Dr. T's security brief


Daniel Tauritz

Apr 15, 2023, 6:39:34 PM
to sec-...@googlegroups.com

U.S. Cracked $3.4-Billion Crypto Heist, Bitcoin's Anonymity
The Wall Street Journal
Robert McMillan
April 12, 2023


U.S. authorities cracked bitcoin's anonymity and unraveled a $3.4-billion cryptocurrency heist by exploiting permanent and transactional evidence in the blockchain's online ledger. The authorities used this strategy to unmask James Zhong's crypto theft, stolen via a software bug that enabled fraudulent bitcoin withdrawals on the Silk Road online marketplace. Since then, government officials and private companies have essentially aggregated a blockchain address book from earlier investigations to help federal, state, and local authorities probing cybercrimes. Blockchain analytics firm Chainalysis said it has surveyed more than 1 billion wallet addresses, filtering out legitimate and dubious assets and identifying crypto exchanges. Blockchain analytics charts the flow of cryptocurrency owned by individuals and groups; the Internal Revenue Service says the U.S. has recovered more than $10 billion in stolen digital currency through prosecutions in the past two years.

Full Article

ACM Prize in Computing Recognizes Yael Tauman Kalai for Fundamental Contributions to Cryptography
ACM
April 12, 2023


ACM has named Yael Tauman Kalai to receive the 2022 ACM Prize in Computing for fundamental contributions to cryptography that have influenced modern practices. Kalai created techniques for generating succinct proofs that certify the correctness of any computation, allowing weak devices to offload any computation to stronger devices while upholding efficient correctness checks. Her research spearheaded the study of "doubly efficient" interactive proofs, which guarantee small computational overhead on strong devices, making verifiable delegation practical. Kalai's cryptographic development of certificates of computation tapped quantum informational "non-signaling" strategies to erect a one-round delegation scheme for any computation. ACM President Yannis Ioannidis described Kalai as “a true star all around,” adding, “she has also established herself as a respected mentor, inspiring and cultivating the next generation of cryptographers.”

Full Article


OpenAI Will Pay People to Report Vulnerabilities in ChatGPT
Bloomberg
Rachel Metz
April 11, 2023


OpenAI announced a new bug bounty program that will offer people $200 to $20,000 to find and report vulnerabilities in the ChatGPT chatbot. The artificial intelligence (AI) company is opening the program in association with bug bounty platform Bugcrowd. OpenAI said it established the program partly because it thinks "transparency and collaboration" are critical to uncovering flaws in its technology, while OpenAI head of security Matthew Knight blogged that the effort "is an essential part of our commitment to developing safe and advanced AI." The Bugcrowd page for the bounty program indicates certain safety issues related to the models are disqualified from rewards, including jailbreak prompts or queries that prompt the writing of malicious code, or questions that cause the model to say bad things to users.

Full Article


Company Debuts 'World's First Smart Gun' with Fingerprint Unlocking System
CBS News
Annie Gimbel
April 13, 2023


U.S.-based Biofire Technologies says it has developed what it is calling the world's first biometric smart gun, a 9-mm firearm secured by fingerprint and three-dimensional infrared (IR) facial recognition. IR sensors in the grip keep the gun armed while an authorized user is holding it, making continuous biometrics authentication unnecessary. A rechargeable lithium-ion battery powers the gun; Biofire said the battery lasts for several months with average use and can maintain continuous fire for several hours. Biofire founder Kai Kloepfer said, "We've applied high-precision engineering principles to make a meaningful impact on preventable firearm deaths among children."

Full Article


Simulating a Secure Future
KAUST Computer, Electrical and Mathematical Sciences and Engineering (Saudi Arabia)
April 2, 2023


Researchers at Saudi Arabia's King Abdullah University of Science and Technology (KAUST) have designed multifunctional logic gates that can enhance the security of semiconductors. The researchers investigated polymorphic gates fabricated from magnetic tunnel junctions (MTJs), which are easily switched by reversing the relative orientation of their ferromagnetic layers' magnetic spins. The team proved the gates' circuit- and layout-level symmetry can thwart tampering and intellectual property theft by complicating reverse-engineering. Hard drives employ MTJs, creating the potential for integrated memory and processing, which could reduce power consumption and interconnect delays. KAUST's Yehia Massoud expects spintronic devices will contribute significantly to hardware security as they "are energy efficient and nonvolatile and are easily integrated with conventional silicon substrates."

Full Article


Purdue Researchers Uncover Vulnerabilities in Smart TVs
Purdue University Elmore Family School of Electrical and Computer Engineering
March 31, 2023


Purdue University researchers have found bugs in Smart TVs through which attackers can hijack the devices using a phone as a remote. Purdue's Saurabh Bagchi and colleagues found the bug in the Wi-Fi remote protocol of Smart TV, demonstrating the exploit targets four of the most popular Over The Top digital streaming platforms. They created malware called Spook bundled in an Android smartphone to commandeer an Android TV, then designed and deployed defensive measures using ARM TrustZone to ensure a human is initiating the pairing between the phone and the TV. Google has acknowledged and addressed the vulnerability in the Android TV platform through software modification.

Full Article


Ransomware Crooks Exploit IBM File-Exchange Bug with 9.8 Severity
Ars Technica
Dan Goodin
March 28, 2023


Security researchers warn that ransomware purveyors are targeting servers by leveraging a flaw in the IBM Aspera Faspex centralized file-exchange application that was assigned a severity rating of 9.8. Aspera employs IBM's Fast, Adaptive, and Secure Protocol to better allocate available network bandwidth, and to ease file transfer to recipients in distribution lists or shared inboxes or workgroups. In January, IBM cited a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier that allows remote code execution by unauthenticated threat actors; the company urged users to correct it with an update. Rapid7 analysts highlighted an incident in which a customer was breached using the exploit, despite IBM having patched the vulnerability in January.

Full Article

Microsoft Uses Court Order To Go After Tool Used To Attack Health Organizations

“Microsoft used a federal court order to try to cut off cybercriminals’ access to a hacking tool that has been used in nearly 70 ransomware attacks on health organizations in more than 19 countries, the tech giant said Thursday,” CNN (4/6, Lyngaas) reports. The move is one of the biggest “yet by tech firms and hospitals to combat ransomware attacks that have hobbled US health care providers for years by forcing ambulances to be diverted or chemotherapy appointments to be canceled.” The Eastern District of New York’s court order “allows Microsoft to seize internet infrastructure that predominantly Russian-speaking hackers were using to communicate with infected computer networks in hospitals and other health care organizations in the US and around the world.”

Cyberattacks Against Louisiana Colleges May Not Have Been Cyberattacks, Some Say

Inside Higher Ed (3/31, D'Agostino) reported the Louisiana State Police Cyber Crime Unit last week “tipped off five institutions – the University of New Orleans, River Parishes Community College, Nunez Community College, Southern University at Shreveport and Louisiana State University Agricultural Center – that their networks had possibly been compromised.” The colleges immediately set to work “performing restorative activities on their respective computer networks, according to Meg Casper Sunstrom, deputy commissioner for strategic communications at the Louisiana Board of Regents.” Throughout, “several of the colleges relied on social media to communicate with their respective communities.” The word “cyberattack” was “conspicuously absent when referencing the incident, even if the Louisiana State Police Cyber Crime Unit joined the investigation. That may be because the incident was not a cyberattack, according to some experts.” For example, VMware strategist Karen Worstell said, “A vulnerability doesn’t take out email. There is something going on.”

dtau...@gmail.com

Apr 23, 2023, 1:44:03 PM
to sec-...@googlegroups.com

Apple's Macs May No Longer Escape Ransomware
Ars Technica
Lily Hay Newman
April 18, 2023


Security researchers are analyzing newly discovered Mac ransomware samples from the Russia-based LockBit gang, the first known instance of a major ransomware group tinkering with macOS versions of its malware. The samples seem to have first appeared in the VirusTotal malware analysis repository in November/December 2022, but were only noticed on April 17. One sample appears to be a version of the encryptor targeting newer Macs running Apple processors and older Macs driven by PowerPC chips. The Objective-See Foundation's Patrick Wardle said, “In some sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms aimed to directly thwart, or at least reduce the impact of, ransomware attacks. However, well-funded ransomware groups will continue to evolve their malicious creations.”

Full Article

OpenAI Considers Bug Bounty Program

Bloomberg (4/8) reported, “A small but growing number of people” including “swathes of anonymous Reddit users, tech workers and university professors” are “coming up with methods to poke and prod (and expose potential security holes) in popular AI tools.” Bloomberg explained that “while their tactics may yield dangerous information, hate speech or simply falsehoods, the prompts also serve to highlight the capacity and limitations of AI models,” and “it’s clear that OpenAI is paying attention.” OpenAI President Greg Brockman recently “wrote that OpenAI is ‘considering starting a bounty program’ or network of ‘red teamers’ to detect weak spots.”

Google Engineers Present “Workload Security Rings” As A Solution To The Shortcomings Of Machine Isolation

The New Stack (4/7, Wachtel) reports, “There’s a delicate balance between isolating workloads based on security requirements while still optimizing for compute and resource efficiency.” Google is looking into machine isolation as a solution, although it “has had its limitations. Google Senior Staff Reliability Engineer Michal Czapiński and Google Site Reliability Engineering Manager Rainer Wolafka are investigating the way to overcome ‘the limitations of machine isolation.’” In a Usenix report, “they present a new isolation method that they call ‘Workload Security Rings.’”

Campaign Officials “Unsettled” By Meta’s Response To AI-Generated Fake Images

The Washington Post (4/7) reports that late last month, political campaign operatives wrote to Facebook owner Meta to ask how the social media giant “planned to address AI-generated fake images on its platforms.” According to people familiar with the exchange, a Meta employee “replied to the operatives saying that such images, rather than being treated as manipulated media and removed under certain conditions, were being reviewed by independent fact-checkers who work with the company to examine misinformation and apply warning labels to dubious content.” That approach “unsettled the campaign officials, who said fact-checkers react slowly to viral falsehoods and miss content that is rapidly duplicated, coursing across the online platform.” The Post says that AI-generated images “introduce a new dynamic in the fraught debate over political speech that has roiled the technology giants in recent years.”

ED Hosts Panel On Cybersecurity Career Pathways

Education Week (4/11) reports the Education Department and the White House National Security Council on Tuesday hosted a “roughly hour-long panel...that essentially served as a public service announcement for cybersecurity education.” Students from DC and Baltimore County schools “who are enrolled in cybersecurity classes sat in the audience, listening to the cybersecurity professionals talk about their work experiences and career advice.” The event “included professionals who have worked on cybersecurity in a wide range of settings.” Deputy Education Secretary Cindy Marten moderated the panel and “underscored that K-12 schools – which have increasingly been targeted by cyberattacks – also need protection.” She said, “We know we not only need cybersecurity experts working in companies, but we also need them in government and in our schools. There are critical data to protect in these places. And I think you can lead the way.” EdWeek says the panel did not “announce new resources, but there are existing federal dollars available for cybersecurity education.”

Report: 2021 Marked Biggest Year For Education Data Breaches

Higher Ed Dive (4/13, Merod) reports that since 2005, “schools and colleges in the U.S. have incurred 2,691 data breaches, leading to leaks of at least 32 million individual records, according to an April report by Comparitech, a website that reviews and analyzes products improving cybersecurity and online privacy.” To date, 2021 has marked “the biggest year for data breaches in education, impacting 771 institutions and nearly 2.6 million records, Comparitech said.” The Illuminate Education data breach “affecting at least 605 institutions made up a significant portion of the share.” 2022 brought 96 breaches “that exposed almost 1.4 million records, and so far 2023 has seen 11 breaches with over 3,500 impacted records.” The breaches since 2005 “were almost evenly split between the two education sectors, with 51% happening in K-12 schools, Comparitech found.”

Crypto Traders Will Soon Be Assisted By ChatGPT-Powered Bot Named Satoshi

Forbes (4/13, Ehrlich) reports Chicago-based prime broker FalconX “plans to put a chatbot in the co-pilot’s seat for investors.” Using technology created by OpenAI, FalconX clients “will be able to pose questions like ‘What are the three biggest differences between two blockchain platforms?’ or ‘What is the delta between Sharpe ratios for a Bitcoin basis strategy or a Bitcoin hold strategy over a two-week period?’ to a bot called Satoshi.” Named for Bitcoin’s founder Satoshi Nakamoto, the chatbot “will also be able to generate investment ideas for users based on their historical trading activity, portfolios and interests, says FalconX CEO Raghu Yarlagadda.” Though the technology is “very much in its early stages – the current prototype primarily allows users to get customized news summaries akin to traditional ChatGPT responses to user queries, and trading backtesting has only been available for a few weeks – advancement is likely to come quickly.”

North Dakota Becomes First State To Offer Cybersecurity Classes As Option To Fulfill High School Graduation Requirement

Education Week (4/17) reports North Dakota is “requiring all students master either cybersecurity or computer science content to graduate. Though at least five other states have made computer science a graduation requirement, the Peace Garden State is the first to add cybersecurity as an option, according to Code.org.” The state is also calling for all K-12 schools to “some instruction in both subjects. The move has been in the works for eight years, said Kirsten Baesler, North Dakota’s superintendent of public instruction.” In an interview with EdWeek, Baesler said, “My goal isn’t to say, ‘hey, I want to be the first. I want it to be truly about preparing our young people for the world that they live in now.”

Bipartisan Congressional Effort Seeks To Strengthen Cybersecurity In Schools

Education Week (4/20, Langreo) reports that “a bipartisan group of federal lawmakers reintroduced legislation that they argue would strengthen cybersecurity in schools.” The Enhancing K-12 Cybersecurity Act “would give schools and districts better access to cybersecurity resources and improve tracking of K-12 cyberattacks nationally.” The bill is sponsored by Reps. Doris Matsui (D-CA) and Zach Nunn (R-IA), and Sens. Marsha Blackburn (R-TN) and Mark Warner (D-VA). The proposal “comes as cyberattacks targeting schools are becoming more common and more sophisticated.” There “have been 1,619 publicly disclosed cyber incidents between 2016 and 2022, according to K12 Security Information Exchange (K12 SIX), a nonprofit focused on helping schools prevent cyberattacks.” Hackers “have targeted districts of all sizes, including Los Angeles Unified, the nation’s second largest.”

Report Shows More Malware Attacks, Less Ransomware In Higher Education

Inside Higher Ed (4/21, D'Agostino) reports that “cybercriminals are humans, and as such, their whims, preferences and practices are subject to change.” In 2020 and 2021, “across sectors and regions, they appeared to prefer ransomware over other kinds of malware attacks, and government was their top malware target, according to a new report from SonicWall.” But in 2022, cybercriminals “altered their patterns.” In this “new threat landscape across industries and regions, ransomware attacks decreased (by 21 percent), though malware attacks over all increased (by 2 percent, after three years of decline), according to the report.” Also, educational institutions “were their top malware target.”

dtau...@gmail.com

Apr 30, 2023, 2:53:00 PM
to sec-...@googlegroups.com

Used Routers Often Loaded with Corporate Secrets
Ars Technica
Lily Hay Newman
April 19, 2023


Scientists from Slovak security firm ESET will present research at this week's RSA security conference indicating more than half of used routers its researchers purchased for testing were loaded with sensitive corporate information. The researchers bought 18 secondhand routers manufactured by Cisco, Fortinet, and Juniper Networks; nine were fully intact and accessible, but just five had been properly wiped of data. All nine intact routers carried credentials for the organization's virtual private network, credentials for another secure network communication service, or hashed root administrator passwords. This and other information on the devices could be exploited by cybercriminals, as well as state-supported hackers. The ESET team warned contracting with third-party companies to wipe enterprise devices for resale offers no assurance such firms actually do so.

Full Article


How NFTs Can Be Used to Manage Health Data
Computer Weekly
Aaron Tan
April 25, 2023


Clinicians in Singapore public healthcare group SingHealth say non-fungible tokens (NFTs) can be used to help patients manage their own health data. The researchers believe NFTs will grant patients greater control over their health data's storage and use, making individuals responsible for owning and sharing the data. Such NFTs can be generated, shared, and stored in a health data ledger with blockchain technology, ensuring security and privacy. The blockchain's traceable and unalterable state means sharing health data as NFTs will ensure the authenticity of health research data. Said SingHealth's Teo Zhen Ling, "Using NFTs and blockchain technology to build a secure healthcare data exchange platform will greatly impact the way data is handled in both healthcare research and clinical pathways."

Full Article

dtau...@gmail.com

May 7, 2023, 8:54:40 AM
to sec-...@googlegroups.com

Hackers Can Target Smart Meters to Destabilize Electricity Grid
Oregon State University News
May 3, 2023


Oregon State University (OSU) researchers demonstrated that hackers can destabilize a power transmission grid by manipulating smart meters to produce an oscillation in electricity demand. The researchers used a time-domain grid protection simulator to demonstrate a load oscillation attack caused by a hack of advanced metering infrastructure. Said OSU's Eduardo Cotilla-Sanchez, "We juxtaposed our work with related recent grid studies and found that a well-crafted attack can cause grid instability while involving less than 2% of the system's load." The researchers said a grid's vulnerabilities must be understood so grid operators can enact countermeasures, which could include intentionally ‘islanding’ the affected area or altering the generation portfolio to minimize the impact of such an attack.

Full Article


Apple, Google Partner to Combat Creepy Tracking Tactics
Associated Press
May 2, 2023


Apple and Google have jointly proposed to the Internet Engineering Steering Group new standards for combatting clandestine surveillance through Bluetooth object-tracking devices like Apple's AirTag. Apple and AirTag hope to have a plan to foil stealth tracking ready by year's end, with the solution to be circulated via iPhone and Android phone updates. Erica Olsen at the National Network to End Domestic Violence's Safety Net Project said she believes the initiative will help protect abuse survivors and others targeted by stealth technology. Olsen said the new standards “will minimize opportunities for abuse of this technology and decrease the burden on survivors in detecting unwanted trackers."

Full Article


Energy-Efficient Bitcoin Mining Through Light
Optica
Edwin Cartlidge
May 3, 2023


Researchers in the U.S. and Italy used integrated photonic circuits to deploy a modified proof-of-work blockchain to reduce the energy consumption of bitcoin mining while preserving network security. The framework substitutes bitcoin's SHA-256 hash function with LightHash, a function optimized for analog photonic chips built from Mach-Zehnder interferometers. The interferometers' arrangement helps to process hash functions by providing answers to specific matrix multiplications when laser light passes through the circuit and is measured at the device's output. LightHash averages the trade-off between circuit size and accuracy by comparing outputs from multiple circuit copies. Experiments using an interferometer network that could process matrices with up to four rows and columns raised error susceptibility but could reduce the error rate in hashing by up to four orders of magnitude.

Full Article


Light-Based Computing Scheme Reduces Power Needed to Mine Cryptocurrencies
Optica
April 27, 2023


A research team at Stanford University developed a light-based computing approach that could reduce the energy necessary to mine cryptocurrencies by using a photonic integrated circuit to create a photonic blockchain. LightHash features a silicon photonic chip with a 6x6 network of programmable interferometers to allow for low-energy optical processing of matrix multiplications. Said PsiQuantum's Sunil Pai, formerly of Stanford, "Essentially, we have devised a way to use analog optical circuits to perform multiplications at near-zero power dissipation, yet precisely enough for use in a digital encryption scheme." Pai noted LightHash could have other applications, such as secure data transfer for medical records, smart contracts, and voting. The researchers said a large-scale implementation of their approach, with additional development, could improve energy use about 10-fold compared to the best modern digital processors.

Full Article


Using Quantum Physics to Secure Wireless Devices
UIC Today
April 27, 2023


Quantum physics inspired computer engineers at the University of Illinois Chicago (UIC) and Michigan Technological University to formulate a method for enhancing wireless device identification and protecting device-to-device communication. The technique uses a genuinely random and unique digital fingerprint to provide virtually impenetrable hardware encryption. UIC's Pai-Yen Chen and colleagues mathematically identified a "divergent exceptional point" in a radio frequency identification (RFID) system using quantum physics, producing new RFID lock-and-tag hardware that creates secure signals via the resulting algorithm. Each device generates a novel digital signature due to variations in its manufacture. The researchers failed to find two identical digital fingerprints after thousands of simulations, passing U.S. National Institute of Standards and Technology randomness tests and withstanding machine learning-based attacks.

Full Article

Federal Officials Voice Concern Over AI Cybersecurity Threats, Seek Preemptive Measures

The Washington Post (5/2, Starks) reports, “U.S. officials say AI will be a big cyberthreat” but “how it’ll materialize is less clear.” Federal officials express concern over potential cybersecurity threats posed by artificial intelligence (AI), although they are unsure of the exact nature of these threats. As AI continues to advance without proper safeguards, lawmakers are looking into ways to address and mitigate potential cyber risks. The Post adds, “Rob Joyce, director of cybersecurity for the National Security Agency, called AI a ‘game-changing technology that’s emerging.’” The Post also reports “Joyce said he doesn’t expect to have many examples of how adversaries are exploiting AI until next year.” Joyce said, “I won’t say it’s delivered yet. … In the near term, I don’t expect some magical technical capability that is AI generated that will exploit all the things.”

AI Expected To Help Cyberdefenders, Not Cybercriminals. Axios (5/2, Sabin) reports that worries about cybercriminals “incorporating artificial intelligence into their schemes anytime soon is vastly overblown,” as it would take time and money, which opportunistic cybercriminals don’t usually have. Instead, AI is expected to help cyberdefenses to block “run-of-the-mill security holes that criminals keep exploiting.”

Meta Discovers Malware Using ChatGPT To Lure Victims

Reuters (5/3, Paul) reports Meta issued a report examining “malware purveyors leveraging public interest in ChatGPT to lure users into downloading malicious apps and browser extensions, likening the phenomenon to cryptocurrency scams.” Meta has uncovered “around 10 malware families and more than 1,000 malicious links that were promoted as tools featuring the popular artificial intelligence-powered chatbot” since March of this year.

Google Expands Career Certificates Program With Cybersecurity Course For Entry-Level Workers

The Wall Street Journal (5/4, Rundle, Stupp, Subscription Publication) reports Google is adding a course to its Career Certificates program that will teach entry-level workers the basic skills required to become a cybersecurity analyst. According to Google Cloud’s chief information security officer, Phil Venables, the course will teach students how to work in a security-operations center as well as identify risks and vulnerabilities, among other things. He said the intensive course will provide core skills to help students gain employment and specialize.

dtau...@gmail.com

May 13, 2023, 7:59:12 PM
to sec-...@googlegroups.com

U.S. Says It Dismantled Russia's 'Most Sophisticated' Malware Network
The New York Times
Charlie Savage
May 9, 2023


The U.S. Department of Justice said the U.S. and its allies have dismantled a major cyberespionage operation that Russian intelligence had long used to surveil computers worldwide. The Cybersecurity and Infrastructure Security Agency described the "Snake" malware network as "the most sophisticated cyberespionage tool" used by Russia's Federal Security Service. Its purported activities included stealing international relations documents and other diplomatic communications from a NATO country, and infiltrating computers across more than 50 nations and within various American institutions. Cybersecurity agent Taylor Forry explained in a newly unsealed court filing how the Federal Bureau of Investigation used a U.S.-based malware-infected computer to penetrate and "permanently disable" the Snake network by overriding the code on all of its compromised computers.

Full Article

*May Require Paid Registration


Mass Event Will Let Hackers Test Limits of AI Technology
Associated Press
Matt O'Brien
May 10, 2023


Major artificial intelligence (AI) providers are working with the White House to offer thousands of hackers the opportunity to "jailbreak" their AI language models and uncover vulnerabilities. Rumman Chowdhury, who is coordinating a mass hacking event for this summer's DEF CON hacker convention, explained, "We need a lot of people with a wide range of lived experiences, subject matter expertise, and backgrounds hacking at these models and trying to find problems that can then go be fixed." Chowdhury described hackathons like the White House-associated exercise as "a direct pipeline to give feedback to companies," with participants compiling reports and detailing common flaws and patterns.

Full Article


Shared Irresponsibility
Ruhr-Universität Bochum Horst Görtz Institute for IT Security (Germany)
Julia Weiler
May 8, 2023


Ghassan Karame at Germany's Ruhr University Bochum found cryptocurrencies are susceptible to security breaches. Karame and collaborators have previously identified serious bugs that Bitcoin swiftly corrected, but other cryptocurrencies can be launched using bitcoin's freely available source code. The decentralized nature of cryptocurrency also complicates breach disclosure. Karame's team developed a tool to approximate the time of security updates for forked source code, based on an archive service that monitors all events on GitHub's public repositories. They calculated the timestamp of security patches and found modified bitcoin variants could take years to correct bugs. While Bitcoin fixed the vulnerability in just seven days, it took, for example, Litecoin 114 days, Dogecoin 185 days and Digibyte almost three years.

Full Article


Data Class-Specific Image Encryption Using Optical Diffraction
UCLA Samueli Newsroom
May 3, 2023


University of California, Los Angeles researchers have developed diffractive deep neural networks that can perform class-specific all-optical image encryption at both near-infrared and terahertz wavelengths using no external computing power aside from the illumination light. After training the networks using deep learning, the researchers used three-dimensional printing to physically fabricate the networks, transform the input images, and produce encrypted, uninterpretable output patterns. The encrypted images can be restored only by applying the correct decryption keys. The transformations performed by the diffractive encryption network are pre-determined and specifically and exclusively assigned to a single data class, which makes it difficult to use reverse-engineering to decipher the original images belonging to the target data classes. Additionally, different decryption keys can be distributed to multiple end-users based on their data access permission, allowing only the appropriate portion of the input data to be shared.

Full Article

 

Report: Ransomware Attacks Targeted Higher Ed Above Other Industries Last Year

Higher Ed Dive (5/10, Schwartz) reports, “Ransomware attacks targeted the education sector more than any other industry in the last year, with 79% of surveyed higher education institutions across the world reporting being hit, according to an annual report from Sophos, a U.K.-based cybersecurity firm.” Of the higher ed institutions “that reported ransomware attacks, 59% said it resulted in them losing ‘a lot of’ business and revenue.” Hackers exploited system vulnerabilities “in 4 in 10 higher education ransomware attacks, making them the sector’s most common root issue. Compromised credentials caused another 37% of attacks, while malicious emails led to 12% of reported incidents.”

Growing Use Of AI Poses Next Generation Of Cybersecurity Threat

The Washington Post (5/11, A1) reports on the growing use of AI in cybersecurity attacks, saying scammers “are automating more personalized texts and scripted voice recordings while dodging alarms by going through such unmonitored channels as encrypted WhatsApp messages on personal cellphones. ... That is just the beginning, experts, executives and government officials fear, as attackers use artificial intelligence to write software that can break into corporate networks in novel ways, change appearance and functionality to beat detection, and smuggle data back out through processes that appear normal.” Speaking at the RSA cybersecurity conference in San Francisco, National Security Agency cybersecurity chief Rob Joyce said, “It is going to help rewrite code. Adversaries who put in work now will outperform those who don’t.”

dtau...@gmail.com

unread,
May 22, 2023, 10:35:34 AM5/22/23
to sec-...@googlegroups.com

Dark Web ChatGPT Unleashed: Meet DarkBERT
Tom's Hardware
Francisco Pires
May 16, 2023


Researchers at South Korea's Korea Advanced Institute of Science and Technology (KAIST) and data intelligence company S2W have created a large language model (LLM) trained on Dark Web data. The researchers fed the RoBERTa framework a database they compiled from the Dark Web via the Tor network to create the DarkBERT LLM, which can analyze and extract useful information from a new piece of Dark Web content composed in its own dialects and heavily-coded messages. They demonstrated DarkBERT's superior performance to other LLMs, which should enable security researchers and law enforcement to delve deeper into the Dark Web.

Full Article

 

 

TSA Tests Facial Recognition Technology to Boost Airport Security
Associated Press
Rebecca Santana; Rick Gentilo
May 15, 2023


The U.S. Transportation Security Administration (TSA) is testing facial recognition technology to authenticate travelers' identities at 16 airports. Travelers have their driver's license or passport read by a reader, then look at a camera on a screen that records and compares their image to their ID to confirm their identity matches and is authentic. TSA says the test is voluntary and accurate, but critics have raised issues about bias in facial recognition algorithms and the possible ramifications for passengers who want to opt out. Although the agency claims it is not storing the biometric data it collects, Meg Foster at Georgetown University's Center on Privacy and Technology raised concerns of that policy changing.

Full Article

 

AP Report Warns Of Generative AI Being Used For Election Interference

The AP (5/14, Knickmeyer) reports experts “have warned for years that cheap, powerful artificial intelligence tools would soon allow anyone to create fake images, video and audio that was realistic enough to fool voters and perhaps sway an election,” with the AP writing that the recent AI boom has given some credence to such worries. The outlet adds that “when strapped to powerful social media algorithms, this fake and digitally created content can spread far and fast and target highly specific audiences, potentially taking campaign dirty tricks to a new low,” and “the implications for the 2024 campaigns and elections are as large as they are troubling.”

AI Boom Creates Demand For Businesses That Can Identify AI-Generated Content

The New York Times (5/18, Hsu, Myers) reports, “Generative A.I. is now available to anyone, and it’s increasingly capable of fooling people with text, audio, images and videos that seem to be conceived and captured by humans.” This has led to demand for services that can identify AI-generated content, and over “a dozen companies now offer tools to identify whether something was made with artificial intelligence, with names like Sensity AI (deepfake detection), Fictitious.AI (plagiarism detection) and Originality.AI (also plagiarism).” Andrey Doronichev, founder of synthetic content detecting company Optic, said, “Content authenticity is going to become a major problem for society as a whole...We’re entering the age of cheap fakes.”

dtau...@gmail.com

unread,
May 27, 2023, 7:49:11 AM5/27/23
to sec-...@googlegroups.com

UCLA Computer Grad Constructs “Crown Jewel of Cryptography”
ACM
May 24, 2023


ACM named Aayush Jain from Carnegie Mellon University to receive the 2022 ACM Doctoral Dissertation Award for his dissertation proving the feasibility of mathematically rigorous software obfuscation from thoroughly reviewed hardness postulations. Jain's dissertation constructs indistinguishability obfuscation, a mathematical object considered a theoretical "master tool" in terms of realizing cryptographic goals like functional encryption, as well as widening the field of cryptography itself. For example, indistinguishability obfuscation helps to reach software security goals that only software engineering could previously achieve. Jain, a graduate of the University of California, Los Angeles, also received the Best Paper Award at the ACM Symposium on Theory of Computing 2021 for his dissertation.

Full Article

 

 

Ethereum Closes Security Hole with Energy-Saving Update
New Scientist
Matthew Sparkes
May 23, 2023


An update rolled out by the Ethereum cryptocurrency reduced the energy needed to produce it by 99.99% by transitioning from "proof of work" to "proof of stake," and also fixed a security flaw in the Go Ethereum software used to run Ethereum nodes. Massimiliano Taverna at ETH Zurich in Switzerland explained that combining the attacks would have reduced the computing resources required to launch them to only five graphics processing units. Ethereum Classic developers patched the vulnerability after being notified by the researchers, but the researchers said the EthereumPOW cryptocurrency has not been updated.
 

Full Article

*May Require Paid Registration

 

 

Chip-Based QKD Achieves Higher Transmission Speeds
Optica
May 25, 2023

Researchers at Switzerland's University of Geneva (UOG), Swiss cybersecurity company ID Quantique, Italy's CNR Institute for Photonics and Nanotechnology, and German optical products manufacturer Sicoya based a quantum key distribution (QKD) system on integrated photonics to transmit keys at higher speeds. The researchers combined a photonic integrated circuit with an external diode laser into a silicon photonics transmitter. They also fabricated a silica QKD receiver from a photonic integrated circuit and two external single-photon detectors. UOG's Rebecka Sax said, "Connecting these two components with a standard single-mode fiber enabled high-speed production of secret keys." Sax said the QKD system also yielded secret key production and quantum bit error rates similar to those generated by fiber-based components, but more practically and simply than in previous experimental frameworks.
 

Full Article

 

 

Small Change Leads to Big Results for Computer Security
UC San Diego Today
May 23, 2023


Researchers at the University of California, San Diego (UCSD) and Purdue University found that they could strengthen computer security by reverse-engineering the conditional branch predictor in Intel's flagship processors through a methodology called Half&Half. Serious vulnerabilities are rooted in modern processors sharing the branch predictor between all executing threads and processes. The researchers found they could split Intel's branch predictor into two parts by varying a single bit of the branch address. UCSD's Hosein Yavarzadeh said, "With a small change in how we generate code we can now run two threads together on the same processor core, and it is impossible to leak data through the branch predictor, or to induce mispredicts to launch a Spectre attack."

Full Article

 

 

'Attacker' Device to Improve Autonomous Car Safety
UC San Diego Today
Xochitl Rojas-Rocha
May 23, 2023


Researchers at the University of California, San Diego (UCSD) and Northeastern University have created an "attacker" algorithm for use in helping to enhance the safety of autonomous vehicles. The mmSpoof algorithm mimics spoofing attacks by devices that target millimeter-wave radars used by vehicles to enable self-driving or assisted-driving features. The method weaponizes the target vehicle's radar by altering the received signal's parameters at "lightspeed" before reflecting it back. This allows attackers to conceal the sabotage and to thwart the vehicle's ability to screen out malicious behavior, in real time. UCSD's Rohith Reddy Vennam suggested researchers can block this exploit by using high-resolution radar that captures multiple reflections from vehicles to identify the actual reflection.
 

Full Article

 

 

Apps for Older Adults Contain Security Vulnerabilities
Concordia University (Canada)
Patrick Lejtenyi
May 23, 2023


Researchers at Canada's Concordia University found security bugs in 95 of 146 popular Android applications designed for older adults. The researchers discovered that many apps failed to properly authenticate server application programming interface endpoints, which attackers could exploit to access sensitive personal data. Other apps had easily penetrable accounts, with some sending unencrypted information to either client-side servers or third-party domains. The researchers found multiple other flaws in dozens of other apps. Only seven of the 35 app developers the team contacted about the bugs responded, while Concordia's Pranay Kapoor said the vulnerabilities could be remedied by following best practices for basic security.

Full Article

 

 

How Fake AI Photo of a Pentagon Blast Went Viral, Briefly Spooked Stocks
Bloomberg
Davey Alba
May 22, 2023


On the morning of May 22, the S&P 500 fell around 0.3% after a falsified photo of an explosion near the Pentagon went viral. This could be the first time the market has been moved by an artificial intelligence (AI)-generated image. Before the photo was discredited by officials, researchers like Nick Waters of the open source intelligence group Bellingcat took to social media to warn that it may have been an AI creation. Waters wrote on Twitter, "Check out the frontage of the building, and the way the fence melds into the crowd barriers. There's also no other images, videos, or people posting as first-hand witnesses." The image's origin has not been determined, but the original post on Facebook was given a "false information" label and later was blocked by the platform.

Full Article

*May Require Paid Registration

 

AI-Generated Deepfake Briefly Rattles Stock Market

The New York Times (5/23, Sorkin, Warner, Kessler, de la Merced, Hirsch, Livni) reports, “For a few minutes on Monday, an ominous image of black smoke billowing from what appeared to be a government building near the Pentagon set off investor fears, sending stocks tumbling.” The picture was “quickly dismissed...as a fake, most likely cobbled together with artificial intelligence, and markets swiftly recovered. But it illustrated one of the big fears behind the government’s zeal to regulate A.I.: that the technology could be used to stoke panic and sow disinformation, with potentially disastrous consequences.” The incident, which “may have been the first time an A.I.-generated image moved markets, according to Bloomberg,” underscores “how even unsophisticated spoofs can spread misinformation quickly, especially via trusted social-media channels.”

Google Questioned Over Retaining Location History Post-Roe

“Senate Democrats are demanding answers from Google after an investigation by Washington Post columnist Geoffrey A. Fowler found that the tech giant is at times still retaining location history for users after they visit sensitive locations, like abortion clinics and hospitals, in conflict with its promise to scrub that information,” the Washington Post (5/24, Lima) reports. The information, “the lawmakers wrote in a letter to Google CEO Sundar Pichai on Monday, raise concerns that the company ‘is not upholding its commitment to delete sensitive location data, particularly when it can reveal private health care decisions.’”
