Dr. T's security brief


dtau...@gmail.com

Apr 18, 2022, 8:39:43 AM4/18/22
to sec-...@googlegroups.com

Researcher Uses 379-Year-Old Algorithm to Crack Crypto Keys in the Wild
Ars Technica
Dan Goodin
March 14, 2022


Researcher Hanno Böck said he used a 379-year-old algorithm described by French mathematician Pierre de Fermat to break a handful of weak cryptographic keys found in the wild. The keys were generated with older software owned by technology company Rambus, derived from a basic version of the SafeZone Crypto Libraries. Böck said the SafeZone library insufficiently randomized the two prime numbers it used to generate RSA keys, and Fermat's factorization method can crack such keys easily. The algorithm is based on the fact that any odd number can be expressed as the difference of two squares, and factors near that number's square root are quickly calculable. Böck thinks all the keys he found in the wild were generated using software or methods unaffiliated with the SafeZone library, which if true means the Fermat algorithm might easily break keys crafted by other software.
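To make the weakness concrete from an auditor's side, here is an added example (not Böck's tooling and not code from the article, Rambus or SafeZone) that flags an RSA modulus whose two primes are close enough for Fermat's method to split it within a bounded number of steps, which is the check one would run over an inventory of public keys. The "close primes" generator it tests against is a constructed stand-in that picks q by searching upward from p; the page does not say exactly how SafeZone chose its primes.

```python
"""Fermat close-prime check for RSA moduli.

Added example, not code from the article. The close-prime generator below
is a constructed stand-in for a sloppy key generator: it derives q by
searching upward from p. How SafeZone actually chose its primes is not
described in the article.
"""
import random
from math import isqrt
from typing import Optional, Tuple

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin primality test, after trial division by small primes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def next_prime(n: int, rng: random.Random) -> int:
    """Smallest probable prime >= n."""
    if n % 2 == 0:
        n += 1
    while not is_probable_prime(n, rng):
        n += 2
    return n


def gen_modulus(bits: int, seed: int, close_primes: bool) -> Tuple[int, int, int]:
    """Return (p, q, n = p*q). With close_primes=True, q is the next prime
    above p (the constructed weak behaviour); otherwise q is independent."""
    rng = random.Random(seed)
    p = next_prime(rng.getrandbits(bits) | (1 << (bits - 1)) | 1, rng)
    if close_primes:
        q = next_prime(p + 2, rng)
    else:
        q = next_prime(rng.getrandbits(bits) | (1 << (bits - 1)) | 1, rng)
    return p, q, p * q


def fermat_factor(n: int, max_iters: int = 100) -> Optional[Tuple[int, int]]:
    """Fermat's method: find n = a^2 - b^2 = (a-b)(a+b) with a just above
    sqrt(n). It succeeds quickly only when the two factors are close, so a
    bounded number of steps turns it into a cheap audit check."""
    if n % 2 == 0:
        return (2, n // 2)
    a = isqrt(n)
    if a * a < n:
        a += 1  # a = ceil(sqrt(n))
    for _ in range(max_iters):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b)
        a += 1
    return None


def is_fermat_weak(n: int, max_iters: int = 100) -> bool:
    """True if n splits into two non-trivial factors within max_iters Fermat steps."""
    result = fermat_factor(n, max_iters)
    return result is not None and 1 < result[0] < n


if __name__ == "__main__":
    p, q, n = gen_modulus(512, seed=1, close_primes=True)
    print("close-prime modulus flagged:", is_fermat_weak(n), fermat_factor(n) == (p, q))
    _, _, n2 = gen_modulus(512, seed=2, close_primes=False)
    print("independent-prime modulus flagged:", is_fermat_weak(n2))
```

Because the search starts at ceil(sqrt(n)) and the first success needs a = (p+q)/2, the number of steps grows with (q-p)^2, so a healthy modulus with independently chosen primes is never split within the bound.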
 

Full Article

 

 

Linux Bug Gives Root on All Major Distros, Exploit Released
BleepingComputer
Lawrence Abrams
March 7, 2022


Security researcher Max Kellermann recently disclosed his discovery of the Dirty Pipe Linux bug, which lets local users obtain root privileges through publicly available exploits, and impacts Linux Kernel 5.8 and later iterations, even on Android devices. He released a proof-of-concept exploit that allows local users to inject their own data into sensitive read-only files, stripping restrictions or tweaking configurations to expand their access privileges. Kellermann alerted various Linux maintainers about Dirty Pipe beginning Feb. 20, and although it has been corrected in Linux kernels 5.16.11, 5.15.25, and 5.10.102, many servers still are running outdated kernels.

Full Article

 

 

Mozilla Fixes Two Critical Firefox Flaws that Are Being Actively Exploited
ZDNet
Liam Tung
March 7, 2022


Mozilla has released security fixes for two critical flaws in its Firefox browser that are being exploited. The company said both CVE-2022-26485 and CVE-2022-26486 are critical use-after-free memory-related flaws, and the latter also could result in an exploitable sandbox escape. "Removing an XSLT parameter during processing could have led to an exploitable use-after-free," the organization said. "We have had reports of attacks in the wild abusing this flaw. An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape." The company credits researchers at the Chinese security firm Qihoo 360 ATA with identifying the bugs. The security fixes were released with Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0, and fixed in Thunderbird 91.6.2.
 

Full Article

 

 

WARNING: Objects in Driverless Car Sensors May Be Closer Than They Appear
Duke University Pratt School of Engineering
Ken Kingery
March 14, 2022


Duke University researchers have identified an attack strategy that can trick industry-standard autonomous vehicle sensors into believing nearby objects are closer or farther than they appear. This involves using a laser gun to strategically place 3D LiDAR data points within a certain area of the vehicle camera's 2D field of view. The researchers determined the vulnerable area extends out in front of the camera's lens in a frustum shape. "This so-called frustum attack can fool adaptive cruise control into thinking a vehicle is slowing down or speeding up," said Duke's Miroslav Pajic. Pajic suggested adding redundancy in the form of "stereo cameras" with overlapping fields of view to better estimate distances and detect LiDAR data that does not match their perception, or developing systems that allow cars in close proximity to share some of their data.
 

Full Article

 

 

Medical, IoT Devices Vulnerable to Attack
Dark Reading
Jai Vijayan
March 8, 2022


Researchers at Forescout's Vedere Labs cybersecurity intelligence team and CyberMDX cybersecurity service provider discovered seven vulnerabilities, known collectively as "Access:7," in more than 150 Internet of Things (IoT) devices made by more than 100 companies. Three of the bugs, rated critical, allow attackers to gain full control of devices by remotely executing malicious code. The remainder, rated moderate to high in severity, allow attackers to steal data or execute denial-of-service attacks. The flaws were found in multiple versions of PTC Axeda agent and PTC Desktop Server, which are used in many IoT devices to enable remote access and management. All versions of the Axeda technology below 6.9.3 are affected. PTC has released patches for the vulnerabilities.

Full Article

 

 

Encryption Meant to Protect Against Quantum Hackers Is Easily Cracked
New Scientist
Matthew Sparkes
March 8, 2022


Ward Beullens at IBM Research Zurich in Switzerland easily cracked a cryptography algorithm touted as one of three contenders for a global standard against quantum hacking. Rainbow is a signature algorithm submitted to the U.S. National Institute of Standards and Technology (NIST)'s Post-Quantum Cryptography competition, and Beullens extracted Rainbow's secret key from a public key in just 53 hours on a standard laptop. He said this flaw would enable attackers to wrongfully "prove" they are someone else, rendering Rainbow "useless" for message verification. NIST's Dustin Moody said the Rainbow hack had been confirmed, and the algorithm is unlikely to be selected as the final signature algorithm.

Full Article

 

 

CS Professor’s 'Hands-On' Approach to Smartphone Security
LSU College of Engineering
March 9, 2022


Louisiana State University computer science professor Chen Wang is working with Ph.D. student Long Huan on a smartphone security system that only displays sensitive content when it verifies the correct user is holding the device. The gripping-hand verification method employs an artificial intelligence (AI)-based algorithm that processes the notification tone recorded by the phone's mic, extracts biometric features to match with the user's recorded hand grip, and displays the notification preview if the verification is successful. Wang explained, "Because people have different hand sizes, finger lengths, holding strengths, and hand shapes, the impacts on sounds are different and can be learned and distinguished by AI. Along this way, we develop a system to use the notification tones to verify the gripping hand for notification privacy protection."

Full Article

 

Second Israeli Company Exploited iPhone Security Flaw

Reuters (2/3, Bing, Satter) reports an Apple software flaw “exploited by Israeli surveillance firm NSO Group to break into iPhones in 2021 was simultaneously abused by a competing company, according to five people familiar with the matter.” QuaDream, the sources said, “is a smaller and lower profile Israeli firm that also develops smartphone hacking tools intended for government clients.” Experts analyzing intrusions engineered “by NSO Group and QuaDream since last year believe the two companies used very similar software exploits, known as ForcedEntry, to hijack iPhones.” The analysts believed NSO “and QuaDream’s exploits were similar because they leveraged many of the same vulnerabilities hidden deep inside Apple’s instant messaging platform and used a comparable approach to plant malicious software on targeted devices, according to three of the sources.”

 

Facebook’s Cryptocurrency Project Sold To Silvergate

Politico (1/31, Sutton, Guida) reports that the Diem Association, the group initiated by Facebook to launch the Diem stablecoin, “said Monday it will sell its intellectual property and assets to the California bank Silvergate, a go-to firm for the crypto industry.” Monday’s announcement “caps a nearly three-year odyssey on the part of Facebook and its partners to launch a digital currency, which was first dubbed Libra in 2019 until its rebranding as Diem in 2020.” Politico says US and European lawmakers and regulators “ultimately derailed Diem’s ambitions, stoked by fears around how such an offering on the scale of Facebook would impact the financial system and the control central banks assert over money. The so-called stablecoin...never launched.”

dtau...@gmail.com

Apr 23, 2022, 8:41:26 AM4/23/22
to sec-...@googlegroups.com

Teen Suspected of Being Lapsus$ Mastermind
Bloomberg
William Turton; Jordan Robertson
March 23, 2022


Four cybersecurity researchers have traced a series of high-profile attacks against technology companies to a U.K. teenager, who they think is the architect of the Lapsus$ ransomware group. The researchers tapped forensic evidence from the attacks, in addition to public information, to link this individual to Lapsus$; they also suspect an adolescent in Brazil of being a member of the group. Lapsus$ has publicly mocked targets like Microsoft and Nvidia, leaking their source code and internal documents. Microsoft blogged that the group has engaged in a "large-scale social engineering and extortion campaign against multiple organizations." One research participant said the U.K. teen is so skilled and fast at hacking that researchers initially mistook the activity they were observing for automation.

Full Article

 

 

Inoculating Deep Neural Networks to Thwart Attacks
University of Michigan News
March 24, 2022


University of Michigan (U-M) scientists have developed the Robust Adversarial Immune-inspired Learning System (RAILS) to defend deep neural networks. "RAILS represents the very first approach to adversarial learning that is modeled after the adaptive immune system, which operates differently than the innate immune system," said U-M's Alfred Hero. RAILS was modeled after how adaptive immune systems in mice respond to an antigen, in order to emulate immune-system defenses to identify and address suspicious network inputs. The system achieved effective biomimicry, outperforming two of the most common machine learning countermeasures for adversarial attacks—Robust Deep k-Nearest Neighbor and convolutional neural networks. Using image identification as the test case, the researchers showed RAILS improved protection, including against the especially damaging Projected Gradient Descent attack.

Full Article

 

 

Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems
The Hacker News
Ravie Lakshmanan
March 22, 2022


Five security vulnerabilities identified in Dell BIOS by researchers at the firmware security firm Binarly could allow code execution on affected systems. According to a report by the researchers, "The active exploitation of all the discovered vulnerabilities can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement. The remote device health attestation solutions will not detect the affected systems due to the design limitations in visibility of the firmware runtime." The security issues are associated with improper input validation vulnerabilities affecting the firmware's System Management Mode. The affected products include the Alienware, Inspiron, Vostro, and Edge Gateway 3000 Series systems. Dell is urging customers to upgrade their BIOS as soon as possible.

Full Article

 

 

Corrupted Open Source Software Enters Russian Battlefield
ZDNet
Steven Vaughan-Nichols
March 21, 2022


JavaScript programmer Brandon Nozaki Miller's innocent attempt to protest Russia's invasion of Ukraine by crafting the peacenotwar open-source npm source-code package has been used to delete the file systems of Russian or Belarusian computers. Miller inserted code in the package to wipe the hard drive, then added the module as a dependency to the node-ipc module. Miller encoded his code revisions in base64 to thwart detection via code reading. Developer security company Snyk has classified the software as malicious. Such "protestware" creates a dangerous precedent; as one GitHub programmer wrote, "What's going to happen with this is that security teams in Western corporations that have absolutely nothing to do with Russia or politics are going to start seeing free and open source software as an avenue for supply chain attacks (which this totally is) and simply start banning free and open source software—all free and open source software—within their companies."

Full Article

 

 

Beware of QR Code Scams
The Wall Street Journal
Heidi Mitchell
March 19, 2022


Security researchers warn of the growing threat of fraudulent quick response (QR) codes, including some affixed to parking meters in Texas cities that tricked drivers into entering their credit-card data at a bogus Website. Although the Better Business Bureau's Scam Tracker site lists just 46 QR code-related attacks in the U.S. since March 2020, link-management service Bit.ly has observed a 750% increase in QR-code downloads since then. Most smartphones "just read the code and open the link without ensuring that it is safe or that it is, in fact, what it says it is," said Justin Fier at artificial intelligence cybersecurity firm Darktrace. Skilled attackers also can use a QR code to send users to a spoof site, then hand over the information they enter to the genuine site. Symantec's Eric Chien suggests either avoiding QR codes that are stuck on devices or installing QR-code scanner applications.
 

Full Article

*May Require Paid Registration

 

 

Unix Rootkit Used to Steal ATM Banking Data
BleepingComputer
Bill Toulas
March 17, 2022


Researchers at the cybersecurity firm Mandiant found that the LightBasin hacking group is using a previously unknown Unix rootkit to steal ATM banking data and make unauthorized cash withdrawals from ATM terminals at several banks. The rootkit, a Unix kernel module called "Caketap," affects servers running the Oracle Solaris operating system, hiding network connections, processes, and files while installing several hooks into system functions to receive remote commands and configurations. Caketap intercepts messages sent to the Payment Hardware Security Module (HSM), used by the banking industry to verify bank card information, to stop verification messages that match fraudulent bank cards and instead generate a valid response. It also internally saves valid messages that match non-fraudulent primary account numbers and sends them to the HSM to avoid impacting routine customer transactions and implant operations.
 

Full Article

 

 

Computer Scientist Identifies JavaScript Vulnerability in Thousands of Websites
Johns Hopkins University Hub
Catherine Graham
March 14, 2022


Researchers at the Johns Hopkins Information Security Institute analyzed a million Websites with JavaScript vulnerabilities and found more than 2,700 featured multiple flaws that could expose them to prototype pollution. Prototype pollution allows attackers to modify a prototype (a built-in property of a JavaScript object) to manipulate a site's URL, steal a user's profile information, or engage in other malicious activity. Of the Websites found to have multiple flaws, 10 were among the top 1,000 most-visited Websites of the year, including Weebly.com, CNET.com, and McKinsey.com. Johns Hopkins' Yinzhi Cao said, "Our ProbeTheProto tool can automatically and accurately detect a wide range of potential attacks, and we've found that many developers are happy that we are helping them stay ahead of cybersecurity threats."
 

Full Article

 

 

U.S., EU Sign Data Transfer Deal to Ease Privacy Concerns
Associated Press
Kelvin Chan; Chris Megerian
March 25, 2022


The U.S. and EU have signed a preliminary agreement that paves the way for the storage of Europeans' personal data in the U.S., easing concerns about privacy. "This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the U.S., and help companies—both small and large—compete in the digital economy," said President Biden. Alexandre Roure, an official with the tech trade group CCIA, said the data includes "any information that we voluntarily provide or generate when using services and products online." The U.S. and EU said the agreement addresses issues raised by Europe's top court, with the U.S. incorporating reforms to strengthen privacy and civil liberties safeguards "applicable to signals intelligence activities." The deal followed EU officials' agreement on new digital rules designed to check the power of technology giants.

Full Article

 

 

Nearly All Websites May Breach GDPR Legislation around Data Usage
New Scientist
Chris Stokel-Walker
March 18, 2022


An analysis of 29,398 websites by researchers at Switzerland's ETH Zurich found 94.7% potentially violated Europe's General Data Protection Regulation (GDPR). Since 2018, the GDPR has required sites to have cookie bars or banners that pop up when users first visit, explaining why cookies are collected, defining their usage, and requiring users to consent to their data's storage. Researchers evaluated whether the banner text accurately represented the cookies being collected and whether user consent affected which cookies were saved. They developed a Web browser extension that uses machine learning to categorize cookies as essential, functional, analytical, or ad-related. About 70% of the sites activated cookies before a user had consented to data storage, and about 20% activated cookies the user had declined.
 

Full Article

 

 

dtau...@gmail.com

May 1, 2022, 1:06:08 PM5/1/22
to sec-...@googlegroups.com

Technique Offers Faster Security for Non-Volatile Memory Tech
NC State University News
Matt Shipman
April 5, 2022


A technique developed by researchers at North Carolina State University (NC State) and the University of Central Florida enhances and accelerates file system security for next-generation non-volatile memories (NVMs). According to NC State's Kazi Abu Zubair, "Our technique allows for file-level encryption in fast NVM memories, while cutting the related execution time significantly." Zubair said the system's architecture incorporates certain aspects of the encryption/decryption process into hardware, which speeds secure storage and retrieval of file data. In simulations, the researchers found the encryption architecture decelerated NVM operations by 3.8% when running workloads representative of real-world applications; applying software techniques to secure the same workloads slowed operations by approximately 200%.

Full Article

 

 

Brokenwire Hack Could Let Remote Attackers Disrupt Electric Vehicle Charging
The Hacker News
Ravie Lakshmanan
April 4, 2022


Researchers at the U.K.'s University of Oxford and Switzerland's Armasuisse S+T (the center of technology of the Swiss Department of Defense, Civil Protection, and Sports) identified a method for attacking the Combined Charging System (CCS) and interrupting electric vehicle charging sessions. The Brokenwire technique disrupts control communications between the vehicle and the charger, allowing hackers to stop charging sessions wirelessly from as far away as 151 feet (46 meters). The researchers did not release additional details, to prevent active exploitation of the vulnerability, but indicated such attacks could be perpetrated with a combination of off-the-shelf software-defined radios, power amplifiers, and dipole antennas. The researchers said, "The use of PLC [power-line communications] for charging communication is a serious design flaw that leaves millions of vehicles, some of which belong to critical infrastructure, vulnerable."

Full Article

 

 

Monash Develops Algorithm for Stronger Blockchains
Digital Nation (Australia)
April 5, 2022


An international team of researchers has developed an algorithm to enable faster, stronger, more efficient blockchains. Researchers at Australia's Monash University, automation technology company ABB Zurich, and the U.K.’s University of Birmingham designed the Damysus Byzantine Fault Tolerance (BFT) consensus protocol to surmount faults and evade system failures in blockchain applications, adding more resilience as fault tolerance increases. Monash's Jiangshan Yu said the algorithm can be implemented simply for constructing scalable blockchains. He added that Damysus boosted the number of blockchain transactions per second by 87.5%, compared to the state-of-the-art HotStuff BFT consensus protocol. Said David Kozhaya at ABB Zurich, "Given the plethora of devices that inherently embed some form of trusted hardware nowadays, our results in Damysus, pragmatically speaking, make BFT protocols more appealing to use in real-world systems."

Full Article

 

 

Pitt Prevents Potential Phone Password Plunder
University of Pittsburgh Swanson School of Engineering
April 1, 2022


Researchers at the University of Pittsburgh (Pitt) Swanson School of Engineering found the graphics processing units (GPUs) in certain Android smartphones could be used to intercept user credentials typed on the onscreen keyboard. The researchers were able to infer which letters or numbers were pressed on the smartphone keyboard more than 80% of the time based solely on how the GPU generates displayed keyboard animations. Pitt's Wei Gao said, "Our experimental version of this attack could successfully target usernames and passwords being entered in online banking, investment, and credit reporting apps and websites, and we have proved that the embedded malicious codes in the app cannot be correctly detected by the Google Play Store." The team alerted Google and Qualcomm to the vulnerability; Google said it will release an Android security patch later this year.

Full Article

 

 

Hackers' Path Eased as 600,000 U.S. Cybersecurity Jobs Sit Empty
Bloomberg
Olivia Rockeman
March 30, 2022


Cybersecurity jobs search platform CyberSeek estimates roughly 600,000 vacant U.S. cybersecurity positions, including 560,000 private-sector jobs. The pandemic compounded a shortfall of cybersecurity professionals, while phishing and ransomware attacks escalated due to many employees using their home networks and computers. The Massachusetts Institute of Technology Sloan School of Management's Stuart Madnick cites a lack of qualified cybersecurity workers, while Bryan Palma at cybersecurity company Trellix said nations like Russia and China host better talent pipelines at the government level of people trained in cybersecurity. Max Shuftan at the SANS Institute cybersecurity training organization said the worker shortage especially impacts smaller organizations like civilian public agencies, most of which cannot match private companies' pay. As a result, Shuftan warned, "They're probably not going to have the staff and that makes them more vulnerable to attacks."
 

Full Article

 

 

Data-Harvesting Code in Mobile Apps Sends User Data to 'Russia's Google'
Ars Technica
Patrick McGee
March 29, 2022


As part of an app-auditing campaign for the non-profit Me2B Alliance, researcher Zach Edwards found that Yandex, known as "Russia's Google," has embedded code in apps for mobile devices running Apple's iOS and Google's Android systems that allows data to be sent to servers in Russia. The software has been found in 52,000 apps used by hundreds of millions of consumers. Said Edwards, "The AppMetrica SDK [software development kit] claims to provide appropriate services, all while phoning home to Moscow with deeply invasive metadata details that can be used to track people across Websites and apps." Games, messaging apps, location-sharing tools, and virtual private networks are among the apps in which AppMetrica has been found. Yandex said its SDK "operates in the same way as international peers" like Google Firebase, and collects data only "after the app receives users' consent" via Android and iOS apps.

Full Article

 

 

Chrome, Edge Hit with V8 Type Confusion Vulnerability with in-the-wild Exploit
ZDNet
Chris Duckett
March 27, 2022


Google is calling on Windows, macOS, and Linux users to upgrade their Chrome browsers to version 99.0.4844.84, in order to patch a V8 Type Confusion vulnerability with an exploit in the wild. V8, Chrome's JavaScript engine, is also used server-side in Node.js, but Google has not yet announced whether that is impacted. Google said bug details would remain undisclosed until most users had updated their browsers. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed," according to Google’s announcement. Microsoft published its own advisory, and said the issue has been corrected in the concurrently released Edge version 99.0.1150.55.
 

Full Article

 

 

Climate Groups Say Change in Coding Can Reduce Bitcoin Energy Consumption by 99%
The Guardian (U.K.)
Dominic Rushe
March 29, 2022


Climate groups have launched a campaign urging bitcoin miners to change how they create the cryptocurrency, in order to reduce the energy requirements of the process. Bitcoin's "proof of work" software uses vast computer arrays to validate and secure transactions, while competing cryptocurrency ethereum is transitioning to a "proof of stake" system that the company thinks will slash its energy expenditure by 99%. The ethereum model requires miners to pledge their coins to confirm transactions, and exacts penalties for inaccurate information. Chris Larsen at crypto company Ripple warns bitcoin's code "incentivizes maximum energy use" in lieu of a basic change. The campaign's organizers are taking legal action against proposed mining sites, and using their memberships to urge bitcoin's top investors and influencers to demand a code change.
 

Full Article

 

 

Researchers Protect Solar Technologies from Cyberattack
UGA Today
Mike Wooten
March 28, 2022


University of Georgia (UGA) researchers unveiled a sensor system that watches power electronic converters at solar energy farms for signs of cyberattack in real time. The system can detect anomalies in a converter's operations using just one voltage sensor and one current sensor, applying deep learning methods to differentiate between normal conditions, open-circuit faults, short-circuit faults, and cyberattacks. A passive sensor linked to the power converter gathers data on electrical waveforms and feeds it to a computer monitor, and unusual activity is detectable in the converter's electrical current, even if the firewall or security software misses an attack. The system also can diagnose the nature of a problem, and the researchers said it can identify cyberattacks in a solar farm model more proficiently than current techniques.
 

Full Article

 

 

Security Tool Guarantees Privacy in Surveillance Footage
MIT News
Rachel Gordon
March 28, 2022


A multi-institutional group of researchers has developed a system that can better guarantee privacy in video footage from surveillance cameras. When analysts submit video data queries, the Privid system adds noise to the result to prevent identification of individuals. Instead of running code over the entire video, Privid parses the video and runs code over each segment; the segments are aggregated with noise added, while data about the result's error bound also is provided. Privid lets analysts use their own deep neural networks to analyze the video, and make queries that the system's designers did not expect. The system was found to be accurate within 79% to 99% of a non-private system across different videos and queries.
 

Full Article

 

Cyberattacks Risk Escalating Conflict Into “Real War”

The AP (2/14, Bajak) reports President Joe Biden “couldn’t have been more blunt about the risks of cyberattacks spinning out of control. ‘If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence,’ he told his intelligence brain trust in July.” However, it is “unclear how grave a malicious cyber operation by a state actor would have to be to cross the threshold to an act of war.” The article adds, “A cluster of wholesale data pilfering in the mid-2010s attributed to China – from the U.S. Office of Personnel Management, United Airlines, Marriott hotels and the health insurer Anthem – inflicted a deep national security wound.”

 

Why Hackers Attack K-12 Schools Explained

Education Week (2/11, Klein) reports that “shadowy criminal gangs with sinister names like The Dark Overlord are terrorizing schools.” They “hack into district networks and then demand hundreds of thousands of dollars in ransom payments, making threats of terrible consequences if schools do not agree to hand over the money.” It’s a “growing problem that’s now tougher to tackle as districts lean further into the use of technology for teaching and learning and the management of schools and cyber criminals get craftier and more sophisticated.” K-12 schools “make tempting targets, in large part, because they have loads of data.” In “most cases these days, nearly every computer system that stores data – from gradebooks to door locks to salary information – relies on some sort of online network that is capable of being hacked.” To “complicate matters, districts became much more reliant on technology during the pandemic, when they handed out millions of digital devices for remote learning.”

 

Colleges Try to Make Cybersecurity Courses More Engaging As Cyberattacks Increase

The Chronicle of Higher Education (2/10) reports that “the last two years of the pandemic...have been checkered with cyberattacks against American colleges.” At least 26 “were attacked with ransomware in 2021, the same number recorded by Emsisoft, a software company, in 2020.” While there “are hosts of tests and types of software every college should have in its arsenal, those tools may leave out the largest piece of the equation: people.” Verizon’s 2021 Data Breach Investigations Report “found 85% of breaches involved a human element.” Colleges “are trying to take” cybersecurity, which “can be at once confusing, dull, and intimidating, and make it engaging.” To reach “broader audiences, they’re offering bite-size media content on cyber-topics that apply to people’s lives.” They’re “gamifying their instruction, offering phishing challenges and cybersecurity-themed escape rooms that mimic the popular puzzle-based game.” To engage those “already specializing in cyber-related fields, some are offering courses that further hone career skills while benefiting campus security.”

dtau...@gmail.com

May 9, 2022, 11:54:58 AM5/9/22
to sec-...@googlegroups.com

Improving Security of Two-Factor Authentication Systems
Texas A&M Engineering News
Stephanie Jones
April 14, 2022


An international team of researchers led by Texas A&M University's Nitesh Saxena created new techniques to enhance the security of push notification-based two-factor authentication systems. Saxena said the REPLICATE method better defends against concurrent login attacks. "If a user receives two notifications, the notification that corresponds to the browser's session of the attacker will differ," said Saxena, so "the user should be able to detect that something is amiss and not accept the wrong notification." REPLICATE requires users to approve a login attempt by replicating, on the login notification, a randomized interaction presented in the browser session. This blocks a concurrency attack, because the validating interaction will differ from the one the attacker's session requires.

Full Article

 

 

U.S. Warns Newly Discovered Malware Could Sabotage Energy Plants
The Washington Post
Joseph Menn
April 13, 2022


U.S. officials warn of newly discovered malware that could infiltrate industrial facilities and cause explosions at energy plants. Investigators said the Pipedream malware can target virtually any power plant by manipulating common equipment found in nearly all complex industrial plants, such as the programmable logic controllers (PLCs) that link industrial operations. Private security experts who analyzed Pipedream in tandem with government agencies suspect it is Russian and targets liquefied natural gas plants; they said building effective countermeasures would take months or years. Federal agencies are advising the energy sector and others to deploy monitoring programs, and to impose multifactor authentication for remote logins.

Full Article

*May Require Paid Registration

Hospital Robot Vulnerabilities Promptly Caught, Killed
The Jerusalem Post (Israel)
Zachy Hennessey
April 13, 2022


Researchers at New York-based cybersecurity startup Cynerio have identified five zero-day vulnerabilities, known as JekyllBot:5, affecting Aethon TUG smart autonomous robots used in hospitals across the globe. The vulnerabilities could enable remote surveillance of patients and doctors through the robot, and disrupt medication or supply deliveries. Cynerio's Asher Brass said, "These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack. If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots." Aethon has released patches to fix the flaws.

Full Article

Videoconferencing Apps May Listen Even When Mic is Off
University of Wisconsin-Madison News
Jason Daley
April 11, 2022


The University of Wisconsin-Madison's Kassem Fawaz and Yucheng Yang found many videoconferencing applications continue to listen when the microphone is supposedly muted. The researchers tested those apps on a variety of operating systems and learned that, for the most part, "when you mute yourself, these apps do not give up access to the microphone," said Fawaz. Along with Yang and colleagues at Loyola University Chicago, Fawaz traced raw audio in popular videoconferencing apps, and found they all occasionally collect data while muted; one app even continued to compile and deliver data to its server at the same rate, despite muting the microphone. The researchers trained an activity classifier using audio from YouTube videos representing six common background activities to identify background activity from the muted videoconferencing app's telemetry; it scored 82% accuracy on average.

Full Article

Cloud Server Leasing Can Leave Sensitive Data Up for Grabs
Penn State News
A'ndrea Elyse Messer
April 11, 2022


Pennsylvania State University (Penn State) researchers warn that leasing space and Internet Protocol (IP) addresses on public servers can lead to cloud squatting, which can threaten private data. The team established cloud server rentals from Amazon Web Services (AWS), renting server space for 10-minute intervals; during those intervals, they received information intended for previous tenants. Researchers noted they "deployed over 3 million servers receiving 1.5 million unique IP addresses over 101 days," during which they identified potential security breaches in cloud servers, third-party services, and Domain Name Servers. Many of the 5 million pieces of data received contained sensitive information, and the team notified AWS, Microsoft, Google, and vulnerable federal agencies of the exploit.
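The defensive counterpart to cloud squatting is making sure nothing of yours still points at an address you have released. The following added example (not the Penn State team's code) audits a zone for A records that land inside a cloud provider's published address space but are not among the addresses the organisation currently holds. The prefix data is constructed in the shape of AWS's published ip-ranges.json (the `prefixes`/`ip_prefix` keys are real; the prefix values, the allocation list and the DNS records are made up for the example).

```python
import ipaddress
import json

# Constructed sample in the shape of a provider's published ranges file.
# The prefixes are documentation ranges, not real allocations.
PROVIDER_RANGES_JSON = """
{"prefixes": [
  {"ip_prefix": "203.0.113.0/24", "region": "example-east-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24", "region": "example-west-2", "service": "EC2"}
]}
"""

# Addresses the organisation currently holds from that provider (constructed;
# in practice this comes from the provider's inventory API).
CURRENTLY_ALLOCATED = {"203.0.113.10", "203.0.113.11"}

# Constructed DNS records for the organisation's zone.
DNS_RECORDS = [
    ("api.example.org", "A", "203.0.113.10"),       # held instance: fine
    ("old-demo.example.org", "A", "203.0.113.77"),  # released cloud IP: dangling
    ("intranet.example.org", "A", "10.20.30.40"),   # private address: out of scope
    ("cdn.example.org", "A", "192.0.2.5"),          # not provider space: out of scope
    ("mail.example.org", "MX", "10 mail.example.org."),
]


def load_provider_networks(raw_json: str) -> list:
    """Parse the provider's ranges file into ip_network objects."""
    data = json.loads(raw_json)
    return [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]]


def find_dangling_records(records, provider_networks, allocated) -> list:
    """Return A records that point into provider address space at an address
    the organisation no longer holds. A future tenant of such an address
    would receive whatever traffic the record still attracts."""
    allocated_ips = {ipaddress.ip_address(a) for a in allocated}
    findings = []
    for name, rtype, value in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(value)
        if addr.is_private:
            continue
        owning = next((n for n in provider_networks if addr in n), None)
        if owning is None or addr in allocated_ips:
            continue
        findings.append({"name": name, "address": str(addr), "prefix": str(owning)})
    return findings


if __name__ == "__main__":
    nets = load_provider_networks(PROVIDER_RANGES_JSON)
    for finding in find_dangling_records(DNS_RECORDS, nets, CURRENTLY_ALLOCATED):
        print("dangling:", finding)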

Full Article

Google Bans Apps With Hidden Data-Harvesting Software
The Wall Street Journal
Byron Tau; Robert McMillan
April 6, 2022


Google has pulled dozens of applications from its Google Play store amid researchers' findings that they contain software that secretly harvests data. Serge Egelman at the University of California, Berkeley and Joel Reardon of Canada's University of Calgary found links between the code's developer, Panama-based Measurement Systems, and a Virginia defense contractor that conducts cyberintelligence and other work for U.S. national security agencies. They learned the code ran on millions of Android devices and could be found within a number of consumer apps. The researchers said Measurement Systems had paid developers to embed its data-harvesting software development kit into their apps, which "continues to underscore the importance of not accepting candy from strangers," according to Egelman.

Full Article

*May Require Paid Registration

U.S. FBI Says It Disrupted Russian Hackers
Reuters
Sarah N. Lynch
April 6, 2022


U.S. officials said the Federal Bureau of Investigation (FBI) seized control of thousands of routers and firewall appliances from Russian hackers by appropriating the infrastructure used to communicate with the devices. An unsealed redacted affidavit said the operation attempted to prevent the hackers from networking the devices into a botnet with which they could assail other servers with rogue traffic. Said U.S. Attorney General Merrick Garland, "Fortunately, we were able to disrupt this botnet before it could be used." The botnet was governed by Cyclops Blink malware, which U.S. and U.K. cyberdefense agencies had publicly attributed to Sandworm, a group associated with Russian military intelligence. FBI Director Chris Wray said, "We removed malware from devices used by thousands of mostly small businesses for network security all over the world. We shut the door the Russians had used to get into them."

Full Article

Hackers Target Bridges Between Blockchains for Crypto Heists
The Wall Street Journal
David Uberti
April 5, 2022


Hackers pulled off a $540-million cryptocurrency heist by exploiting Ronin Network software that lets players of the online game "Axie Infinity" transfer digital assets across blockchains. Ronin developer Sky Mavis said the hackers used a social engineering exploit to acquire the five keys needed to access Axie Infinity's underlying bridge. Blockchain analytics firm Elliptic estimates that decentralized financial systems saw at least $10.5 billion in losses last year due to crime, including stolen funds and falling prices in cryptocurrency offered by hacked systems. Blockchain experts said with cross-chain projects attracting capital and energy, security tools are under pressure to keep up.
