individual states have created training programs, competitions and scholarships in hopes of producing more cybersecurity pros nationwide.” Those strategies “could take years to pay off, however.” States “have turned to outside contractors, civilian volunteers and National Guard units for help when their systems are taken down by ransomware and other hacks.”

 

Microsoft CEO Confirms Hiring Of Former AWS Executive In Internal Memo

Insider (9/15, Stewart) reports that on Tuesday Microsoft CEO Satya Nadella, in a leaked internal memo, “confirmed Charlie Bell — a veteran Amazon executive who helped build its cloud business before abruptly departing in August — is joining the company, and revealed Bell will oversee a new companywide cybersecurity engineering organization.” Bell “will report directly to Nadella and become executive vice president of the new organization, called Security, Compliance, Identity, and Management.” Nadella is quoted saying in the memo that Bell “will assume his job duties once a resolution is reached with his former employer.” A source familiar with the matter is cited saying Bell will take a few weeks off while Amazon and Microsoft work on a legal agreement on what Bell can do in his new role that would not violate a noncompete agreement.

Bloomberg (9/15, Bass) says the hiring of Bell “potentially set[s] in motion a legal battle between the two tech giants.” A Microsoft statement is quoted saying, “We’re sensitive to the importance of working through these issues together, as we’ve done when five recent Microsoft executives moved across town to work for Amazon.” Bloomberg adds, “Amazon, which has a history of seeking to enforce non-compete agreements vigorously, didn’t immediately comment on the move.”

Also reporting are GeekWire (9/15, Bishop), ZDNet (9/15, Foley), CRN (9/15, Goodison), and Windows Central (9/15).

dtau...@gmail.com

Dec 4, 2021, 12:34:19 PM12/4/21
to sec-...@googlegroups.com

New Attacks on Web Browsers Detected
Ruhr-Universität Bochum (Germany)
December 2, 2021


Information technology scientists at Germany's Ruhr-Universität Bochum (RUB) and Niederrhein University of Applied Sciences detected 14 new types of Web browser-targeting cross-site leaks (XS-Leaks). XS-Leaks circumvent the same-origin policy designed to prevent the theft of information from a trusted Website, allowing hackers to identify site details that are linked to personal data. The researchers identified three defining XS-Leak characteristics and formalized a model for understanding the attacks, which also helps to detect new ones. They developed the XSinator.com site to automatically scan browsers for XS-Leaks, and tested 56 browser-operating system combinations against 34 known XS-Leaks. RUB's Lukas Knittel said popular browsers such as Chrome and Firefox were susceptible to a large number of XS-Leaks.

Full Article

 

 

Big Tech Privacy Moves Spur Companies to Amass Customer Data
The Wall Street Journal
Suzanne Vranica
December 2, 2021


Companies that rely on online advertising for revenue are collecting their own data on customers, as technology giants and governments impose privacy safeguards. Google, for example, has said it will eliminate third-party cookies on its Chrome browser by late 2023 to support user privacy. Marketers are using tools including loyalty programs, sweepstakes, newsletters, quizzes, polls and quick response codes to convince users to provide information directly to brands. The Molson Coors Beverage company said as more people opt out from app-tracking, having more customer data can help prevent cost increases when purchasing digital ads across social media channels. Marketers see possessing their own databases of consumers and their attributes as potentially helping to make their online ad campaigns more effective and less expensive.

Full Article

*May Require Paid Registration

 

 

Finland Battles 'Exceptional' Malware Attack Spread by Phones
Bloomberg
Kati Pohjanpalo
November 30, 2021


Finland is working to counter malware-carrying text messages of unknown origin that number in the millions, according to Aino-Maria Vayrynen at the country's National Cyber Security Center. Finnish telecom Telia has intercepted hundreds of thousands of texts containing links to the FluBot malware. Many messages claim recipients have received a voice mail and request they open a link, which on Android devices summons a prompt that requests the installation of the malware-impregnated application; authorities said users of Apple's iPhones are ushered to fraudulent material on the site. "The malware attack is extremely exceptional and very worrying," said Teemu Makela at leading Finnish telecom Elisa Oyj.

Full Article

 

 

All Versions of Windows Vulnerable to Zero-Day Exploit
PC Magazine
Matthew Humphries
November 24, 2021


Jason Schultz at Talos Security Intelligence & Research Group warns of a new Windows zero-day exploit that impacts all versions of Windows. The bug derives from a previous Windows Installer bug that Microsoft assumed it had patched, which enables users with a limited account to escalate privileges and delete targeted system files. Security researcher Abdelhamid Nacer determined the bug was incorrectly fixed, and warns the new variant is even more powerful as it fully circumvents the group policy in Windows' administrative install feature. As a result, Nacer said, hackers can replace any executable file on the system with an MSI file, and can run code as an administrator. Since no remedy for this bug currently exists, Nacer said users can only wait for another patch, as "any attempt to patch the binary directly will break Windows installer."

Full Article

 

 

Most Cryptocurrency Trades May Be People Buying from Themselves
New Scientist
Chris Stokel-Walker
November 25, 2021


Researchers at the U.K.'s Newcastle University have found that as many as seven in 10 cryptocurrency trades on popular exchanges worldwide may involve people purchasing from themselves to inflate prices artificially. The researchers studied trades of the four most popular cryptocurrencies—bitcoin, Ethereum, Litecoin, and Ripple—on 29 cryptocurrency exchanges from July to November 2019. The researchers uncovered large volumes of "wash trading," in which investors sell and buy the same asset to create artificial interest in an investment, which generally distorts prices. They said such wash trading appeared to account for more than 70% of total trading volume on unregulated exchanges.

Full Article

*May Require Paid Registration

 

 

Chip Hides Wireless Messages in Plain Sight
Princeton University Electrical and Computer Engineering News
November 23, 2021


Princeton University researchers have developed a millimeter-wave wireless microchip that can thwart interception of wireless transmissions without affecting 5G network latency, efficiency, and speed. The technique used by the chip prevents eavesdropping by chopping a message into randomly sized segments, and assigning different segments to subsets of antennas in an array. The researchers coordinated the transmission so only a receiver in the desired direction could reconstruct the signal in the right order; to other receivers, it would resemble noise. Princeton's Kaushik Sengupta said of the technique, "You can still encrypt on top of it, but you can reduce the burden on encryption with an additional layer of security. It is a complementary approach."

Full Article

 

Microsoft Announces Scholarship Program To Address Cybersecurity Skills “Crisis”

GeekWire (10/28) reports Microsoft has “announced a scholarship program for U.S. community colleges and other initiatives to address what it describes as a national cybersecurity skills crisis.” The tech giant “says it will offer free curriculum to all of the nation’s public community colleges, training for faculty at 150 community colleges, and scholarships and other resources for 25,000 students. Altogether, the campaign aims to...train as many as 250,000 new cybersecurity workers in the country by 2025, most of whom will work for businesses other than Microsoft.” GeekWire says news of the scholarship comes as Microsoft “has said it will quadruple its spending on cybersecurity solutions to $20 billion over the next five years, in addition to spending $150 million to improve security for U.S. government agencies.” The company also “recently hired former Amazon Web Services executive Charlie Bell to lead a consolidated security, compliance identity and management engineering organization inside the company.”

 

Amazon, Microsoft Reach Deal To Allow Charlie Bell To Work On Cybersecurity Issues At Microsoft

Bloomberg (10/11, Soper) reports Amazon and Microsoft came to an agreement that allowed former AWS SVP Charlie Bell to start “his new role Monday working on cybersecurity issues at Microsoft.” Bell’s hire “comes as Microsoft’s Azure cloud division has been closing the gap with market leader Amazon Web Services.” At AWS, Bell “long reported to former AWS leader Andy Jassy, now Amazon chief executive officer. Bell supervised the engineering teams working on AWS’s main software services.” A Microsoft spokesperson said, “After constructive discussions with Amazon, Charlie Bell started his new role on Oct. 11, focused on advancing cybersecurity capabilities that will benefit the tech sector and the broader economy.”

 

Recent Hacks Reveal Secrets That Raise Fears Of Collateral Damage

The Washington Post (10/7, Harwell) reports, “A chain of recent, devastating hacks is exposing some of the Internet’s most fiercely guarded secrets, stepping up a guerrilla struggle between tech firms and anonymous hackers and raising fears that everyday Internet users could get caught in the crossfire.” According to the Post, “Hackers this week dumped a colossal haul of data stolen from Twitch, the Amazon-owned streaming site, revealing what they said was not just the million-dollar payouts for its most popular video game streamers but the site’s entire source code – the DNA, written over a decade, central to keeping the company alive. That followed the hack by the group Anonymous that exposed the most crucial inner workings of Epik, an Internet services company popular with the far right, and triggered firings and other consequences for some of the company’s clients whose identities had previously been undisclosed.”
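The XS-Leaks item earlier in this post concerns leaks that happen in the browser, but a server can still shut many of them off by refusing to serve authenticated responses to cross-site fetches, images and frames in the first place. The following is an added example written for this digest, not code from the XSinator study or its authors: a Fetch Metadata resource-isolation check in Python, with constructed sample requests that mirror the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers browsers send. Assumptions: the header names and values are those of the Fetch Metadata specification; denying cross-site iframes is stricter than the commonly published version of this policy, which allows them and relies on X-Frame-Options. This is defence in depth, not a fix for every one of the 34 leak classes the study tested, some of which need browser-side changes or a Cross-Origin-Opener-Policy to close.

```python
"""Fetch Metadata resource-isolation check as defence in depth against XS-Leaks.

Added example for this digest (not from the XSinator paper). The server
refuses cross-site requests that are not plain top-level navigations, so
an attacker page on another site cannot load this site's authenticated
responses as fetches, images or frames and probe their status, size,
frame count or timing. Header semantics follow the Fetch Metadata spec.
"""

ALLOWED_SITES = {"same-origin", "same-site", "none"}  # "none" = user-initiated (typed URL, bookmark)
NAVIGATION_MODES = {"navigate"}
# Stricter than the usual published policy: frames and plugin documents are
# denied too, because framing is the entry point for several XS-Leak classes.
DENIED_NAV_DESTS = {"iframe", "frame", "object", "embed"}


def isolation_decision(method, headers):
    """Return (allowed, reason) for one request. `headers` has lowercase keys.

    Browsers that implement Fetch Metadata always send Sec-Fetch-Site, so its
    absence means an older client; the policy allows those rather than break them."""
    site = headers.get("sec-fetch-site")
    if site is None:
        return True, "legacy client without Fetch Metadata"
    if site in ALLOWED_SITES:
        return True, f"sec-fetch-site={site}"
    # Cross-site from here on: only a plain top-level GET/HEAD navigation passes.
    mode = headers.get("sec-fetch-mode", "")
    dest = headers.get("sec-fetch-dest", "")
    if mode in NAVIGATION_MODES and method.upper() in ("GET", "HEAD") and dest not in DENIED_NAV_DESTS:
        return True, "cross-site top-level navigation"
    return False, f"cross-site {mode or 'unknown-mode'} request for dest={dest or 'empty'}"


def respond(method, headers):
    """Simulated resource handler: 403 for rejected requests, otherwise 200
    plus isolation headers that close further cross-origin channels."""
    allowed, reason = isolation_decision(method, headers)
    if not allowed:
        return 403, {"Vary": "Sec-Fetch-Site"}, reason
    return 200, {
        "Vary": "Sec-Fetch-Site",                      # caches must key on the decision input
        "Cross-Origin-Opener-Policy": "same-origin",   # severs window references from openers
        "Cross-Origin-Resource-Policy": "same-origin", # blocks cross-origin no-cors reads
        "X-Frame-Options": "DENY",
    }, reason


# Constructed requests (not captured traffic), shaped like what Chromium sends.
SAMPLE_REQUESTS = {
    "same-origin xhr":      ("GET",  {"sec-fetch-site": "same-origin", "sec-fetch-mode": "cors",     "sec-fetch-dest": "empty"}),
    "cross-site fetch":     ("GET",  {"sec-fetch-site": "cross-site",  "sec-fetch-mode": "cors",     "sec-fetch-dest": "empty"}),
    "cross-site img":       ("GET",  {"sec-fetch-site": "cross-site",  "sec-fetch-mode": "no-cors",  "sec-fetch-dest": "image"}),
    "cross-site iframe":    ("GET",  {"sec-fetch-site": "cross-site",  "sec-fetch-mode": "navigate", "sec-fetch-dest": "iframe"}),
    "cross-site link":      ("GET",  {"sec-fetch-site": "cross-site",  "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}),
    "cross-site form post": ("POST", {"sec-fetch-site": "cross-site",  "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}),
    "legacy browser":       ("GET",  {}),
}


def evaluate_samples():
    """Status code the handler returns for each constructed request."""
    return {name: respond(method, headers)[0] for name, (method, headers) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in evaluate_samples().items():
        print(f"{name:22s} -> {status}")
```

Users clicking a link from another site still get the page, so the policy is invisible to them, while an attacker page's `fetch()`, `<img>` and `<iframe>` probes all receive the same 403 regardless of the victim's state, which is what removes the state-dependent signal XS-Leaks rely on.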

dtau...@gmail.com

Dec 12, 2021, 9:04:27 AM12/12/21
to sec-...@googlegroups.com

Google Announces Lawsuit, Technical Action Against Blockchain Botnet Glupteba
ZDNet
Jonathan Greig
December 7, 2021


Google has filed suit against Glupteba, a Russia-based blockchain-backed botnet, to "create legal liability for the botnet operators, and help deter future activity." Google's Threat Analysis Group found the Glupteba botnet has compromised about 1 million Windows devices globally. Google's Royal Hansen and Halimah DeLaine Prado wrote in a blog post that the botnet "is notorious for stealing users' credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people's Internet traffic through infected machines and routers." Google said it also has disrupted Glupteba's command and control infrastructure, although that may only be temporary due to its "sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity."

Full Article

 

 

Framework Will Improve the Security of All Firefox Users
UC San Diego Jacobs School of Engineering
December 6, 2021


Mozilla has started deploying a new framework designed to make the Firefox browser more secure on all Firefox platforms. Developed by researchers at the University of California San Diego (UCSD), University of Texas at Austin, and Mozilla, the RLBox framework increases browser security by sandboxing third-party libraries that are vulnerable to attack, isolating them from the rest of the browser. It has two main components: the sandboxing technique itself, and a tainted type system. Said UCSD's Deian Stefan, “To deal with such sophisticated attackers, we need multiple layers of defense and new techniques to minimize how much code we need to trust (to be secure). We designed RLBox exactly for this."

Full Article

 

 

Microsoft Seizes 42 Websites From Chinese Hacking Group
The New York Times
Kellen Browning
December 6, 2021


Microsoft on Monday announced the seizure of 42 Websites from Chinese hacking group Nickel in order to disrupt the gang's intelligence-gathering operations. The company said it had been tracking Nickel since 2016, and is rerouting the sites' traffic to secure Microsoft servers. The software giant said Nickel's attacks were intended to install malware for surveillance and data theft; the group was alleged to be besieging organizations in 29 countries, and was suspected of using compromised data "for intelligence gathering from government agencies, think tanks, universities, and human rights organizations," according to Microsoft's Tom Burt. A federal court in Virginia issued a temporary restraining order against the hackers, and turned the Websites over to Microsoft.

Full Article

*May Require Paid Registration

 

 

How Can We Get Blockchains to Talk to Each Other?
IEEE Spectrum
Edd Gent
December 3, 2021


Stefan Schulte and colleagues at Austria's Vienna University of Technology are exploring communication between blockchains. The researchers developed a potential solution that relies on blockchain relays, smart contracts operating on one blockchain that can confirm events on another. The researchers have come up with an on-demand verification system, in which the relay assumes transactions between blockchains are valid unless they are disputed. Fraudulent submissions are discouraged because third parties must offer a cryptocurrency stake to participate, which disputants can seize if they prove invalidity.

Full Article

 

 

These Researchers Wanted to Test Cloud Security. They Were Shocked by What They Found
ZDNet
Danny Palmer
December 1, 2021


Cybersecurity researchers at Palo Alto Networks created a honeypot comprising 320 nodes around the world to determine how quickly they would be compromised by hackers. The researchers found that 80% of the honeypots were compromised within 24 hours, and all had been compromised within a week. SSH was the most attacked application, with each SSH honeypot compromised an average of 26 times per day; one was compromised 169 times in one day. Palo Alto Networks' Jay Chen said, "The fact that attackers could find and compromise our honeypots in minutes was shocking. This research demonstrates the risk of insecurely exposed services." Chen said the findings underscore "the importance of mitigating and patching security issues quickly."

Full Article

 

Two Community Colleges Start Week Closed To Recover From Cyberattacks

Higher Ed Dive (11/29, Schwartz) reports “two community colleges, Lewis and Clark Community College in Illinois and Butler County Community College in Pennsylvania, are starting the week closed as they recover from separate cyberattacks.” Lewis and Clark Community College “told students via Facebook that all of its campuses will be closed throughout the week to give the school’s information technology systems time to recover from a ‘cybersecurity event.’” The school “enrolls about 4,700 students.” Meanwhile, Butler County Community College “is canceling remote classes and closing its main campus and other locations Monday and Tuesday while it restores databases, hard drives, servers and other devices affected by a recent ransomware attack, it announced Sunday.”

 

Researchers Uncover More Than A Dozen Vulnerabilities In Software Used In Medical Devices

CNN (11/9, Lyngaas) reports, “Researchers say they have found more than a dozen vulnerabilities in software used in medical devices and machinery used in other industries that, if exploited by a hacker, could cause critical equipment such as patient monitors to crash.” About “4,000 devices made by a range of vendors in the health care, government and retail sectors are running the vulnerable software, according to cybersecurity firms Forescout Technologies and Medigate, which discovered the issue.” According to the research, announced in a Forescout news release, “the vulnerabilities affect versions of the Nucleus Real-time Operating System.” In response, Dr. Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, said, “It is important for medical device manufacturers to have a mechanism to quickly ascertain if their devices are affected.” Fu also “said the vulnerabilities could affect a range of medical devices, but that it depends on what version of the software is running and whether the device is connected to the internet.”

 

Facebook To Shut Down Facial Recognition System

The New York Times (11/2, Hill, Mac) reports Facebook “plans to shut down its decade-old facial recognition system this month, deleting the face scan data of more than one billion users and effectively eliminating a feature that has fueled privacy concerns, government investigations, a class-action lawsuit and regulatory woes.” In a blog post, Jerome Pesenti, Vice President of Artificial Intelligence at Facebook parent company Meta, “said...the social network was making the change because of ‘many concerns about the place of facial recognition technology in society.’” The Times adds that while Facebook “will not eliminate the software that powers the system, which is an advanced algorithm called DeepFace,” and a Meta spokesman conceded the company “has also not ruled out incorporating facial recognition technology into future products,” privacy advocates “nonetheless applauded the decision.”

dtau...@gmail.com

Dec 18, 2021, 2:03:18 PM12/18/21
to sec-...@googlegroups.com

Researchers Uncover Coexistence Attacks on Wi-Fi, Bluetooth Chips
The Hacker News
Ravie Lakshmanan
December 16, 2021


Cybersecurity researchers at Germany's Technical University of Darmstadt and Italy's University of Brescia have disclosed a newly discovered exploit that taps a device's Bluetooth element to steal network passwords and manipulate traffic on a Wi-Fi processor. The hack targets combo chips, processors specially designed to handle different wireless signals simultaneously. According to the researchers, "The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information.” In addition, they said, an attacker could execute code on a Wi-Fi processor “even if it is not connected to a wireless network." The researchers are urging users to remove unnecessary Bluetooth pairings, erase unused Wi-Fi networks, and employ cellular rather than Wi-Fi communications in public spaces.

Full Article

 

 

Protecting Users' Private Data While They Browse
National Science Foundation
December 14, 2021


The SugarCoat tool developed by scientists associated with the University of California, San Diego (UCSD) and Brave Software, with funding from the U.S. National Science Foundation, can better protect users' private data while they browse the Web. SugarCoat replaces privacy-harming scripts that are critical for Website function with innocuous substitutes that have the same properties. The open-source tool is designed to be integrated into privacy-focused browsers such as Brave, Firefox, and Tor, plus browser extensions like uBlock Origin. UCSD's Deian Stefan said, "SugarCoat is a practical system designed to address the lose-lose dilemma that privacy-focused tools face today: block privacy-harming scripts but break Websites that rely on them, or keep sites working, but give up on privacy."

Full Article

 

 

Software Flaw Sparks Global Race to Patch Bug
The Wall Street Journal
Robert McMillan
December 13, 2021


Companies and governments scrambled this past weekend to patch a major bug in a piece of popular Internet software that security experts warned could grant hackers access to networks. Cybersecurity researchers said the bug, hidden in Log4j server code, is one of the most significant vulnerabilities in recent years due to its use on corporate networks; hackers began exploiting it on Friday, and Check Point Software Technologies observed more than 100,000 attempts over roughly 24 hours. Apache Software Foundation’s Ralph Goers said users must upgrade to correct the bug. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency urged corporate action, while German and Australian agencies issued similar warnings.

Full Article

*May Require Paid Registration

 

 

Cyber Protections Against Stealthy 'Logic Bombs' Targeting 3D-Printed Objects
SciTechDaily
December 10, 2021


Researchers at Rutgers University-New Brunswick and the Georgia Institute of Technology have proposed new protections for three-dimensionally-printed objects against the introduction of unwanted computer code, or logic bombs. The researchers explored the Mystique class of attacks targeting four-dimensional (4D) printing, which induces visually harmless objects to act maliciously when a logic bomb is activated by stimuli like temperature changes to the materials printed. The researchers’ initial solution to such attacks is to use a dielectric sensor to measure the composition and diameter of raw materials passing through the printer's extruder, to ensure they meet requirements before they are printed. A second safeguard uses high-resolution computed tomography to spot residual stresses in printed objects, which can identify 4D attacks in a single printing layer with 95.6% accuracy.

Full Article

 

 

NIST Records Fifth Straight Year of Record Software Vulnerabilities
ZDNet
Jonathan Greig
December 8, 2021


The U.S. National Institute of Standards and Technology logged record software vulnerabilities for the fifth consecutive year in 2021, recording 18,378. The number of high-severity vulnerabilities declined from 4,381 last year to 3,646 this year, while medium- and low-risk vulnerabilities topped those observed in 2020. Bugcrowd's Casey Ellis said with fundamental technology development accelerating, vulnerabilities will grow in number as more software is created. Said Ellis, "High-impact issues tend to be more complicated, remediated more quickly once found, and—in the case of systemic high-impact vulnerability classes—are often prioritized for root-cause analysis and anti-pattern avoidance in the future, and thus can often be fewer in number." K2 Cyber Security's Pravin Madhani said the pandemic contributed to the increase in reported flaws, prompting many organizations to rush products to market with less-rigorous quality assurance.

Full Article

 

 

Your Face Is, or Will Be, Your Boarding Pass
The New York Times
Elaine Glusac
December 7, 2021


Many biometric identification innovations use facial recognition, which the U.S. National Institute of Standards and Technology estimated is at least 99.5% accurate compared to iris scanning or fingerprints. Delta Air Lines in November launched a digital identity program for Transportation Security Administration (TSA) PreCheck members at Hartsfield-Jackson Atlanta International Airport, who can opt in to using facial recognition. Swiss biometrics technology company SITA also tested a system with United Airlines at San Francisco International Airport to compare driver licenses and passports to facial scans for baggage check and domestic boarding purposes. The CLEAR subscription service, meanwhile, allows subscribers to use dedicated kiosks to access their biometric data, confirm their identities, and advance to the front of the TSA security line.

Full Article

*May Require Paid Registration

 

House Passes Bipartisan Bills On Network Security, Cyber Literacy

The Hill (12/1, Miller) reports the House on Wednesday “passed three bipartisan bills intended to shore up network security and increase cyber literacy across the nation, following a difficult year fraught with several significant cybersecurity attacks.” The Understanding Cybersecurity of Mobile Networks Act would “require the National Telecommunications and Information Administration (NTIA) to examine and report back on cybersecurity vulnerabilities in mobile networks.” The American Cybersecurity Literacy Act calls for the NTIA to “develop and roll out a cybersecurity literacy program to educate Americans about cyber risks.” Finally, the FUTURE Networks Act would require the FCC “to establish a sixth generation (6G) wireless technology task force to examine potential vulnerabilities and advantages in the future use of 6G technology.”

Daniel Tauritz

Dec 23, 2021, 5:51:01 PM
to sec-...@googlegroups.com

Hackers Can Penetrate 93% of Local Networks
Infosecurity Magazine
James Coker
December 20, 2021


Research by security company Positive Technologies determined that hackers can penetrate 93% of organizations' local networks, which penetration tests confirmed the researchers could accomplish in an average of two days. The researchers also confirmed the feasibility of 71% of "unacceptable events" that 20% of the companies asked to have checked, such as disruption of processes and services, and the theft of funds and important information. The most common breach method was found to be credential compromise, mainly due to easily guessable passwords. The researchers also said most companies lacked segmentation by business processes, allowing malefactors to develop multiple attack vectors concurrently. Positive Technologies' Ekaterina Kilyusheva said countermeasures can include "separation of business processes, configuration of security control, enhanced monitoring, and lengthening of the attack chain.”

Full Article

 

 

Drones Take Center Stage in U.S.-China War on Data Harvesting
Bloomberg
Bruce Einhorn; Todd Shields
December 19, 2021


Critics are increasingly worried that Chinese-made unmanned aerial vehicles (drones) purchased by Americans are harvesting sensitive data for Chinese intelligence agencies. Chinese drone manufacturer CSZ DJI Technology owns more than half the U.S. drone market, and U.S. lawmakers are considering a ban on federal DJI drone purchases. Yale Law School's Oona Hathaway said while each piece of collected data may be individually insignificant, "combined, the pieces can give foreign adversaries unprecedented insight into the personal lives of most Americans." Paul Triolo at risk consultancy Eurasia Group predicts data security "will be a defining issue for the next decade" as innovations fuel "explosive demand" for more information.

Full Article

 

 

Home Router Might be Intercepting Internet Traffic for a Good Reason
UC San Diego News Center
Ioana Patringenaru
December 15, 2021


University of California, San Diego (UCSD) researchers suggest routers in homes may be intercepting and transmitting Domain Name System (DNS) traffic to a different destination than the user intends, which means "someone else gets to see all that information," said UCSD's Audrey Randall. She explained that Internet service providers often do this to shield users from malware that contacts specific DNS resolvers. The researchers found home router software redirects DNS queries to an alternate resolver, and modifies the response to appear like it comes from the originally specified resolver. Said Randall, “When this type of transparent interception is used, you think you have control over your traffic, but you don’t.”

Full Article

 

DHS Expands Bug Bounty Program To Include Log4j Vulnerability

The Hill (12/21) reports the Department of Homeland Security is expanding the Hack DHS program, announced last week, which offers bounties for finding vulnerabilities in external DHS systems and alerting the agency to them. The program now covers “issues related to the Apache logging library log4j vulnerability.” Security professionals have been “scrambling” to address the log4j vulnerability, which has been used by “nation states and cybercriminals alike.”

Roll Call (12/21, Ratnam) reports McAfee Enterprise Principal Engineer and Head of Advanced Threat Research Steve Povolny said that while Apache offers a patch to fix the flaw, companies and government agencies use different versions of the log4j tool and have to figure out “which fix works with what version.”

 

FDA Issues Warning To Medical Device Makers Over Cybersecurity Risk In Popular Apache Log4j Software Tool

FierceBiotech (12/21, Park) reports that medtech developers are not immune to the vulnerability “discovered last month within the widely used Apache Log4j logging tool.” The vulnerability “makes it unnervingly easy for hackers to take control of cloud-based servers, allowing them to find and leak sensitive user information, remotely control connected devices, mine for cryptocurrency and more.” In a December 17 safety notice, the Food and Drug Administration warned, “These vulnerabilities may introduce risks for certain medical devices where the device could be made unavailable, or an unauthorized user could remotely impact the safety and effectiveness of device functionality.”

 

Cyberthreats, Cyberinsurance Premiums On The Rise Among Colleges, Universities

Inside Higher Ed (12/16, Smalley) reports that “for both community colleges and four-year institutions, cyberthreats are now very pronounced, and that reality has led to more institutions facing cyberinsurance premium hikes of as much as 400 percent – or even discovering they are uninsurable.” Roughly “82 colleges and public school districts have been the victims of cyberattacks so far this year, disrupting learning at more than 1,000 individual institutions and schools across the country, according to the cybersecurity company Emsisoft.” No less than “three American community colleges have been attacked by cybercriminals using ransomware since Nov. 30, the latest in a wave of such attacks targeting at least 19 higher education institutions this year.”
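The Log4j items above come down to one practical problem Povolny names: knowing which copies of log4j-core are on your hosts and at what version. The script below is an added example for this digest, not Apache's or any vendor's tool. It walks a directory tree, recognises log4j-core jars by the Maven `pom.properties` they ship with (or by the `JndiLookup` class when a shaded copy has lost its metadata), and compares the version against the fixed releases of the 2.x lines as published in late December 2021 (2.17.1, with 2.12.4 and 2.3.2 for the older-Java lines). Those thresholds, the file paths and the sample jars are the editor's assumptions and constructed fixtures; re-check the thresholds against the current Apache advisory before relying on them.

```python
"""Inventory log4j-core jars under a directory tree and say which still need an
upgrade.  Added example for this digest (not Apache's or any vendor's tool).
Fix-version thresholds are the Apache Log4j 2.x release lines as published in
late December 2021; re-check them against the current Apache advisory."""
import os
import re
import tempfile
import zipfile

# Maven metadata that log4j-core ships inside its own jar; the version lives here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup.  Its presence alone does not prove
# exposure (patched 2.17.x still ships it), but an unversioned jar that
# carries it deserves a manual look.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Minimum fixed release per 2.x line (assumption: December 2021 advisory).
# 2.3.x is the Java 6 line and 2.12.x the Java 7 line; anything else on 2.x
# is expected to be at 2.17.1 or later.
FIXED_BY_LINE = {(2, 3): (2, 3, 2), (2, 12): (2, 12, 4)}
FIXED_DEFAULT = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9); pads to three parts."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def needs_upgrade(version):
    """True when a 2.x version predates the fixed release for its line."""
    if version[0] != 2:
        return False  # 1.x is end-of-life and outside this check's scope
    return version < FIXED_BY_LINE.get(version[:2], FIXED_DEFAULT)


def inspect_jar(path):
    """Return a finding for a log4j-core jar, or None if the jar is unrelated."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            has_jndi = JNDI_LOOKUP_CLASS in names
            if POM_PROPERTIES not in names and not has_jndi:
                return None
            version = None
            if POM_PROPERTIES in names:
                props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        return None  # not a real jar (truncated download, renamed file, ...)
    if version is None:
        verdict = "unknown-version"  # shaded/repackaged copy: inspect by hand
    elif needs_upgrade(version):
        verdict = "upgrade"
    else:
        verdict = "ok"
    return {"path": path, "version": version, "has_jndi": has_jndi, "verdict": verdict}


def scan(root):
    """Walk root, inspect every *.jar, and return findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def make_fixture():
    """Constructed sample tree (not real software): three log4j-core copies at
    different states plus one unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def write_jar(relpath, version, with_jndi):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            if version:
                jar.writestr(POM_PROPERTIES, f"version={version}\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class magic only

    write_jar("app1/lib/log4j-core-2.14.1.jar", "2.14.1", True)          # pre-fix
    write_jar("app2/WEB-INF/lib/log4j-core-2.17.1.jar", "2.17.1", True)  # fixed line
    write_jar("app3/lib/shaded-logging.jar", None, True)                 # version stripped
    write_jar("app4/lib/commons-lang3.jar", None, False)                 # not log4j
    return root


if __name__ == "__main__":
    for f in scan(make_fixture()):
        ver = ".".join(map(str, f["version"])) if f["version"] else "?"
        print(f"{f['verdict']:16} {ver:8} {f['path']}")
```

Run it against a real tree with `scan("/opt")` or similar; the "unknown-version" verdict is deliberate, because shaded or repackaged copies are exactly the ones a version-string grep misses. The check reads only jar metadata and does not cover log4j-core embedded as loose classes or nested inside another archive.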

dtau...@gmail.com

Jan 1, 2022, 3:40:41 PM
to sec-...@googlegroups.com

Happy New Year!

  • Dr. T

 

White House National Security Adviser Asks Software Companies to Discuss Cybersecurity
Reuters
Jarrett Renshaw; Alexandra Alper
December 23, 2021


White House national security adviser Jake Sullivan has asked major software companies and developers to discuss cybersecurity enhancement, as hacks against U.S. targets this year added urgency to the threat. One exploit compromised over 20,000 organizations via a backdoor patch used in Microsoft's email software, which the government attributed to the Hafnium group with alleged ties to the Chinese government. Cyberattacks have escalated in frequency and impact, spurring the White House to issue an executive order in May that established a review board and new software standards for federal agencies. Anne Neuberger, deputy national security adviser for cyber & emerging technology, will host a discussion in January with corporate officials overseeing open-source projects and security.
 

Full Article

 

 

IT Security: Computer Attacks with Laser Light
Karlsruhe Institute of Technology (Germany)
December 21, 2021

Researchers at Germany's Karlsruhe Institute of Technology (KIT), the Technical University of Braunschweig, and the Technical University of Berlin demonstrated that physically isolated computer systems can be hacked using a directed laser. The researchers found that hackers can communicate secretly with air-gapped computer systems over several meters of distance, using a directed laser to transmit data to the light-emitting diodes of traditional office devices without additional hardware at the attacked device. KIT's Christian Wressnegger said, "The LaserShark project demonstrates how important it is to additionally protect critical IT systems optically next to conventional information and communication technology security measures."
 

Full Article

 


Walk-Through Metal Detectors Can Be Hacked, Research Finds
Gizmodo
Lucas Ropek
December 21, 2021


Researchers at Cisco Talos have identified nine software vulnerabilities in commonly used metal detectors manufactured by Garrett. The vulnerabilities were detected in Garrett's iC module, which provides network connectivity to two popular walk-through detectors. The module is used to control the detectors remotely and perform real-time monitoring and diagnostics. The researchers wrote in a blog post, "An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors." Talos said device users can mitigate the security flaws by updating their iC modules to the latest version of its firmware.
 

Full Article

 

Identifying Fake Voice Recordings
Ruhr-Universität Bochum (Germany)
Julia Weiler
December 20, 2021


Joel Frank and Lea Schönherr at Germany's Ruhr-Universität Bochum (RUB) are developing tools to identify artificial intelligence (AI)-generated fake voice recordings. The researchers first compiled a dataset of about 118,000 AI-generated audio deepfakes, comprising roughly 196 hours of English and Japanese content. They then compared the deepfakes with recordings of real speech, and plotted the files as spectrograms showing frequency distribution over time, yielding subtle distinctions in the high frequencies between real and fake files. Frank and Schönherr then programmed algorithms that can distinguish between deepfakes and real speech as a starting point for scientists to devise novel detection methods.
 

Full Article

 

dtau...@gmail.com

Jan 8, 2022, 8:23:47 AM
to sec-...@googlegroups.com

Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations
The Hacker News
Ravie Lakshmanan
January 3, 2022


Researchers at France’s Research Institute of Computer Science and Random Systems (IRISA) have proposed harnessing electromagnetic field emanations from Internet of Things (IoT) devices to collect side-channel data about malware, even when evasion is implemented. The idea is to exploit this information to detect anomalies in emanations that deviate from previously observed patterns, and flag suspicious behavior mimicking the malware, versus the system's normal state. The framework requires no hardware modification, and can detect and classify malware such as kernel-level rootkits, ransomware, and distributed denial-of-service botnets. The IRISA researchers said the method is robust against code transformation/obfuscation schemes including random junk insertion, packing, and virtualization, even when the transformation is previously unknown.

Full Article

 

 

Are Apple AirTags Being Used to Track People, Steal Cars?
The New York Times
Ryan Mac; Kashmir Hill
January 1, 2022


Concerns are mounting as Apple's location-tracking AirTag devices are being found on people's cars and in their belongings, giving rise to fear of stalking. Seven women interviewed by The New York Times think they were tracked with AirTags, including a 17-year-old whose mother put one on her car. Canadian police also reportedly have investigated cases of thieves placing AirTags on "high-end vehicles so they can later locate and steal them." Bluetooth-outfitted AirTags emit a signal that can be detected by devices using Apple's mobile operating system. While the devices incorporate abuse-preventing features including tracking alerts and automatic beeping, the Electronic Frontier Foundation's Eva Galperin warns they constitute a "uniquely harmful" threat, given the ubiquity of Apple products.

Full Article

*May Require Paid Registration

 

 

More Malicious Domains Are Online Than Ever Before
TechRadar
Anthony Spadafora
December 30, 2021


The Unit 42 group of cybersecurity firm Palo Alto Networks in September used a cloud-based detector to find malicious domains strategically registered years before they were actually employed. The researchers estimated 22.3% of strategically aged domains present a threat, with 3.8% being straight-out malicious, 19% suspicious, and 2% unsafe for work environments. Malefactors keep domains dormant to establish a "clean record" so their domains are less likely to be blocked when activated. Security systems frequently flag newly registered domains as malicious, yet the Palo Alto researchers said strategically aged domains are three times more likely to be malicious; a sudden spike in traffic usually signals a domain's maliciousness, while normal Websites experience more gradual traffic growth.

Full Article

 

 

Hackers Get Better at Defeating Your 2FA Security
Gizmodo
Lucas Ropek
December 28, 2021


A team of researchers from Stony Brook University and cybersecurity firm Palo Alto Networks have discovered at least 1,200 different phishing toolkits being used to slip past two-factor authentication (2FA) protections. The researchers found these malicious software programs were designed to phish and steal 2FA login data from users of major Websites. These toolkits steal 2FA authentication cookies, either by infecting the victim’s computer with malware or by stealing them in-transit, along with the victim's password, in a Man-in-the-Middle-style attack. The hackers then are able to access the victim's account for as long as the cookie lasts.

Full Article

 

Space Force To Use Commercial Satellite Navigation Data To Detect Electronic Interference

Space News (1/6, Erwin, Subscription Publication) reports that Slingshot Aerospace won a $2 million US Space Force contract to “develop an analytics tool that uses location data from commercial satellites in low Earth orbit to identify potential sources of electronic interference on the ground.”

 

Concern Grows As Apple Airtags Are Being Used To Stalk People

The New York Times (12/30, Mac, Hill) reported that “in recent months, people have posted on TikTok, Reddit and Twitter about finding” Apple AirTags “on their cars and in their belongings.” There is “growing concern that the devices may be abetting a new form of stalking, which privacy groups predicted could happen when Apple introduced the devices in April.” The New York Times “spoke with seven women who believe they were tracked with AirTags, including a 17-year-old whose mother surreptitiously placed one on her car to stay apprised of her whereabouts.” Some authorities “have begun to take a closer look at the threat posed by AirTags.” The West Seneca Police Department in New York “recently warned its community of the tracking potential of the devices after an AirTag was found on a car bumper. Apple complied with a subpoena for information about the AirTag in the case, which may lead to charges, West Seneca police said.”
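The TechRadar item in this message describes the signal Unit 42 relied on: a domain registered long ago, left idle to build a clean record, then hit with a sudden burst of traffic rather than the gradual growth a normal site shows. The code below is an added example for this digest, not Unit 42's detector, and turns that description into a small classifier over a registration date plus a daily traffic series. The one-year dormancy window, the 10x spike ratio, the minimum spike size and the 30-day "newly registered" cut-off are the editor's assumptions, and the domains and counts are constructed sample data.

```python
"""Flag strategically aged domains: registered long ago, silent, then an
abrupt traffic spike.  Added example for this digest, not Unit 42's
detector; the thresholds below are the editor's assumptions."""
from datetime import date, timedelta
from statistics import median

DORMANT_DAYS = 365     # assumption: "aged" = idle for at least a year after registration
SPIKE_RATIO = 10.0     # assumption: peak day >= 10x the prior week's median
MIN_SPIKE_HITS = 100   # assumption: ignore spikes too small to matter
NEW_DAYS = 30          # assumption: registered within 30 days of the last observation


def first_active_day(series):
    """series: list of (date, hits) in date order; first day with traffic, or None."""
    for day, hits in series:
        if hits > 0:
            return day
    return None


def spike_ratio(series):
    """Largest ratio of one day's hits to the median of the preceding 7 days
    (median floored at 1 so a jump out of silence registers as a huge ratio)."""
    best = 0.0
    for i in range(1, len(series)):
        window = [hits for _, hits in series[max(0, i - 7):i]]
        best = max(best, series[i][1] / max(median(window), 1))
    return best


def classify(registered, series):
    """Return one of: dormant, newly-registered, strategically-aged, established."""
    first = first_active_day(series)
    if first is None:
        return "dormant"  # parked, nothing to judge yet
    if (series[-1][0] - registered).days < NEW_DAYS:
        return "newly-registered"  # the case existing filters already catch
    dormancy = (first - registered).days
    peak = max(hits for _, hits in series)
    if dormancy >= DORMANT_DAYS and spike_ratio(series) >= SPIKE_RATIO and peak >= MIN_SPIKE_HITS:
        return "strategically-aged"
    return "established"


def daily(start, hits_by_day):
    """Turn a list of per-day counts into (date, hits) pairs starting at start."""
    return [(start + timedelta(days=i), h) for i, h in enumerate(hits_by_day)]


# Constructed sample data (not real domains or measurements).
SAMPLES = {
    # registered, silent for ~2 years, then 5000 hits/day once activated
    "aged-lure.example": (date(2019, 1, 10), daily(date(2019, 1, 10), [0] * 720 + [5000] * 30)),
    # registered and in use from day one, traffic growing slowly over 750 days
    "steady-shop.example": (date(2019, 1, 10), daily(date(2019, 1, 10), [50 + i // 7 for i in range(750)])),
    # brand new, spikes on day 10: suspicious, but not the aged pattern
    "fresh-kit.example": (date(2021, 12, 15), daily(date(2021, 12, 15), [0] * 10 + [300] * 5)),
    # registered and never used
    "parked.example": (date(2020, 6, 1), daily(date(2020, 6, 1), [0] * 200)),
}


def classify_all(samples):
    """Map each sample domain to its verdict."""
    return {name: classify(reg, series) for name, (reg, series) in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all(SAMPLES).items():
        print(f"{verdict:20} {name}")
```

The split between "newly-registered" and "strategically-aged" is the point of the article: the first is what most blocklists already key on, the second is the one that slips through because the registration date looks harmless. In practice the series would come from passive DNS or proxy logs, and the thresholds need tuning against your own traffic before they are used for blocking rather than triage.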
