Dr. T's security brief


dtau...@gmail.com

Feb 29, 2020, 6:08:35 PM
to sec-...@googlegroups.com

Computer Scientists' Tool Fools Hackers into Sharing Keys for Better Cybersecurity
UT Dallas News Center
Kim Horner
February 27, 2020


University of Texas at Dallas (UT Dallas) computer scientists, in collaboration with researchers at IBM's Thomas J. Watson Research Center and the Jordan University of Science and Technology in Jordan, have developed a method of luring hackers to a decoy site to probe their tactics, in order to train computers to identify and thwart future intrusions. The DEEP-Dig (DEcEPtion DIGging) technique is designed to surmount a shortage of data needed to train computers to detect hackers, yielding insights into intruders' strategies as they break into decoy sites filled with disinformation. The method also could potentially help cybersecurity defense systems keep pace with shifting hacker tactics. UT Dallas' Kevin Hamlen said, "When an attacker tries to [deceive the program], the defense system just learns how hackers try to hide their tracks."

Full Article

'Surfing Attack' Hacks Siri, Google with Ultrasonic Waves
The Source (Washington University in St. Louis)
Brandie Jefferson
February 27, 2020


A multi-institutional collaboration led by Washington University in St. Louis (WUSL) researchers has demonstrated a "surfing attack" that uses ultrasonic waves to hijack voice-recognition systems on cellphones, including those used by Siri and Google. Such waves can propagate through solid surfaces to activate these systems, and allow hackers to hear the phone's response with additional equipment. WUSL's Ning Zhang and colleagues sent voice commands to cellphones on a table near the owner, using a microphone to communicate back and forth with the phone and control it remotely. A piezoelectric transducer converted electricity into ultrasonic waves, while a waveform generator produced the correct signals to command the phone. Tests on 17 cellphone models showed that all but two were exploitable, and that the waves could propagate through metal, wood, glass, and plastic.

Full Article

Sandboxing Approach Increases Browser Security
UT News
Marc Airhart
February 25, 2020


Researchers at the University of Texas at Austin (UT Austin), the University of California, San Diego, Stanford University, and Mozilla have developed a new Web browser security scheme, initially deployed in the Firefox browser for the Linux operating system. It builds on WebAssembly, a mechanism created to accelerate Web apps that run within a browser while keeping them inside "secure sandboxes" so that a malicious app cannot hijack the browser. The new RLBox framework uses the same kind of sandbox to isolate the browser's third-party libraries, such as the components that decode media files, so that a bug in one of those libraries can no longer be used to take over the rest of the browser. UT Austin's Hovav Shacham said, "The hope is that at some point, bugs in all of those libraries become useless for hacking Firefox. And if that happens, then user security would be greatly improved."

Full Article

Attackers Can Impersonate Other Mobile Phone Users
Ruhr-University Bochum
Julia Weiler
February 17, 2020


Researchers at Ruhr-University Bochum (RUB) in Germany exploited a weakness in the LTE (4G) mobile communication standard to impersonate mobile phone users, to the extent of being able to open subscriber accounts or publish sensitive documents under someone else's identity. Data packets between the mobile phone and the base station are encrypted, but their integrity is not protected, so an attacker in the radio path can modify them without the change being detected. The researchers used this to turn encrypted data traffic back into plain text, and to have commands of their choosing encrypted by the phone and forwarded to the provider as if the subscriber had sent them. The vulnerability affects all devices that communicate via LTE. The researchers are working to have the weakness corrected in the 5G standard, but as RUB's David Rupprecht observed, "Mobile network operators would have to accept higher costs, as the additional protection generates more data during the transmission."

Full Article
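
The weakness behind this attack, as an added, constructed illustration that is not the RUB researchers' code: a packet encrypted by XORing a keystream onto it, with no integrity tag, can have chosen bits flipped by someone who cannot read it, and the receiver decrypts the flipped bits as if the sender had written them. The keystream here is a toy built from SHAKE256 standing in for the real LTE cipher, the packet layout (a 4-byte destination address followed by a payload), the addresses, the packet counter and the short 4-byte tag are all made up; only the XOR structure and the missing-versus-present integrity check are the point.

```python
import hashlib
import hmac

DST_LEN = 4   # constructed packet layout: 4-byte destination address, then payload
TAG_LEN = 4   # short tag for readability; real integrity tags are longer


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Toy PRF keystream indexed by a per-packet counter (the analogue of the
    packet counter a real LTE cipher is keyed with). Not the LTE cipher itself."""
    return hashlib.shake_256(key + count.to_bytes(4, "big")).digest(length)


def encrypt(key: bytes, count: int, packet: bytes) -> bytes:
    return xor(packet, keystream(key, count, len(packet)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def redirect(ciphertext: bytes, old_dst: bytes, new_dst: bytes) -> bytes:
    """Attacker in the radio path. Needs the original destination (known or
    guessed), not the key: XORing (old ^ new) into the destination bytes makes
    the receiver decrypt new_dst there; every other byte is left unchanged."""
    delta = xor(old_dst, new_dst)
    return xor(ciphertext[:DST_LEN], delta) + ciphertext[DST_LEN:]


def _mac_key(key: bytes) -> bytes:
    # Separate MAC key derived from the session key (constructed derivation).
    return hashlib.sha256(b"integrity-key" + key).digest()


def seal(key: bytes, count: int, packet: bytes) -> bytes:
    """Encryption plus a MAC over (count, ciphertext): what integrity protection adds."""
    c = encrypt(key, count, packet)
    tag = hmac.new(_mac_key(key), count.to_bytes(4, "big") + c, hashlib.sha256).digest()[:TAG_LEN]
    return c + tag


def open_sealed(key: bytes, count: int, blob: bytes):
    """Returns the packet, or None if the tag does not verify (receiver drops it)."""
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_mac_key(key), count.to_bytes(4, "big") + c, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key, count, c)


def demo(key: bytes = bytes(16), count: int = 7) -> dict:
    """Walk one packet through the radio path with and without integrity protection."""
    victim_dst = bytes([10, 0, 0, 5])         # constructed: where the phone meant to send
    attacker_dst = bytes([192, 168, 1, 99])   # constructed: a host the attacker controls
    packet = victim_dst + b"GET /private HTTP/1.1"

    # Without integrity: the tampered packet decrypts cleanly, now addressed to
    # the attacker. A network that decrypts and forwards it hands the attacker
    # the plaintext, which is how encrypted traffic is turned back into plain text.
    tampered = redirect(encrypt(key, count, packet), victim_dst, attacker_dst)
    without_integrity = decrypt(key, count, tampered)

    # With integrity: the same bit flips invalidate the tag and the packet is dropped.
    tampered_sealed = redirect(seal(key, count, packet), victim_dst, attacker_dst)
    with_integrity = open_sealed(key, count, tampered_sealed)

    return {
        "original": packet,
        "without_integrity": without_integrity,
        "with_integrity": with_integrity,
        "untampered_sealed_ok": open_sealed(key, count, seal(key, count, packet)) == packet,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The attacker never learns the key and never sees the payload; knowing, or guessing, what the destination field held is enough to rewrite it. The cost Rupprecht refers to is visible in `seal`: every packet grows by the tag, which is the price of the receiver being able to reject `tampered_sealed`.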

Protecting Sensitive Metadata So It Can't be Used for Surveillance
MIT News
Rob Matheson
February 26, 2020


Massachusetts Institute of Technology (MIT) researchers have developed a scalable metadata-protection scheme to shield the communications metadata of millions of network users against possible state-level surveillance. In the Crossroads (XRD) scheme, users send messages wrapped in multiple layers of encryption through several chains of servers, with the chains arranged so that each contains at least one honest, uncompromised server with overwhelming probability. Each server strips one encryption layer and randomly shuffles the batch of messages before passing it to the next server in the chain; the final server removes the last layer and delivers the message to its recipient. XRD also uses aggregate hybrid shuffle, a cryptographic proof technique that lets the system verify that servers received and shuffled the messages correctly, so that a misbehaving server can be identified. MIT's Albert Kwon said, "We want to get to the point where we're sending metadata-protected messages in near-real-time."

Full Article
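
The chain-of-servers design described above, as an added, constructed model rather than XRD's own code. Assumptions that differ from the real system: the sender shares a symmetric key with every server in the chain (XRD uses public-key hybrid encryption), each per-server layer is a toy keystream built from SHAKE256, and no proof of correct shuffling is produced. The keys, messages and the choice of which servers are honest are made up. What it does show is the property the paragraph relies on: every server sees only its own layer, the bytes leaving a server share nothing with the bytes that entered it, and linking a delivered message to its sender needs the permutation of every server in the chain, so one honest server is enough.

```python
import hashlib
import os
import random

NONCE_LEN = 8
MSG_LEN = 32   # every message padded to one size so ciphertexts cannot be told apart by length


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric layer: XOR with SHAKE256(key || nonce). Applying it again strips it."""
    return xor(data, hashlib.shake_256(key + nonce).digest(len(data)))


def wrap(message: bytes, server_keys: list) -> bytes:
    """Sender side: one layer per server, outermost for the first server in the
    chain. Each layer carries its own fresh nonce, so what leaves a server has
    no bytes in common with what entered it."""
    if len(message) > MSG_LEN:
        raise ValueError("message too long for the fixed-size slot")
    blob = message.ljust(MSG_LEN, b"\x00")
    for key in reversed(server_keys):
        nonce = os.urandom(NONCE_LEN)
        blob = nonce + layer(key, nonce, blob)
    return blob


class MixServer:
    """Strips its own layer from every message in a batch, then shuffles the batch.
    A compromised server leaks its permutation to the adversary."""

    def __init__(self, key: bytes, honest: bool = True):
        self.key = key
        self.honest = honest
        self.perm = None   # output slot j held input slot perm[j]

    def process(self, batch: list) -> list:
        stripped = [layer(self.key, b[:NONCE_LEN], b[NONCE_LEN:]) for b in batch]
        perm = list(range(len(batch)))
        random.SystemRandom().shuffle(perm)
        if not self.honest:
            self.perm = perm
        return [stripped[j] for j in perm]


def run_chain(messages: list, servers: list) -> list:
    """Returns the padded plaintexts in the order the last server emits them."""
    batch = [wrap(m, [s.key for s in servers]) for m in messages]
    for server in servers:
        batch = server.process(batch)
    return batch


def candidate_senders(servers: list, out_index: int, n: int) -> set:
    """Adversary's view: trace one output slot back towards the senders. A
    compromised server's permutation is inverted exactly; the first honest
    server met on the way back makes every one of the n senders possible."""
    cands = {out_index}
    for server in reversed(servers):
        if server.honest:
            return set(range(n))
        cands = {server.perm[j] for j in cands}
    return cands


def demo() -> dict:
    keys = [os.urandom(16) for _ in range(3)]                      # constructed server keys
    messages = [b"alice -> bob: hi", b"carol -> dave: ok", b"erin -> frank: ?"]
    n = len(messages)

    # Chain with one honest server in the middle: delivery works, linking does not.
    one_honest = [MixServer(k, honest=(i == 1)) for i, k in enumerate(keys)]
    out = run_chain(messages, one_honest)
    linkable = any(len(candidate_senders(one_honest, j, n)) == 1 for j in range(n))

    # Chain where every server is compromised: the adversary links each output exactly.
    all_bad = [MixServer(k, honest=False) for k in keys]
    out2 = run_chain(messages, all_bad)
    linked = all(candidate_senders(all_bad, j, n) == {messages.index(p.rstrip(b"\x00"))}
                 for j, p in enumerate(out2))

    return {
        "delivered": sorted(p.rstrip(b"\x00") for p in out) == sorted(messages),
        "linkable_with_one_honest": linkable,
        "linked_when_all_compromised": linked,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` delivers every message in both chains, but the trace in `candidate_senders` collapses to "any of the three senders" as soon as it meets the honest server, and resolves to a single sender only when all three servers leak their permutations. XRD's proof of correct shuffling, omitted here, addresses the remaining problem this toy ignores: a server that drops or duplicates messages instead of merely recording its permutation.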

Mixed-Signal Hardware Security Thwarts Electromagnetic Attacks
Purdue University News
Chris Adam
February 19, 2020


Researchers at Purdue University have developed technology that addresses physical-layer vulnerabilities in Internet-connected devices with a physical-layer defense. The system uses mixed-signal circuits to embed the crypto core within signature-attenuation hardware built in the lower-level metal routing layers, so that the critical signature is suppressed before it reaches the higher-level metal layers and the supply pin, significantly reducing the leakage of electromagnetic and power-consumption information. Purdue's Debayan Das said side-channel attacks "are becoming a significant threat to resource-constrained edge devices that use symmetric key encryption with a relatively static secret key like smart cards." Das added, "Our protection mechanism is generic enough that it can be applied to any cryptographic engine to improve side-channel security."

Full Article

Rice University Boosts 'Internet of Things' Security—Again
Rice University
Mike Williams
February 18, 2020


Researchers at Rice University have developed a technique to improve security for Internet of Things (IoT) devices significantly, while using far less energy. The new technique is a hardware solution based on the power management circuitry found in most central processing chips. The method leverages power regulators to muddle information leaked by the power consumption of encryption circuits. A breakthrough last year by the team generated paired security keys based on fingerprint-like defects unique to every computer chip. “This year, the story is similar, but we are not generating keys,” said Rice's Kaiyuan Yang. “We are looking at defending against a new type of attack that is specifically for IoT and mobile systems."

Full Article

Mobile Phishing Scam Targeted Bank App Users; Thousands Clicked Through
ZDNet
Danny Palmer
February 14, 2020


Researchers at cybersecurity company Lookout uncovered a phishing campaign that attempts to fool mobile banking app users into disclosing their login information. Nearly 4,000 smartphone users clicked through to the phishing sites. The attackers designed a message to trick targets into visiting websites masquerading as major U.S. and Canadian banks, claiming to have detected unusual activity on the user's account. By sending enough messages naming different banks to enough users, the attackers ensure that some messages reach a customer of the bank named, and some of those victims will click through to a bogus site. The site then attempts to pry enough personal credentials from victims to take over their accounts. Lookout's Apurva Kumar said the campaign demonstrates "how easy it is for a less-computer-savvy person to get into the phishing business by buying an 'off-the-shelf' phishing kit."

Full Article

Google Moves U.K. User Data to U.S. to Avert Brexit Risks
Financial Times
Madhumita Murgia
February 20, 2020


Google will move all data related to U.K.-based users of its services—including Gmail, YouTube, and the Android Play store—from Ireland to the U.S. as it aims to avoid legal issues following Brexit. If the U.K. and the EU fail to agree on a data-sharing deal by the end of this year, it will be illegal to transfer and process data between Britain and the European bloc. Google is likely skeptical of the U.K.'s ability to retain its "adequacy" status with the EU, which would allow free flow of data. Said Michael Veale at University College London Faculty of Laws, “Google would be exposed to considerable risk of illegality in relation to data transfers between Ireland and the U.K., as it would have to find another way to legalize the processing—and these ways are fast disappearing.”

Full Article

*May Require Paid Registration

Department Of Defense To Adopt AI Ethics Principles

The AP (2/24) reports that DoD "is adopting new ethics principles as it prepares to accelerate its use of artificial intelligence technology on the battlefield." The new principles call for "people to 'exercise appropriate levels of judgment and care' when deploying and using AI systems, such as systems that scan aerial imagery to look for targets." Additionally, decisions made by AI "should be 'traceable' and 'governable,' which means 'there has to be a way to disengage or deactivate' them if they are demonstrating unintended behavior, said Air Force Lt. Gen. Jack Shanahan, director of the Pentagon's Joint Artificial Intelligence Center." University of Richmond Assistant Professor of Law Rebecca Crootof "said that adopting principles is a good first step, but that the military will need to show it can critically evaluate the huge data troves used by AI systems, as well as their cybersecurity risks." The new guidelines follow recommendations made last year by the Defense Innovation Board.

Cryptographic 'Tag of Everything' Could Protect Supply Chain
MIT News
Rob Matheson
February 20, 2020


Massachusetts Institute of Technology (MIT) researchers have created a cryptographic identity tag that can be attached to virtually any product in order to verify its authenticity. The millimeter-sized "tag of everything" runs on the small amount of power supplied by photovoltaic diodes and transmits data via a backscatter technique that needs no transmit power of its own. To secure its communications, the tag runs an elliptic curve cryptography scheme whose algorithms have been optimized to need very little power. MIT's Mohamed I. Ibrahim said, "We think we can have a reader as a central hub that doesn't have to come close to the tag, and all these chips can beam-steer their signals to talk to that one reader."

Full Article

Reliability of Pricey New Voting Machines Questioned
Associated Press
Frank Bajak
February 23, 2020


Computer security experts continue to express doubts that expensive new voting machines are reliable, considering them almost as risky as earlier discredited electronic systems. Called ballot-marking devices, the machines have touchscreens for registering voter choices and print out paper records scanned by optical readers. South Carolina voters will use the systems, which are at least twice as expensive as the hand-marked paper ballot option, in Saturday's primary. Daniel Lopresti, a computer scientist at Lehigh University and a South Carolina election commissioner, said, "What we worry is, what happens the next time if there's a programming bug, or a hack or whatever, and it's done in a way that's not obvious?" Said University of South Carolina’s Duncan Buell, "I don't know that we've ever seen an election computer, a voting computer, whose software was done to a high standard."

Full Article
