Apple Issues Emergency Security Updates to Close Spyware Flaw
The New York Times
Nicole Perlroth
September 13, 2021
Apple has released emergency security patches after researchers at the University of Toronto's Citizen Lab in Canada found a flaw that allows spyware from Israel's NSO Group to infect any Apple product. The researchers discovered a Saudi activist's iPhone had been hacked with NSO's Pegasus spyware using a zero-click remote exploit that can infect targets without their awareness, commandeer device functions, and transmit information to NSO clients. More than 1.65 billion Apple products in use globally have been susceptible to the spyware since at least March. Apple said it intends to launch new security defenses for its iMessage texting application in its next iOS 15 software update, expected later this year.
*May Require Paid Registration
Almost No One Encrypts Their Emails Because It Is Too Much of a Hassle
New Scientist
Chris Stokel-Walker
September 10, 2021
A study by researchers at Germany's Leibniz University Hannover of 81 million email messages sent from January 1994 to July 2021 found that only 0.06% of the emails were encrypted. The researchers also found that encryption tools like S/MIME or PGP were used by only 5.46% of the 37,000 university students and staff in the study. Leibniz's Christian Stransky noted that "S/MIME and PGP are not very usable for normal users," as they require the use of specialist email clients and, in some cases, third-party tools. Alan Woodward at the U.K.’s University of Surrey said, "With the rise of end-to-end encryption in messaging apps [such as WhatsApp], which just happens as if by magic, users naturally use that route if they want to have a private conversation."
*May Require Paid Registration
Italy Data Authority Asks Facebook for Clarifications on Smart Glasses
Reuters
Elvira Pollina
September 10, 2021
Italian data protection authority Garante has asked Facebook to provide it with clarifications related to its newly launched smart glasses, to determine the product's compliance with that nation’s privacy laws. Developed with Ray-Ban manufacturer EssilorLuxottica, the Ray-Ban Stories glasses allow users to hear music, take calls, or shoot photos and videos and share them across Facebook's services via a companion application. Garante made its request via the Irish Data Protection Commissioner (DPC), which oversees Facebook because the social-media giant's European headquarters are based in Ireland. The regulator said it wanted clarification on measures Facebook has deployed to shield people occasionally filmed, especially children, and on systems adopted to anonymize collected data, and features of the smartglasses' voice assistant.
AI Can Detect Deepfake Face Because Its Pupils Have Jagged Edges
New Scientist
Chris Stokel-Walker
September 10, 2021
A computer model developed by researchers at New York’s University of Albany can determine whether an image of a face is a deepfake by examining its pupils; the model will deem the image a fake if the pupils are not circular or elliptical. If the image passes that test, the model will check whether the pupil has smooth or jagged edges, with the latter indicating a deepfake. University of Albany's Siwei Lyu said, "Even though [generative adversarial network] GAN models are very powerful, they don't really understand human biology very well. A lot of these very fine details won't be represented by the model effectively." Although the shape of one's pupils can be affected by certain diseases and infections, Lyu noted that such cases are rare.
*May Require Paid Registration
CISA Launches Initiative to Combat Ransomware
Federal Computer Week
Chris Riotta
August 5, 2021
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially launched the Joint Cyber Defense Collaborative (JCDC), an anti-ransomware initiative supported by public-private information sharing. CISA director Jen Easterly said the organization was created to develop cyber defense strategies and exchange insights between the federal government and private-sector partners. A CISA webpage said interagency officials will work in the JCDC office to lead the development of U.S. cyber defense plans that incorporate best practices for dealing with cyber intrusions; a key goal is coordinating public-private strategies to combat cyberattacks, particularly ransomware, while engineering incident response frameworks. Said security vendor CrowdStrike Services’ Shawn Henry, the JCDC "will create an inclusive, collaborative environment to develop proactive cyber defense strategies" and help "implement coordinated operations to prevent and respond to cyberattacks."
Researchers Say They've Found a Wildly Successful Bypass for Face Recognition Tech
Gizmodo
Lucas Ropek
August 4, 2021
Computer scientists at Israel's Tel Aviv University (TAU) say they have developed a "master face" method for circumventing a large number of facial recognition systems, by applying artificial intelligence to generate a facial template. The researchers say the technique exploits such systems' usage of broad sets of markers to identify specific people; producing facial templates that match many such markers essentially creates an omni-face that can bypass numerous safeguards. The researchers created the master face by plugging an algorithm into a generative adversarial network that builds digital images of artificial human faces. The TAU team said testing showed the template was able unlock over 20% of the identities in an open source database of 13,000 facial images operated by the University of Massachusetts.
New York City's Vaccine Passport Plan Renews Online Privacy Debate
The New York Times
Erin Woo; Kellen Browning
August 4, 2021
New York's City's mandate that people must show proof at least one coronavirus vaccine shot, or vaccine passport, to enter businesses has revived the debate of whether these digital certificates undermine online privacy. The applications may enable location tracking, and privacy researchers are worried about digital surveillance escalating. The New York Civil Liberties Union's Allie Bohm said without restrictions, presenting a digital vaccination passport whenever people enter a public place could lead to a "global map of where people are going," which could be sold or turned over to third parties, law enforcement, or government authorities. Privacy advocates are not reassured by vaccine pass developers' claims that their products uphold privacy, given that authoritarian regimes have exploited COVID-19 contact-tracing apps for surveillance or criminal investigation.
*May Require Paid Registration
Kaseya Ransomware Attack Sets Off Race to Hack Service Providers
Reuters
Joseph Menn
August 3, 2021
Cybersecurity experts warn that July's ransomware attack on technology-management software from Kaseya, which crippled as many as 1,500 organizations, has ignited a race by criminals to uncover similar flaws. Investigators said an affiliate of REvil, the Russian-speaking hacker gang, exploited two vulnerabilities in the software to infiltrate about 50 managed services providers (MSPs). Victor Gevers at the nonprofit Dutch Institute for Vulnerability Disclosure said his team found similar bugs in other MSPs, which he did not disclose as not all the flaws have been fixed. MSPs are an efficient ransomware vehicle due to their broad access inside client networks, and the sheer number of MSPs Kaseya's software served caused attacks to multiply before the company could alert everyone. Eric Goldstein at the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said the agency is trying to make MSPs and their customers aware of the danger and remedial strategies.
Security Flaws Found in Popular EV Chargers
TechCrunch
Aria Alamalhodaei
August 3, 2021
Analysts at U.K. cybersecurity firm Pen Test Partners have identified flaws in the application programming interfaces of six home electric vehicle (EV) charging brands, as well as the Chargepoint public EV charging station network. Pen Test analyst Vangelis Stykas found several vulnerabilities that could enable hackers to commandeer user accounts, hinder charging, and repurpose a charger as a backdoor into the owner's home network. The Chargepoint flaw, meanwhile, could let hackers steal electricity and shift the cost to driver accounts, and activate or deactivate chargers. Some EV chargers use a Raspberry Pi compute module, a popular low-cost computer that Pen Test’s Ken Munro said is unsuitable for commercial applications due to its lack of a secure bootloader. Charger manufacturers have corrected most of the issues, but the flaws' existence highlights the poor regulation of Internet of Things devices.
Security Bug Affects Nearly All Hospitals in North America
TechRadar
Anthony Spadafora
August 2, 2021
Researchers at security firm Armis identified nine critical vulnerabilities in the Nexus Control Panel that powers all current models of Swisslog Healthcare's Translogic pneumatic tube system (PTS) stations. The Translogic PTS system is used in 3,000 hospitals worldwide and 80% of major hospitals in North America to deliver medications, blood products, and lab samples across multiple hospital departments. Hackers can exploit the vulnerabilities, dubbed PwnedPiper, to gain control over a hospital's pneumatic tube network, with the potential to launch ransomware attacks. Armis' Ben Seri said his firm had told Swisslog of the vulnerabilities at the beginning of May, “and has been working with the manufacturer to test the available patch and ensure proper security measures will be provided to customers."
Census Data Change to Protect Privacy Rattles Researchers, Minority Groups
The Wall Street Journal
Paul Overberg; Sarah Chaney Cambon
August 2, 2021
The U.S. Census Bureau will use a complex algorithm to adjust 2020 Census statistics to prevent the data from being recombined to disclose information about individual respondents. The bureau's Ron Jarmin said it will use differential privacy, an approach it has long employed in some fashion, which involves adding statistical noise to data. Small random numbers, both positive and negative, will be used to adjust most of the Census totals, with inconsistent subtotals squared up. The Bureau indicated that for most groups and places, this will result in fairly accurate totals, although distortion is likely to be higher for smaller groups and areas like census blocks. This has raised concerns among local officials, as population-based formulas are used to allocate billions of dollars in federal and state aid. University of Minnesota researchers said after a fifth test of the method that "major discrepancies remain for minority populations."
*May Require Paid Registration
Do You Hear What I Hear? A Cyberattack.
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
July 30, 2021
Carnegie Mellon University's Yang Cai and colleagues have designed a method of making abnormal network traffic audible by rendering cybersecurity data musically. The researchers explored several sound mapping algorithms, converting numeral datasets into music with diverse melodies, harmonies, time signatures, and tempos. They produced music using network traffic data from an actual malware distribution network, and presented it to non-musicians, who could accurately identify pitch shifts when played on different instruments. Said the researchers, "We are not only making music, but turning abstract data into something that humans can process." Said Cai, “The process of sonification—using audio to perceptualize data—is not new, but sonification to make data more appealing to the human ear is.”
Smart Reporting Tool Could Combat Fake News on Encrypted Chat Apps
New Scientist
Chris Stokel-Walker
September 17, 2021
Researchers at George Washington University say they have built a tool that would allow users to expose fake news without endangering their privacy. The Fuzzy Anonymous Complaint Tally System (FACTS) would let users report a message without disclosing its contents, and only decrypt the identity of the sender and message contents to a third party if the number of complaints about a single message exceeded a certain limit. FACTS would prevent malefactors from falsely labeling messages as misinformation by logging complaints about messages, but not their contents, and automatically deciding if they match previous complaints so users could not report the same messages multiple times. Said Alan Woodward at the U.K.'s University of Surrey, the tool "has the advantage that it is a scoring of complaints and doesn't involve requiring access to message content per se."
App Helps Iranians Hide Messages in Plain Sight
Wired
Lily Hay Newman
September 17, 2021
The Nahoft Android app can help Iranians conceal messages by encrypting up to 1,000 characters of Farsi text into random word strings. Released on Google Play by the human rights group United for Iran, Nahoft also can encrypt communications and embed them unnoticeably within image files. The code the app generates is designed to appear inconspicuous and benign, and using real words makes it less likely to be flagged by content scanners. The open source app can bypass government-imposed Internet blackouts: users enter words that the app encodes, allowing them to write the resulting string of seemingly random words in a letter, or read it to another Nahoft user over the phone, for them to input into their app manually to see what the uncoded message. United for Iran's Reza Ghazinouri said the regime will have difficulty blocking Nahoft as long as Google Play remains accessible in Iran.
Encryption Technique Better Protects Photographs in the Cloud
Scientific American
Harini Barath
September 16, 2021
The Easy Secure Photos (ESP) tool created by Columbia University computer scientists can encrypt cloud-stored photos while still allowing authorized users to browse and display their images. ESP preserves blocks of pixels while shifting them around to obscure the image; it splits the photo into three separate files to contain its red, green, or blue color data, then scrambles the pixel blocks surrounding the files. The files remain valid, but appear as grainy black-and-white static to unauthorized users. The files can still be compressed and are compatible with many cloud storage platforms, so users with the right decryption keys can view them in their original form. Users also can access their photos from multiple devices via ESP, using a system in which each device has its own unique key pair.
The Battle for Digital Privacy Is Reshaping the Internet
The New York Times
Brian X. Chen
September 16, 2021
Mounting online privacy fears are changing businesses' digital advertising strategies, with Apple and Google overhauling their online data collection rules. Apple has launched tools that block marketers from tracking people, while Google, reliant on digital ads, is retooling to target ads at people without exploiting their personal data. Such changes may weaken brands that use targeted ads to sell goods. Brendan Eich, a founder of the Brave private Web browser, said Google and Apple's differing views on revoking digital ads will lead to "a tale of two Internets." Trade Desk chief executive Jeff Green said, “The Internet is answering a question that it’s been wrestling with for decades, which is: How is the Internet going to pay for itself?”
Toolkit to Test Apple Security Finds Vulnerability
NC State University News
September 13, 2021
A software toolkit designed by North Carolina State University (NC State) researchers to evaluate Apple device hardware security uncovered a previously unknown vulnerability during a proof-of-concept demonstration. NC State's Gregor Haas said the team used the checkm8 bug as a starting point; the flaw lets users control the first code to run on the system as it boots up. Haas said the toolkit "allows us to observe what's happening across the device, to remove or control security measures that Apple has installed, and so on." During the proof-of-concept demo, the team reverse-engineered key Apple hardware components and identified a vulnerability to a so-called iTimed attack, which enables a program to access cryptographic keys used by one or more programs on an Apple device. NC State's Aydin Aysu said they alerted Apple of the vulnerability, and will use the toolkit to investigate other types of attacks.
Is Your Mobile Provider Tracking Your Location? This Technology Could Stop It.
USC Viterbi School of Engineering
Caitlin Dawson
August 12, 2021
A new system devised by researchers at the University of Southern California Viterbi School of Engineering (USC Viterbi) and Princeton University can thwart the tracking of cellphone users by network operators while maintaining seamless connectivity. The Pretty Good Phone Privacy software architecture anonymizes personal identifiers sent to cell towers, effectively severing phone connectivity from authentication and billing without altering network hardware. The system transmits an anonymous, cryptographically signed token in place of a personally identifiable signal to the tower, using a mobile virtual network operator like Cricket or Boost as a substitute or intermediary. USC Viterbi's Barath Raghavan said, "Now the identity in a specific location is separated from the fact that there is a phone at that location." The system also ensures that location-based services still function normally.
Cornell Researchers Discover 'Code-Poisoning' Attack
ZDNet
Jonathan Greig
August 12, 2021
A backdoor attack discovered by researchers at Cornell University Tech has the potential to compromise algorithmic training and email accounts, among other things. The researchers said the "code poisoning" attack can "manipulate natural-language modeling systems to produce incorrect outputs and evade any known defense" without "any access to the original code or model by uploading malicious code to open-source sites that are frequently used by many companies and programmers." Cornell's Vitaly Shmatikov explained, "With this new attack, the attack can be done in advance, before the model even exists or before the data is even collected — and a single attack can actually target multiple victims." As a defense, the researchers recommend using a system able to identify deviations from the model's original code. Said Shmatikov, non-expert users building models using code they do not understand "can have devastating security consequences."
5G Shortcut Leaves Phones Exposed to Stingray Surveillance
Wired
Lily Hay Newman
August 10, 2021
Researchers at the University of Stavanger in Norway and Technische Universität Berlin in Germany found that major phone carriers in those countries continue to deploy 5G in "non-standalone" mode. This means the existing 4G network infrastructure is used as a starting point for issuing 5G data speeds, leaving phones vulnerable to stingray surveillance. Stingrays trick devices into connecting to them and track devices using IMSI numbers, which 5G is designed to encrypt. University of Stavanger's Ravishankar Borgaonkar said, "You're getting the high speed connection, but the security level you have is still 4G." However, Pennsylvania State University's Syed Rafiul Hussain said carriers will still run parallel 4G and 3G infrastructure even when 5G standalone mode has been implemented. Hussain explained, "4G stingray attacks, downgrading, man-in-the-middle attacks—those will exist for years even though we have 5G."
Israeli Cybersecurity Firm Check Point Uncovers Amazon Security Flaw
The Times of Israel
Luke Tress
August 9, 2021
Analysts at Israeli cybersecurity firm Check Point discovered a critical flaw in Amazon software that would let malefactors hijack a victim's Kindle e-reader and steal data. The analysts said the flaw would allow hackers to infect the Kindle by sending users a single, malicious e-book. Attackers could then commandeer the e-reader through an exploit chain by combining a series of security bugs, with the target not having to take any further action or have any other indications of intrusion. Sensitive user information such as Amazon account credentials or billing information could then become accessible, and the analysts warned the exploit could have enabled bad actors to victimize a specific demographic. Amazon corrected the flaw in April via a firmware update after Check Point notified the company in February.
'Glowworm Attack' Recovers Audio From Devices' Power LEDs
Ars Technica
Jim Salter
August 9, 2021
Israeli scientists have demonstrated a novel passive variant of the TEMPEST exploit called Glowworm, which can extract electronic conversations by analyzing devices' power indicator light-emitting diodes (LEDs). Ben-Gurion University of the Negev (BGU) researchers employed a photodiode mated to an optical telescope to monitor fluctuations in LED signal strength on consumer devices, including smart speakers, simple PC speakers, and universal serial bus hubs. The photodiode converts the flickering of power LED output caused by voltage changes into an electrical signal, which is processed by an analog/digital converter and played back directly. The Glowworm attack requires no active signaling, which would render it resistant to any electronic countermeasure probe; the BGU team retrieved intelligible audio from 35 meters (114 feet) away. The team is apparently the first to publish the exploit and demonstrate its empirical feasibility.
NIST Study on Kids' Passwords Shows Gap Between Knowledge of Password Best Practices, Behavior
NIST News
August 11, 2021
A survey of more than 1,500 U.S. students between the ages of eight and 18 by the National Institute of Standards and Technology revealed a gap between children's knowledge of good password practices and their behavior. The survey found that children are learning password best practices, like memorizing them and logging out after sessions. Their passwords often mentioned sports, video games, names, animals, movies, titles like "princess," numbers, and colors, and the strength of these passwords increased with grade level. However, the researchers found that children typically reuse passwords and share them with friends. When asked about the reason for passwords, elementary students primarily cited safety; middle and high school students more often cited privacy. Among other things, the survey found that younger children used their families for help in creating and maintaining home passwords.
U.S. Prisons Mull AI to Analyze Inmate Phone Calls
Reuters
David Sherfinski; Avi Asher-Schapiro
August 9, 2021
The U.S. House Appropriations Committee's push to study the use of artificial intelligence (AI) to analyze prison inmates' phone calls has prisoner advocates and families warning of risks of error, misunderstandings, and racial bias. Several state and local prisons have already begun using such technology, and the House panel is urging the Department of Justice to consider potential federal utilization and to identify shortcomings in the information the tech generates. The Oxford, AL police department has deployed Verus software from LEO Technologies, which uses Amazon Web Services’ natural language processing and transcription technology to process and flag prisoner calls. Oxford Police Chief Bill Partridge said such surveillance has helped local forces solve cold case homicides and has prevented suicides. Critics warn of tools potentially amplifying racial bias; for example, a Stanford/Georgetown University analysis found Amazon's automatic speech recognition software committed significantly more errors for black speakers than white speakers.
City PhD Researcher Develops Smart-Car Identity and Access Management System
City University of London
August 10, 2021
Researchers at the City University of London in the U.K. have developed an identity and access management system to make smart cars less vulnerable to cyber attacks. Via usage control policies, the SIUV system issues privileges to drivers or applications based on their credentials or claims. Access to in-car resources is based on the issued privileges. Subject claims, resource attributions, and environmental conditions are monitored continuously, allowing the system to reevaluate policies or revoke issued privileges and usage decisions as necessary. Meanwhile, the system uses verifiable credentials to ensure claims are secure and verifiable. The researchers indicate that the U.K. Driver and Vehicle Licensing Agency could issue cryptographically verifiable credentials as driver's licenses, with SIUV employed to validate the claims within the credential on an ongoing basis and allow or deny access to in-car components based on its usage control policy evaluations.
Technology Can Block Cyberattacks from Impacting the Nation's Electric Power Grid
Idaho National Laboratory
July 20, 2021
Researchers at Idaho National Laboratory (INL) and Visgence Inc. demonstrated that their Constrained Cyber Communication Device (C3D) can prevent cyberattacks from affecting the national power grid. The researchers showed that the device automatically blocks remote access attempts that could indicate a cyberattack and informs operators of the abnormal commands. The C3D autonomously reviews and filters commands sent to protective relay devices, which order breakers to shut off electricity flow in the event of a disturbance but are not designed to block quick and stealthy cyberattacks. The researchers built and connected a 36-foot mobile substation to INL's full-scale electric power grid test bed. When a sudden power spike command was sent to the substation relays, it was blocked immediately by the C3D device. INL's Jake Gentle explained, "The C3D device sits deep inside a utility's network, monitoring and blocking cyberattacks before they impact relay operations."
Gaming-Related Malware on the Rise on Mobile, PCs
IEEE Spectrum
Charles Q. Choi
October 21, 2021
Analysts at cybersecurity firm Proofpoint's Cloudmark mobile and email security division warn that popular online games are helping to spread malware on PCs and mobile devices. Data from virtual private network (VPN) service Atlas VPN indicated more than 303,000 PCs were infiltrated by such malware, adware, and spyware between July 1, 2020, and June 30, 2021, while another 50,000 users had attempted to download files masquerading as the 10 most-played mobile games. Cloudmark's Jacinta Tobin said games often are connected with online spaces where hackers prowl, like YouTube channels. Cloudmark also expressed concern about mobile-device exploits, such as the just-discovered TangleBot malware targeting Android devices in North America, which spreads through texts.
China-Linked Hacking Group Accessing Calling Records Worldwide
Reuters
Joseph Menn
October 19, 2021
U.S. cybersecurity company CrowdStrike said a suspected China-linked hacking gang has infiltrated mobile telephone networks and used specialized tools to access calling records and texts from telecommunication carriers worldwide. The group, which CrowdStrike calls LightBasin, has been active since at least 2016. CrowdStrike's Adam Meyers said the company culled information about the group by responding to incidents in multiple nations. He said LightBasin's programs could capture specific data without attracting attention, noting, "I've never seen this degree of purpose-built tools." Meyers said evidence of the group’s associations with China include cryptography reliant on Pinyin phonetic versions of Chinese-language characters, as well as the use of methods the Chinese government has used in previous attacks.
Australia Considers New Privacy Rules to Protect Children on Social Media
The Wall Street Journal
Mike Cherney
October 25, 2021
The Australian government has released draft legislation that would enable the creation of a binding online privacy code for tech companies that would prohibit social media companies like Facebook from directing children to harmful content. Under such a code, social media companies would be required to ensure children's best interests are the primary consideration during the collection, use, and potential disclosure of their personal information. It also would require social media platforms to obtain parental approval to create accounts for children under 16. The legislation is expected to be introduced in Australia's parliament early next year, and if passed, Australia's privacy regulator would oversee the development of a code within 12 months, with input from the tech industry. Companies found to violate the code could be fined 10% of their annual Australian revenue.
Facial Recognition Cameras Arrive in U.K. School Canteens
Financial Times
Cynthia O'Murchu
October 17, 2021
Nine schools in the U.K.'s North Ayrshire region now use facial recognition cameras to accept cashless payments by scanning pupils' faces in cafeterias/canteens. David Swanston at education systems vendor CRB Cunninghams, which installed the cameras, said they verify facial images against encrypted faceprint templates stored on school servers. Many U.K. schools have adopted biometric payment systems, but privacy advocates say normalizing facial recognition technology is hardly necessary. Said Silkie Carlo with campaign group Big Brother Watch of the new system, "It’s normalizing biometric identity checks for something that is mundane. You don't need to resort to airport style [technology] for children getting their lunch."
Two-Thirds of Cloud Attacks Could Be Stopped by Checking Configurations
ZDNet
Charlie Osborne
September 15, 2021
IBM Security X-Force's latest Cloud Security Threat Landscape report concluded that two-thirds of cloud attacks occurring during the year-long study period "would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems." Researchers uncovered issues with credentials or policies in each penetration test performed by IBM's X-Force Red security team while sampling scanned cloud environments. They cited improperly configured assets, password spraying, and switching from on-premises infrastructure as the most frequently observed initial breach vectors. Application programming interface configuration and security issues, remote exploitation, and accessing confidential data were other common vectors. The team recommended businesses "manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back."
VPNs Could Be Vulnerable to Attacks That Send You to Fake Websites
New Scientist
Chris Stokel-Walker
August 17, 2021
Arizona State University (ASU) researchers have found that hackers could exploit virtual private networks (VPNs) to strip users' anonymity and send them to bogus websites by tapping what ASU's William Tolley calls "a fundamental networking vulnerability." The vulnerability monitors the presence and size of the data packets routed along the VPN. Attackers first send different-sized packets to different entry/exit ports, which if forwarded signals that the targeted port is the correct one; they can then send packets where they have altered the source address to seem as if they originate from one of the legitimate ends of the connection. The researchers say they have alerted a number of VPN providers to the attack, but it is unlikely that all currently used networks will be patched. Tolley said, "Our advice is to avoid VPNs if you're trying to keep your information private from government entities, or something like that."
How Does 'Normal' Internet Browsing Look Today? Now We Know
Carnegie Mellon University CyLab Security and Privacy Institute
October 26, 2021
A study by researchers at Carnegie Mellon University (CMU) aimed to determine what constitutes "normal" Internet browsing, in an effort to understand how people are led to download malicious content. The researchers set out to build a dataset that would serve as a foundation for other researchers by studying the browsing behavior of 257 people through CMU's Security Behavior Observatory. The researchers found that study subjects spent half their browsing time on about 30 Websites. Said CMU's Kyle Crichton, "We observed a lot of people who started out at a popular streaming service like Netflix or Hulu, and they must not have found what they wanted, then they'd jump out to the periphery." Crichton added, "Now that we know what normal behavior looks like, we can start to identify anomalous behavior and begin to address any number of security challenges."
China Passes One of the World's Strictest Data-Privacy Laws
The Wall Street Journal
Eva Xiao; Zhao Yueling; Raffaele Huang
August 20, 2021
China's top legislative body has passed the Personal Information Protection Law, which closely resembles Europe's General Data Protection Regulation. Effective Nov. 1, the law requires any organization or individual handling the personal data of Chinese citizens to minimize data collection and obtain prior consent. The law requires facial recognition cameras in public places to be marked prominently and used only to maintain public security. Among other things, the law aims to curb algorithmic discrimination by requiring transparent automated decision-making, and for companies to allow individuals to opt out of personalized marketing. Additional rules, effective Oct. 1, require companies that process auto data to increase data security and protect personal information collected from vehicles.
OSU Cryptography Research Leads to Huge Efficiency Gain in Secure Computing
Oregon State University News
Steve Lundeberg
August 18, 2021
A more efficient secure computation protocol developed by Oregon State University's Mike Rosulek and Lance Roy focuses on garbled circuits. Roy said a normal computer circuit has gates that execute basic data computations, while the gates in a garbled circuit are modified to encrypt the data going through them. Rosulek assumed in previous research that the most efficient construction of garbled circuits could not be surpassed, but Roy found it was possible only if a gate used all or none of the data in an input. The slicing technique Roy conceived of would leak too much data to keep the garbled circuits secure. However, Roy said, "If the way the garbled circuits were built was randomized—i.e., by rolling the dice—and some other information was kept secret, the slicing idea could be made secure."
Millions of Web Camera, Baby Monitor Feeds Exposed
Wired
Lily Hay Newman
August 17, 2021
Researchers at cybersecurity firm Mandiant have identified a vulnerability in a software development kit (SDK) affecting more than 83 million smart devices. The flaw in ThroughTek Kalay, an SDK that facilitates the connection between a device and mobile apps, could enable hackers to access live video and audio streams over the Internet, assume full control of devices remotely, launch denial of service attacks, or install malicious firmware. If a hacker obtains the device's unique identifier (UID) through a social engineering attack or by searching for a manufacturer's Web vulnerabilities, they could reregister the UID and hijack the connection when a user next accesses the device. The researchers, who said they have seen no evidence of real-world exploitation of the vulnerability, said they hope to raise awareness about the problem without telling potential attackers how to exploit it.
AMD Hardware Security Tricks Can Be Bypassed with Shock of Electricity
TechRadar
Mayank Sharma
August 13, 2021
Researchers at Germany's Technische Universität Berlin have demonstrated a voltage fault injection attack that can bypass AMD's Secure Encrypted Virtualization (SEV) technology. Using the AMD Secure Processor (AMD-SP), AMD SEV separates security-sensitive operations from software executing elsewhere, to protect virtual machines in untrusted environments. Attackers can manipulate the input voltage to AMD systems on a chip to trigger an error in the AMD-SP's read-only memory bootloader. The attack requires only inexpensive, off-the-shelf components, including a $30 Teensy µController, and a $12 flash programmer (although physical access to the server is required). The researchers recommend software or hardware modifications to identify voltage modulation, or additional circuitry to guard against such voltage glitches.
'Capture' Your IoT Devices and Improve Their Security
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
August 13, 2021
Carnegie Mellon University's Han Zhang and colleagues uncovered pervasive security vulnerabilities in third-party libraries that Internet of Things (IoT) device vendors may use in their software. The researchers analyzed 122 different IoT firmware for 27 smart home devices released over eight years. They found, Zhang said, that "vendors update libraries very infrequently, and they use outdated—and often vulnerable—versions most of the time." To ameliorate potential exploitation, the researchers proposed Capture, a system that lets devices on a local network leverage a centralized hub with libraries that are kept up to date. The team said Capture would ensure the libraries are updated and secure, although it includes limitations (like a single point of failure) that future research will need to address.
Biden Administration Orders Federal Agencies to Fix Hundreds of Cyber Flaws
The Wall Street Journal
Dustin Volz
November 3, 2021
A new order released by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, directs almost all federal agencies to patch cybersecurity vulnerabilities deemed to be a "significant risk to the federal enterprise." The order covers about 200 known security flaws discovered from 2017 to 2020, and another 90 discovered this year. It applies to all executive branch departments and agencies except for the U.S. Department of Defense, the Central Intelligence Agency, and the Office of the Director of National Intelligence. Said Easterly, "While this directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this directive and prioritize mitigation of vulnerabilities listed in CISA's public catalog."
Identity Verification Technique Offers Robust Solution to Hacking
McGill University Newsroom (Canada)
November 3, 2021
Scientists at Canada's McGill University and Switzerland's University of Geneva have developed a secure identity verification technique based on the precept that information cannot exceed the speed of light. "Our research found and implemented a secure mechanism to prove someone's identity that cannot be replicated by the verifier of this identity," said McGill's Claude Crépeau. The technique expands the zero-knowledge proof through a system involving two physically separated prover-verifier pairs. The two provers must demonstrate to the verifiers that they possess a shared knowledge of a method for using three colors to color in an image comprised of thousands of interconnected shapes, without coloring two adjacent shapes the same. Geneva's Hugo Zbinden said, "It's like when the police interrogate two suspects at the same time in separate offices. It's a matter of checking their answers are consistent, without allowing them to communicate with each other."
Facebook, Citing Societal Concerns, Plans to Shut Down Facial Recognition System
The New York Times
Kashmir Hill; Ryan Mac
November 2, 2021
Facebook intends to shutter its facial recognition system, deleting the face-scan data of over 1 billion users and removing a feature that has provoked privacy concerns, government probes, litigation, and regulatory distress. Jerome Pesenti at Facebook's recently renamed parent firm, Meta, said the closure was prompted by "many concerns about the place of facial recognition technology in society." The software feature introduced in 2010 automatically identified people appearing in users' digital photo albums and suggested users tag them with a click, linking their accounts to the images. Although Facebook limited facial recognition to its own site and kept it from third parties, privacy advocates questioned how much facial data was collected and what the company could do with it.
Sneaky Trick Could Allow Attackers to Hide 'Invisible' Vulnerabilities in Code
ZDNet
Liam Tung
November 1, 2021
The Rust Security Response working group has flagged an obscure vulnerability as a general bug affecting all code written in popular languages that use the Unicode component. Ross Anderson at the U.K.'s Cambridge University said one hack exploits Unicode directionality to effectively control characters embedded in comments and strings to rearrange source code characters and change its logic. Unicode supports left-to-right and right-to-left languages via bidirectional override, an invisible feature called a codepoint. Anderson and Microsoft's Nicholas Boucher found they could be used to reorder how source code is displayed in certain editors and code-review tools. "If an adversary successfully commits targeted vulnerabilities into open source code by deceiving human reviewers, downstream software will likely inherit the vulnerability," they warn, recommending developers upgrade to Rust version 1.56.1.
Coding Bug Helped Researchers Build Secret BlackMatter Ransomware Decryption Tool
Tech Crunch
Carly Page
October 25, 2021
Researchers at the cybersecurity firm Emsisoft helped recover encrypted files of victims of the BlackMatter ransomware operation. The researchers determined that a vulnerability in BlackMatter's encryption process allowed encrypted files to be recovered without victims paying the ransom. They did not announce the vulnerability when it was discovered earlier this year for fear the BlackMatter group would issue a fix. Emsisoft's Fabian Wosar said, "Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs [computer emergency readiness teams], and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands."
Superconducting Silicon-Photonic Chip for Quantum Communication
SPIE Newsroom
November 1, 2021
A superconducting silicon-photonic chip developed by researchers at China's Nanjing and Sun Yat-sen universities has been used to facilitate quantum communication. The chip's superconducting nanowire single-photon detector (SNSPD) supports optimal time-bin Bell state measurement and improves the key rate in quantum communication. The researchers tapped the optical waveguide-integrated SNSPD's high-speed feature to reduce the dead time of single-photon detection by more than an order of magnitude compared to traditional normal-incidence SNSPD. The end product is a server for measurement-device-independent quantum key distribution, which significantly augments the security of quantum cryptography. Nanjing University's Xiao-Song Ma said, "This work shows that integrated quantum-photonic chips provide not only a route to miniaturization, but also significantly enhance the system performance compared to traditional platforms."
Sensors Add to Accuracy, Power of U.S. Nuclear Weapons but May Create Security Perils
The Washington Post
R. Jeffrey Smith
October 29, 2021
Sensors created by Sandia National Laboratories for U.S. ballistic missiles could augment detonation timing and accuracy, enhancing nuclear warheads’ ability to strike enemy missiles, hardened command posts, and other military targets. Sandia's Paul J. Hommert said the sensors are better at computing the best moment for blast ignition than those on existing U.S. weapons. The warhead’s fuze, sensors, and computers are embedded within a compact capsule, which Hommert said would be installed on three new types of warheads atop land- and sea-based missiles, and partly on warheads to be carried by planes deployed in Europe. The U.S. Air Force plans to install the technology in land-based missiles slated for deployment by the end of the decade; after that, it will be deployed on more than 1,300 warheads in the U.S. arsenal.
Microsoft to Work with Community Colleges to Fill 250,000 Cyber Jobs
Reuters
Stephen Nellis
October 29, 2021
Microsoft announced plans to collaborate with U.S. community colleges to fill 250,000 cybersecurity jobs during the next four years. The company will offer scholarships or other assistance to approximately 25,000 students. It also will provide training for new and existing teachers at 150 community colleges, as well as giving free curriculum materials to community colleges and four-year schools nationwide. Microsoft's Brad Smith said, "This is an opportunity for us to get started. This is not the ceiling on what we'll do." Smith noted that many Microsoft customers could have prevented hacks with better practices but do not have the cybersecurity personnel to implement them.
Big Data Can Render Some as 'Low-Resolution Citizens'
Cornell Chronicle
Tom Fleischman
October 28, 2021
Cornell University's Steven Jackson and Ranjit Singh analyzed India's Aadhaar biometrics-based individual identification system as it impacted the country's approximately 1.4 billion people. With over 1.25 billion residents registered, Aadhaar is designed to provide standardized legal identity to all citizens, including those who previously lacked identity documents. The researchers found that people whose fingerprints on file were not distinct, or low-resolution, had problems getting registered. Singh said, "That, to a certain extent, allowed Steve and me to actually talk about how people need to be in 'high resolution' to become a part of the system." Singh added, “It’s not just about social hierarchies, it’s about hierarchy as it manifests through data.”
A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death
Wall Street Journal
Kevin Poulsen; Robert McMillan; Melanie Evans
September 30, 2021
A lawsuit filed against Alabama's Springhill Medical Center alleges that a 2019 ransomware attack directly contributed to the death of a newborn. If proven in court, this would mark the first confirmed death resulting from a ransomware attack. Teiranni Kidd was admitted to the hospital nearly eight days into a ransomware attack that left patient health records inaccessible and left fewer eyes on fetal heart rate monitors because they could not be displayed at the nurses' station. Attending obstetrician Katelyn Parnell said the death of Kidd's daughter was preventable had she seen an indication from the monitor that the fetus was in distress. Springhill refused to pay the ransom when the hackers, believed to be the Russian-based Ryuk gang, resulting in a network outage that lasted at least three weeks.
Researchers Find Apple Pay, Visa Contactless Hack
BBC News
September 29, 2021
Researchers at the U.K.'s universities of Birmingham and Surrey uncovered a hack for making unauthorized contactless payments on iPhones by exploiting a weakness in Apple Pay. They enabled contactless Visa payment from a locked iPhone using Apple Pay's "Express Transit" feature, which allows commuters to make quick payments. Placing a piece of radio equipment nearby makes the iPhone think it is near a ticket barrier, while an Android phone running a special application transmits signals from the iPhone to a contactless payment terminal; communications with the terminal are tweaked so it thinks the iPhone has been unlocked and payment authorized. The researchers said the problem concerns Visa cards set up in Express Transit mode in the iPhone's wallet. Visa called the hack “impractical,” while Apple described it as “unlikely.”
Smartphone Motion Sensors Could Be Used to Listen to Phone Conversations
University of Illinois at Urbana-Champaign
Kim Guderman
September 27, 2021
Smartphone accelerometers could be used to eavesdrop on phone conversations, according to University of Illinois Urbana-Champaign (UIUC) researchers. The motion sensor can capture sound vibrations during conversations, and the researchers developed a neural network to convert that very-low-sampling-rate data into high-bandwidth signals. UIUC's Tarek Abdelzaher said, "Human speech has a special pattern. By constraining your interpretation to that special pattern, you can guess higher frequency from low frequency. This won't work with any random sound, but for some keywords or numbers, it works fairly well."
Research Finds Security Flaws in Apps for Popular Smart Home Devices |
Federal Agencies Warn Companies to Be on Guard Against Prolific Ransomware Strain
The Hill
Maggie Miller
September 22, 2021
The U.S. Federal Bureau of Investigation (FBI), National Security Agency, and Cybersecurity and Infrastructure Security Agency issued a joint alert warning companies to be on guard against the Conti ransomware variant, noting that hundreds of groups around the globe had already fallen victim to it. The alert came months after the FBI issued an alert outlining how the variant was used to target at least 16 healthcare and first responder networks. While most of the targets of the Conti ransomware were in the U.S., others have also been targeted, including the Irish healthcare system. Testifying before the House Homeland Security Committee, FBI Director Christopher Wray said, “Ransomware has mushroomed significantly over the last year, and it’s on pace to mushroom again this year."
Quantum Cryptography Records with Higher-Dimensional Photons
TU Wein (Austria)
September 21, 2021
A new type of quantum cryptography protocol developed by researchers at Austria's Technical University of Vienna (TU Wien) speeds up the generation of quantum cryptographic keys and makes them more robust against interference. With the new protocol, photon pairs can be generated at eight different points in a special crystal, and each can move along eight different paths, or several paths at the same time. TU Wien's Marcus Huber said, "The space of possible quantum states becomes much larger. The photon can no longer be described by a point in two dimensions; mathematically, it now exists in eight dimensions." The researchers set a record in entanglement-based quantum cryptography key generation at 8,307 bits per second and over 2.5 bits per photon pair.
Simple Make-Up Tips Can Help You Avoid Facial Recognition Software
New Scientist
Chris Stokel-Walker
September 24, 2021
Researchers at Israel's Ben-Gurion University of the Negev developed artificial intelligence software that can provide makeup advice to foil facial recognition systems. Tests showed the software's recommendations tricked real-world facial recognition systems 98.8% of the time, with the success rate in identifying women wearing its recommended makeup declining from 42.6% to 0.9%, and from 52.5% to 1.5% for men. The adversarial machine learning system identifies which elements of a person's face are considered unique by facial recognition systems and highlights them on a digital heat map, which is used to determine where makeup can be applied to change the person's perceived face shape. The system recommends only natural makeup hues, so people potentially could protect their privacy without drawing attention to themselves.
States at Disadvantage in Race to Recruit Cybersecurity Pros
Associated Press
Kathleen Foody
September 25, 2021
U.S. states face a shortage of cybersecurity professionals and lack the deep pockets to compete with federal, global, and specialized cybersecurity companies. State governments are increasingly targeted for the data contained within their agencies and computer networks that is vital to critical infrastructure. Although the federal government and individual states have started training programs, competitions, and scholarships to cultivate more cybersecurity pros, such efforts may not pay off for years. Drew Schmitt at cybersecurity firm GuidePoint Security said state and local governments cannot compete with private organizations in terms of salaries. Michael Hamilton with the PISCES Project said state governments can nurture cybersecurity pros, but often end up "getting into the fistfight with all the others that want to hire these people and losing."
Inside Higher Ed (11/4, Smalley) reports LaGuardia Community College in New York City “is partnering with Mastercard to provide on-the-job cybersecurity training. Northern Virginia Community College announced in August that it is launching a new information technology apprenticeship program created with AT&T that will provide training and on-the-job experience while bolstering the talent pool for federal customers in the national security sector.” MassBay Community College, “near Boston, recently launched a Center for Cybersecurity Education, which will offer students cybersecurity internships and projects in partnership with industry partners.” More programs “are likely on the way as the cybersecurity job market grows and employers’ needs expand with new cyberthreats emerging almost daily.”
The Wall Street Journal (10/21, McMillan, Subscription Publication) reports Microsoft and Recorded Future say the hacking group Fin7, which is believed to have written the software used in the Colonial Pipeline hack, has set up a fake company under the moniker Bastion Secure to recruit tech talent for software development, support staff, and more.
The Hill (10/21, Miller) reports the GOOD AI Act – a new “bipartisan” Senate bill introduced by Sens. Gary Peters (D-MI) and Rob Portman (R-OH) on Thursday – “is aiming to secure data collected by artificial intelligence technologies, such as facial recognition technologies, as these types of technologies continue to grow in use.” The measure “would require the Office of Management and Budget to establish and consult with an AI working group in ensuring that all federal contractors are taking adequate steps to secure data obtained through AI, and that the data is being used to protect national security while not compromising privacy.” The Hill adds that “legislation has strong bipartisan backing.”
K-12 Dive (8/5, Riddell) reports that Cyber.org, “the academic arm of the nonprofit Cyber Innovation Center, on Wednesday unveiled its K-12 cybersecurity learning standards in an effort to align criteria nationwide and support the development of a strong, diverse talent pipeline in the high-demand STEM field.” The standards, “which states will have the option of adopting ahead of the 2022-23 school year, are built around three themes representing fundamental areas of cybersecurity education: computing systems, digital citizenship and security.” Each area “covers relevant topics like the Internet of Things and threat actors.” Janet Hartkopf, cyber program director at Basha High School in Arizona said in a press release, “Educators now have a clear rubric to guide cybersecurity curriculum and help address the existing gaps in the talent pipeline.” The US currently “has over 464,000 unfilled cybersecurity positions.”
Botnet Buster Finds IoT Command and Control Centers
UC Riverside News
Holly Ober
November 5, 2021
University of California, Riverside (UCR) computer scientists have developed a tool that cripples botnets by fooling them into exposing their Internet of Things (IoT) command and control (CnC) servers. The CnCHunter tool contacts a suspicious Internet server using actual malware, and observes how the malware communicates with it; meaningful dialogue between suspect and malware in botnet language indicates the server is a CnC. UCR's Michalis Faloutsos said, "We try to detect botnets proactively and by fooling malware twice, first by activating the malware in a safe environment, and then intercepting and redirecting the traffic where we want to trick the botnet to engage with us." The researchers ran the tool on "selected 100 IoT malware samples collected between 2017 and 2021 and were able to find their CnC servers with a 92% precision," said UCR's Ali Davanian.
Widespread Security Risk Identified in Phones, Bluetooth Devices
IEEE Spectrum
Michelle Hampson
November 4, 2021
Bluetooth hardware contains a security flaw that may compromise about 40% of mobile devices, according to University of California, San Diego (UCSD) researchers. The hardware underlies the operation of phone-tracking applications, which UCSD's Nishant Bhaskar said "require frequent and constant transmission of Bluetooth beacons to be detected by nearby devices. Unfortunately, this also means that an adversary can also find out where we are at all times by simply listening to the Bluetooth transmissions from our personal devices." Defects or imperfections during manufacture can slightly distort Bluetooth signals from individual devices, resulting in the generation of a unique signature. Experiments showed approximately 40% of mobile devices could be identified individually within crowds based on their Bluetooth signal signatures.
World Bank Program Looks to Blockchain to Solve Carbon Emissions Data Issues
Bloomberg Green
Crystal Kim; Jennifer Zabasajja
November 5, 2021
The World Bank's Climate Warehouse program is consulting with cryptocurrency startups like the Chia Network to build a "public-good layer" for climate. Chia's Gene Hoffman said the layer would impart trust and transparency by sitting atop a blockchain, and allow countries and groups to disclose and vet carbon assets in a centralized fashion. Chia's data layer harnesses its permissionless public blockchain to allow project peers to exchange data in an auditable manner without ceding control of the data owned by each peer. Nations using the platform could indicate compliance with the Paris Agreement on reducing carbon emissions by submitting a verifiable dataset.
Drone at Pennsylvania Electric Substation First to 'Specifically Target Energy Infrastructure'
CNN
Sean Lyngaas
November 4, 2021
A recent memo from the U.S. Federal Bureau of Investigation, Department of Homeland Security, and National Counterterrorism Center revealed that a July 2020 drone crash near a Pennsylvania power substation was the first known case of a "modified unmanned aircraft system likely being used in the U.S. to specifically target energy infrastructure." The memo said the drone likely was modified to create a "short circuit to cause damage to transformers or distribution lines, based on the design and recovery location." The agencies further stated that "we expect illicit [unmanned aircraft system] activity to increase over energy sector and other critical infrastructure facilities as use of these systems in the U.S. continues to expand."
Australia Says U.S. Facial Recognition Software Firm Clearview Breached Privacy Law
Reuters
Byron Kaye
November 3, 2021
The Office of the Australian Information Commissioner (OAIC) said U.S. facial recognition software company Clearview AI violated privacy laws by collecting images from Websites without Australians' consent, and without checking the accuracy of its matches. Clearview cross-references photos scraped from social media sites into a database of billions of images. Information commissioner Angelene Falk said the company's actions carried "significant risk of harm to individuals, including vulnerable groups such as children and victims of crime, whose images can be searched on Clearview AI's database." She called the clandestine collection of images "unreasonably intrusive and unfair." OAIC has ordered Clearview to stop collecting facial images and biometric templates from people in Australia, and to delete images and templates collected there.
Singapore Inks Pact with Finland to Mutually Recognize IoT Security Labels
ZDNet
Eileen Yu
October 6, 2021
Singapore and Finland have agreed to recognize each other's cybersecurity labels for Internet of Things (IoT) devices, in order to help consumers evaluate the products' security. Singapore's Cyber Security Agency (CSA) said the alliance aims to reduce duplicated testing and help manufacturers bring products to market more easily. Both countries would acknowledge cybersecurity labels issued by the CSA and by Finland's Transport and Communications Agency. Consumer IoT products that met Finland's cybersecurity label mandates would be recognized as having satisfied Singapore's Cybersecurity Labeling Scheme Level 3 requirements, and vice versa.
Uber Faces Legal Action Over 'Racially Discriminatory' Facial Recognition ID Checks
Tech Crunch
Natasha Lomas
October 5, 2021
Uber's use of real-time facial recognition technology in its driver and courier identity check system in the U.K. is the subject of a legal action filed by the App Drivers & Couriers Union (ADCU) alleging the technology discriminates against people of color. Uber requires identity checks in which drivers must provide a real-time selfie; they face dismissal if the selfie does not match a stored reference photo, as well as automatic revocation of their private hire driver and vehicle licenses. The real-time facial recognition checks, in use in the U.K. since March 2020, use Microsoft's FACE API technology. The union said its lawyers will argue that facial recognition systems are "inherently faulty and generate particularly poor accuracy results when used with people of color."
Blockchain Technology Could Provide Secure Communications for Robot Teams
MIT Media Lab
Adam Zewe
October 5, 2021
Researchers at the Massachusetts Institute of Technology (MIT) and Spain's Polytechnic University of Madrid suggest blockchain technology could ensure secure communications for robot teams. A blockchain supplies a tamper-proof record of messages issued by robot team leaders, so follower robots can note inconsistencies in the data trail. In a simulation, data was stored in each block as a set of directions from a leader robot to followers; a malicious robot attempting to alter the content of a block changes the block hash, so the doctored block is no longer connected to the chain and false directions can be easily disregarded by followers. MIT's Eduardo Castelló said, "These techniques are useful to be able to validate, audit, and understand that the system is not going to go rogue."
Google to Pay Developers to Make Open Source Projects More Secure |
Creating Wireless Signals with Ethernet Cable to Steal Data From Air-Gapped Systems |
Google, DeepMind Face Lawsuit Over Deal with Britain's National Health Service
CNBC
Sam Shead
October 1, 2021
Alphabet subsidiaries Google and DeepMind face litigation for obtaining and processing over a million patient health records in the U.K. without consent. British law firm Mishcon de Reya said it had filed suit with the High Court on behalf of about 1.6 million plaintiffs, whose medical records DeepMind acquired to develop a patient monitoring application called Streams. New Scientist previously disclosed that DeepMind's agreement with the U.K.'s National Health Service (NHS) exceeded what was publicly announced. The U.K. Information Commissioner's Office decreed the agreement did not comply with that nation’s data protection law, yet a subsequent audit by law firm Linklaters determined the Royal Free London NHS Foundation Trust's use of Streams was legal, and complied with the statutes. Mishcon's Ben Lasserson said the planned lawsuit "should help to answer fundamental questions about the handling of sensitive personal data."
Widely Used Bitcoin ATMs Have Major Security Flaws
Gizmodo
Tom McKay
September 30, 2021
Security researchers at crypto exchange Kraken warn that many bitcoin ATMs contain serious vulnerabilities that hackers could exploit. Kraken found software and hardware flaws within the General Bytes BATMtwo (GBBATM2) ATM model; Coin ATM Radar calculates that General Bytes has provided nearly 23% of all crypto ATMs globally, including 18.5% of U.S. units and 65.4% of European units. Owners have installed many such ATMs without changing the default admin quick response (QR) code that functions as a password, which is shared across units. Kraken also cited a lack of secure boot mechanisms, enabling hackers to fool GBBATM2s into running malware, as well as "critical vulnerabilities in the ATM management system." The exchange recommends bitcoin ATM users conduct cryptocurrency transactions in trustworthy locations overseen by surveillance cameras, and for operators to change the default QR code.
DeFi Platform Mistakenly Sends $89 Million; CEO Begs Return
Bloomberg
Joe Light
October 1, 2021
The decentralized finance (DeFi) platform Compound mistakenly sent users almost $90 million in cryptocurrency due to a bug in a recent update, and CEO Robert Leshner is calling on users to return it voluntarily. DeFi platforms rely on "smart contracts" between users that are governed entirely by computer code. Compound also distributes COMP tokens that give users a say in how the protocol works. Leshner noted that the error involved 280,000 COMP tokens worth about $89.3 million that were distributed on Oct. 1. Said University of Pennsylvania Wharton School's Kevin Werbach, "The vast majority of people in the world are not going to trust their money to something if they are told a bug will cause you immutably to lose everything."
The Washington Post (8/25, Harwell) reports the US government intends “to expand its use of facial recognition to pursue criminals and scan for threats, an internal survey has found, even as concerns grow about the technology’s potential for contributing to improper surveillance and false arrests.” Several departments, including “Agriculture, Commerce, Defense, Homeland Security, Health and Human Services, Interior, Justice, State, Treasury, and Veterans Affairs – told the Government Accountability Office that they intend to grow their facial recognition capabilities by 2023, the GAO said in a report posted to its website Tuesday.” Many of these departments “use face-scanning technology so employees can unlock their phones and laptops or access buildings, though a growing number said they are using the software to track people and investigate crime.”
Axios (8/25, Garfinkel) also covers the story.
SSL Certificate Research Highlights Pitfalls for Company Data, Competition
ZDNet
Charlie Osborne
November 5, 2021
A new report from security research firm Detectify Labs researchers indicates that many companies do not realize their SSL (Secure Sockets Layer)/TLS (Transport Layer Security) certificates can leak confidential information and create entry points for hackers. The researchers analyzed more than 900 million SSL/TLS certificates and associated events generated by Google, Amazon, and other issuing organizations. Among other things, the researchers found the "overwhelming majority of newly certified domains" have been given descriptive names, which could enable competitors to undermine new companies or products if the certification is issued at the development stage. Detectify's Fredrik Nordberg Almroth added, "An attacker could see if a certificate is about to expire or has been signed using a weak signature algorithm. The latter can be exploited to listen in on Website traffic or create another certificate with the same signature—allowing an attacker to pose as the affected service."
Chinese Computer Scientist Awarded Kyoto Prize for Work Playing 'Vital Role in Modern Society'
South China Morning Post (Hong Kong)
Holly Chik
November 10, 2021
Japan's Inamori Foundation named Chinese computer scientist Andrew Yao Chi-chih recipient of the international Kyoto Prize in advanced technology for "essential concepts and models that play a vital role in modern society." In 1982, Yao introduced the concept of secure multiparty computation (MPC), which facilitates computation on encrypted values. Said Yao, "If you use MPC, it's possible to have multiple databases do any joint computations without leaking its own data." Yao said MPC theory has advanced significantly in the last four decades, with ramifications for financial technology, data training, and drug discovery. The Inamori Foundation lauded Yao's quantum communication complexity concept for enabling "quantitative performance evaluation of quantum computing. These achievements have a great impact and ripple effect on the information science field."
Cybersecurity Experts Sound Alarm on Apple, EU Phone Scanning Plans
The New York Times
Kellen Browning
October 14, 2021
Over a dozen cybersecurity experts criticized proposals by Apple and the European Union (EU) to scan phones for illegal content, warning they would encourage government surveillance. Apple said its client-side scanning tool would process images on iPhones uploaded to the iCloud storage service, and compare image fingerprints against a database of child sexual abuse material to find matches. Privacy advocates balked, suggesting the technology could undermine digital privacy and be used by authoritarian regimes to suppress dissent. The cybersecurity experts said EU documents suggest the bloc's government desires a similar program to police encrypted devices for evidence of child sexual abuse, organized crime, and terrorist activity. They also called Apple's technology ineffective, noting people had posted workarounds shortly after the company announced its plans.
Privacy Fears as Moscow Metro Rolls Out Facial Recognition Pay System
The Guardian (U.K.)
Pjotr Sauer
October 15, 2021
Privacy activists warn the Moscow metro's just-launched cashless, cardless, and phoneless Face Pay facial recognition payment system constitutes a sinister move by Russia to monitor and control its people. Moscow mayor Sergey Sobyanin said passengers must connect their photo, bank card, and metro card to Face Pay via the metro's mobile application, and city authorities said passengers' data will be "securely encrypted." Stanislav Shakirov with digital rights activist group Roskomsvoboda said, "We are moving closer to authoritarian countries like China that have mastered facial technology. The Moscow metro is a government institution and all the data can end up in the hands of the security services."
Neighbor Wins Privacy Row Over Smart Doorbell, Cameras
BBC News
Jane Wakefield
October 14, 2021
Judge Melissa Clarke in the U.K. has ruled that security cameras and a smart doorbell installed on the house of Oxfordshire resident Jon Woodard "unjustifiably invaded" neighbor Mary Fairhurst's privacy. Clarke determined Amazon's Ring doorbell captured images of Fairhurst's house and garden, while a camera on Woodard's shed was aimed to capture almost all of her garden and parking space. Clarke also ruled that audio data collected by cameras on the shed, in a driveway, and on the doorbell was processed unlawfully, and could record conversations "even more problematic and detrimental than video data," in violation of U.K. data laws and the U.K. General Data Protection Regulation.
Google Analyzed 80 Million Ransomware Samples: Here's What It Found
ZDNet
Campbell Kwan
October 13, 2021
Cybersecurity firm VirusTotal analyzed 80 million ransomware samples submitted by users in 140 countries and found that Israel submitted the greatest number of samples since the beginning of 2020. Following Israel, the report showed that South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran, and the U.K. were the countries most affected by ransomware, based on each country’s number of submissions. The ransomware-as-a-service group GandCrab accounted for 78.5% of samples submitted, followed Babuk (7.6%) and Cerber (3.1%). The report found that Windows-based executables or dynamic link libraries accounted for 95% of ransomware files detected; just 2% were Android-based. VirusTotal researchers said, "We believe this makes sense given that ransomware samples are usually deployed using social engineering and/or by droppers (small programs designed to install malware)."
Study Reveals Scale of Data-Sharing from Android Phones
Trinity College Dublin (Ireland)
October 11, 2021
A study by researchers at Ireland's Trinity College Dublin and the U.K.'s University of Edinburgh found that vendor-customized Android variants transmit significant amounts of data from mobile phones to the operating system (OS) developer and third parties with system apps pre-installed on those handsets, like Google, Microsoft, LinkedIn, and Facebook. The analysis found that users are unable to opt out from this data collection. Trinity College's Doug Leith said, "We've been too focused on Web cookies and on badly-behaved apps. I hope our work will act as a wake-up call to the public, politicians and regulators. Meaningful action is urgently needed to give people real control over the data that leaves their phones."
Professional Footballers Threaten Data Firms with GDPR Legal Action
BBC News
Nick Hartley
October 21, 2021
Hundreds of professional footballers (soccer players) have threatened litigation against the data collection industry, demanding remuneration for the trading of their performance data over the past six years, and an annual fee for any future use. The 850-player Global Sports Data and Technology Group is led by former U.K. football team manager Russell Slade, whose legal team said lack of compensation for licensed use of footballers' personal data violates Europe's General Data Protection Regulation. The attorney leading the group's action, Chris Farnell, thinks it could lead to a game-changing rethink of data trading, particularly in terms of "how that data is being used and how it's going to be rewarded."
Cryptography Game-Changer for Biomedical Research at Scale
EPFL (Switzerland)
Tanya Petersen
October 11, 2021
An international research team has developed a federated analytics system that allows healthcare providers to perform statistical analyses and develop machine learning models in collaboration without sharing their underlying datasets. Researchers at Switzerland's EPFL (Swiss Federal Institute of Technology Lausanne), Lausanne University Hospital, the Massachusetts Institute of Technology, and Harvard University used the FAMHE federated analytics system to reproduce two published multicentric studies. They found the same scientific results could have been achieved without transferring and centralizing the datasets. Said EPFL's Jean-Pierre Hubaux, "FAMHE uses multiparty homomorphic encryption, which is the ability to make computations on the data in its encrypted form across different sources without centralizing the data and without any party seeing the other parties' data."
Search Engine Could Help Researchers Scour Internet for Privacy Documents
Penn State News
Matt Swayne
October 13, 2021
Pennsylvania State University (Penn State) scientists have designed a search engine that uses artificial intelligence to sift through millions of online documents, which could help privacy researchers find content related to online privacy. The PrivaSeer engine identifies relevant documents using natural language processing (NLP). Penn State's Mukund Srinath said the NLP approach focuses on certain words in text to distinguish between privacy and non-privacy policy documents. PrivaSeer has compiled approximately 1.4-million English language Website privacy policies. Said Penn State’s Shomir Wilson, “This can be a resource for researchers both in natural language processing and privacy, who are interested in this domain of text.”
Modern Healthcare (9/8, Cohen, Subscription Publication) reports “the University of Minnesota is forming a center focused on medical device cybersecurity with funding from UnitedHealth Group’s Optum and four medical device companies, the university announced Wednesday.” The “center, which aims to bring together university, industry and government collaborators, grew out of medical devicemakers’ interest in forming a hub for device security research, education and workforce training, according to a news release from the University of Minnesota.” Abbott, Optum, “Boston Scientific, Medtronic and Smiths Medical collectively are providing most of the funding.”
The New York Times (9/7, Ngo) reports that Howard University, “one of the country’s leading historically Black colleges and universities, canceled some classes for a second day after it was hit with a ransomware attack.” All online and hybrid undergraduate classes “are suspended for Wednesday, according to a statement by the university.” All in-person classes “in Washington will resume as scheduled.” The university “had suspended classes on Tuesday after shutting down its network to investigate the attack.” An alternative Wi-Fi system “will be set up but will not be available tomorrow, according to the statement.”
CNN (9/7, Cohen) reports according to a statement from the university, “To date, there has been no evidence of personal information being accessed or exfiltrated; however, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed.”
The Hill (9/7, Oshin) reports the university “has engaged both the FBI and the DC government about the ransomware attack and has said it will implement new online safety measures to protect student data and its facilities.”
ABC News (9/7, Barr) reports “last week, the FBI and the Cybersecurity Infrastructure Security Agency (CISA) warned companies to be vigilant and on alert for ransomware attacks over the Labor Day weekend.” The agencies “noted that the past two major cyber attacks have occurred over a holiday weekend – noting that, leading into the Mother’s Day weekend, the Colonial Pipeline was hacked, over Memorial Day weekend meat supplier JBS was hacked and over the Fourth of July weekend IT management company Kaseya was hacked.”
Also reporting is Newsweek (9/7, Fung).
EdSource (9/7, Peele, Willis, Gordon, Burke) reports “over the last five months,” the California Community Colleges’ central office has been “unable to provide student enrollment totals for the fall 2020 or spring 2021 terms.” The system website “designed to provide the enrollment of the 115 local community colleges across the state has carried a red-lettered warning for months: Don’t trust the numbers.” Now there are the bots. News last week “that alleged scammers have besieged the system with phony student applications in attempts to score student aid and federal pandemic relief grants put a spotlight on the system’s lingering data problems and its inability to count how many people are attending the nation’s biggest higher education system, which has historically served some 2 million students.” The double problem “of an inability to know how many students are taking classes and the sudden invasion of scammers is ‘quite striking,’ said professor Thomas Dee of Stanford University’s Graduate School of Education, and needs prompt fixing.”
Higher Ed Dive (9/1, Jones) reports “as the Labor Day holiday looms, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are urging companies and public sector organizations to consider proactive threat hunting and create offline data backups to protect against ransomware attacks, citing recent incidents that took place over holiday weekends.” Though there is no information “pointing to a specific pending attack, the agencies warned that several recent ransomware attacks – including the Kasaya attack over Independence Day – took place over extended holiday weekends.” Experts say “the pandemic increased risks for colleges when it forced them to move classes and activities online.”
The New Orleans Times-Picayune (9/1) reports the National Science Foundation “has awarded a $1.2 million grant to Phani Vadrevu, a computer science professor at the University of New Orleans, to develop methods to protect users from web-based social engineering attacks such as survey scams, scareware and phishing expeditions.” The project “will use artificial intelligence to track and model online attacks.”
The Los Angeles Times (8/31, Watanabe) reports the California Community Colleges system “is investigating potentially widespread fraud involving fake ‘bot students’ enrolled in active courses in what officials suspect is a scam to obtain financial aid or COVID-19 relief grants.” The 116-campus system “is beefing up internal reporting and security measures after finding that 20% of recent traffic on its main portal for online applications was ‘malicious and bot-related,’ according to a memo issued Monday.” Nearly 15% of that traffic “was caught by new software called Imperva Advanced Bot Detection, which was installed last month, and the matter remained of ‘grave concern,’ she said.” California Community Colleges Chancellor Eloy Ortiz Oakley “said at least six campuses have reported an unusual spike in enrollment attempts involving possibly fake students.” However, “officials have not yet been able to identify where the ‘pings’ are coming from or how many colleges are involved.”
Security Vulnerabilities in Computer Memories
ETH Zurich (Switzerland)
Oliver Morsch
November 15, 2021
A team of researchers from the Swiss Federal Institute of Technology, Zurich (ETH Zurich), the Netherlands' Vrije Universiteit Amsterdam, and semiconductor manufacturer Qualcomm Technologies identified major security flaws in dynamic random-access memory (DRAM) devices. ETH Zurich's Kaveh Razavi said the Rowhammer vulnerability in DRAMs, exploited by hackers to induce bit errors and access restricted areas inside the computer, remains unaddressed. Countermeasures designed to neutralize Rowhammer merely detect simple attacks. Razavi said the researchers' Blacksmith software, which systematically applies complex hammering patterns, found a successful exploit in each of 40 DRAM memories tested. This means current DRAM memories could remain hackable by Rowhammer attacks for years to come.
DHS Program to Attract, Retain Cybersecurity Talent
The Hill
Maggie Miller
November 15, 2021
The U.S. Department of Homeland Security (DHS) has launched a program to find and hire cybersecurity professionals. The federal agency will use the Cyber Talent Management System (CTMS) to simplify and screen the application process. Candidates hired through CTMS will join the DHS Cybersecurity Service, focused on shielding critical infrastructure from cyberattacks. The program will be used to fill vacancies at DHS' Cybersecurity and Infrastructure Security Agency and the DHS Office of the Chief Information Officer, and will help to fill vacancies at other DHS entities starting next year. Said DHS Secretary Alejandro Mayorkas, "This new system will enable our department to better compete for cybersecurity professionals and remain agile enough to meet the demands of our critical cybersecurity mission."
Big Data Privacy for ML Just Got 100 Times Cheaper
Rice University News
Jade Boyd
November 16, 2021
Rice University's Anshumali Shrivastava and Ben Coleman have developed RACE (repeated array of count estimators), an inexpensive technique to ensure personal data privacy when using or sharing large databases for machine learning (ML). The researchers applied locality sensitive hashing to generate abstracts or "sketches" of a huge database of sensitive records. Coleman said RACE sketches are safe for public release and useful for algorithms that employ kernel sums, and for ML programs that execute common tasks like classification, ranking, and regression analysis. Said Shrivastava, "RACE changes the economics of releasing high-dimensional information with differential privacy. It's simple, fast, and 100 times less expensive to run than existing methods."
Delta to Roll Out Facial Recognition in Atlanta Domestic Terminal
Atlanta Journal-Constitution
Kelly Yamanouchi
October 26, 2021
Delta Air Lines intends to launch a facial recognition pilot program in the domestic terminal of Atlanta's Hartsfield-Jackson International Airport as soon as Nov. 3, in partnership with the U.S. Transportation Security Administration. Delta's Greg Forbes said the aim is to make air travel more convenient and "hands-free and touch-free" via biometric solutions. The airline said about 25% of its Atlanta customers would meet the conditions for the optional facial recognition check-in. The ACM Global Technology Policy Council last year warned facial recognition "has often compromised fundamental human and legal rights of individuals to privacy, employment, justice, and personal liberty." However, council chair James Hendler wrote that Delta's implementation "makes it clear where and how it is being used," offers an opt-out process, and has human backup for when the system malfunctions.
Latest Russian Cyberattack Targeting Hundreds of U.S. Networks
Reuters
Susan Heavey
October 25, 2021
Microsoft warns the Russia-based agency Nobelium has targeted hundreds of U.S. companies and organizations, specifically "resellers and other technology service providers" of cloud services, in its latest cyberattack. The software giant, which alerted 609 customers between July 1 and Oct. 19 that they had been targeted, informed The New York Times that only a small percentage of the latest attacks succeeded. U.S. officials verified the operation was underway, with one anonymous official calling it "unsophisticated, run-of-the mill operations that could have been prevented if the cloud service providers had implemented baseline cybersecurity practices." Microsoft blogged that the latest attack again confirms Russia's ambition "to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest to the Russian government."
Distributed Protocol Underpinning Cloud Computing Automatically Determined Safe, Secure
University of Michigan News
October 25, 2021
Formal verification techniques developed by University of Michigan researchers can automatically confirm the integrity of Paxos, a foundational distributed computing protocol that underlies cloud computing services. Paxos describes an approach called consensus incorporated within almost all critical distributed systems, including all cloud-supported applications. Formal verification techniques can demonstrate something is correct and reliable, and certify the proper functioning of a specific algorithm, piece of software, or computer chip. The researchers' IC3PO model-checking system sifts through every state a program can enter and determines whether it matches a description of safe behavior. If correctness is verified, IC3PO produces an inductive invariant—a proof by induction that the property universally holds—which took Paxos under an hour.
Russia Is Censoring the Internet, with Coercion and Black Boxes
The New York Times
Adam Satariano; Paul Mozur
October 23, 2021
The Russian government has forced the country's largest telecom and Internet service providers to install black boxes connected to a command center in Moscow, so that it can block, filter, and slow down Websites to control what the public sees online. The initiative was pushed to the forefront this spring when the filtering system was used for the first time to slow Twitter to a crawl. Twitter then agreed to remove dozens of posts the government determined were illegal. Russia's Internet regulator, Roskomnadzor, also has threatened to take down YouTube, Facebook, and Instagram if they do not block certain content on their own. The technology has been installed at 500 locations of telecom operators, and is expected to rise to more than 1,000 by next year.
Quantum-Encrypted Information Transmitted Over Fiber More Than 600 Km Long
Optica
October 21, 2021
Researchers at the University of Leeds and Toshiba Europe in the U.K. established secure quantum communication over 605 kilometers (375 miles) of fiber through a new signal stabilization method. The researchers used the twin-field quantum key distribution protocol, which enables two geographically separated users to establish a common secret bit-string by sharing photons, which are usually transmitted over an optical fiber. The stabilization technique utilizes two optical reference signals at different wavelengths to minimize phase fluctuations over long distances. The researchers demonstrated that this method could support repeater-like performance while accommodating losses outside the traditional limit of 100 decibels over a 605-kilometer-long quantum channel. Toshiba Europe's Andrew Shields said, "This will allow us to build national- and continental-scale fiber networks connecting major metropolitan areas."
For Rules in Technology, the Challenge Is to Balance Code, Law
The New York Times
Ephrat Livni
November 23, 2021
The idea that "code is law," observed in a 1999 book by Harvard University's Lawrence Lessig, has been embraced by the cryptocurrency industry, with some firms contending code can be a better arbitrator than traditional regulators. However, issues have emerged in the decentralized finance (DeFi) sector, with hackers this summer overriding smart contract instructions to steal $600 million from the Poly Network, which lets users transfer cryptocurrencies across blockchain networks. DeFi platforms typically are established as Decentralized Autonomous Organizations governed democratically by a community of users who vote with crypto tokens. Said Lessig, "We need a more sophisticated approach, with technologists and lawyers sitting next to behavioral psychologists and economists," to define parameters to code social values into programs.
How to Find Hidden Spy Cameras with a Smartphone
Help Net Security
Zeljka Zorz
November 23, 2021
Scientists at the National University of Singapore and South Korea's Yonsei University developed a smartphone application that can find tiny spy cameras concealed in everyday objects, using smartphones' time-of-flight (ToF) sensor. The researchers said the Laser-Assisted Photography Detection (LAPD) app spots hidden cameras better than commercial camera detectors, and much better than the human eye. The app, which works on any smartphone handset equipped with a time of flight (ToF) sensor, can only scan a single object at a time, and requires about a minutes to scan that object. The researchers said the app could be made more accurate by taking advantage of the handset’s flashlight and RGB cameras.
U.K., U.S. Join Forces to Strike Back in Cyberspace
BBC News
Gordon Corera
November 19, 2021
The U.S. and U.K. announced a collaboration to strike back against mutual adversaries engaging in malicious cyber-activities, to address "evolving threats with a full range of capabilities." At an annual meeting of intelligence chiefs, U.K. General Sir Patrick Sanders and Government Communications Headquarters director Sir Jeremy Fleming and U.S. Cyber Command director General Paul Nakasone "reaffirmed" their pledge to jointly disrupt and deter new and emergent cyberthreats. They said they would accomplish this "by planning enduring combined cyberspace operations that enable a collective defense and deterrence and impose consequences on our common adversaries who conduct malicious cyber-activity." The "persistent engagement" approach used by the U.S. entails contesting adversaries daily to disrupt their cyberattack infrastructure, while Britain suggests a similar strategy with the launch of its National Cyber Force.
This Tool Protects Your Private Data While You Browse
UC San Diego News Center
Ioana Patringenaru
November 18, 2021
The SugarCoat tool developed by researchers at the University of California, San Diego (UCSD) and Brave Software can better protect users' private data as they browse the Web. SugarCoat targets scripts that attack privacy but are critical to Website operations, replacing them with safe scripts that possess the same properties. The open-source SugarCoat is configured to integrate with existing privacy focused browsers like Brave, Firefox, and Tor, and browser extensions like uBlock Origin. UCSD's Michael Smith said, "SugarCoat integrates with existing content-blocking tools like ad blockers, to empower users to browse the Web without giving up their privacy."
Roll Call (11/18, DeChiaro) reports Democratic leaders have revealed that “House and Senate negotiators will soon go to conference in an effort to send bipartisan legislation aimed at advancing U.S. competitiveness in science and technology to President Joe Biden’s desk.” In June, the Senate “passed legislation that would authorize around $200 billion in spending for the National Science Foundation, the Energy Department and other government agencies tasked with research and development in 21st-century fields of technology such as artificial intelligence, quantum computing, robotics and cybersecurity.” The bill, called the US Innovation and Competition Act “USICA,” “would also approve $52 billion in spending to bolster the struggling U.S. semiconductor industry.” However, “the House has not passed a companion measure.” A representative of “Speaker Nancy Pelosi did not respond to questions about which bills the House would bring to conference.”
The Jerusalem Post (ISR) (11/17, Bob) reported that Israel, the United Arab Emirates, “and five other countries engaged in the first-ever simulation of a mega-cyberattack on the international airline industry, the Israel National Cyber Directorate has announced.” The simulation was made public by the Israel National Cyber Directorate (INCD) only on Wednesday.