Dr. T's security brief
dtau...@gmail.com
North Korean Hackers Again Exploit Internet Explorer's Leftover Bits
Ars Technica
Kevin Purdy
December 8, 2022
Google's Threat Analysis Group (TAG) claims a North Korean government-backed hacker group continues to exploit persisting flaws in Microsoft's Internet Explorer (IE) browser. TAG analysts said the APT37 group targeted visitors to the South Korean website Daily NK, focusing on the Halloween crowd crush in Seoul's Itaewon district. The group allegedly circulated a potentially malware-bearing Microsoft Word .docx document related to the tragedy that exploited a long-known flaw in Office and WordPad rooted in IE's JavaScript (JScript) engine. APT37 has previously issued exploits that activated BLUELIGHT, ROKRAT, and DOLPHIN malware aimed at North Korean political and economic interests. Microsoft patched the exploit in the JScript engine, but the persistence of remote-code Word doc attacks suggests such hacks will linger.
Apple Details Plans to Beef Up Encryption of Data in iCloud
The New York Times
Tripp Mickle
December 7, 2022
Apple will expand its end-to-end encryption system in order to render most iCloud data unreadable, even when stored in datacenters. Although Apple had not fully encrypted the data so customers can more easily retrieve information for users who were locked out or lost account access, escalating breaches and more data migrating to the cloud prompted the company to fortify its security. The optional Advanced Data Protection framework was designed to shield data of public figures who hackers may target. The upgrade could potentially conflict with the U.S. government and other regimes. Apple has refused to help law enforcement unlock iPhones, while meeting many requests for iCloud backups that include unencrypted messages and photos.
*May Require Paid Registration
Go-Based Botnet Exploiting Dozens of IoT Vulnerabilities to Expand Network
The Hacker News
Ravie Lakshmanan
December 7, 2022
Researchers at Fortinet FortiGuard Labs identified a Go-based botnet that is taking advantage of 21 security vulnerabilities in Internet of Things devices and other software, singling out Windows and Linux operating systems in its efforts to assume control of the affected devices. Fortinet's Cara Lin said the Zerobot botnet "contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol." The vulnerabilities affect a range of devices, including TOTOLINK routers, Zyxel firewalls, F5 BIG-IP, Hikvision cameras, FLIR AX8 thermal imaging cameras, D-Link DNS-320 NAS, and Spring Framework. Added Lin, "Within a very short time, it was updated with string obfuscation, a copy file module, and a propagation exploit module that make[s] it harder to detect and gives it a higher capability to infect more devices."
Deepfake Detector Spots Fake Videos of Ukraine's President Zelensky
New Scientist
Jeremy Hsu
December 7, 2022
A deepfake detector can accurately identify fraudulent videos of Ukraine's president Volodymyr Zelensky, and can be trained to flag deepfakes of other prominent figures. Researchers at the University of California, Berkeley and the Czech Republic's Johannes Kepler Gymnasium trained a computer model on more than eight hours of publicly posted videos featuring Zelensky. The detector vets 10-second clips from a single video, analyzing up to 780 behavioral characteristics. Flagging multiple clips from the same video as false indicates human analysts should look closer. The University at Buffalo in New York's Siwei Lyu said the deepfake detector's holistic head-and-upper-body analysis is uniquely suited to identifying doctored videos.
Never-Before-Seen Malware Nuking Data in Russia's Courts, Mayors' Offices
Ars Technica
Dan Goodin
December 2, 2022
Researchers at Russian cybersecurity company Kaspersky and news service Izvestia warned of never-before-encountered CryWiper malware besieging mayors' offices and courts in Russia. The Kaspersky researchers named the malware after the .cry extension appended to corrupted data. Izvestia said once infecting a victim, CryWiper leaves a ransom note demanding 0.5 bitcoin and a wallet address to send the payment; the Kaspersky analysts said the Trojan then permanently destroys the target data. CryWiper uses the same algorithm as the IsaacWiper malware directed against targets in Ukraine, which generates pseudo-random numbers that infect files by overwriting data within them. "In many cases, wiper and ransomware incidents are caused by insufficient network security, and it is the strengthening of protection that should be paid attention to," the Kaspersky researchers said.
How China's Police Used Phones, Faces to Track Protesters
The New York Times
Paul Mozur; Claire Fu; Amy Chang Chien
December 2, 2022
China's police used an advanced surveillance system to track protesters who rallied against the government's pandemic policies this past week. The system enables authorities to target, detain, and intimidate protest organizers and vocal dissidents. Its tools include millions of cameras, facial recognition software programmed to identify local citizens, phone monitors, and data- and image-crunching applications. The phone trackers connect to and record data on the phones of passersby for police to review. Many protesters said they now avoid using virtual private networks or other foreign apps like Telegram and Signal out of fear their phones' software might be more closely monitored.
*May Require Paid Registration
TikTok Ban Unlikely To Be Included In NDAA
Roll Call 
(12/7, Newhouse) reports Republicans seeking to ban TikTok from “federal electronic devices may have missed their chance this Congress.” Rep. Ken Buck (R-CO) had hoped to “attach his bill to prohibit federal employees from downloading or using the app on a government-issued device to the fiscal 2023 defense authorization measure,” but a new draft of the bill “released late Tuesday doesn’t include such a provision.” Lawmakers could attach the “proposal to the fiscal 2023 omnibus spending package or, if that isn’t finished, a continuing resolution to avert a government shutdown when current funding expires Dec. 16.” Both chambers also could “pass the legislation as a stand-alone bill, but time is running out on the current Congress.”
CNBC (12/7, Feiner) reports that on Wednesday, analysts have “predicted that Meta, Google’s YouTube and Snap would stand to gain from a TikTok ban in the U.S.”
Indiana Sues TikTok For Misleading About Chinese Access To Data, Mature Content. Reuters (12/7, Singh) reports Indiana sued TikTok on Wednesday “over allegations that it is deceiving users about China’s access to their data and exposing children to mature content.” The office of Indiana Attorney General Todd Rokita, a Republican, “said the popular app, owned by ByteDance, violates the state’s consumer protection laws by not disclosing the Chinese government’s potential to access sensitive consumer information.” The complaint “added that inappropriate sexual and substance-related content can easily be found and are pushed by the company to children using TikTok.”
South Dakota Bans TikTok From State Agencies Over National Security Concerns. The Wall Street Journal (12/7, Woo, Kesling, Subscription Publication) reports that last week, South Dakota Gov. Kristi Noem (R) issued an executive order banning TikTok from state agencies over national-security concerns, due to the app’s Chinese ownership. The state tourism department has since deleted its TikTok account. South Dakota’s public broadcaster did the same. The state’s six public universities are evaluating next steps this week.
Rocket Lab, SpaceX Debut New Services For National Security
Aviation Week (12/6) reports that SpaceX and Rocket Lab “both kicked off December by unveiling government-oriented departments and services that stress reliability, security and adaptable or responsive-space capabilities for U.S. and allied governments.” Rocket Lab debuted Rocket Lab National Security to handle the company’s national security-linked services, like launching spysats and experimental military spacecraft.
CNET News (12/6, Anders) reports SpaceX and founder Elon Musk “have created a satellite network specifically for government use called Starshield to aid in national security, according to a recently published SpaceX webpage.” According to SpaceX, the program “will use Starlink technology, which delivers high-speed internet to consumers and businesses via thousands of low-orbiting satellites.” The satellites are capable “of bringing broadband internet to underserved areas minus the high latency and data restrictions that come with traditional, geostationary satellite internet services.”
Forbes Councils Member Discusses Responses To Cybersecurity Staff Shortage
In a piece for Forbes (12/6), Forbes Councils Member Anurag Lal, President & CEO of Netsfere, writes, “Cybersecurity and IT job positions are growing in demand faster than companies can hire,” and “a massive staffing shortage is plaguing the industry, particularly due to rapidly changing job requirements and qualifications.” Lal adds, “there are several ways businesses can lessen the IT labor shortage” including recruiting overseas, providing training for existing employees, and working “with high schools and universities to get more young professionals educated and into the workforce sooner.” Lal recommends “internships, student hires and mentorship programs” to “help feed the industry with eager new talent.” Lal concludes, “Employers want to turn the bright minds of the younger generations into their team members working to protect against hackers, not become them.”
Hacker Uses Exploit To Steal Crypto Funds From 8,000 Solana Wallets
Fortune (8/3) reports, “On Tuesday, Solana owners reported that their funds were vanishing – and by evening it became clear a hacker was draining millions from online wallets.” The hacks seem to be tied to an exploit of Slope wallets, a cryptocurrency wallet built for Solana. The hacker “has made off with at least $5.2 million worth of assets,” according to estimates by security companies. Solana Foundation Head of Communications Austin Federa said engineers “continue to investigate the root cause of an incident that resulted in approximately 8,000 wallets being drained.”
dtau...@gmail.com
NIST Revises Guidelines for Digital Identification in Federal Systems
U.S. National Institute of Standards and Technology
December 16, 2022
The U.S. National Institute of Standards and Technology (NIST) has drafted revised federal guidelines that support risk-informed management of Americans' digital identities. The draft publication encompasses technical requirements for establishing and authenticating digital identities of individuals, including employees of government contractors or members of the general public. They cover privacy requirements, factors for cultivating equity and usability of digital identity solutions, and supporting technologies and protocols, with risks faced by individuals accessing services and by service-providing organizations considered in parallel. Updates include a section on biometric information usage for identity proofing; more phishing-resistant authentication methods; and recommendations for sharing/exchanging user identity information between different systems. NIST's Laurie E. Locascio said the guidelines are designed to "get the right services to the right people while preventing fraud, preserving privacy, fostering equity, and delivering high-quality, usable services to all."
NIST Retires SHA-1 Cryptographic Algorithm
U.S. National Institute of Standards and Technology
December 15, 2022
Security experts at the U.S. National Institute of Standards and Technology (NIST) say the agency has retired the secure hash algorithm (SHA)-1 and recommends information technology professionals switch to more secure algorithms. SHA-1 has been in use for nearly 30 years as part of the Federal Information Processing Standard (FIPS) 180-1, but as it is increasingly vulnerable to ever-more-powerful computers, NIST's Chris Celi said users should migrate to the SHA-2 and SHA-3 groups of algorithms as soon as possible. NIST will discontinue use of SHA-1 in its last remaining specified protocols by Dec. 31, 2030, by which time the agency intends to publish FIPS 180-5 to remove the specification; amend NIST publications to reflect the algorithm’s phase-out, and develop and publish a transition process for validating cryptographic modules and algorithms.
Cyberattacks on Hospitals Thwart India's Push to Digitize Healthcare
NPR
Raksha Kumar
December 17, 2022
Massive cyberattacks targeting hospitals in India have undermined the nation's healthcare digitization initiatives. Last month, hackers compromised the health data of millions of patients at the All India Institute of Medical Sciences with ransomware. The breach has unsettled observers about Prime Minister Narendra Modi's National Digital Health Mission to digitize all Indians' health records, since India lacks resilient cybersecurity systems and strong data protection laws. The mission makes hospitals responsible for storing and protecting patient data, but Srinivas Kodali with the Free Software Movement of India says the government should provide such protection if the goal is to establish a unique national health ID.
Security Researchers Cite Theorem of Infinitely Typing Monkeys
Ruhr-Universität Bochum (Germany)
Julia Weiler
December 14, 2022
An international team of scientists led by Germany's Ruhr-Universität Bochum (RUB) is developing new techniques to efficiently identify coding errors in embedded systems via a system called Fuzzware. The researchers use fuzzing algorithms to feed random inputs to software to try to crash the application. The researchers expedite the fuzzing process by narrowing down possible inputs, which RUB's Thorsten Holz said involves employing only those inputs "that the firmware expects and can handle." Holz explained the process resembles the Infinite Monkey Theorem in that the fuzzer eventually, by chance, will use meaningful inputs after enough attempts. The team tested 77 firmwares with Fuzzware, checking up to three times more code than conventional fuzzing methods in the same amount of time.
Researcher Exploits Power Supply to Transmit, Steal Data from PC
PC Magazine
Michael Kan
December 12, 2022
Mordechai Guri at Israel's Ben-Gurion University of the Negev transmitted stolen data from a personal computer by manipulating the device's power supply. "By regulating the workload of the CPU [central processing unit], it is possible to govern its power consumption and hence control the momentary switching frequency of the SMPS (switch-mode power supplies)," Guri explained. "The electromagnetic radiation generated by this intentional process can be received from a distance using appropriate antennas." Guri said malware installed on a universal serial bus drive could infect the target PC, but suggested banning smartphone use around the computer as a countermeasure.
Blockchain Fails to Gain Traction in the Enterprise
The Wall Street Journal
Isabelle Bousquette
December 15, 2022
Blockchain technology's widespread enterprise adoption has failed to materialize, with a project by Danish shipping company A.P. Moller-Maersk and IBM's TradeLens to create a shipment-tracking platform the latest to be discontinued. Blockchain's complexity, the time needed to get a blockchain running, and problems recruiting participants have stymied major initiatives. IBM's Kathryn Guarini said blockchain demands changes to technology and business models that are difficult to drive forward, adding that enterprise blockchain has taken longer to bring change to business than originally predicted. Some experts maintain smaller projects involving fewer participants, with definite returns on investment and no sector-wide transformative ambitions, could reap greater success.
A Faster Way to Preserve Privacy Online
MIT News
Adam Zewe
December 7, 2022
Researchers at the Massachusetts Institute of Technology have developed a method for retrieving private information from a database that is approximately 30 times faster than comparable methods. Using this technique, users could search online databases without the server seeing their query, communicate without messaging apps knowing what they are saying or to whom, or access relevant online ads without sharing their interests with advertising servers. The researchers created the Simple PIR protocol to perform the bulk of the cryptographic work prior to the client sending a query. This involves producing a data structure that holds compressed information about database contents, which serves as a hint for the client. They developed the Double PIR scheme to reduce the size of the hint, generating a more compact hint with a fixed size.
Biden Signs Quantum Computing Cybersecurity Bill
FedScoop (12/21, Jones) reports President Biden on Wednesday signed “legislation to encourage federal government agencies to adopt technology that is protected from decryption by quantum computing.” The newly enacted legislation comes “amid fears that significant leaps in quantum technology being made by countries hostile to the United States, including China, could allow existing forms of secure encryption to be cracked much more quickly.” In particular, the Quantum Computing Cybersecurity Preparedness Act “requires the Office of Management and Budget to prioritize federal agencies’ acquisition of and migration to IT systems with post-quantum cryptography.” It mandates “also that the White House create guidance for federal agencies to assess critical systems one year after the National Institute of Standards and Technology issues planned post-quantum cryptography standards.”
Hacker Group Emails Knox College Students, Gains Access To Student Data
NBC News (12/20, Collier) reports that on December 12th at Knox College, a “hacker group known as Hive had broken into the college’s computer system and gained access to student data, a common ransomware tactic.” An email from Hive that went out to students said, “We have compromised your collage networks. The data we have includes your personal information, medical records, psychological assessments, and many other sensitive data. Additionally all of your SSN and Medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want. To us, this is a normal business day. For you, its a sad day where everyone will see your personal and private info.”
Experts Question Whether Crypto Industry Can Recover From Downturn
The Washington Post (12/18, Mark) says that “cryptocurrency prices have fallen by more than half, trading volume has cratered, and several high-profile companies have collapsed in liquidity crises” over the past year. The arrest of former FTX CEO Sam Bankman-Fried “has only deepened the sense that the crypto bubble has definitively popped, taking with it billions of dollars of investments made by regular people, pension funds, venture capitalists and traditional companies.” Meanwhile, governments “are suddenly pressing for more oversight. ... The crypto industry is calling this moment its ‘crypto winter.’” But, while the industry says it is “cyclical,” and “will eventually blow over,” experts “say the ferocity and scale of this downturn could end up leading to more of an ice age.” The Wall Street Journal (12/18, Banerji, Subscription Publication) provides similar coverage.
Leading Cybersecurity Companies Developing Unified Standard For Sharing Cyberattack Data
CNN Business (8/10, Fung) reports more than a dozen cybersecurity companies “are developing a single, open standard for sharing data about hacking threats, a project the companies say could help organizations detect cyberattacks more quickly.” The initiative led by Amazon, “Cloudflare, Crowdstrike, IBM, Okta and Salesforce, among others, aims to solve a critical bottleneck in the sharing of threat information: The different data formats currently in use across multiple cybersecurity tools and products.”
dtau...@gmail.com
Even the FBI Says You Should Use an Ad Blocker
TechCrunch
Zack Whittaker
December 22, 2022
The U.S. Federal Bureau of Investigation has issued an alert advising online users to install and use ad blockers. The advisory warns of hackers buying online ads highly placed in search results to pose as legitimate brands, in order to steal or extort money from targets. Malicious ads also are used to fool victims into installing malware masked as genuine applications. Ad blockers bar the display of any advertising, making it easier for browsers to find and access the websites of authentic brands. Ad-blocking Web browser extensions also prevent the tracking code within ads from loading, and some of the most effective ad blockers are available to consumers for free.
Twitter Security Flaw May Expose Videos in Direct Messages
New Scientist
Matthew Sparkes
December 21, 2022
Old Dominion University's Michael Nelson discovered a vulnerability in Twitter that could expose any video sent in a direct message to anyone online if a hacker correctly guesses the unique Web address for accessing the file. Nelson said attackers could generate a hash of a known video, then search for people who are sharing it. They also could exploit vulnerabilities in other software like browsers to track the addresses a person visits, then view any Twitter videos they had accessed. Twitter told Nelson the flaw is not a problem, as it requires users to disclose the URL publicly, although it might leave videos open to theft. "Just be aware that while your images enjoy a really impressive array of authentication protection [on Twitter], your videos do not," said Nelson.
Hackers Used Software Flaw to Take Down County Computer System
The New York Times
Sarah Maslin Nir; Nate Schweber
December 21, 2022
Suffolk County, NY, officials disclosed that hackers planned this fall's crippling ransomware attack on the county more than a year ago. Forensic analysis indicated the professional hacker gang BlackCat exploited a vulnerability in an obscure but common piece of software to infiltrate Suffolk's computer system on Dec. 19, 2021. Last year, the U.S. Cybersecurity & Infrastructure Security Agency published an advisory about the software flaw, recommending vulnerable organizations update their systems. Several Suffolk departments created a patch, but the county lacks a centralized interdepartmental cybersecurity protocol, while information technology teams are siloed. Suffolk executive Lisa Black said the office of the county clerk failed to patch the bug, enabling the hackers to orchestrate their infiltration and attack.
Critical Windows Code-Execution Vulnerability Undetected Until Now
Ars Technica
Dan Goodin
December 19, 2022
Microsoft has elevated a recently discovered Windows code-execution vulnerability from important to critical. The CVE-2022-37958 bug resembles the EternalBlue flaw used to set off WannaCry ransomware; it allows attackers to execute malware without requiring authentication, while a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other susceptible systems. The bug allows attackers to remotely detonate malware by accessing the SPNEGO Extended Negotiation security mechanism while the victim uses an authenticating Windows application protocol. CVE-2022-37958 also exists in a wider range of network protocols, offering hackers more flexibility than they had when exploiting EternalBlue. Microsoft corrected the flaw in September, but elevated its threat status when IBM's Valentina Palmiotti found its remote-code-execution capability.
Police in Australia Co-Opted COVID-19 Apps to Fight Crime
Associated Press
Rod McGuirk
December 20, 2022
Law enforcement officials in Western Australia ordered the state Health Department to provide information from the SafeWA COVID-19 contract tracing app as part of an investigation into a murder at a speedway in Perth. The QR code check-in data included the names, phone numbers, and arrival times of 2,439 fans who attended the December 2020 race. Provided under a government order requiring contact tracing information in the event of a COVID-19 outbreak, the data was supposed to be accessible only to contact tracing personnel. The matter has raised concerns over privacy, particularly since Australia's 1988 Privacy Act was implemented before widespread use of the Internet and smartphones.
Inventor of World Wide Web Wants Us to Reclaim our Data from Tech Giants
CNN
Daniel Renjifo
December 16, 2022
World Wide Web inventor and 2016 ACM A.M. Turing Award recipient Tim Berners-Lee founded the startup Inrupt with John Bruce to help users reclaim their personal data. The company's Personal Online Data Store (Solid Pod) allows people to store their data in one location and govern its access, rather than have it stored by applications and websites across the Web. Users can obtain Pods from certain providers, hosted by Web services like Amazon, or operate their own server. Bruce says this setup protects user data from corporations and governments, while also reducing the chances of hacker theft. Said Berners-Lee, "I think what [users are] missing sometimes is the lack of empowerment. You need to get back to a situation where you have autonomy, you have control of all your data."
California Lawmakers Pass Children’s Online Safety Bills
The New York Times (8/30, Singer) report that California lawmakers “have passed the first statute in the nation requiring apps and sites to install guardrails for users under 18.” The California Age-Appropriate Design Code Act “would compel many online services to curb the risks that certain popular features – like allowing strangers to message one another – may pose to child users.” The Times says the measure “could herald a shift in the way lawmakers regulate the tech industry.” The new rules would take effect in 2024 and could potentially “prompt some online services to introduce nationwide changes, rather than treat minors in California differently.”
CNBC (8/30, Feiner) reports on its website that the bill “would require online services to install additional safeguards for users under 18, including by defaulting to the highest possible privacy settings in most cases and providing ‘an obvious signal’ to the minor when their location is being monitored (such as by a parent or guardian).” In addition, it would “prohibit the use of so-called dark patterns – essentially design tricks made to steer users toward a specific choice – that would encourage minors to give away personal information that would not be necessary to provide the service.”
Data Brokers Lobby For Changes To Privacy Bill
Politico (8/28, Ng) reports that as lawmakers move toward passage of a federal data privacy law, “the brokers that profit from information on billions of people are spending big to nudge the legislation in their favor.” According to lobbying disclosure records, “five prominent data brokers boosted their collective spending on lobbying by roughly 11 percent in the second quarter of this year compared with the same period a year ago.” The brokers “including U.K.-based data giant RELX and credit reporting agency TransUnion, want changes to the bill – such as an easing of data-sharing restrictions that RELX says would hamper investigations of crimes. Some data brokers also want clearer permission to use third-party data for advertising purposes.” But, “privacy advocates say these requested changes would entrench practices in the data broker industry that have raised years of concerns about information collected en masse and shared without proper consent.”
Twitter Whistleblower To Testify Before Senate Panel
The Washington Post (8/24) reports the Senate Judiciary Committee announced Wednesday that pursuant to a subpoena, Twitter whistleblower Peiter Zatko will testify at a Sept. 13 hearing “about his allegations of security failures at the social network.” The announcement came one day after the Post “reported on Zatko’s whistleblower complaint to federal regulators that alleges ‘extreme, egregious deficiencies’ in its defenses against hackers, as well as meager efforts to fight spam.” Bloomberg (8/24, Birnbaum) reports Committee Chair Dick Durbin and Sen. Chuck Grassley (R-IA), the top Republican on the panel, said in a statement, “Mr. Zatko’s allegations of widespread security failures and foreign state actor interference at Twitter raise serious concerns. ... If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world.”
Politico (8/24, Kern) says the hearing “could be the first of many” as lawmakers “probe the implications of the cybersecurity vulnerability claims Zatko” made against Twitter. House Homeland Security Chair Bennie Thompson “said he has concerns about how the security allegations could impact the November midterms.” Thompson said Tuesday, “Our adversaries have a history of exploiting social media to disrupt our elections — and with the midterms only three months away, there is no time to waste.”
Reuters (8/24) reports aides to Sen. Richard Blumenthal (D-CT), who sits on the Senate Commerce Committee and the Judiciary Committee “also met Zatko this week.” Blumenthal, who “has a keen interest in Big Tech ,” wrote in a letter to FTC chair Lina Khan, “According to disclosures and evidence provided by Peiter ‘Mudge’ Zatko, a highly-respected cybersecurity expert who served as Twitter’s Security Lead from 2020 to 2022, Twitter executives allegedly failed to address significant security vulnerabilities, neglected the mishandling of personal data, and ignored known privacy risks to users for more than a decade.” Blumenthal “called for an FTC investigation in the letter.”
Twitter Executives Push Back On Zatko’s Allegations. The New York Times (8/24, Mac, Conger) reports Twitter executives “pushed back on Wednesday against what they said was a ‘false’ narrative being created” around Zatko’s allegations. At a weekly companywide meeting, Twitter chief executive Parag Agrawal, said Zatko’s whistleblower complaint “is foundationally, technically and historically inaccurate. ... There are accusations in there without any evidence and many points made without important context.” The TImes, which listened to the meeting, says “other executives – including Sean Edgett, the general counsel, and the privacy and security executives Damien Kieren and Lea Kissner – echoed Mr. Agrawal.”
Lawsuit Accuses Oracle Of Creating “Digital Dossiers” On Internet Users
Bloomberg Law (8/22, Vittorio, Subscription Publication) reports that Oracle “is accused in a new lawsuit of invading people’s privacy by using tracking technologies to build ‘digital dossiers’ on individual Internet users for marketing purposes.” According to Bloomberg Law, “The cloud infrastructure provider, also registered as a data broker in California, allegedly gathers and sells personal information without people’s permission in violation of state law and federal wiretap law, according to a class action complaint filed Friday in the US District Court for the Northern District of California.”
TechCrunch (8/22, Lomas) reports that the suit alleges that the tech giant’s “worldwide surveillance machine” has amassed detailed dossiers on some five billion people, accusing the company and its adtech and advertising subsidiaries of violating the privacy of the majority of the people on Earth.
Apple Discloses Security Vulnerabilities In Certain Devices
The AP (8/18, Klepper) reports Apple discovered and “disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.” The company “released two security reports about the issue on Wednesday, although they didn’t receive wide attention outside of tech publications.” According to Apple’s explanation of what is happening, “a hacker could get ‘full admin access’ to the device,” allowing “intruders to impersonate the device’s owner and subsequently run any software in their name, said Rachel Tobac, CEO of SocialProof Security.” CNN (8/18, Iyengar, Business) reports Apple “said the vulnerability affects iPhones dating back to the 6S model, iPad 5th generation and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models and the 7th generation iPod touch.”
New Research Says TikTok Browser Can Track Users’ Keystrokes
The New York Times (8/19, Mozur, Mac, Che) reported the web browser “used within the TikTok app can track every keystroke made by its users, according to new research that is surfacing as the Chinese-owned video app grapples with US lawmakers’ concerns over its data practices.” The research from Felix Krause, a privacy researcher and former Google engineer, “did not show how TikTok used the capability, which is embedded within the in-app browser that pops up when someone clicks an outside link.” But Krause “said the development was concerning because it showed TikTok had built in functionality to track users’ online habits if it chose to do so.” Jane Manchun Wong, an independent software engineer and security researcher, said, “Based on Krause’s findings, the way TikTok’s custom in-app browser monitors keystrokes is problematic, as the user might enter their sensitive data such as login credentials on external websites.”
Carnegie Mellon, University Of British Columbia Students Win Hacker World Championship
Reuters (8/17) reports that “a team of hackers from two U.S. universities won the ‘Capture the Flag’ championship, a contest seen as the ‘Olympics of hacking,’ which draws together some of the world’s best in the field.” In the “carpeted ballroom of one of the largest casinos in Las Vegas, the few dozen hackers competing in the challenge sat hunched over laptops from Friday through Sunday during the DEF CON security conference that hosts the event.” The winning team “included participants from Carnegie Mellon University, its alumni, and the University of British Columbia.” The contest “involves breaking in to custom-built software designed by the tournament organizers.” Participants “must not only find bugs in the program but also defend themselves from hacks coming from other competitors.”
Colleges Emphasize Student Digital Privacy After Roe Overturn
Inside Higher Ed (8/17) reports that “in the weeks following the Supreme Court’s overturn of Roe v. Wade – the nearly 50-year federal right to abortion access – digital privacy advocates warned of government access to and weaponization of private health information found on period-tracking apps.” Now, some colleges “are warning students that the government is not the only entity that may seek to surveil reproductive health information, and period-tracking apps are not the only digital means for doing so.” College students’ intimate partners, “parents, dorm mates and their colleges, in addition to the government and hackers, may gain access to digital trails that paint a picture of reproductive health decisions.” Further, “web search histories, text messages and location tracking, in addition to apps, all hold potential to expose students’ private health information.” As colleges “adapt to the post-Roe landscape, many have offered students a range of direct, indirect and sometimes outdated messaging about how to protect their virtual privacy.”
Whitworth University Confirms Cyberattack After Weeks Of Rumors
Inside Higher Ed (8/18) reports that “in late July, Whitworth University undergraduate Byron Gustafson tried to access information on his university’s website, but his request did not go through.” At first, he “assumed the glitch was temporary.” But three days later, he “saw a brief post from the university indicating that the institution was experiencing technical difficulties.” In search of more information “than the university provided, he checked the ‘Whitworth Confessions’ Instagram account, where reports circulated widely that the university had been hit by a ransomware attack.” On Wednesday, “nearly three weeks later, Whitworth acknowledged for the first time what many concerned and frustrated students and faculty had suspected all along: the institution had been hit by a cyberattack.” The university “has neither confirmed nor denied rumors that the cyberattack involved ransom.”
dtau...@gmail.com
Code-Generating AI Can Introduce Security Vulnerabilities
TechCrunch
Kyle Wiggers
December 28, 2022
Software engineers who use code-generating artificial intelligence (AI) systems are more likely to cause security vulnerabilities in the apps they develop, according to researchers affiliated with Stanford University. Their study looked at Codex, an AI code-generating system developed by research lab OpenAI. The researchers recruited developers to use Codex to complete security-related problems across programming languages, including Python, JavaScript, and C. Participants who had access to Codex were more likely to write incorrect and “insecure” solutions to programming problems compared to a control group, and they were more likely to say that their insecure answers were secure compared to the people in the control.
Apple Fixes Bug That Let Malicious Apps Skirt macOS' Security Protections
Tech Crunch
Carly Page
December 20, 2022
Microsoft researchers have determined that a flaw in a core macOS security feature could enable attackers to deploy malware on affected devices. The "Achilles" vulnerability exploits the Gatekeeper security feature's Access Control Lists file permissions model, which quarantines apps and files downloaded from a web browser until Gatekeeper checks them. The vulnerability adds extremely restrictive permissions to downloadable files that prevents the quarantine attribute from being set. This means users could download and open malicious files on macOS without Gatekeeper's security protections being triggered. Apple recently reported that the flaw, which was identified in July, had been fixed.
To the Highest Bidder: A Military Database of Fingerprints, Iris Scans
The New York Times
Kashmir Hill; Ismay, John; Christopher F. Schuetze
December 27, 2022; et al.
German security researcher Matthias Marx successfully bid on eBay for a Secure Electronic Enrollment Kit, or SEEK II, which contained the names, nationalities, photographs, fingerprints, and iris scans of 2,632 people, mostly from Afghanistan and Iraq. Many were known terrorists and wanted individuals but others appeared to be people who had worked with the U.S. government or had been stopped at checkpoints. Over the past year, Marx and other researchers at the Chaos Computer Club, a European hacker association, bought six biometric capture devices on eBay, most for less than 200 Euro. Of the six, two of the SEEK II devices had sensitive data on them. The second SEEK II, with location metadata showing it was last used in Jordan in 2013, appeared to contain the fingerprints and iris scans of U.S. service members. “It was disturbing that they didn't even try to protect the data,” Marx said, referring to the U.S. military.
WPost: Schools Should Use Infrastructure Funds To Improve Cybersecurity
A Washington Post (10/18) editorial says, “Ransomware gangs are taking Americans to school. So far this year, hackers have taken hostage the sensitive data of at least 1,735 schools in 27 districts.” The Post argues, “The tech industry can at least slow this scourge. But educators should not rely only on outside help to fix this problem for them. ... Educational institutions can harden their defenses: Last year’s bipartisan infrastructure law authorized $1 billion to help local governments improve their cybersecurity capabilities – and public schools should be top candidates for fortification. ... Building capacity to oust ransomware attackers from the systems they have locked up is another important line of defense. The same bipartisan law created the Cyber Response and Recovery Fund to provide federal aid to breach victims. It has $20 million per year for five years that, if spent on helping schools after” cyberattacks, “could help liberate computer systems in institutions that failed...to observe good cybersecurity hygiene.”
HHS Report: Hackers Using Providers’ Security Tools To Conduct Cyberattacks
HHS recently released a report revealing tools similar to those “that healthcare providers use to operate and maintain secure IT systems can also be weaponized by hackers,” MedCity News (10/11, Adams) reports. HSS’ “report flagged legitimate security tools that are commonly used by providers, including Cobalt Strike and PowerShell.” According to Cerberus Sentinel cybersecurity expert Chris Clements, “cybercriminals’ methods rely on controlling remote computers and avoiding detection.” HHS “clarified that it is not suggesting healthcare organizations abandon the use of these tools altogether, but rather calling providers to evaluate their use based on the ‘merits and drawbacks’ of each tool.”
Uber CSO Convicted Of Covering Up 2016 Data Breach
The Washington Post (10/5, Menn) reports former Uber Chief Security Officer Joe Sullivan was found guilty “of federal charges stemming from payments he quietly authorized to hackers who breached the ride-hailing company in 2016.” Sullivan was convicted Wednesday “of obstructing justice for keeping the breach from the Federal Trade Commission, which had been probing Uber’s privacy protections at the time, and of actively hiding a felony.” The case against him began “when a hacker emailed Uber anonymously and described a security lapse that allowed him and a partner to download data from one of the company’s Amazon repositories.” It came to light “that they had used a stray digital key Uber had left exposed to get into the Amazon account, where they found and extracted an unencrypted backup of data on more than 50 million Uber riders and 600,000 drivers.”
The Verge (10/5, Lawler) reports that the hackers “contacted Uber and negotiated a ransom payment in exchange for a promise to delete the stolen information, paid out in $100,000 worth of Bitcoin, and treated as part of the company’s Bug Bounty program.”
Founder Of “Black Girls In Cyber” Profiled For Her Work Helping Increase Diversity In STEM
The Hill (10/3, Kagubare) reports that “the cybersecurity workforce famously lacks diversity, but for Talya Parker, constantly seeing herself on pandemic-era video conferences as one of the few – if not the only – Black woman was a wake-up call.” Parker, “currently a privacy engineer at Google, said she started conducting a Facebook Live series called ‘Black Girls in Cyber’ where she would invite other Black women in security, privacy and other STEM industries to share their journeys and experiences.” The Facebook events “became popular, garnering a lot of attention, prompting one of her peers to suggest that she start a nonprofit organization to address the diversity challenges in the cyber workforce.”
In 2021, she “founded a nonprofit with the same name as her Facebook Live series, seeking to help women of color transition into cybersecurity, privacy and science, technology, engineering and math (STEM) careers.” The organization “provides mentors, scholarships, training and networking opportunities for its members, often collaborating with historically Black colleges and universities (HBCUs) that offer cyber and STEM programs.” The nonprofit also “partners with corporations to create internships and full-time employment opportunities for members interested in pursuing careers in those fields.”
Senate Majority Leader Calls On FTC, DOJ To Boost Protections Against Cybersecurity Breaches
CNN (10/2, Pellish) reports Senate Majority Leader Schumer called on federal officials on Sunday to boost efforts to protect US consumers from cybersecurity breaches. Speaking to reporters, Schumer said, “I am calling on the Federal Trade Commission, first, to ensure that companies do everything they can to protect consumer data, and on the Department of Justice to fully investigate and go after the hackers that aim to harm Americans.” According to CNN, “Schumer said he wants a stricter requirement for companies to report data breaches to make as many consumers as possible aware of any possible exposure.”
Microsoft Says Hackers Are Using Open Source Software And Fake Jobs For Phishing. ZDNet (9/30, Tung) reported, “Microsoft is warning that hackers are using open source software and bogus social media accounts to dupe software engineers and IT support staff with fake job offers that in reality lead to malware attacks.” A hacking crew linked to North Korean has been using open-source apps and LinkedIn recruitment bait to hit tech industry employees with trojan horses, said Microsoft’s advanced persistent threat (APT) research group.
Hackers Release Los Angeles Unified Data After District Refuses To Pay Ransom
The Wall Street Journal (10/2, Otis, Subscription Publication) reports a criminal group suspected of hacking the Los Angeles public school system released over the weekend some illegally obtained data after Superintendent Alberto Carvalho declined to pay a ransom. The district said it has set up a hotline for students, families, and employees to call with questions and added it would notify anyone whose personal data was impacted by the breach. Carvalho said in a statement Sunday, “Unfortunately, as expected, data was recently released by a criminal organization. In partnership with law enforcement, our experts are analyzing the full extent of this data release.”
The Los Angeles Times (10/2) reports the release of the data “came two days earlier than the deadline set by the syndicate that calls itself Vice Society – and happened in apparent response to what it took as Carvalho’s final answer. Hackers demand ransom to prevent the release of private information and also to receive decryption keys to unlock computer systems.” Screenshots reviewed by the Times “appear to show some Social Security numbers. But the full extent of the release remains unclear.”
Administration, TikTok Reportedly Near Agreement On National Security Issues
The New York Times (9/26, Hirsch, McCabe, Benner, Thrush) reports the Administration and TikTok have “drafted a preliminary agreement to resolve national security concerns posed by the Chinese-owned video app but face hurdles over the terms, as the platform negotiates to keep operating in the United States without major changes to its ownership structure, four people with knowledge of the discussions said.” Under the deal, TikTok would “make changes to its data security and governance without requiring its owner, the Chinese internet giant ByteDance, to sell it, said three of the people, who spoke on the condition of anonymity because the negotiations are confidential.” If completed, an agreement with the Biden Administration “is likely to be highly scrutinized, as TikTok has become a symbol of the Cold War-like atmosphere in relations between Beijing and Washington.” Completing an agreement “may also be difficult at a tricky political moment for the Biden administration, which has stepped up its cadence of criticism and executive actions addressing China.”
TikTok May Face $29M Fine For Failing To Protect Children’s Privacy. The New York Times (9/26, Singer) reports TikTok “may face a fine of £27 million, or about $29 million, for failing to protect children’s privacy in the United Kingdom.” In the “first major case under new British rules protecting minors online, British regulators on Monday sent a warning notice to TikTok saying the company had handled youngsters’ information without appropriate permission from their parents, processed sensitive details without the legal grounds to do so and failed to explain the platform’s data practices in ways that children could easily understand.” While the findings “are provisional, the legal document sent to TikTok by Britain’s data protection agency, the Information Commissioner’s Office, constitutes a formal notification that regulators intend to impose a fine.” The British announcement “comes as the US government is working to resolve national security concerns with TikTok, which is owned by the Chinese internet giant ByteDance.” In a statement, TikTok “said it disagreed with the findings of the Information Commissioner’s Office, noting that they were provisional.”
Big Tech Increasingly Embraces Zero Trust Architecture
The Wall Street Journal (9/24, Mims, Subscription Publication) reports that as hackers increasingly turn to social engineering to dupe Big Tech insiders into giving up information they need to breach corporate systems, industry leaders are embrace zero-trust architecture – a cybersecurity approach that assumes that no matter how robust a company’s external defenses are, hackers can get in.
Proposed Class-Action Suits Allege Facebook Dodged Apple Protections Against Tracking Internet Activity
USA Today (9/22, Schulz) reports that, in a proposed class-action complaint, two Facebook users are suing the company’s parent, Meta Platforms, alleging it worked around Apple’s requirement that users consent to their Internet activity being tracked. Links clicked on in the Facebook app are sent to an in-app browser instead of the smartphone’s default browser, which the lawsuits say allows Facebook to “track their internet activity and collect personally identifiable information, private health details, text entries and other sensitive confidential facts.”
TechCrunch (9/22, Hatmaker) reports the plaintiffs “allege that Meta is not only violating Apple’s policies, but breaking privacy laws at the state and federal level, including the Wiretap Act.” Engadget (9/22, Fingas) reports Meta “claimed its in-app browsers honor privacy decisions, including for ads.”
White House Releases Crypto Regulation Framework
CNBC (9/16, Sigalos) reported the White House on Friday “released its first-ever framework on what crypto regulation in the U.S. should look like – including ways in which the financial services industry should evolve to make borderless transactions easier, and how to crack down on fraud in the digital asset space.” According to CNBC, “The new directives tap the muscle of existing regulators such as the Securities and Exchange Commission and the Commodity Futures Trading Commission, but nobody’s mandating anything yet.” CNBC adds that “the framework follows an executive order issued in March, in which President Biden called on federal agencies to examine the risks and benefits of cryptocurrencies and issue official reports on their findings.”
Federal Regulators Recommend Safeguards For Cryptocurrency Markets
The AP (10/3, Hussein) reports that federal regulators on Monday “recommended a series of new safeguards to ensure that a growing and unregulated cryptocurrency market doesn’t imperil U.S. financial stability.” As part of a package of seven recommendations, regulators “called on Congress to pass legislation that would address the systemic risks caused by the growth of stablecoins, which are a form of cryptocurrency pegged to the price of another financial asset, like the U.S. dollar or gold.” High volatility in cryptocurrency markets, “especially in stablecoins, has made regulators particularly wary about the need for regulation as usage of the digital asset continues to grow.”
Uber Computer System Breached
The New York Times (9/15, Conger, Roose) reports Uber discovered its computer network “had been breached on Thursday,” including “many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.” The Washington Post (9/15) reports Uber’s computer systems were breached “and the company has alerted authorities, the ride-hailing giant said Thursday.” In a tweet, the company said that it was “responding to a cybersecurity incident.” Internal screenshots obtained “by The Washington Post showed the hacker claiming to have wide-ranging access insider Uber’s corporate networks and appeared to indicate the hacker was motivated by the company’s treatment of its drivers.”
Uber Cites Hacker Group Lapsus$ As Responsible For Cybersecurity Incident
Reuters (9/19, Balu) reports Uber on Monday linked a “hacker affiliated with the Lapsus$ hacking group [as] responsible for its cyber attack last week which forced the ride-hailing company to shut several internal communications temporarily.” The company “said it was in close coordination with the FBI and the U.S. Department of Justice on the matter.” CNN (9/19, Fung) reports the attacker did not “access user-facing systems, user accounts, databases containing personal information or the code that powers Uber’s products, the company said.”
Newsom Signs California Juvenile Online Privacy Bill
The New York Times (9/15, Singer) reports California Gov. Gavin Newsom on Thursday signed a bill “that could transform how many social networks, games and other services treat minors” in the state. The new law “will require sites and apps to curb the risks that certain popular features” pose such as facilitating messaging between people who do not know each other otherwise. Additionally, the law will “require online services to turn on the highest privacy settings by default for children.” The law will take effect in July 2024.
The Wall Street Journal (9/15, Bobrowsky, Subscription Publication) reports social media companies must take into account California users’ ages on a new level beginning in 2024. The effective date delay gives them time to analyze what features might pose any harm to children and restrict them by default. The AP (9/15, Thompson) reports this is the first state law of its kind in the United States. Under its tenets, affected companies “have to submit a ‘data protection impact assessment’ to the state’s attorney general before offering new online services, products, or features attractive to children.”
Popular School Messaging App Hacked To Send Explicit Photo To Parents
NBC News (9/14) reports that “a messaging app for parents and teachers said Wednesday that it was hacked after some parents said they had received messages with an explicit photo that is infamous on the internet.” School districts “in Illinois, New York, Oklahoma and Texas all said Wednesday that the photo was sent through the app, Seesaw, to parents and teachers in private chats.” Seesaw, “which, according to its website, is used by 10 million teachers, students and family members, declined to say how many users were affected.” In an emailed statement, “its vice president of marketing, Sunniya Saleem, said that ‘specific user accounts were compromised by an outside actor’ and that ‘we are taking this extremely seriously.’”
Twitter’s Former Security Chief Appears Before Senate Panel To Lay Out Allegations Against Company
The AP (9/13, Gordon, O'Brien, Ortutay) reports Twitter’s former security chief Peiter “Mudge” Zatko “told Congress Tuesday there was ‘at least one agent’ from China’s intelligence service on Twitter’s payroll and that the company knowingly allowed India to add agents to the company roster as well, potentially giving those nations access to sensitive data about users.” These revelations came about when “Zatko, a respected cybersecurity expert and Twitter whistleblower...appeared before the Senate Judiciary Committee to lay out his allegations against the company.” He “told lawmakers that the social media platform is plagued by weak cyber defenses that make it vulnerable to exploitation by ‘teenagers, thieves and spies’ and put the privacy of its users at risk.” The CBS Evening News (9/13) reported Zatko said, “They don’t know what data they have, where it lives or where it came from, and, so, unsurprisingly, they can’t protect it.”
The Washington Post (9/13, Zakrzewski, Menn, Siddiqui, Lima) reports Zatko “testified before Congress that the company’s failure to secure sensitive data causes ‘real harm to real people,’ prompting senators to grapple with Washington’s inability to effectively regulate major social networks.” Zatko’s Senate testimony “said that Twitter executives misled the public, regulators and the company’s own board about its systemically broken defenses against hackers.”
Roll Call (9/13, Ratnam) reports “Zatko also told lawmakers that U.S. regulators are unable to police tech companies, singling out the Federal Trade Commission as being in over its head and allowing tech companies to ‘grade their own homework.’” The federal “practice of slapping companies with one-time fines is ‘priced in’ by Twitter and other tech companies as the cost of doing business, he said.”
Politico (9/13, Kern, Geller) reports “Twitter’s protection of users’ sensitive data is so lax that just about anyone with an account has reason to fear for the security of their accounts – even members of the Senate, the company’s former chief security officer told lawmakers Tuesday.” It is “not far-fetched to say that employees inside the company could take over the accounts of all of the senators in this room,” Zatko testified.
Durbin, Grassley Ask Twitter CEO To Answer Questions About Whistleblower. Reuters (9/13, Shepardson) reports Senate Judiciary Chair Dick Durbin (D-IL) and Sen. Chuck Grassley (R-IA) “on Monday asked Twitter Inc Chief Executive Parag Agrawal to answer questions about” Zatko. The two lawmakers “on Tuesday asked Agrawal to answer questions by Sept. 26 including on Zatko’s allegations [that] Twitter ‘turned a blind eye to foreign intelligence infiltration, does not adequately protect user data and has provided misleading or inaccurate information about its security practices to government agencies.’” Durbin and Grassley “said they had invited Agrawal to testify on Tuesday, but he had declined.”
Google Completes $5.4B Mandiant Acquisition
TechCrunch (9/12, Sawers) reports, “Google has announced that its proposed $5.4 billion bid to buy cybersecurity firm Mandiant is now complete.” Mandiant will now “operate under the auspices of Google Cloud, though the Mandiant brand will live on.” Google Cloud CEO Thomas Kurian wrote in a blog post, “We will retain the Mandiant brand and continue Mandiant’s mission to make every organization secure from cyber threats and confident in their readiness. ... Combining Google Cloud’s existing security portfolio with Mandiant’s leading cyber threat intelligence will allow us to deliver a security operations suite to help enterprises globally stay protected at every stage of the security lifecycle.”
Meta Fined $400M For Breaking EU Data Privacy Laws
The New York Times (9/5, Satariano) reports Meta was fined nearly $400 million for breaking EU data privacy laws for its “treatment of children’s data on Instagram, the latest in a series of steps by authorities in Europe and the United States to crack down on what information is collected and shared by companies about young people online.” Ireland’s Data Protection Commission “said it decided on Sept. 2 to impose what would be one of the largest fines to date under the General Data Protection Regulation... the four-year-old European data privacy law that has been criticized for being weakly enforced.” Meta said it disagreed with the decision and planned to appeal, “setting up what could be a lengthy legal process.”
dtau...@gmail.com
Chinese Researchers Claim to Break Encryption Using Quantum Computers
Financial Times
Richard Waters
January 4, 2023
Scientists in China are claiming they have found a way for current-generation quantum computers to crack the RSA algorithm underlying the most common form of online encryption. The researchers said the encryption could be broken with a 372-quantum-bit (qubit) system using hybrid quantum-classical methods to overcome scaling limitations . They said their algorithm factored a number with 48 bits on a quantum system with 10 qubits. However, the Massachusetts Institute of Technology's Peter Shor pointed out that the team had "failed to address how fast the algorithm will run," as it could "still take millions of years."
Google Home Speakers Could Have Been Hijacked to Spy on You
TechRadar
Sead Fadilpašic
December 31, 2022
Cybersecurity researcher Matt Kunze discovered an exploit that could have enabled the hijacking of Google Home smart speakers to eavesdrop on conversations. Attackers must first be within wireless proximity of the device and monitor media access control addresses with Google-associated prefixes. They can transmit deauthentication packets to sever the device from the network and trigger the setup mode to request device information, then employ that data to link their account to the device and spy on device owners online. Kunze also was able to exploit the "call phone number" command so the device calls the hacker at a specified time and feeds live audio. Kunze reported the bug to Google, which had it patched by April 2022.
Linux Malware Uses 30 Plugin Exploits to Backdoor WordPress Sites
BleepingComputer
Bill Toulas
December 30, 2022
Antivirus vendor Dr. Web disclosed a new Linux malware that exploits 30 flaws in multiple outdated WordPress plugins and themes to inject malicious JavaScript and give attackers remote command capabilities. The vendor said the trojan targets 32-bit and 64-bit Linux systems; it is mainly designed to penetrate WordPress websites via a series of hardcoded exploits that run successively until one breaks through. If the sites run outdated or vulnerable plugins, the malware automatically injects malicious JavaScript from its command-and-control server. The exploit is most effective on abandoned sites, because infected pages can redirect visitors to a location of the hacker's choosing. Dr. Web advised WordPress website admins to update to the latest available version of the themes and plugins running on the site, and to replace those that are no longer developed with alternatives now being supported.
More Colleges Are Blocking TikTok On School Devices And Networks
Diverse Issues in Higher Education (1/5, Kyaw) reports that an increasing number of universities “are scrutinizing or blocking usage of the social media platform TikTok on school devices and networks amid cybersecurity concerns surrounding the video-sharing app.” Its Chinese parent company, ByteDance, “has been gaining attention for connections with Chinese state media and potential influence from the Chinese government. The company was even reported to have been tracking and spying on journalists.” The University of Oklahoma “said in a statement that it will be reviewing potential security concerns related to TikTok.” In response to a ban instituted by Alabama Gov. Kay Ivey (R), “Auburn University has begun work to block and remove TikTok on university-owned devices, at the same time clarifying that there is no general campus ban on the app.”
Higher Ed Dive (1/5) adds that “at least 19 states have banned TikTok in some fashion from government-issued devices. This prohibition has trickled down to public colleges, some of which have restricted the app – like blocking access to it on their wireless networks.” The University System of Georgia, “a collection of 26 public institutions, banned TikTok from all of its computers and mobile devices.” Several Idaho public colleges “began blocking access to TikTok on their networks” after Gov. Brad Idaho (R) “issued an executive order Dec. 14 that barred TikTok on state devices and networks.” Meanwhile, several “Texas public institutions, among them Texas A&M University, the University of Houston and Texas Tech University, have scrubbed TikTok from campus devices and stopped posting on accounts.”
In an opinion piece for Wired (1/5, Maddox), Jessica Maddox, an assistant professor of digital media technology at the University of Alabama, writes that the “panic about TikTok” and its Chinese ownership are “overblown. While some data concerns exist – though none more extreme than those over any US-based social media platforms – policies and discourse around TikTok in politics amount to a modern-day Red Scare.” She points out “social media research and teaching have become staples in academia and higher education curriculums. The app has fundamentally changed the nature of modern communication with its aesthetics, practices, storytelling, and information-sharing.” Beyond the academic concerns of restricting access to TikTok, Maddox says that “without a federal ban on TikTok throughout the United States (which remains staunchly unlikely), it is impossible to put the app back in the proverbial Pandora’s box. And when it comes to educating good media citizens in college classrooms, these TikTok bans will do more harm than good.”
Hackers Leak Records, Email Addresses Of 235M Twitter Accounts
The Washington Post (1/4) reports the records of 235 million Twitter accounts and the “email addresses used to register them have been posted to an online hacking forum, setting the stage for anonymous handles to be linked to real-world identities.” That poses threats of exposure, “arrest or violence against people who used Twitter to criticize governments or powerful individuals, and it could open up others to extortion, security experts said.” The records were likely “compiled in late 2021, using a flaw in Twitter’s system that allowed outsiders who already had an email address or phone number to find any account that had shared that information with Twitter.”
Twitter Hacked, 200M User Email Addresses Exposed
Reuters (1/5, Satter) reports hackers stole the email addresses “of more than 200 million Twitter users and posted them on an online hacking forum, a security researcher said Wednesday.” Alon Gal, co-founder of Israeli cybersecurity-monitoring firm Hudson Rock, called it “one of the most significant leaks I’ve seen.” Twitter has not commented “on the report, which Gal first posted about on social media on Dec. 24, nor responded to inquiries about the breach since that date,” and it was not clear “what action, if any, Twitter has taken to investigate or remediate the issue.”
Teachers, District Leaders Perceive Threat Of Cyberattacks Differently
Education Week (1/5, Klein) reports that “teachers and district leaders perceive the threat of cyberattacks very differently, according to a survey from Clever, a K-12 digital learning platform,” and that perception gap “could be a big problem.” 66 percent of district leaders “think it is ‘very’ or ‘somewhat’ likely that a school near them will be impacted by a cybersecurity incident in the next year, compared with 42 percent of teachers, according to the survey of more than 800 district leaders and 3,000 teachers conducted in October.” As schools “increase their use of technology, it’s even more important for them to protect their data,” with one way being “providing more training and education to every student and staff, according to cybersecurity experts.”
Judge Sets Bankman-Fried Trial For October After Crypto Exec Pleads Not Guilty To Fraud
The Wall Street Journal (1/3, Ramey, Subscription Publication) reports FTX Group founder Sam Bankman-Fried appeared before US District Judge Lewis Kaplan in Manhattan on Tuesday and pleaded not guilty to eight criminal counts, including fraud. The New York Times (1/3, Weiser, Yaffe-Bellany, Goldstein) explains Bankman-Fried faces allegations of carrying out “a multiyear scheme that defrauded customers and lenders” and violating “federal campaign finance laws.” The Times says prosecutors have “accused him of misappropriating billions to buy real estate in the Bahamas, trade digital currencies, invest in other crypto companies and make tens of millions of dollars in campaign donations.” The Times adds that Tuesday’s “hearing was the latest step in an unusually fast-moving investigation. ... Bankman-Fried was arrested on Dec. 12 at his luxury apartment in the Bahamas, where FTX was based until it filed for bankruptcy in November.”
The CBS Evening News (1/3) reported Judge Kaplan scheduled Bankman-Fried’s trial for October 2 and ordered him “to keep his hands off any funds tied to...FTX or his hedge fund trading firm, Alameda Research.” Reuters (1/3, Queen, Cohen) reports the new bail condition came after federal prosecutor Danielle Sassoon “accused Bankman-Fried of seeking to transfer assets to an unnamed foreign country that he thought would be ‘more lenient.’ She said prosecutors were also probing reports late last month that funds were transferred out of Alameda cryptocurrency wallets, though she said there was not evidence Bankman-Fried executed those transactions.”
The Washington Post (1/3, Jacobs) reports the judge also “granted anonymity to two parties who are slated to join Bankman-Fried’s parents” – Stanford University law professor Joseph Bankman and Barbara Fried – in endorsing his $250 million bond. The Post adds that typically, “bond sureties are identified in court and their names are a matter of public record.” However, on Tuesday morning, “Bankman-Fried’s attorneys submitted a letter to Kaplan requesting anonymity for the remaining two bond guarantors, citing safety concerns and noting that Bankman-Fried’s parents...have received alarming communications.” And prosecutors did not oppose the request.
Meanwhile, USA Today (1/3, McCoy, Abdollah) reports that on the same day of Bankman-Fried’s arraignment, US Attorney Damian Williams “announced in a news release that he was launching a task force to investigate matters related to FTX’s collapse. The task force will also try to trace and recover victims’ assets, Williams said. ‘The Southern District of New York is working around the clock to respond to the implosion of FTX,’ Williams said. ‘It is an all-hands-on-deck moment ... to ensure that this urgent work continues, powered by all of SDNY’s resources and expertise, until justice is done.’”
dtau...@gmail.com
GitHub Code Scanning Tech Should Make It Easier to Spot Security Flaws
TechRadar
Sead Fadilpašic
January 10, 2023
A new feature on GitHub allows software developers to scan code for the "default setup" repository to detect incipient security vulnerabilities. The information technology service management company says developers will be able to format the repository automatically, with a minimum of effort. During its beta testing stage, the tool scanned more than 12,000 repositories 1.4 million times and spotted more than 20,000 security flaws; among them were high-severity bugs, including remote code execution, SQL injection, and cross-site scripting. The code scanner is powered by GitHub's CodeQL engine, which is currently available exclusively for Python, JavaScript, and Ruby. GitHub's Walker Chabbott said the company aims to support additional languages by summer.
Hackers Can Trick Wi-Fi Devices into Draining Their Batteries
New Scientist
Matthew Sparkes
January 9, 2023
Security experts at Stanford University, the University of California, Los Angeles, and Canada's University of Waterloo found hackers can fool Wi-Fi-using devices into draining their own batteries by exploiting a unique aspect of wireless network operations. The exploit targets "polite Wi-Fi," in which devices acknowledge and reply to messages from any other wireless devices, even those lacking passwords or permission to be on the same network. The researchers found a $10 device can transmit fake data packets to continuously ping battery-operated Wi-Fi devices and keep them from entering sleep mode, draining their power. Tests on 5,000 devices from 186 manufacturers revealed they were all vulnerable to this exploit.
ChatGPT Is Enabling Script Kiddies to Write Functional Malware
Ars Technica
Dan Goodin
January 6, 2023
Participants in cybercrime forums, some with little or no coding experience, are using ChatGPT, an artificial-intelligent (AI) chatbot launched in November in beta form, to write potential malware, according to a report from security firm Check Point Research. One participant, for example, credited ChatGPT with providing a “nice [helping] hand” to what was claimed to be the first script that person had written. The script, Check Point researchers found, could "easily be modified to encrypt someone's machine completely without any user interaction." Check Point researchers themselves developed malware with full infection flow with the help of ChatGPT; they wrote, "The hard work was done by the AIs, and all that's left for us to do is to execute the attack."
Security Researchers Say They Hacked California's Digital License Plates
Gizmodo
Lucas Ropek
January 9, 2023
Security researcher Sam Curry and colleagues identified a vulnerability in the app and website of Reviver, a company that sells digital license plates in California, Arizona, and Michigan. Taking advantage of the vulnerability, Curry gained "full super administrative access" to "all user accounts and for all Reviver connected vehicles." With such access, the researchers could track registered users' GPS locations, manipulate RPlate data, and report vehicles as stolen. Said Curry, "An actual attacker could remotely update, track, or delete anyone's Reviver plate. We could additionally access any dealer (e.g. Mercedes-Benz dealerships will often package Reviver plates) and update the default image used by the dealer when the newly purchased vehicle still had dealer tags."
Quantum Money Using Mathematics of Knots Could Be Unforgeable
New Scientist
Karmela Padavic-Callaghan
January 7, 2023
Scientists at computing and cryptography startup NTT Research, the University of Texas at Austin (UT Austin), and the Linux Foundation tapped knot theory to propose forging-immune quantum money. The researchers analyzed a quantum monetary system in which calculating invariants — two equivalent knots assigned identical value — for knots and similar classification problems forms the basis for authenticating money. Each unit of currency in the system features a collection of quantum bits (qubits), each with a corresponding knot and a list of invariants present. The check involves analyzing whether the qubits and their invariants match, but determining another list of matching knots is effectively impossible, which renders currency unforgeable. UT Austin's Scott Aaronson said a ledger of who owns what would be unnecessary with quantum money, as everyone could confirm currency themselves by running a calculation on a quantum computer.
Fear Can Inspire Remote Workers to Protect IT Resources
Washington State University
Will Ferguson
January 11, 2023
A study by researchers at Washington State University (WSU), the University of North Texas, and Oklahoma State University found that remote workers are most motivated to protect their employer's IT security when they fear the consequences of a security breach and understand the seriousness of potential security threats. The study compared protection motivation theory, which involves encouraging secure behaviors using fear appeals and threat messages; stewardship theory, which involves motivating employee behavior through moral responsibility; and a combination of the two. In a survey of 339 workers, the researchers found an approach that focused on fear and threats was more effective than a stewardship-based approach, but that promoting the stewardship theory's sense of collectivism increased the efficacy of protection motivation-based methods.
China Turns Its Focus to Deepfakes
The Wall Street Journal
Karen Hao
January 8, 2023
The Cyberspace Administration of China Tuesday began enforcement of its "deep synthesis" technology regulations in an effort to prevent the production of "deepfakes." The regulations ban the use of artificial intelligence-generated content for disseminating "fake news" or information disruptive to the economy or national security. Additionally, providers of such technology must use prominent labels to indicate the images, video, and text it generates are synthetically generated or edited. Stanford University's Graham Webster said, "China is learning with the world as to the potential impacts of these things, but it's moving forward with mandatory rules and enforcement more quickly. People around the world should observe what happens."
North Carolina, Wisconsin Governors Ban TikTok From State Devices
The AP (1/12, Bauer) reports North Carolina and Wisconsin on Thursday became the “latest states to ban the use of TikTok on state phones and other devices, a move that comes after nearly half of the states nationwide have blocked the popular social media app owned by a Chinese company.” Gov. Tony Evers (D-WI) ordered the ban, “which also includes WeChat, after he said he consulted with the FBI and emergency management officials” and he also “cited potential risks to privacy, safety and security.” Evers’ order applies to “most state agencies, with some exceptions like criminal investigators who may be using the app to track certain people.” Gov. Roy Cooper (D-NC), who “like Evers was under pressure from Republicans to enact a ban, cited similar concerns.” Cooper said it is important “to protect state information technology from foreign countries that have actively participated in cyberattacks against the United States.”
Bankman-Fried Launches Newsletter In Response To Criminal Charges
The Washington Post (1/12, Zeitchik) reports FTX Group founder Sam Bankman-Fried on Thursday launched “a newsletter” on the platform Substack “offering an elaborate defense of his actions” related to his cryptocurrency exchange’s collapse. The New York Times (1/12, Yaffe-Bellany, Goldstein) says the newsletter marks Bankman-Fried’s “first detailed response to the criminal charges filed against him last month.” He argued “millions of customers of his collapsed exchange, FTX, could still get their money back.” He wrote, “I didn’t steal funds, and I certainly didn’t stash billions away. ... Nearly all of my assets were and still are utilizable to backstop FTX customers.” The Times points out, “His statement came a day after the lawyers overseeing FTX’s bankruptcy said in court that they had recovered at least $5 billion in funds.”
According to Reuters (1/12, Cohen), “Bankman-Fried did not directly address many of the other charges brought against him by federal prosecutors in Manhattan last month, namely that he misled investors and lenders about the financial conditions of FTX.” However, he “wrote that he had ‘a lot more to say.’” In addition, Bloomberg (1/12, Benny-Morrison) points out Bankman-Fried’s newsletter appears to ignore “widespread advice about speaking publicly in the face of criminal charges.” Bloomberg adds that he has taken similar actions in the past: “As FTX crumbled and filed for bankruptcy late last year, Bankman-Fried embarked on an apology tour, participating in several media interviews and using Twitter to explain his version of events. Legal experts have warned that his public statements would be heavily scrutinized by prosecutors and possibly used in the case against him.”
Meltdown Of Crypto Industry Sharpens Regulatory Debates
Bloomberg (1/7) reported, “It’s harder to argue that your parents should leave you alone when you’ve just smashed up the car. As digital assets lost more than $2 trillion in value and a string of prominent ventures blew up in 2022, most notably the FTX exchange, the debate over cryptocurrency regulation shifted sharply.” Bloomberg adds that the volatility also aggravated “the stakes in a battle that had already been brewing in Congress over which of the nation’s top market regulators, the Securities and Exchange Commission or the Commodity Futures Trading Commission, should take the lead on crypto oversight.” The battle is complicated by the SEC’s declaration that “most digital assets [are] securities, a designation that brings with it an extensive set of requirements.” While regulators have concluded that “crypto’s woes had not destabilized traditional financial markets,” they have also been embarrassed and face “criticism for not having taken actions to head off the industry’s worst abuses.”
Reports Finds New Bills Are Insufficient In Addressing K-12 Cybersecurity Challenges
Education Week (1/6, Langreo) reported that more state policymakers are “recognizing the serious consequences that cyberattacks can have on K-12 schools, but the policy response is ‘still insufficient,’ according to the Consortium for School Networking’s analysis of school-related cybersecurity bills introduced in 2022.” Legislators in 36 states “introduced 232 school-related cybersecurity bills, the report found,” which is “62 more than were introduced in 2021 and more than twice the number of bills introduced in 2020.” Of the bills introduced in 2022, 27 focused on “cybersecurity training requirements” and “provide funding for training, establish a liaison program to assist districts, and develop a cyber assessment and an online database of training resources.” However, the consortium’s report “argued that the new laws are not comprehensive enough to address the cybersecurity challenges school districts face.”
dtau...@gmail.com
Mathematical Trick Lets Hackers Shame People into Fixing Software Bugs
New Scientist
Matthew Sparkes
January 17, 2023
Researchers at the Galois software company have developed a zero-knowledge proof (ZKP) method of using math to verify vulnerabilities in a particular software program, without releasing details of how an exploit works. The idea is to generate public pressure to force a company to release a fix while preventing hackers from exploiting the flaw. Said Galois' Santiago Cuéllar, "There are a lot of frustrated people trying to disclose vulnerabilities, or saying ‘I found this vulnerability, I’m talking to this company and they’re doing nothing’." However, bug bounty hunter Rotem Bar is concerned that ZKPs could generate a "ransom effect" that gives power to the attacker.
Widespread Logic Controller Flaw Raises the Specter of Stuxnet
Ars Technica
Lily Hay Newman
January 11, 2023
Siemens has disclosed that a vulnerability in its SIMATIC S7-1500 series of programmable logic controllers could allow attackers to install malicious firmware and assume full control of the devices. Red Balloon Security researchers discovered the vulnerability, which is the result of a basic error in the cryptography's implementation. However, because the scheme is physically burned onto a dedicated ATECC CryptoAuthentication chip, a software patch cannot fix the vulnerability. Siemens recommended customers assess "the risk of physical access to the device in the target deployment" and implement "measures to make sure that only trusted personnel have access to the physical hardware."
How the Netherlands Is Taming Big Tech
The New York Times
Natasha Singer
January 19, 2023
In the Netherlands, government and educational institutions have pushed big tech companies to make significant privacy changes using a carrot-and-stick approach that involves negotiating their compliance with European data privacy standards. After the Dutch Data Protection Authority said schools would have to discontinue use of Google's education apps if privacy risks were not addressed, Google responded with new privacy measures and transparency tools that will be rolled out in the Netherlands and elsewhere later this year. Zoom also announced substantial changes to its data protection practices and policies after talks with a Dutch cooperative, SURF, that negotiates tech vendor contracts on behalf of the nation's universities and research institutions. Now other nations are looking to the Dutch approach as they seek to regulate big tech.
Canada Launches National Quantum Strategy to Create Jobs, Advance Quantum Technologies
Government of Canada
January 13, 2023
On Jan. 13, Canadian Minister of Innovation, Science, and Industry François-Philippe Champagne announced the launch of Canada's National Quantum Strategy to enhance and expand the country's global quantum technology leadership. With a commitment of C$360 million (about US$268 million), the strategy aims to make Canada an international leader in continued development, implementation, and use of quantum technologies; establish a national secure quantum communications network and post-quantum cryptography support; and support domestic developers and early adopters of new quantum sensing technologies. In addition, the National Research Council of Canada will expand its Internet of Things: Quantum Sensors Challenge program and launch an Applied Quantum Computing Challenge program to turn quantum science and research into economically beneficial commercial innovations adopted by Canadian businesses.
More Public Colleges Are Banning TikTok On Their Networks
The Chronicle of Higher Education (1/19) reports an increasing number of public colleges and universities “are barring TikTok from their internet systems as a slew of states ban the popular video app from state-owned devices. In the last two months, more than two dozen states have issued such bans, prompting many public colleges to tell students they’ll have to log out of the campus Wi-Fi if they want to use the app.” Many governors cited FBI Director Christopher Wray, “who in early December told an audience at the University of Michigan at Ann Arbor that the app raised national-security concerns.” This is because the app’s algorithm “could be used to flood the United States with misinformation, Wray said, and its user data could be harvested for espionage. TikTok is owned by ByteDance Ltd., a Chinese technology company.”
ABC News (1/18) reports several major Texas universities recently announced “they have banned TikTok from government-issued devices and restricted access to the social media app on their internet networks.” The action “aims to bring the campus into compliance with a directive from Texas Gov. Greg Abbott last month that called on state agencies to eliminate the cybersecurity risks posed by TikTok.”
The Conversation (1/18) reports the University of Oklahoma, Auburn University, “and 26 public universities and colleges in Georgia have banned the app from campus Wi-Fi networks. Montana’s governor has asked the state’s university system to ban it.” In addition, some K-12 districts have “blocked the app. Public schools in Virginia’s Stafford, Prince William and Loudoun counties have banned TikTok on school-issued devices and schools’ Wi-Fi networks. Louisiana’s state superintendent of education recommended that schools in the state remove the app from public devices and block it on school-issued devices.”
Apple Faces $5M Class Action Suit In New York Over Deceptive Privacy Policies
Gizmodo (1/18, Germain) says that while it is no surprise “that Apple collects analytics data about how you use your iPhone...a lot of people were surprised to learn that Apple collects that data even when the company’s own privacy settings promise not to.” Apple is now “facing a third class-action lawsuit over the issue, this time in New York state, marking the third legal action against the company over this data dilemma.” The suit seeks “$5 million in damages.” Gizmodo reports, “Paul Whalen, the attorney suing Apple in the New York suit, told Gizmodo he’s worked on a number of high-profile data breach cases over the last 20 years, matters that often involve unintentional errors.” Whalen said, “Those data breaches happened in large part because someone made a mistake that shouldn’t have occurred. ... In this case, with Apple, there doesn’t appear to be a mistake. Apple knowingly promised one thing and did exactly the opposite. That is what makes this case feel so very different.”
dtau...@gmail.com
Hackers Can Make Computers Destroy Their Own Chips with Electricity
New Scientist
Matthew Sparkes
January 19, 2023
Zitai Chen and David Oswald at the U.K.'s University of Birmingham uncovered a bug in the control systems of server motherboards that could be exploited to compromise sensitive information or to destroy their central processing units (CPUs). The researchers found a feature in the Supermicro X11SSL-CF motherboard often used in servers that they could tap to upload their own control software. Chen and Oswald discovered a flash memory chip in the motherboard's baseboard management controller that they could remotely command to send excessive electrical current through the CPU, destroying it in seconds. After the researchers disclosed the flaw to Supermicro, the company said it has rated its severity as "high" and has patched the bug in its existing motherboards.
Improving Data Security for a Hybrid Society
Tokyo University of Science (Japan)
January 23, 2023
Researchers from Japan's Tokyo University of Science (TUS) developed a secure computation method for encrypted data in which all computations are performed on a single server without incurring substantial computational costs. The system features a trusted third party (TTP) that generates random numbers for use in encrypting the data, while four players each use those random numbers to perform a computation and generate secret inputs. The shares, secret inputs, and new values generated by the TTP then are used by a single server to perform a serious of computations, with a final player using these results to reconstruct the computation result. Said TUS's Keiichi Iwamura, "We realize the advantage of homomorphic encryption without the significant computational cost incurred by homomorphic encryption, thereby devising a way to securely handle data."
As Deepfakes Flourish, Countries Struggle with Response
The New York Times
Tiffany Hsu
January 22, 2023
Most countries do not have laws to prevent or respond to deepfake technology, and doing so would be difficult regardless because creators generally operate anonymously, adapt quickly, and share their creations through borderless online platforms. However, new Chinese rules aim to curb the spread of deepfakes by requiring manipulated images to have the subject's consent and feature digital signatures or watermarks. The implementation of such rules could prompt other governments to follow suit. University of Pittsburgh's Ravit Dotan said, "We know that laws are coming, but we don't know what they are yet, so there's a lot of unpredictability."
Report: ChatGPT’s Generated Malware Code Imperfect, But Could Be Future Attack Vector
The Washington Post ’s (1/26) “Cybersecurity 202” newsletter reports ChatGPT users have used “the artificial intelligence chatbot for a wide-ranging array of tasks,” but ChatGPT’s “potential impact in areas such as writing malware is real but limited, concludes a report from Recorded Future out this morning.” Within days of its launch “nearly two months ago, Recorded Future’s report found examples on the dark web” of cybercriminals advertising “buggy, but functional, malware, social engineering tutorials, scams and moneymaking schemes, and more,” all enabled by ChatGPT. Recorded Future found that “while none of these activities have risen to the seriousness of impact of ransomware, data extortion, denial-of-service, cyberterrorism, and so on – these attack vectors remain future possibilities,” it also “said the malicious material they examined falls short of the caliber of malware that nation-backed hackers would use, pointing to additional limitations for the time being.”
FBI Disrupts Major Ransomware Operation That Attacked Hospitals, School Districts
The Washington Post (1/26, Menn, Stein, Schaffer) reports, “The FBI and law enforcement in Europe have shut down a major ransomware operation accused of extorting more than $100 million from organizations across the world by encrypting victims’ computer systems and demanding payments to provide a key to unlock them, U.S. officials said Thursday.” Attorney General Merrick Garland “said the ransomware group called Hive attacked hospitals, school districts, financial firms and others, stealing and sometimes publishing their data.” The AP (1/26, Tucker, Bajak) reports Garland “said the infiltration, led by the FBI’s Tampa office, allowed agents in one instance to disrupt a Hive attack against a Texas school district, stopping it from making a $5 million payment.”
USA Today (1/26, Johnson) reports the FBI “seized a cache of computer servers in Los Angeles supporting the group known as Hive, while foreign law enforcement partners took control of a similar network in Europe to take down the operation which had targeted 1,500 victims in 80 countries.” FBI Director Christopher Wray “said agents were able to secretly infiltrate the Hive networks for seven months where they identified the group’s targets and provided decryption keys to 1,300 victims, averting $130 million in ransom payments.” As of Thursday, no arrests were made, but “the investigation was continuing in the U.S. and across Europe.”
The New York Times (1/26, Qiu) reports Hive affiliates have operated a “so-called double data extortion scheme” since July 2021 “in which hackers encrypt the victims’ data, threaten to leak it online and demand a ransom payment, often worth millions of dollars, to return access and a promise to not publish the stolen information. Through these attacks, the group successfully extorted over $100 million in payments and targeted over 1,500 schools, hospitals, companies and other institutions that officials have deemed critical infrastructure.”
“Catastrophic” Cyberattack Likely Within The Next Two Years, Report Says
The Wall Street Journal (1/24, Breg, Subscription Publication) reports that, according to the World Economic Forum’s Global Cybersecurity Outlook 2023 released at Davos, a catastrophic cyber event is expected within the next two years. The Journal cites attacks on FedEx, A.P. Moller-Maersk, Merck & Co., Sony Pictures Entertainment, and Saudi Aramco as examples.
State Bans Unlikely To Deter College Students From Accessing TikTok
The Washington Post (1/20, A1) reported state officials “have offered no evidence” so far for banning TikTok on government-owned devices, despite claiming it poses a “clear and present danger.” It is “not exactly clear whether the largely symbolic bans are anything more than political grandstanding,” and suggests “officials are trying to pull TikTok into the center of a culture war over what has become one of the most popular and influential social media platforms in America.” Nevertheless, some public university systems, “including in Texas, Georgia and Alabama, have banned the app on campus WiFi networks.” Milton Mueller, a Georgia Institute of Technology professor and co-founder of the Internet Governance Project, researched “the app’s possible risks and came away feeling the panic was overblown.” He said, “We kept asking people: Give us a scenario in how you use TikTok data to threaten our country.”
Inside Higher Ed (1/20) reported many government leaders show concern “about the app’s ability to push propaganda and censor videos that are critical of China. But if the goal is to discourage students from using the app, banning it from campus devices and Wi-Fi is unlikely to have any effect. Not only are students able to access TikTok in other ways; they also don’t see using it – or any app that collects their information – as truly risky.” Rather, cybersecurity experts interviewed for the article “believe the bans are primarily political in nature, focused more on influencing public opinion of the universities than on mitigating any real risk. The bans can help universities appear to be making efforts to protect student data, which is significant as cyberattacks against institutions of higher education become more prevalent.”
Insider (1/22, Hart) reports that as “the ban begins go into effect on college campuses, students are taking to social media to express their frustrations with Texas universities. However, most have chosen to circumvent the ban using their own data and virtual private networks, or VPNs, to access TikTok.”
WPost Calls For Reforming US Privacy Laws Rather Than Banning TikTok. A Washington Post (1/21) editorial conceded some “concerns that TikTok might collect U.S. citizens’ information have some justification” “which is why Congress was right to ban installation of the app on federally issued devices.” However, “the data TikTok collects on the average user...is hardly secret” and would be better addressed by revising the US’ privacy act rather than banning the app. The Post recommended approaching TikTok like “all foreign investment,” promoting “the dynamism and prosperity that result from international exchange, curtailing it only in cases of glaring need.”
dtau...@gmail.com
Stable Diffusion 'Memorizes' Some Images, Sparking Privacy Concerns
Ars Technica
Benj Edwards
February 1, 2023
An international team of artificial intelligence (AI) researchers has formulated an adversarial attack that can exfiltrate a small number of training images from latent diffusion AI image synthesis models such as Stable Diffusion. The researchers estimated an approximately 0.03% memorization rate out of 350,000 high-probability images from the Stable Diffusion training dataset. They also pointed out that this "memorization" is approximate, because the AI model cannot generate identical byte-for-byte duplicates of the training images. One AI authority suggested this research could impact potential image synthesis regulations if the AI models are designated "lossy databases" that can replicate training data.
Continued Mass Shootings Raise Interest In AI-Enhanced Security
ABC News (2/2, Zahn) reports that the use of “artificial intelligence-enhanced security” has increasingly “drawn interest for its promise of apprehending shooters before a shot is fired.” While the AI security industry “touts cameras that identify suspects loitering outside of a school with weapons, high-tech metal detectors that spot hidden guns, and predictive algorithms that analyze information to flag a potential mass shooter,” critics “question the effectiveness of the products, saying companies have failed to provide independently verified data about accuracy” and provide safeguards against violations of privacy and discrimination.
Democratic Senator Urges Google, Apple To Ban TikTok App
CNBC (2/2, Feiner) reports on its website that in a letter sent Thursday, Sen. Michael Bennet (D-CO) “urged the CEOs of Apple and Google to remove TikTok from their mobile app stores immediately...citing widespread concerns that the Chinese government could access information on Americans using the app.” According to CNBC, “The request from Bennet, who sits on the Senate Select Committee on Intelligence, highlights both the growing concern over TikTok’s potential national security risks and the power of Apple and Google have to decide the sort of apps to which Americans can access.” Bennet wrote, “These obvious risks render TikTok, in its current form, an unacceptable threat to the national security of the United States.”
Reuters (2/2, Bartz) reports that Bennet wrote to Alphabet CEO Sundar Pichai and Apple CEO Tim Cook, “No company subject to CCP (Chinese Communist Party) dictates should have the power to accumulate such extensive data on the American people or curate content to nearly a third of our population.”
Apple Hit With Several Legal Actions Pertaining To Assertions Regarding “Surreptitious iPhone Data Collection”
Gizmodo (1/30, Germain) reports Apple “was just hit with a fourth class-action lawsuit over accusations [of] surreptitious iPhone data collection.” Of those legal actions, three were filed during January. Gizmodo adds, “In November, Gizmodo exclusively reported on research demonstrating that your iPhone collects hyper-detailed data about what you do on its apps, like the App Store, Apple Stocks, Apple Music, Apple News, and more – even when you turn off the iPhone Analytics privacy setting, which explicitly promises to stop the snooping.” The aforementioned lawsuits subsequently began to materialize, the first being filed in California, the second being filed by a Pennsylvanian, and third being filed by a New Yorker. The fourth legal action is “from yet another disgruntled Californian, spotted in a new report by the Register.”
dtau...@gmail.com
NIST Selects 'Lightweight Cryptography' Algorithms to Protect Small Devices
NIST News
February 7, 2023
Security experts at the U.S. National Institute of Standards and Technology (NIST) have chosen the Ascon family of cryptographic algorithms to be named as the agency's lightweight cryptography standard later this year. An international team of researchers devised the algorithms to shield information produced and transmitted by the Internet of Things (IoT). NIST's Kerry McKay said the programs should be suitable for most small devices. Some or all of the seven algorithms within the Ascon family may become part of NIST's lightweight cryptography standard. The tasks they perform include authenticated encryption with associated data and hashing, which McKay said are among the most critical in lightweight cryptography.
The People Onscreen Are Fake. The Disinformation Is Real.
The New York Times
Adam Satariano; Paul Mozur
February 7, 2023
Two news anchors for an outlet called Wolf News that were featured in videos posted last year by social media bot accounts were computer-generated avatars used for a pro-China disinformation campaign, according to Graphika, a research firm that studies disinformation. Graphika's Jack Stubbs said, "This is the first time we've seen this in the wild." Stubbs said the availability of easy-to-use and inexpensive artificial intelligence (AI) software "makes it easier to produce content at scale." The fake anchors were created using Synthesia's AI software, which generates "digital twins" primarily used for human resources and training videos. Synthesia's Victor Riparbelli said it is increasingly difficult to detect disinformation and that deepfake technology eventually will be advanced enough to "build a Hollywood film on a laptop."
Americans Flunked Test on Online Privacy
The New York Times
Natasha Singer; Jason Karaian
February 7, 2023
Researchers at the University of Pennsylvania (UPenn), the University of New Hampshire, and Northeastern University analyzing the results of a poll of more than 2,000 American adults found most could not pass a test about online privacy. Few respondents said they trusted how online services managed their personal data, while many seemed unaware of the limitations of federal safeguards for online data collection. The report adds to a growing body of research suggesting the notice-and-consent framework that has long served as the basis for online privacy regulation in the U.S. has become obsolete. “The big takeaway here is that consent is broken, totally broken,” said UPenn's Joseph Turow.
Britcoin? U.K. Closer to Launching Digital Currency
Associated Press
Danica Kirka
February 6, 2023
U.K. authorities, in announcing British businesses and consumers will likely require a digital pound, solicited public comment on the introduction of a central bank-endorsed digital currency. The U.K. Treasury's Jeremy Hunt suggested, "A digital pound issued and backed by the Bank of England (BOE) could be a new way to pay that's trusted, accessible, and easy to use." The BOE says on its website the digital tender would be "reliable and retain its value over time" compared to cryptocurrencies that can waver abruptly and jeopardize investors' assets. The currency would be held in a digital wallet and used to pay for goods and services electronically.
System Prevents Personal Metadata Leakage in Online Behavior for Privacy Protection
City University of Hong Kong
February 6, 2023
The Vizard metadata-protected data collection and analytical platform developed by researchers at City University of Hong Kong and China's Wuhan University ensures data owners can securely define data authorization and control data usage. The researchers based Vizard on a distributed point function tool designed as a generic building block to enable secure/encrypted computations for anonymously retrieving data during computation. They built the platform with stream-specific pre-processing, encryption, and throughput augmentation methods. Vizard also utilizes an owner-centric control model so owners can produce customized data-use requirements by inserting operating keys like "AND," "OR," and "NOT." Vizard can handle a data-access query in just 4.6 seconds, assuming it has stored 10,000 owner data ciphertexts and each owner has specified a policy dictating who can use their data.
dtau...@gmail.com
Securing Supply Chains with Quantum Computing
Sandia Labs News
February 14, 2023
Researchers at Sandia National Laboratories developed a new framework for programming quantum computers that could solve massive optimization problems and help secure the global supply chain. With the new framework, called FALQON (Feedback-based Algorithm for Quantum Optimization), optimization is performed by a quantum computer rather than a classical computer. The idea is that the quantum computer will adapt its structure repeatedly as it completes a calculation. Said Sandia's Alicia Magann, "After I run the first layer of the algorithm, I measure the qubits and get some information from them. I feed that information back to my algorithm and use that to define the second layer. I then run the second layer, measure the qubits again, feed that information back for the third layer, and so on and so forth." Currently, the framework can be tested only on problems that can be solved by classical computers.
Critical Infrastructure at Risk from Vulnerabilities in Wireless IIoT Devices
The Hacker News
Ravie Lakshmanan
February 9, 2023
Researchers at Israeli industrial cybersecurity company Otorio found 38 new security vulnerabilities that could threaten critical infrastructure in wireless industrial Internet of things devices from four vendors. The bugs create a remote entry point for infiltration, allowing unauthenticated parties to gain access and proliferate to other hosts. Otorio's Roni Gavrilov said some of the vulnerabilities could be linked together to enable malefactors to directly access thousands of internal operational technology networks online. Exploits can run the gamut from targeting weak encryption schemes to coexistence attacks focused on combination chips used in many electronic devices. The researchers recommend disabling insecure encryption schemes, concealing Wi-Fi network names, deactivating unused cloud management services, and blocking public access to devices.
Warren Building Bipartisan Support For Her Anti-Crypto Efforts
Politico (2/14, Warmbrodt) reports Sen. Elizabeth Warren (D-MA) “is starting to recruit conservative Senate Republicans to her anti-crypto cause and getting some early positive vibes from bank lobbyists, who also want to rein in digital asset startups.” Warren “has emerged as a lead lawmaker on crypto oversight and is trying to build support behind a bill that would have sweeping implications for the industry via tougher anti-money laundering restrictions, including requirements that more crypto service providers verify customer identities.” Although “crypto advocates are resisting Warren’s push, and some dismiss her as an outlier,” her “budding partnership with GOP lawmakers reflects broader forces that are poised to unite progressives and conservatives, watchdog groups and bankers, who share common cause in wanting to derail the unfettered growth of crypto.”
The Los Angeles Times (2/14, McCaskill) reports the Senate Banking, Housing and Urban Affairs Committee “met Tuesday morning to hear from a trio of expert witnesses about what the federal government can do to create safeguards for digital assets such as cryptocurrency.” The Times says Warren “used the hearing to promote her bipartisan anti-money laundering crypto legislation with Sen. Roger Marshall (R-Kan.).” Warren said, “Big-time financial criminals love crypto. ... Just last year – just in one year – crypto was the payment method of choice for international drug traffickers, who raked in over a billion dollars through crypto; North Korean hackers, who stole $1.7 billion and funneled that money into their nuclear program; and ransomware attackers, who took in almost $500 million. The crypto market took in $20 billion last year in illicit transactions.”
TikTok Takes Action Against Joe Rogan Deepfake Advertisement
Mashable (2/15, Binder) reports TikTok has removed “a video advertisement featuring Joe Rogan and one of his guests on his immensely popular podcast” which “is a likely deepfake, an AI creation with the intent to make it appear as if Rogan endorsed the product in order to boost sales.” A company spokesperson “confirmed to Mashable that the company ‘removed these videos under our harmful misinformation policy’” and “also banned the account.” Mashable notes that “deepfakes aren’t new and have been worrying ethicists and disinformation experts for years now,” but “there is a renewed interest in all things AI since OpenAI’s impressive ChatGPT AI chatbot burst onto the scene.”
Education Groups Say They Want More Federal Funding For Internet Security
Education Week (2/16, Klein) reports that the Federal Communications Commission “put a question to educators late last year: Should the E-rate program, which primarily helps schools and libraries connect to the internet, start allowing districts to use the money for more advanced internet security firewalls?” Eleven education organizations, including the Council of Chief State School Officers, the State Education Technology Directors Association, the Consortium for School Networking, “which represents ed-tech leaders,” and the Council of the Great City Schools, “which represents the leaders of large urban districts,” responded with “an emphatic yes.” They wrote in response to the FCC’s query, “This needed program update serves a vital educational purpose, and will help to ensure continuous, uninterrupted broadband connectivity.”
dtau...@gmail.com
Hackers Could Try to Take Over Military Aircraft; Can Cyber Shuffle Stop Them?
Sandia LabNews
Troy Rummler
February 23, 2023
Researchers at Sandia National Laboratories and Purdue University tested a cyber-shuffling method to thwart attackers attempting to commandeer a military aircraft, and found implementing a moving target defense can shield military standard 1553 onboard computer networks from attacks by a machine learning algorithm. The method constantly shuffles the network addresses of each networked device. The researchers were uncertain it would work because the small 1553 address space complicates randomization, but the tests demonstrated the effectiveness of the moving target defense, provided the defenses designed by cybersecurity engineers are able to counter increasingly refined algorithms. Sandia’s Chris Jenkins said the work “showed that given the right type of technology and innovation, you can take a constrained problem and still apply moving target defense to it.”
How Digital Twins Could Protect Manufacturers from Cyberattacks
NIST News
February 23, 2023
At the U.S. National Institute of Standards and Technology and the University of Michigan, researchers have combined digital twin technology, machine learning, and human expertise into a cybersecurity framework for manufacturers. The researchers constructed a digital twin to mimic a three-dimensional (3D)-printing process, supplemented with information from a real 3D printer. Pattern-recognizing models monitored and analyzed continuous data streams computed by the digital twin as the printer created a part, then the researchers introduced various anomalies. The programs handed each detected irregularity to another computer model to check against known issues, for classification as expected anomalies or potential cyberthreats; a human expert made the final determination. The team found the framework could correctly differentiate cyberattacks from normal anomalies.
U.S. Census Data Vulnerable to Attack Without Enhanced Privacy Measures
Penn Engineering Today
Devorah Fischler
February 21, 2023
A team of researchers led by University of Pennsylvania (Penn) computer scientists confirmed the existence of vulnerabilities that leave U.S. Census data open to exposure and theft. Using a commercial laptop and a basic machine learning algorithm, the researchers were able to reverse-engineer aggregated data released by the U.S. Census Bureau to reveal individual respondents' protected information. Penn's Michael Kearns said, "What's novel about our approach is that we show that it's possible to identify which reconstructed records are most likely to match the answers of a real person. Others have already demonstrated it's possible generate real records, but we are the first to establish a hierarchy that would allow attackers to, for example, prioritize candidates for identity theft by the likelihood their records are correct."
Reporter Able To “Hack” Bank’s Automated Line Using Synthetic Clone Of His Own Voice
Joseph Cox for Vice (2/23, Cox) details how he was able to “hack” a bank’s automated service line by using a synthetic clone of his voice using AI technology, rather than speak himself. Cox was able to access account information such as balances and a list of recent transactions and transfers through this process. According to Cox, “some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank” but says his experiment “shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost.”
Los Angeles Unified Announces Around 2,000 Student Records Were Posted On Dark Web
The Los Angeles Times (2/22, Blume) reports that the Los Angeles Unified School District “disclosed Wednesday that ‘approximately 2,000 student assessment records’ were posted on the dark web as a result of a recent cyberattack, including those for 60 who are currently enrolled.” The posted records “also included an unspecified number of driver’s license numbers and Social Security numbers.” The district statement “did not say to whom those numbers belonged, but the school system does not routinely collect Social Security numbers from students.” The acknowledgment came “in the wake of an article by the 74 website asserting that detailed and sensitive mental health records of ‘hundreds – and likely thousands – of former Los Angeles students’ were published on the dark web.”
The Seventy Four (2/22, Keierleber) reports that the “student psychological evaluations” were published to a “‘dark web’ leak site by the Russian-speaking ransomware gang Vice Society.” People are “likely unaware their sensitive information is readily available online” because the LAUSD “hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists.” Cybersecurity experts “said the revelation that student psychological records were exposed en masse and a lack of transparency by the district highlight a gap in existing federal privacy laws.”
The Los Angeles Daily News (2/22, Harter) reports that the “disturbing new information was provided to the Los Angeles Daily News by Jack Kelanic, senior administrator of IT infrastructure for LAUSD.” The evaluations contain “intimate details about students’ medications, diagnoses, incidents of sexual abuse, home lives, past traumas and behavioral challenges.”
Ransomware Attacks, Payments Declined In 2022 As Defenses Improved
The Wall Street Journal (2/21, McMillan, Volz, Viswanatha, Subscription Publication) reports that ransomware payments fell significantly last year, according to the federal officials and cybersecurity analysts. Mandiant saw 15% percent fewer ransomware intrusions in 2022, while CrowdStrike says the average ransom demand dropped from $5.7 million in 2021 to $4.1 million in 2022, and Chainalysis tracked a drop in ransom payments to just 40% of 2021 totals. Deputy Attorney General Lisa Monaco, speaking Friday at the Munich Cyber Security Conference, said, “We needed to change our orientation…to one where we are putting prevention first, disruption first, and putting victims at the center of our approach,” adding, “we are trying to break the business model of ransomware actors.”
FCC Chairwoman Proposes New Measures To Block Scam Texts
Engadget (2/22) reports FCC Chairwoman Jessica Rosenworcel “has proposed new rules to tackle the scourge of text message scams.” The proposal would require that providers “block robotexts that are ‘highly likely to be illegal,’ chair Jessica Rosenworcel said in a statement.” The proposal, if adopted, “will force providers to block text messages that appear to be from numbers on a do-not-originate list,” which includes “unused, invalid and unallocated numbers, as well as those that government agencies and ‘other well-known entities’ say they don’t send texts from.”
CNET News (2/22, Avery) reports Rosenworcel’s proposed measures “would also extend Do Not Call Registry protections to text messaging and require wireless companies to provide a single point of contact for all text senders.” Rosenworcel said, “We are going to keep at it and develop more ways to take on this growing consumer threat.”
dtau...@gmail.com
Biden National Cyber Strategy Seeks to Hold Software Firms Liable for Insecurity
The Wall Street Journal
Dustin Volz
March 2, 2023
The Biden administration said it would work to enable laws to make software companies liable for products lacking cybersecurity protections. The national cybersecurity strategy drafted by the office of the national cyber director also supports establishing a broader framework of cybersecurity regulations to shield critical infrastructure. It states that any White House-backed legislation should prevent software makers from evading liability by contract and develop higher standards for software in high-risk scenarios; the administration also would strive to protect firms from liability through a safe harbor model. The plan calls for greater collaboration and threat-intelligence sharing between public and private sectors, international alliances to formulate cyber norms, and modernizing federal technology.
Hacker Tool Can Pinpoint a DJI Drone Operator's Exact Location
Wired
Andy Greenberg
March 2, 2023
Researchers at Germany's Ruhr University Bochum and the CISPA Helmholtz Center for Information Security were able to determine the GPS location of drones sold by manufacturer DJI, as well as the GPS coordinates of their operators, by reverse-engineering the drones' radio signals. Deconstructing those signals allowed the researchers to decode the DroneID radio protocol, which allows drones to be monitored by governments, regulators, and law enforcement. The researchers released a prototype tool to receive and decode DroneID data. Their tool was tested on a DJI drone within 15 to 25 feet; the researchers said additional engineering could extend that range.
Are Our Pets Leaking Information About Us?
Newcastle University (U.K.)
February 28, 2023
Computer scientists at the U.K.'s Newcastle University and Royal Holloway, University of London found security and privacy vulnerabilities among 40 Android applications for pets and farm animals such as wearable global positioning system trackers, automatic feeders, and pet cameras. Analysis revealed several apps leak owners' login or location details, including three that exposed login credentials in plain text within non-secure HTTP traffic. Thirty-six apps use tracking software, but the researchers said the apps do not notify users of their privacy policy very well. Advised Newcastle's Scott Harper, "We would urge anyone using these apps to take the time to ensure they are using a unique password, check the settings, and ensure that they consider how much data they are sharing or willing to share."
Researchers Find New Bug 'Class' in Apple Devices
Computer Weekly
Alex Scroxton
February 22, 2023
Researchers at cybersecurity company Trellix say they have discovered a new class of privilege escalation vulnerability in Apple devices, rooted in Israeli spyware maker NSO Group's ForcedEntry exploit. ForcedEntry enabled NSO's government clients to monitor activists, journalists, and political adversaries; Trellix claims iOS and macOS contain bugs that circumvent the upgraded code-signing mitigations Apple deployed to counter the exploit. If uncorrected, the bugs could grant attackers access to sensitive information on target devices, including but not restricted to messages, location data, call history, and photos. Trellix's Austin Emmitt said the vulnerabilities involve the NSPredicate code-filtering tool, whose restrictions Apple fortified with the NSPredicateVisitor protocol.
At Least One Open Source Vulnerability Found in 84% of Code Bases
CSO Online
Apurva Venkat
February 23, 2023
Researchers at application security company Synopsys found 84% of 1,481 analyzed commercial and proprietary code bases contained at least one known open source vulnerability, while 48% contained high-risk vulnerabilities. The researchers observed a 4% increase in the number of known open source vulnerabilities between 2021 and 2022. They also found 91% of the code bases had outdated versions of open source elements, meaning available patches had not been implemented. The researchers explained, "With many teams already stretched to the limit building and testing new code, updates to existing software can become a lower priority except for the most critical issues." They recommended organizations use a software bill of materials to prevent vulnerability exploits and keep open source code up to date.
TREBUCHET: A High-Powered Processor for Cutting-Edge Encryption
USC Viterbi School of Engineering
Julia Cohen
February 23, 2023
University of Southern California researchers were part of a team that developed a co-processor that can speed Fully Homomorphic Encryption (FHE) processing while using significantly less computing power. FHE enables algorithms to perform direct computations on encrypted data, making it more secure, but it requires around 100,000 times more computation than traditional methods. The researchers developed the co-processor, called TREBUCHET, for the Defense Advanced Research Projects Agency's DRIVE Program (Data Protection in Virtual Environments). The tile-based chip features highly parallel Arithmetic Logic Units, which they customized to support wider data words. The researchers also added fast modulo arithmetic circuits, widened the on-chip networks, and redesigned the memory architecture and management.
Registration For Space Systems Command’s Hack-A-Sat Competition Begins
ExecutiveGov (3/2, Bennet) reports, US Space Systems Command has begun the “registration period for Hack-A-Sat, an annual satellite-hacking competition challenging security researchers to address cybersecurity obstacles in space technologies.” Hack-A-Sat is in its fourth year “and will take place in both on-orbit and digital twin environments for the first time, SSC said Tuesday.” The competition was conceptualized “by the U.S. Air Force, Space Force, and the security research community, and was previously held either in a physical laboratory hardware or in a digital twin platform.” For Hack-A-Sat 4, participants “will experiment on the on-orbit satellite Moonlighter, which is targeted for launch in early summer.”
dtau...@gmail.com
Breakthrough Enables Perfectly Secure Digital Communications
University of Oxford Department of Engineering Science (U.K.)
March 7, 2023
An algorithm developed by researchers at the U.K.'s University of Oxford and Carnegie Mellon University hides sensitive information in a way that makes it impossible to detect anything has been concealed. Based on steganography, the algorithm uses minimum entropy coupling, in which two distributions of data are combined to maximize their mutual information while preserving the individual distributions. Oxford's Christian Schroeder de Witt said, "Our method can be applied to any software that automatically generates content, for instance probabilistic video filters, or meme generators. This could be very valuable, for instance, for journalists and aid workers in countries where the act of encryption is illegal."
Detection Stays Ahead of Deepfakes — for Now
IEEE Spectrum
Matthew Hutson
March 6, 2023
Computer scientists are developing more advanced algorithms for generating synthetic content, at the same time they are creating counter-algorithms to detect such content. Intel's Real-Time Deepfake Detector, slated for release this spring, will include FakeCatcher, which can identify facial changes due to blood flow. Developed by researchers at Intel and Binghamton University, FakeCatcher cannot be reverse-engineered easily to train a generation algorithm to get better at fooling it. Among other detection tools, researchers at the University of Florida developed a system that models the human vocal tract and can determine if an audio recording is biologically plausible. When it comes to detecting synthetic text, the University of Maryland's Tom Goldstein said the diversity in how people use language and a dearth of signal means it likely will lag other forms of detection.
Quantum Computers That Use 'Cat Qubits' May Make Fewer Errors
New Scientist
Karmela Padavic-Callaghan
March 5, 2023
Researchers in France found so-called "cat qubits” (quantum bits) could reduce errors by quantum computers and accelerate the cracking of common encryption algorithms. Named after Erwin Schrödinger's thought experiment, cat qubits combine two quantum states while describing two different ways in which light within a small hole in a superconducting circuit can shuttle back and forth. The researchers analyzed a quantum computer comprised of such circuits and estimated 126,133 cat qubits and nine hours of computation would be sufficient to break bitcoin encryption. Jérémie Guillaud at French quantum computing company Alice&Bob said this value is roughly 160 times smaller than the previous lowest estimate of 20 million necessary qubits, because cat qubits are programmed to generate few or no bit flip errors.
EV Charging Infrastructure Offers Cyberattack Opportunity
Dark Reading
Robert Lemos
March 3, 2023
Scientists have uncovered multiple cyberattack vulnerabilities in electric vehicle (EV) charging infrastructure. Researchers at energy-network cybersecurity firm Saiflow found two bugs in the Open Charge Point Protocol that could be exploited in distributed denial-of-service attacks and to steal data, while the Idaho National Laboratory exposed flaws in Electric Vehicle Supply Equipment. "Most EV chargers can be considered an Internet of Things technology, but they are one of the first that has control over such a significant amount of electrical load," said Phil Tonkin at industrial cybersecurity provider Dragos. "The aggregated risk of so many devices, often connected to a small number of single systems, means that devices of this type need to be implemented with care." Experts at Sandia National Laboratories recommend the U.S. government enhance EV owner authentication and authorization, strengthen the charging infrastructure's cloud security, and make charging units tamper-proof.
CrowdStrike: Cyberattacks On Cloud Systems Boomed In 2022
Axios (3/7, Sabin) reports hackers are “quickly finding” exploits and flaws in “cloud infrastructure despite perceptions that the technology is ironclad against cyberattacks.” Despite the “billions of dollars” organizations have invested “in recent years to move their digital data from traditional, on-premise enterprise storage solutions to the cloud,” that “high price of relocating data” is yielding diminishing returns when it comes to protection against hackers. According to CrowdStrike, cyberattacks “exploiting cloud systems nearly doubled in 2022, and the number of hacking groups that can target the cloud tripled last year.” CrowdStrike Senior Vice President of Intelligence Adam Meyers says, “As more organizations are moving into the cloud, it becomes a much more attractive target for these threat actors, and they’re spending more time and resources trying to get into that environment.”
PayPal Ventures Invests In Cybersecurity Company Deep Instinct
PYMNTS (3/7) reports, “Cybersecurity company Deep Instinct has added PayPal Ventures to its existing investor base.” Deep Instinct will use the new funding to “accelerate the growth of the company and its threat prevention technology powered by deep learning.” PayPal Ventures Partner Alan Du said in a press release, “Deep Instinct has developed an industry-leading threat prevention platform, allowing enterprises to get ahead of cybercriminals and malicious threats...We’re thrilled to invest in Deep Instinct and believe the company will help move the cybersecurity industry beyond its current detection and remediation focus to a prevention-first model.”
EPA Requiring Water Systems To Report Cybersecurity Threats
The AP (3/3, Naishadham) reported that the EPA on Friday announced it would start requiring water utilities to report cybersecurity threats to the agency. EPA Assistant Administrator Radhika Fox “said the EPA would assist states and water systems in building out cybersecurity programs, adding that states could begin using EPA’s guidance in their audits right away.” Attention was first called to water infrastructure cybersecurity in 2021 when a hacker attempted to increase the sodium hydroxide levels in a Florida town’s water supply by a factor of 100. “Biden administration officials said recent surveys show that states are inconsistent in their efforts to protect drinking water systems from cyberattacks – mainly on the operational technology used for safe drinking water.” The new mandate comes “a day after the White House released a wide-ranging cybersecurity plan to counter rising threats to government agencies, private industry, schools, hospitals and other key infrastructure that are often breached.”
Also reporting are Bloomberg (3/3, Turton) and The Hill (3/3)