Dr. T's security brief


dtau...@gmail.com

Aug 27, 2023, 7:56:10 PM8/27/23
to sec-...@googlegroups.com

Research Hack Reveals Call Security Risk in Smartphones
Texas A&M Engineering News
Nancy Luedke
August 17, 2023


A multi-institutional team of researchers developed malware to extract caller information by screening vibration data from ear speakers recorded by a smartphone's accelerometers. The researchers used two newer Android phones whose motion-sensor data is retrievable without users' consent. The models' larger speakers also provided more caller information than older models, allowing a machine learning algorithm to infer 45% to 90% of the word regions from their accelerometer data. The researchers learned their EarSpy malware could identify repeat callers with 91.6% accuracy, determine the speaker's gender with 98.6% accuracy, and identify spoken numbers from zero to nine with 56% accuracy. Texas A&M University's Ahmed Tanvir Mahdad said attackers would have to conceal EarSpy within a downloadable application to pull off the exploit.

Full Article


Researchers Demo Fake Airplane Mode Exploit That Tricks iPhone Users
Computer Weekly
Alex Scroxton
August 17, 2023


Jamf Threat Labs researchers demonstrated an exploit chain that allows attackers to use an artificial ‘airplane mode’ to remain connected to exposed devices that users believe are offline. The researchers created a fake airplane mode by identifying a specific string in the device's console log, "#N User airplane mode preference changing from kFalse to kTrue," accessing the device's code, and replacing the function with an empty or ‘do nothing’ function. They also accessed the user interface to add a small piece of code to dim the mobile connectivity icon and highlight the airplane mode icon, then exploited the CommCentre to block mobile data access for certain apps so the user received a "turn off airplane mode" notification. The researchers believe the technique is most likely to be used in a targeted attack.

Full Article


Cyberattack Shutters Major NSF-Funded Telescopes for More Than 2 Weeks
Science
Celina Zhao; Tanvi Dutta Gupta
August 18, 2023


Since the beginning of August, 10 telescopes in Hawaii and Chile run by the National Science Foundation's NOIRLab coordinating center for ground-based astronomy have been offline due to a cyberattack. Research groups have joined forces to identify alternatives to remote control of these telescopes to avoid missing critical observation windows. This includes sending graduate students to assist on-site staff at the Víctor M. Blanco and SOAR telescopes in Chile in making in-person observations. NOIRLab detected the cyberattack on its Gemini North telescope in Hawaii on Aug. 1 and acted quickly to prevent physical damage, but it has released few details about the incident. All operations at the International Gemini Observatory were halted as a result, and its computer network was disconnected from the Mid-Scale Observatories, preventing remote observations using its telescopes.

Full Article


Over 100K Hacking Forums Accounts Exposed by Info-Stealing Malware
BleepingComputer
Ionut Ilascu
August 14, 2023


Researchers at threat intelligence firm Hudson Rock identified 120,000 infected systems containing more than 140,000 credentials for cybercrime forums. Using data from info-stealer logs, the researchers found that around 100,000 of those compromised computers belonged to hackers, most likely less-skilled ones. The info-stealer logs also detailed additional credentials (emails and usernames), auto-filled personal data (names, addresses, phone numbers), and system information (computer names and IP addresses). Of the compromised users, over 57,000 had accounts with the cybercrime community Nulled. The researchers found BreachForums users had the strongest passwords, and credentials for cybercrime forums were slightly stronger than government website logins. Three info-stealers, RedLine, Raccoon, and Azorult, accounted for a majority of infections.

Full Article


US Warns Space Companies About Foreign Spying

The New York Times (8/18, Barnes) reported the National Counterintelligence and Security Center, the FBI, and the Air Force on Friday warned China and Russia have been “targeting American private space companies, attempting to steal critical technologies and preparing cyberattacks aimed at degrading U.S. satellite capabilities during a conflict or emergency.” The Times added their “broad warning to industry said that foreign intelligence services could be targeting space firms, their employees and the contractors that serve those companies.” Intelligence agencies are increasingly “dependent on the private-sector space industry, and U.S. officials are worried about the interest Chinese and Russian spy services have shown in those companies, based on recent F.B.I. investigations and intelligence collection on foreign intelligence plans.”

        Bloomberg (8/18, Manson, Subscription Publication) reports the bulletin warned the companies are at risk of “cyberattacks, strategic investment (including joint ventures and acquisitions), the targeting of key supply chain nodes and other techniques to gain access to the space industry.” They warned foreign actors are “disrupting and degrading U.S. satellite communications, remote sensing and imaging capabilities,” and also warns about “unsolicited offers to establish joint ventures with companies tied to foreign governments or state-owned enterprises.”


Arizona Community College To Provide Hands-On Career Training With New Cybersecurity Program

The Arizona Republic (8/21, Hupka) reports that on Thursday, Glendale Community College professor Martin Bencic announced the launch of “a new center at GCC that will give students hands-on information technology experience while helping small Arizona cities up their cybersecurity game.” The Gaucho Security Operations Center, “named after GCC’s mascot, will be the ‘first of its kind’ in the state, said Bencic, who now serves as the director of the college’s cybersecurity program.” Funded by “about $1 million in state grant money, the center will offer free cybersecurity monitoring services to rural municipalities that lack funding to do such work themselves. When abnormalities and security concerns arise, the center’s staff and interns will inform local officials, who then can take steps to fix the issue.” Bencic hopes that “will help his students narrow the skill gap that exists between academia and the cybersecurity industry.”


Researchers Discover ChatGPT-Powered Botnet

Ars Technica (8/22) reports, “Researchers at Indiana University Bloomington discovered a botnet powered by ChatGPT operating on X—the social network formerly known as Twitter—in May of this year.” The Fox8 botnet “consisted of 1,140 accounts. Many of them seemed to use ChatGPT to craft social media posts and to reply to each other’s posts. The auto-generated content was apparently designed to lure unsuspecting humans into clicking links through to...crypto-hyping sites.” The botnet’s use of ChatGPT “certainly wasn’t sophisticated. The researchers discovered the botnet by searching the platform for the tell-tale phrase ‘As an AI language model …’, a response that ChatGPT sometimes uses for prompts on sensitive subjects. They then manually analyzed accounts to identify ones that appeared to be operated by bots.”
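A mechanised version of the two-step detection described in the Fox8 item, as an added example that is not part of the original digest or the Indiana University study: it seeds on the tell-tale phrase, then expands along reply edges and shared link domains so that a human merely quoting the phrase is routed to manual review rather than labelled a bot. The posts, account names and the coin-example.test domain are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Phrase that leaks unfiltered ChatGPT output into a post
TELLTALE = re.compile(r"\bas an ai language model\b", re.IGNORECASE)

# Constructed sample posts, not real X data: (post_id, account, text, account_replied_to)
POSTS = [
    ("p1", "acct_a", "As an AI language model, I cannot endorse tokens, but see https://coin-example.test/moon", "acct_b"),
    ("p2", "acct_b", "Exactly! Presale is live at https://coin-example.test/launch", "acct_a"),
    ("p3", "acct_c", "As an AI language model I can't give financial advice. https://coin-example.test/airdrop", "acct_a"),
    ("p4", "acct_d", "Lunch on the patio was great today", None),
    ("p5", "acct_e", "My students keep writing 'As an AI language model' in their essays", None),
]


def seed_accounts(posts):
    """Step 1 of the Fox8 method: keyword search for the tell-tale phrase."""
    return {account for _, account, text, _ in posts if TELLTALE.search(text)}


def link_domains(text):
    return {urlparse(url).hostname for url in re.findall(r"https?://\S+", text)}


def triage(posts):
    """Step 2, mechanised: expand the seed set along reply edges and corroborate
    each account with shared link targets or in-cluster replies. Accounts that
    only matched the phrase (e.g. a human quoting it) are left for manual review."""
    seeds = seed_accounts(posts)
    domains = defaultdict(set)    # account -> domains it linked to
    partners = defaultdict(set)   # undirected reply graph
    for _, account, text, reply_to in posts:
        domains[account] |= link_domains(text)
        if reply_to:
            partners[account].add(reply_to)
            partners[reply_to].add(account)

    cluster = set(seeds)
    for seed in seeds:
        cluster |= partners[seed]

    linkers = defaultdict(set)    # domain -> cluster accounts linking to it
    for account in cluster:
        for domain in domains[account]:
            linkers[domain].add(account)

    verdict = {}
    for account in cluster:
        shares_links = any(len(linkers[d]) > 1 for d in domains[account])
        talks_to_cluster = bool(partners[account] & cluster)
        verdict[account] = "likely-bot" if (shares_links or talks_to_cluster) else "manual-review"
    return verdict


if __name__ == "__main__":
    for account, verdict in sorted(triage(POSTS).items()):
        print(account, verdict)
```

The phrase alone is a weak signal (acct_e in the sample is a teacher quoting it); the corroborating structure, accounts that reply to each other and push the same link targets, is what separates a coordinated cluster from noise, which is the part the researchers did by hand.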

dtau...@gmail.com

Sep 2, 2023, 7:38:30 PM9/2/23
to sec-...@googlegroups.com

U.S. Says It, Partners Have Taken Down 'Qakbot' Hacking Network
Reuters
Christopher Bing; David Ljunggren
August 29, 2023


The U.S. Department of Justice (DOJ) announced the "Qakbot" financial fraud malware platform has been taken down through an international law enforcement operation. DOJ said the U.S. Federal Bureau of Investigation (FBI) worked with officials in France, Germany, the Netherlands, the U.K., Romania, and Latvia in the "Duck Hunt" operation to disrupt the botnet, which security researchers think originates from Russia. U.S. attorney Martin Estrada said Qakbot malware had infiltrated more than 700,000 computers, deployed ransomware, and harmed businesses, healthcare providers, and government agencies to the tune of hundreds of millions of dollars. The FBI said it crippled Qakbot by rerouting its Internet traffic to bureau-controlled servers that removed malware from victim computers without viewing or collecting personal information. Said FBI director Christopher Wray, "The FBI neutralized this far-reaching criminal supply chain, cutting it off at the knees."

Full Article


NIST to Standardize Encryption Algorithms That Can Resist Attack by Quantum Computers
NIST News
August 24, 2023


The National Institute of Standards and Technology (NIST) has released draft standards for three of four algorithms chosen last year for their resistance to attacks by quantum computers. The global cryptographic community has until Nov. 22 to submit comments on the draft standards. The three algorithms for which standards have been released are CRYSTALS-Kyber, an algorithm for general encryption purposes, and CRYSTALS-Dilithium and SPHINCS+, which are designed to protect digital signatures. A draft standard for the fourth algorithm, FALCON, which also is intended to protect digital signatures, is expected within a year. Meanwhile, NIST researchers continue to evaluate a second set of algorithms, with draft standards to be published next year if any are chosen for standardization.

Full Article


Twelve Nations Urge Social Media Giants to Tackle Illegal Data Scraping
ZDNet
Eileen Yu
August 25, 2023


A joint statement from a dozen countries, including Australia, Canada, the U.K., Hong Kong, and Switzerland, called on social media platforms to address illegal data scraping, emphasizing that local laws require them to protect user information. The nations are seeking feedback from the parent companies of these platforms on how they will comply or plan to comply with the "expectations and principles" set forth in the statement, which in some jurisdictions are "explicit statutory requirements." The joint statement indicated that platforms including YouTube, TikTok, Facebook, Weibo, X, and LinkedIn should, among other things, limit the number of visits per hour or per day by a single account to other account profiles, develop teams or roles tasked with formulating and implementing measures to prevent scraping, and identify and take legal action against scrapers.

Full Article


White House Sponsors Competition To Expose AI Bias At Hacking Convention

NPR (8/26, Shivaram) detailed the White House efforts to promote the mitigation of AI bias through “the largest-ever public red-teaming challenge during Def Con, an annual hacking convention in Las Vegas,” which featured “hundreds of hackers probing artificial intelligence technology for bias.” The Administration “encouraged top tech companies like Google and OpenAI...to have their models tested by independent hackers,” and “over the next several months, tech companies involved will be able to review the submissions and can engineer their product differently, so those biases don’t show up again.”


Legislation Would Make it Easier For Californians To Remove Personal Information From Web

The Los Angeles Times (8/29, Wong) reports that California “passed a digital privacy law in 2018, but one of the protections it granted has proved difficult for people to use.” The law “gives Californians the right to ask businesses to delete their personal information.” But “it requires making the request one at a time to potentially hundreds of companies.” New legislation “would make it easier by allowing consumers to make just one request to get every data broker to delete their personal information.” But the measure, known as the Delete Act, “has set off a debate between consumer groups and privacy advocates who argue that Californians deserve more control over their information online, and tech companies and other big businesses that contend the modern economy is built on the flow of data to personalize advertising and other services.”


University Of Michigan Internet Disrupted Due To “Significant” Cybersecurity Incident

CNN (8/29, Lyngaas) reports the University of Michigan has partially lacked Internet access “for two days after staff shut the school’s connections” down in response to a “significant [cyber]security concern.” The Internet shutdown affected “campus IT systems used for research and fundraising, and could delay financial aid reimbursements, the university said Monday.” The cause of the outage is unclear, but university statements “suggested malicious cyber activity was to blame.”


University Of Michigan Restores Internet Access To Three Campuses After Security Concern

The AP (8/30) reports the University of Michigan’s Internet access has been restored “after a security issue interrupted service last weekend, officials said Wednesday.” While the school year started Monday, the outage began Sunday afternoon “at the main Ann Arbor campus and smaller campuses in Dearborn and Flint.” President Santa Ono said, “The investigative work into the security issue continues, and we are not able to share any information that might compromise the investigation. We appreciate your understanding as we continue to move through the investigative process.” Inside Higher Ed (8/30, Coffey) reports the university “cut off internet access and online services across all three of its campuses” to ward off the potential cyberattack, “leaving students and faculty in digital limbo during the first week of classes.”


University Of Minnesota Faces Lawsuit Over Lack Of Action To Prevent Data Breach

The AP (8/30) reports a lawsuit filed “on behalf of a former student and former employee at the University of Minnesota accuses the university of not doing enough to protect personal information from a recent data breach.” The plaintiffs’ attorneys “said in the lawsuit filed in federal court Friday that the university ‘was fully capable of preventing’ the breach, the Minneapolis Star Tribune reported Wednesday.” After being questioned by the Star Tribune, “the university acknowledged last week that it learned July 21 ‘that an unauthorized party claimed to possess sensitive data allegedly taken from the University’s systems.’” On the same day, a news site focused on cybersecurity “posted a story about a hacker’s claims to have accessed about 7 million Social Security numbers dating to 1989.” The lawsuit “accuses the university of violating the Minnesota Government Data Practices Act.”


Twitter To Add Video And Audio Calls, Begin Collecting Users’ Biometric Data

Bloomberg (8/31, Hughes-Morgan, Subscription Publication) reports, “Users of X, the social network formerly known as Twitter, will be able to make video and audio calls through the platform without having to share their phone number, owner Elon Musk said in a post Thursday, in the latest expansion of services as he seeks to create an ‘everything app.’” Bloomberg says the announcement of the new feature “came after the platform updated its privacy policy to include the collection of biometric data.”

        Fortune (8/31) reports X introduced a new privacy policy that, starting Sept. 29, casts a “wider net to scoop up” additional user data. Changes in the updated version “include clauses about X collecting users’ biometric data as well as information on their employment and educational backgrounds. It does not specify exactly what it means by ‘biometric information’ – but the term can refer to a range of biological characteristics like facial recognition, fingerprints, or voice recognition.” The new policy also “includes plans to use user data to train artificial intelligence systems.” The updates “add to the user information X already collects, such as location data, payment information, and how people interact with advertisements.” Experts warn that there are “major privacy concerns associated with ramping up access to user data.”
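The per-account visit limit that the twelve regulators ask platforms for in the data-scraping item (limit the number of visits per hour or per day by a single account to other account profiles), as an added example that is not code from any of the named platforms: a sliding-window limiter on profile views per viewing account, with both an hourly and a daily cap. The thresholds, method names and injected timestamps are assumptions for illustration; a real deployment would keep the windows in a shared store (e.g. a Redis sorted set), answer refused requests with HTTP 429 and feed the refusals into scraper detection.

```python
from collections import deque


class ProfileViewLimiter:
    """Sliding-window cap on how many other-account profiles one account may
    open per hour and per day. Timestamps are passed in (seconds, monotonic)
    so the behaviour is deterministic and testable."""

    HOUR = 3600
    DAY = 86400

    def __init__(self, per_hour=60, per_day=500):
        self.per_hour = per_hour
        self.per_day = per_day
        self.views = {}  # viewer -> deque of view timestamps within the last day

    def allow(self, viewer, profile, now):
        if viewer == profile:            # viewing your own profile is not scraping
            return True
        window = self.views.setdefault(viewer, deque())
        while window and now - window[0] >= self.DAY:   # evict entries older than a day
            window.popleft()
        last_hour = sum(1 for t in window if now - t < self.HOUR)
        if last_hour >= self.per_hour or len(window) >= self.per_day:
            return False                 # caller answers 429 and logs the viewer
        window.append(now)
        return True

    def usage(self, viewer, now):
        """(views in the last hour, views in the last day) for a viewer."""
        window = self.views.get(viewer, deque())
        return (sum(1 for t in window if now - t < self.HOUR),
                sum(1 for t in window if now - t < self.DAY))


if __name__ == "__main__":
    limiter = ProfileViewLimiter(per_hour=3, per_day=5)
    for i in range(5):
        print(i, limiter.allow("scraper", "user%d" % i, now=float(i)))
```

The daily cap matters as much as the hourly one: a scraper that paces itself just under the hourly limit still collects thousands of profiles a week, so the two windows should be tuned together against what a human actually does.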

 

dtau...@gmail.com

Sep 10, 2023, 1:43:56 PM9/10/23
to sec-...@googlegroups.com

Scammers Can Abuse Security Flaws in Email Forwarding to Impersonate High-Profile Domains
UC San Diego Today
Ioana Patringenaru
September 5, 2023


Researchers at the University of California, San Diego, Stanford University, and the University of Twente in the Netherlands found a way for scammers to masquerade as high-profile organizations by exploiting vulnerabilities in email forwarding. The researchers formulated four forwarding-based spoofing attacks; one involves the attacker creating a personal account for forwarding, then adding a spoofed address to the account's white list and forwarding the spoofed email to the target. Mass outsourcing of email infrastructure to Gmail and Outlook created this vulnerability, with tens of thousands of domains ranging from financial service companies to news organizations to U.S. government organizations at risk. The researchers alerted Microsoft, Apple, and Google of the flaw, which to their knowledge has not been fully corrected. They advise the disablement of open forwarding, which allows users to configure their account to forward messages to any designated email address without the destination's confirmation.

Full Article


Wanted: Skilled Workers to Combat Rise in Cyber Crime
Financial Times
Hannah Murphy
September 4, 2023


The International Information System Security Certification Consortium (ISC2) estimated there were roughly 4.7 million people in the global cybersecurity workforce last year, but CEO Clar Rosso cited a shortfall of 3 million to 4 million. Cybersecurity job market website Cyberseek found just 69% of cyber roles are filled in the U.S., while a 2023 U.K. government report observed a basic cyber skills gap among half of U.K. businesses. Roy Zur at cybersecurity and digital skills provider ThriveDX called the shortage a "self-inflicted problem" as companies pursue applicants with a strict minimum level of expertise, compounded by a dearth of specialized and accelerated training programs.

Full Article

*May Require Paid Registration


Carmakers Fail Privacy Test, Give Owners Little Control of Collected Personal Data
Associated Press
Frank Bajak
September 6, 2023


A survey by the nonprofit Mozilla Foundation found most automakers admitted to possibly selling car owners' personal data. Albert Fox Cahn at Harvard's Carr Center for Human Rights Policy warned, "The electronics that drivers pay more and more money to install are collecting more and more data on them and their passengers." Mozilla assigned cars the worst privacy score among more than a dozen product categories the organization has reviewed since 2017. None of the 25 car brands whose privacy notices Mozilla vetted this year met the nonprofit's minimum privacy standards, which include encrypting all personal information, compared to 37% of reviewed mental health applications. Nineteen car brands said they can sell owners' personal information, with half also willing to share it with the government or law enforcement without a court order.

Full Article


Community Colleges Grapple With “Ghost Students” Amid Rising Cybersecurity Threats

The Chronicle of Higher Education (9/1, Hall) reported that community colleges are increasingly grappling with “ghost students,” as fraudsters are using bots “in an attempt to steal community colleges’ financial aid, gumming up their easy-to-enroll admissions systems and wasting human capital.” The trend started when courses moved online during the pandemic, and scammers “flooded community colleges with bots, or automated software applications, to fraudulently enroll in courses and interact with course materials and professors until the college issued a financial-aid check.” According to Nick Merrill, a University of California at Berkeley lecturer, “community colleges are now training their staffs to better detect fraud, and making changes to admissions. But with this could come increased barriers to enrollment, Merrill said.” Meanwhile, the Department of Education’s Office of Inspector General “said in a statement that they are investigating the phenomenon.”


Newsom Signs Executive Order Regulating AI

SFGate (CA) (9/6) reports the state of California “has entered the frenzied and at times confusing race among governments around the world to both regulate and harness the technology known as generative artificial intelligence.” On Wednesday morning, Gov. Gavin Newsom (D) “signed Executive Order N-12-23, a 2,500-word directive that instructs state agencies to examine how AI might threaten the security and privacy of California residents, while also authorizing state employees to experiment with AI tools and try integrating them into the state’s operations.” The executive order “comes as Washington and other governments struggle with how to regulate artificial intelligence.”
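A simplified model of the forwarding-based spoofing attack described in the UC San Diego item (attacker creates a personal forwarding account, allowlists the address to be spoofed, forwards the spoofed mail to the target) and of the recommended fix, forwarding only to destinations that confirmed they want it. This is an added example, not the researchers' code or any provider's implementation. Domains, hosts and addresses (bank.example, sharedmail.example, target.example) are constructed; the model evaluates SPF on the envelope sender only and ignores DKIM, DMARC and sender rewriting, which real receivers also consult and which the paper's other attack variants address.

```python
from dataclasses import dataclass, field
import secrets

# Constructed domains for this example. bank.example outsources its mail to
# sharedmail.example, so the provider's outbound host is SPF-authorised for it.
SPF_RECORDS = {
    "bank.example": {"mx.bank.example", "out.sharedmail.example"},
    "sharedmail.example": {"out.sharedmail.example"},
    "target.example": {"mx.target.example"},
}


@dataclass
class Message:
    mail_from: str        # SMTP envelope sender
    header_from: str      # From: header the recipient sees
    rcpt_to: str
    connecting_host: str  # host that handed the message to the receiver


def spf_pass(msg):
    domain = msg.mail_from.rsplit("@", 1)[1]
    return msg.connecting_host in SPF_RECORDS.get(domain, set())


@dataclass
class Account:
    forward_to: str = ""
    allowlist: set = field(default_factory=set)   # senders exempt from spam filtering
    confirmed: set = field(default_factory=set)   # destinations that echoed a token back
    pending: dict = field(default_factory=dict)   # destination -> outstanding token


class ForwardingProvider:
    def __init__(self, outbound_host, open_forwarding):
        self.outbound_host = outbound_host
        self.open_forwarding = open_forwarding   # True: no destination confirmation
        self.accounts = {}

    def configure_forward(self, account_addr, destination, allowlist=()):
        acct = self.accounts.setdefault(account_addr, Account())
        acct.forward_to = destination
        acct.allowlist |= set(allowlist)
        if not self.open_forwarding:   # token is mailed to the destination mailbox
            acct.pending[destination] = secrets.token_urlsafe(16)
        return acct.pending.get(destination)

    def confirm_destination(self, account_addr, destination, token):
        acct = self.accounts[account_addr]
        if secrets.compare_digest(acct.pending.get(destination, ""), token):
            acct.confirmed.add(destination)
            return True
        return False

    def receive(self, msg):
        """Inbound mail for a hosted account; returns the forwarded copy or None."""
        acct = self.accounts.get(msg.rcpt_to)
        if acct is None or not acct.forward_to:
            return None
        # spam filter: drop SPF failures unless the owner allowlisted the sender
        if not spf_pass(msg) and msg.header_from not in acct.allowlist:
            return None
        if not self.open_forwarding and acct.forward_to not in acct.confirmed:
            return None
        # classic forwarding keeps the envelope sender but leaves from our host
        return Message(msg.mail_from, msg.header_from, acct.forward_to, self.outbound_host)


def run_attack(open_forwarding):
    """Attacker forwards their own mailbox to the victim, allowlists the
    address they intend to spoof, then mails themselves the spoofed message."""
    provider = ForwardingProvider("out.sharedmail.example", open_forwarding)
    provider.configure_forward("attacker@sharedmail.example", "victim@target.example",
                               allowlist={"ceo@bank.example"})
    spoof = Message("ceo@bank.example", "ceo@bank.example",
                    "attacker@sharedmail.example", "attacker-vps.example")
    forwarded = provider.receive(spoof)   # sent directly, this would fail SPF at target.example
    if forwarded is None:
        return "blocked"
    return "spf-pass" if spf_pass(forwarded) else "spf-fail"


def run_legitimate(open_forwarding):
    """A user who owns both mailboxes can still forward under either policy."""
    provider = ForwardingProvider("out.sharedmail.example", open_forwarding)
    token = provider.configure_forward("alice@sharedmail.example", "alice@target.example")
    if token is not None:
        provider.confirm_destination("alice@sharedmail.example", "alice@target.example", token)
    mail = Message("friend@bank.example", "friend@bank.example",
                   "alice@sharedmail.example", "mx.bank.example")
    return provider.receive(mail) is not None
```

The point the model makes is that the forwarded copy leaves from out.sharedmail.example, a host that bank.example's own SPF record authorises because bank.example outsourced its mail there; the receiver cannot tell the relay from a genuine bank.example message. Requiring the destination to confirm takes the attacker's ability to point the forward at an arbitrary victim away without affecting a user who really controls both mailboxes.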

dtau...@gmail.com

Sep 17, 2023, 7:37:04 PM9/17/23
to sec-...@googlegroups.com

Flaw Found in Apple Devices Led to Spyware Infection: Researchers
Reuters
Christopher Bing; Zeba Siddiqui
September 7, 2023


Researchers at Canada-based Citizen Lab found a vulnerability in Apple devices was used to spread spyware from Israeli cyber-intelligence group NSO. The digital watchdog said it determined the flaw had been exploited to infect the Apple device of an employee of a Washington-based civil society group with NSO's Pegasus spyware. Citizen Lab said the bug compromises iPhones running the latest iteration of iOS without any interaction from victims. Citizen Lab's John Scott-Railton said, "This shows that civil society is once again serving as the early warning system about really sophisticated attacks." The watchdog reported the flaw to Apple, which released updates on its devices.

Full Article


Tool Skewers Socially Engineered Attack Ads
Georgia Tech Research
September 8, 2023

Trident, developed by researchers at Georgia Institute of Technology (Georgia Tech), is a Google Chrome-compatible add-on that can block socially engineered online ads with what the researchers describe as nearly total efficacy. Georgia Tech's Zheng Yang said, "The goal is to identify suspicious ads that often take users to malicious websites or trigger unwanted software downloads. Trident operates within Chrome's developer tools and uses a sophisticated AI [artificial intelligence] to assess potential threats." The researchers built Trident using a dataset amassed from over 100,000 websites, which helped identify 1,479 attacks covering six common types of Web-based social engineering exploits. Trident realized a near-perfect detection rate of malicious ads over the course of a year, yielding a mere 2.57% false-positive rate.

Full Article


Playing Hide and Seek with Malware
Georgia Tech Research
September 8, 2023


Scientists at the Georgia University of Technology (Georgia Tech) and the U.S. Military Academy have identified Web app-engaged (WAE) malware, a new type of malware whose use has risen 226% since 2020. Georgia Tech's Mingxuan Yao said WAE malware is engineered to exploit popular online applications offering services ranging from content delivery to data storage to social networking. WAE malware's approach diverges from that of typical malware by masking its traffic as benign in order to infect targeted systems without detection. The researchers created a tool called Marsea that enabled cybersecurity incident responders and Web app providers to coordinate and purge 79.8% of nearly 1,000 instances of WAE malware discovered in 29 apps. Marsea also discovered attackers are trying to avoid detection by switching their malicious command-and-control servers to these apps.

Full Article


China Sows Disinformation About Hawaii Fires Using New Techniques
The New York Times
David E. Sanger; Steven Lee Myers
September 11, 2023


Researchers at Microsoft, the University of Maryland, and other organizations found China's government is utilizing new methods to promulgate disinformation about last month's wildfires on Maui, claiming they resulted from tests of a secret "weather weapon." Such content includes photos apparently produced by artificial intelligence to add plausibility to Beijing's false narrative. The campaign seems to indicate China has shifted tactics from intensifying state propaganda to actively spreading discord in the U.S. The researchers suggested China was amassing a network of accounts that could be leveraged in future information (or disinformation) campaigns for "amplifying conspiracy theories that are not directly related to some of their interests, like Taiwan," said Brian Liston at cybersecurity company Recorded Future.

Full Article

*May Require Paid Registration


Better Cybersecurity with New Material
Linkoping University (Sweden)
Anders Törneholm
September 4, 2023


Researchers at Sweden's Linköping University think their new Quantum Random Number Generator (QRNG) for encryption can support a new form of quantum communication. The researchers' QRNG uses perovskite light-emitting diodes (PeLEDs), potentially making their production more affordable and environmentally friendly than the production of non-perovskite LEDs. Linköping's Feng Gao said the PeLEDs consume less energy than the lasers traditionally used for QRNGs. Linköping's Guilherme B. Xavier said the new QRNG could be available for cybersecurity applications within five years.

Full Article


Tribal Nations Face Less Accurate, More Limited 2020 Census Data Because of Privacy Methods
Associated Press
Mike Schneider; Morgan Lee
September 9, 2023


Methods deployed by the U.S. Census Bureau to protect participants' confidentiality by intentionally introducing errors have reduced the accuracy and availability of 2020 Census datasets for Native American tribes compared to the previous Census. The differential privacy process algorithmically creates errors by adding or subtracting people from the actual tally; the Census Bureau said it needs the algorithms to prevent hackers from identifying participants. New Mexico State Demographer Robert Rhatigan said the bureau never clearly communicated to tribes that this "noise" would make certain data unavailable. The Federal Reserve Bank of Minneapolis said differential privacy affects accuracy most when breaking down population counts by race, age, and sex, complicating the understanding of demographic changes in individual tribal areas. Such demographic data is critical in guiding tribal leaders' decisions, estimating future population growth, and funding social programs, education, roads, and senior care.

Full Article


Back-to-School Season Marks “Prime Time” For Cyber Gang Attacks

The Seventy Four (9/14, Keierleber) reports the school district in Prince George’s County, Maryland, “is rolling out stringent security measures, including metal detectors and a clear backpack mandate, to keep danger from entering its buildings.” However, before the first class started, the district “faced an assault on its security” after threat actors “appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system – among the nation’s 20 largest – joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs.” The back-to-school season, “already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts,” as ransomware gangs in August alone “claimed new attacks on 11 K-12 school systems, according to an analysis by The 74 of the cyber group’s dark web leak sites.”
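How the "noise" in the Census item is generated and why it hurts small tribal-area cells most, as an added example; this is not the Census Bureau's own disclosure-avoidance system, which is far more elaborate (it noises a whole hierarchy of tables and then post-processes them for consistency). The Laplace mechanism shown here is the textbook version, and the epsilon value and the counts in the small table are assumptions constructed for illustration.

```python
import math
import random


def laplace_sample(scale, rng):
    """Laplace(0, scale) via the inverse CDF; rng is a seeded random.Random."""
    u = rng.random() - 0.5
    while u <= -0.5:             # rng.random() may return exactly 0.0 -> log(0)
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noisy_count(true_count, epsilon, rng):
    """epsilon-DP count. Adding or removing one person moves a count by 1, so
    Laplace noise of scale 1/epsilon suffices; the result is then post-processed
    to a non-negative integer as a published table cell would be."""
    return max(0, round(true_count + laplace_sample(1.0 / epsilon, rng)))


def expected_relative_error(true_count, epsilon):
    """E|Laplace(b)| = b = 1/epsilon, so relative error grows as the cell shrinks."""
    return (1.0 / epsilon) / true_count


def mean_abs_noise(scale, n=20000, seed=7):
    """Empirical check of the E|noise| = scale identity used above."""
    rng = random.Random(seed)
    return sum(abs(laplace_sample(scale, rng)) for _ in range(n)) / n


def publish_table(cells, epsilon, seed=2020):
    """Release every cell with independent noise. By sequential composition
    the whole table spends len(cells) * epsilon of privacy budget."""
    rng = random.Random(seed)
    released = {name: noisy_count(count, epsilon, rng) for name, count in cells.items()}
    return released, epsilon * len(cells)


# Constructed counts, not Census data: a state total versus one small tribal
# area broken down by race x age x sex.
STATE_TOTAL = {"state": 2_100_000}
SMALL_AREA = {"native_0-17_f": 9, "native_0-17_m": 11, "native_18-64_f": 23,
              "native_18-64_m": 19, "native_65+_f": 4, "native_65+_m": 3}


def error_comparison(epsilon=0.5):
    """Expected relative error of the state total vs the smallest small-area cell."""
    return {
        "state": expected_relative_error(STATE_TOTAL["state"], epsilon),
        "smallest_cell": max(expected_relative_error(c, epsilon) for c in SMALL_AREA.values()),
    }


if __name__ == "__main__":
    print(error_comparison())
    print(publish_table(SMALL_AREA, 0.5))
```

The absolute noise is the same for every cell, so a state total of two million absorbs an error of a couple of people invisibly while a cell of three people can be published as zero or as six. That is the trade-off the tribes are describing: the finer the race/age/sex breakdown, the more cells there are to noise and the smaller each one is.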

dtau...@gmail.com

Sep 23, 2023, 6:49:50 PM9/23/23
to sec-...@googlegroups.com

NIST Face Analysis Program Helps to Find What’s Wrong with This Picture
NIST News
September 20, 2023


Scientists at the U.S. National Institute of Standards and Technology (NIST) evaluated facial recognition/analysis by state-of-the-art image-processing software. One evaluation rated face analysis algorithms' ability to detect whether defects constitute evidence of a spoofing attack, known as presentation attack detection. The researchers assessed 82 algorithms with nine types of presentation attacks that included masks and holding a photo of another person before the camera; they learned none of the programs could detect all spoof types. Another study tested seven algorithms designed to flag defects that make photos noncompliant with passport requirements, using 20 quality measures based on internationally accepted standards. NIST's Joyce Yang said the software's performance on some measures was better than on others, and the results will inform a new standard that sets guidelines for quality measures the algorithms should consider.

Full Article


Ethereum's Successful Overhaul Sends Developers Scrambling for Another Fix
Bloomberg
Olga Kharif
September 16, 2023


Although last year's Merge overhaul of the Ethereum blockchain network made the transaction-ordering process more efficient, rising demand for the so-called staking feature could potentially swamp the network. The staking process involves "locking up" the network's underlying Ether tokens in digital wallets to help order transactions and earn returns. Data tracker Staking Rewards estimated roughly 20% of all circulating Ether has already been staked, and a study co-authored by Ethereum developer coordinator Tim Beiko concluded 100% could be staked by December 2024 if the current rate keeps up. Ethereum developers are scrambling to decelerate the staking influx by agreeing to cap the number of new staking wallet-operating validators permitted to join the network every six minutes as part of the next major software upgrade.

Full Article

*May Require Paid Registration


Smart Utility Meter Security Takes a Quantum Leap
IEEE Spectrum
Tammy Xu
September 14, 2023


The Quantinuum quantum computing venture formed by quantum technology developers Honeywell Quantum Solutions and Cambridge Quantum is constructing cryptographic keys to protect Honeywell's smart utility meters. The company's Quantum Origin service utilizes quantum computers to produce large random numbers for safeguarding private data or grid infrastructure. Quantinuum's Tony Uttley said on a randomness scale of zero to 1, Quantinuum generates random numbers at 1 plus or minus 2^-128. Quantinuum's quantum computer outputs a random sequence of ones and zeros as a "seed," which is combined with classically generated random numbers from Honeywell. The resulting cryptographic key can help secure communication between utility firms and smart utility meters.

Full Article


City-Wide Quantum Communication Network in China Is Most Advanced Yet
New Scientist
Karmela Padavic-Callaghan
September 14, 2023


Researchers at the University of Science and Technology of China have built what was described as the most advanced city-wide quantum communication network to date. Spanning the city of Hefei, it features a central server connected to three quantum devices, each with its own processor and quantum memory made from extremely cold rubidium atoms controlled by lasers. The devices can be used to encode information into photons and transmit them to the server, which can entangle or otherwise manipulate the photons and send them on. Enabling information to be encoded into the atoms' quantum state means the photons can retain the information if it is lost or corrupted on the way to the server. The researchers were able to entangle photons from two distant nodes, and also determined the network could facilitate multiple, simultaneous secure quantum chats.

Full Article

*May Require Paid Registration

 

TikTok Fined $370 Million By EU Regulators For Lack Of Data Security For Children

The New York Times (9/15, Satariano) reported TikTok “was fined roughly $370 million on Friday by European Union regulators for having weak safeguards to protect the personal information of children using the platform, a sign of increased scrutiny facing the social media service.” The Irish Data Protection Commission “issued the penalty on behalf of the” EU, as “TikTok’s default setting did not adequately protect children’s privacy, nor was the company transparent in explaining what it was doing with the data of users age 17 and younger.” However, TikTok “said the penalty was not relevant because the company had already changed policies related to children in 2021.”

Federal Cyber Operations Would “Face Significant Disruptions” If Government Shutdown Occurs, Experts Warn

NextGov (9/20, Riotta) reports, “Federal cyber operations will face significant disruptions as government agencies are left exposed to a wide range of emerging threats if lawmakers fail to avert a looming government shutdown, according to security experts. The shutdown contingency plans of Departments of Homeland Security, Health and Human Services and many other large agencies may be overdue for updates that address the evolving threat landscape and account for the post-COVID telework footprint.” According to one expert, updated contingency plans from certain agencies “leave ‘a lot to be desired.’”

University Of Minnesota Confirms Decades-long Data Breach Affected Applicants, Students, Employees

In continuing coverage, The Minneapolis Star Tribune (9/21, Navratil) reports that the University of Minnesota on Thursday confirmed that a hacker “likely gained unauthorized access” to “three decades’ worth of sensitive information pertaining to applicants, students and employees.” While the nature of the information accessed “varied depending on the person’s connection to the university,” the list of data obtained “included things like dates of birth, Social Security numbers and passport information, according to a U news release. The university said its investigation ‘showed no evidence that donation, medical treatment, password, or credit card information was in the database’ that was accessed.” The disclosure comes “two months after the Cyber Express, a news site focusing on cybersecurity issues, published a report outlining a hacker’s claims to have accessed some 7 million Social Security numbers dating to 1989.”

dtau...@gmail.com

Sep 30, 2023, 8:26:35 AM9/30/23
to sec-...@googlegroups.com

Cyber Experts Set Out to Secure 2024 U.S. Election
ComputerWeekly.com
Alex Scroxton
September 22, 2023


A team of cybersecurity experts established through the U.S.-based nonprofit Information Technology–Information Sharing and Analysis Center will undertake a "clear and concerted approach" to create a protocol for collaborative election security enhancement. The Election Security Research Forum's proposal involves convening security experts, nonprofits, companies, and former state and local election officials to strengthen U.S. electoral infrastructure. The forum has recruited three researchers to assess the cyber-resilience of new technology slated for testing in 40 states next fall, including digital scanners, ballot-marking devices, and electronic pollbooks. They will mainly concentrate on technology that Americans will use to vote in the 2024 presidential election. Participating researchers and companies have pledged to comply with Coordinated Vulnerability Disclosure policies and best practice, with all sides cooperatively evaluating and addressing new vulnerabilities uncovered while researchers and manufacturers will strive to mitigate or remove the risk or severity of confirmed flaws.
 

Full Article

 

 

Why NASA Is Sending National Secrets to the Moon
BBC Science Focus
Noa Leach
September 22, 2023


The U.S. National Aeronautics and Space Administration (NASA) will work with Florida-based computing startup Lonestar and the self-governing British Crown Dependency Isle of Man to send a data payload to the Moon next February to assess lunar-based backup storage as part of the Artemis program. The collaborators hope to ensure the data's security and protection from tampering using blockchain while also demonstrating the stored information's authenticity. After landing, the researchers intend to digitally "frank" the data cube's payload on Lonestar's datacenter to prove its lunar provenance, then have it transmitted back to Earth and compiled into a blockchain to signal its verification. The information to be digitalized and launched on the data cube is stamps chosen by the Isle of Man's post office.
 

Full Article

 

 

Quantum Algorithm Offers Faster Way to Hack Internet Encryption
Science
Anna Kramer
September 19, 2023


New York University's Oded Regev has proposed a quantum algorithm designed to crack Internet encryption faster than Massachusetts Institute of Technology (MIT) mathematician Peter Shor's algorithm. Shor’s algorithm has endured as an example of the promise of quantum computers for 30 years. Regev's scheme can presumably factor very large numbers using significantly fewer gates, enabling a smaller quantum system to exfiltrate secret encryption keys or a larger system to decrypt them faster. Shor's algorithm looks for prime factors by elevating a single number to high powers, with results yielded only by multiplying big numbers together; Regev's model keeps these numbers from becoming as large before yielding results by multiplying several numbers in different dimensions. Regev found only n^1.5 gates are needed to factor an n-bit integer, which MIT's Vinod Vaikuntanathan calls the first significant improvement on Shor's algorithm in three decades.
 

Full Article

*May Require Paid Registration

 

College Students Urged To Review Passwords, Credit Score Amid Data Breach

USA Today (9/26) reports the MOVEit data breach “affecting nearly 200 colleges and universities is causing some students to feel uneasy as the semester starts and experts urge them to safeguard their information and credit.” The National Student Clearinghouse “said on its website information from past and current students’ records could’ve been exposed,” while UnitedHealthcare Student Resources said in July that “a combination of students’ birthdays, ID numbers, Social Security numbers and insurance information may have been exposed.” The US Education Department “said all affected institutions were alerted about the incident more than two months ago. A spokesperson told USA TODAY the department monitors and tracks cybersecurity incidents but declined questions about how often the incidents occur.”

 

Roll Call Analysis: Privacy Legislation Emerges As Prerequisite To AI Regulation

In an analysis for Roll Call (9/26), Gopal Ratnam says that while “artificial intelligence appears to be a shiny new bauble full of promises and perils, lawmakers in both parties acknowledge that they must first resolve a less trendy but more fundamental problem: data privacy and protection.” Ratnam explains, “With dozens of hearings on data privacy held in the past five years, lawmakers in both chambers have proposed several bills, but Congress has enacted no federal standard as dickering over state-preemption has stymied any advances. ... Although the top tech companies thwarted an attempt to craft a federal privacy bill during the Obama administration in 2015, since then tech groups such as the Computer and Communications Industry Association, NetChoice and others have routinely called on Congress to enact privacy legislation.”

 

FDA Finalizes Cybersecurity Guidance For Medical Devices

MedTech Dive (9/27, Taylor) reports, “The Food and Drug Administration has finalized guidance intended to help device developers comply with recently enacted cybersecurity obligations for premarket submissions.” In its “guidance, the FDA outlines how to use a secure product development framework to manage cybersecurity risks, explaining how the model applies to risk management, security architecture and cybersecurity testing.” The FDA “could start refusing filings that lack cybersecurity information on Oct. 1.”

 

Tech Companies Face Pressure To Ramp Up Cloud Security

The Washington Post (9/28) reports that after a “recent theft of emails from top U.S. officials raised alarms about the country’s increasing dependence on the biggest cloud computing companies, Amazon, Google and Microsoft have begun to explain more of the work they do to secure the data of tens of millions of online customers.” Cybersecurity experts “in and out of government say that email, word processing and other software running on computer networks owned by those big companies remain more secure than the equivalent programs running on government-owned machines.” But federal officials and legislators “nevertheless have been stepping up their demands that the cloud giants do more, part of a strategy that also includes more cybersecurity rules for critical infrastructure.”

dtau...@gmail.com

Oct 7, 2023, 4:02:14 PM10/7/23
to sec-...@googlegroups.com

RSA, Other Crypto Systems Vulnerable to Side-Channel Attack
Computer Weekly
Cliff Saran
October 3, 2023


Hubert Kario at open source solutions provider Red Hat found a flaw dating from 1998 that enables a "padding mode" side-channel attack targeting RSA encryption. The exploit cracks the Transport Layer Security (TLS) protocol's confidentiality when used with RSA encryption, and researchers in 2019 highlighted the continued vulnerability of many Internet servers to tweaks of the original attack. Kario said attackers can leverage the flaw to decrypt RSA ciphertexts and forge signatures, and record sessions on a TLS server that defaults to RSA encryption key exchanges for decryption later. He also said hackers can apply the exploit to other interfaces that automatically execute RSA decryption, including Secure/Multipurpose Internet Mail Extensions, JavaScript Object Notation web tokens, and hardware tokens. Said Kario, "We have identified the vulnerability in multiple implementations and confirmed fixes in a few of them but believe that most cryptographic implementations are vulnerable in practice."

Full Article

 

 

Chrome Zero-Day Sends the Internet into New Chapter of Groundhog Day
Ars Technica
Dan Goodin
September 28, 2023


A critical zero-day vulnerability reported on Sept. 27 by Google that affects its Chrome browser, as well as Mozilla's Firefox browser, is similar to one reported on Sept. 11. Both vulnerabilities reside in a code library for processing media files, particularly in the VP8 format. The most recent zero-day reported by Google was exploited in the code library libvpx and reportedly applies to video encoding. The previous zero-day was exploited in the code library libwebp and applied to encoding and decoding. Analygence's Will Dormann said, "The [vulnerability] is in VP8 encoding, so if something uses libvpx only for decoding, they have nothing to worry about." Dormann added that "Firefox, Chrome (and Chromium-based) browsers, plus other things that expose VP8 encoding capabilities from libvpx to JavaScript (i.e. Web browsers), seem to be at risk." Patches have been made available for Chrome and Firefox.

Full Article

 

 

AI Deepfakes Spread Disinformation in Slovak Elections
Bloomberg
Olivia Solon
September 29, 2023


Disinformation was spread over social media in the run-up to the Slovak elections that took place over the weekend, with videos featuring artificial intelligence (AI)-produced deepfake voices. One video shows a conversation in which Slovakian progressive party leader Michal Simecka appears to discuss vote-buying from the Roma minority with a journalist, which experts deemed synthesized by an AI tool trained on samples of the speakers' voices. Technological democracy research group Reset's Rolf Fredheim said, "With the examples from the Slovak election, there's every reason to think that professional manipulators are looking at these tools to create effects and distribute them in a coordinated way."

Full Article

*May Require Paid Registration

 

Researchers Fail To Find Reliable AI Watermarking

Wired (10/3, Knibbs) reports University of Maryland computer science professor Soheil Feizi “is blunt when he sums up the current state of watermarking AI images.” He said, “We don’t have any reliable watermarking at this point. ... We broke all of them.” For one of “two types of AI watermarking he tested for a new study – ‘low perturbation’ watermarks, which are invisible to the naked eye – he’s even more direct: ‘There’s no hope.’” The professor “and his coauthors looked at how easy it is for bad actors to evade watermarking attempts.” Beyond “demonstrating how attackers might remove watermarks, the study shows how it’s possible to add watermarks to human-generated images, triggering false positives.”
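
A worked illustration of the padding side channel in the Red Hat item earlier in this message ("RSA, Other Crypto Systems Vulnerable to Side-Channel Attack"), added here as an editor's example; it is not Kario's or Red Hat's code. RSAES-PKCS#1 v1.5 pads a message as 0x00 || 0x02 || PS || 0x00 || M, with PS at least eight nonzero bytes. A decryptor that stops checking at the first bad byte does an amount of work that depends on the padding, so an attacker who can time many decryptions of chosen ciphertexts learns whether, and roughly where, the padding check failed; that yes/no oracle is what a Bleichenbacher-style attack turns into plaintext recovery or a forged signature. The block contrasts such an early-exit check with one that inspects every byte and accumulates its verdict without early returns. Python cannot promise constant time, so a Probe counts inspected bytes as a deterministic stand-in for wall-clock timing; the message and the PS bytes are constructed inputs.

```python
"""Two RSAES-PKCS#1 v1.5 unpadding routines: one that exits early (and so leaks
where the padding failed) and one with constant-time structure. The Probe counts
the bytes each routine inspects; it stands in for the timing an attacker would
measure and is a constructed device for this example, not a real timer."""

from typing import Optional, Tuple


class Probe:
    """Counts how many bytes a checker inspects."""

    def __init__(self) -> None:
        self.touched = 0

    def look(self, byte: int) -> int:
        self.touched += 1
        return byte


def build_em(message: bytes, k: int, ps_source: bytes) -> bytes:
    """Encode message as 0x00 || 0x02 || PS || 0x00 || M for a k-byte modulus.
    PS must be at least 8 nonzero bytes; ps_source supplies them (constructed
    here; a real encoder draws fresh random bytes)."""
    ps_len = k - 3 - len(message)
    if ps_len < 8 or len(ps_source) < ps_len:
        raise ValueError("message too long for modulus")
    ps = bytes(b or 1 for b in ps_source[:ps_len])  # PS may not contain 0x00
    return b"\x00\x02" + ps + b"\x00" + message


def leaky_unpad(em: bytes, probe: Probe) -> Optional[bytes]:
    """Early-exit checker. It stops at the first malformed byte, so the number
    of bytes it inspects (and its running time) tells an observer where the
    padding failed: the oracle a Bleichenbacher-style attack needs."""
    if probe.look(em[0]) != 0x00:
        return None
    if probe.look(em[1]) != 0x02:
        return None
    i = 2
    while i < len(em) and probe.look(em[i]) != 0x00:
        i += 1
    if i >= len(em) or i - 2 < 8:
        return None
    return em[i + 1:]


def ct_unpad(em: bytes, probe: Probe) -> Tuple[bool, bytes]:
    """Checker with constant-time structure: every byte is inspected whatever
    its value, the verdict is accumulated with bitwise operations and there is
    no early return. Returns (ok, message). When ok is False a real decryptor
    must substitute a random message (as TLS does for the premaster secret)
    rather than report the failure to the peer."""
    k = len(em)
    bad = int(probe.look(em[0]) != 0x00) | int(probe.look(em[1]) != 0x02)
    zero_seen = 0
    sep = 0  # index of the first 0x00 after the two header bytes
    for i in range(2, k):
        is_zero = int(probe.look(em[i]) == 0x00)
        first = is_zero & (1 - zero_seen)        # 1 only for the first separator
        sep = sep * (1 - first) + i * first      # select it without branching
        zero_seen |= is_zero
    bad |= 1 - zero_seen                         # no separator at all
    bad |= int(sep - 2 < 8)                      # PS shorter than 8 bytes
    ok = bad == 0
    return ok, (em[sep + 1:] if ok else b"")


if __name__ == "__main__":
    em = build_em(b"secret", 32, bytes(range(1, 40)))
    samples = (("valid", em),
               ("bad header", b"\x00\x01" + em[2:]),
               ("zero inside PS", em[:7] + b"\x00" + em[8:]))
    for label, sample in samples:
        p_leaky, p_ct = Probe(), Probe()
        leaky_unpad(sample, p_leaky)
        ct_unpad(sample, p_ct)
        print(f"{label:15s} early-exit inspected {p_leaky.touched:2d} bytes, "
              f"constant-time inspected {p_ct.touched:2d}")
```

The early-exit version inspects 26 bytes for a valid block, 2 for a bad header and 8 when a zero sits in the fifth PS position; the constant-time version inspects all 32 every time. The same discipline applies to whatever follows unpadding: the code path after a failed check must do the same work as the success path, which is why the TLS fix replaces the premaster secret with random bytes instead of aborting.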

dtau...@gmail.com

Oct 16, 2023, 7:30:48 PM10/16/23
to sec-...@googlegroups.com

Israel Sees Cyber Incursions Across Digital Systems
WSJ Pro Cybersecurity
James Rundle; Kim S. Nash
October 12, 2023


Cyber aggression has escalated in Israel amid the conflict with Hamas. Check Point Software Technologies reported Israel's smart billboards were hacked to display pro-Hamas messages and images. Cyber firm Sepio reported an increase in attempts to access Israel's industrial systems. Distributed denial-of-service attacks also have impacted numerous municipal and consumer websites. Israel was already the Middle Eastern country most targeted in nation-state cyberattacks, according to Microsoft research published last week. In response, members of the country’s tech community formed the all-volunteer Israel Tech Guard to search for hostages and missing people using clues from online posts. Cyber volunteers are also working to protect key services, such as missile-alert apps, as well as databases and websites for aid coordination, applications for first responders, and location services for displaced civilians.
 

Full Article

*May Require Paid Registration

 

 

Cyber Algorithm Shuts Down Malicious Robotic Attack
University of South Australia
October 12, 2023

An algorithm developed by researchers at Australia’s Charles Sturt University and the University of South Australia (UniSA) was able to intercept and prevent a man-in-the-middle (MitM) eavesdropping cyberattack on an unmanned military robot within seconds. The researchers used deep learning neural networks to train the robot operating system (ROS) in a replica of a U.S. Army GVT-BOT ground vehicle to learn the signature of a MitM cyberattack. In real-time tests, the algorithm achieved a 99% success rate in preventing such attacks. UniSA's Anthony Finn said the algorithm outperforms existing cyberattack recognition techniques. Added Charles Sturt University's Fendy Santoso, "Owing to the benefits of deep learning, our intrusion detection framework is robust and highly accurate. The system can handle large datasets suitable to safeguard large-scale and real-time data-driven systems such as ROS."
 

Full Article

 

 

Google, Amazon Confirm Largest Ever DDoS Attack

Reuters (10/11, Satter) reports Google, Amazon and Cloudflare say they have “weathered the internet’s largest-known denial of service attack and are sounding the alarm over a new technique they warn could easily cause widespread disruption.” In a blog post Tuesday, Google said its cloud services saw incoming traffic more than seven times the size of last year’s record-breaking attack, while Cloudflare said the attack was “three times larger than any previous attack we’ve observed.” Amazon’s web services division also confirmed being hit by “a new type of distributed denial of service (DDoS) event.” All three said the “attack began in late August; Google said it was ongoing.” The firms urged companies to “update their web servers to ensure that they do not remain vulnerable.”

 

Concerns Rise Over AI-Generated Misinformation On Social Media

Entrepreneur Magazine (10/12, Garfinkle) reports “AI-generated voices have been employed in videos to propagate disinformation, as exemplified by the fake Obama video identified by NewsGuard.” Social media platforms “are now grappling with the challenge of flagging and labeling AI-generated content.” On Wednesday, European regulator Thierry Breton “penned a letter to Mark Zuckerberg, CEO of Meta, urging him to be ‘vigilant’ in combating disinformation on his company’s platforms amidst the ongoing Israel-Hamas conflict.” A similar letter was sent to X “the day before, stating that there were ‘indications’ that groups were sharing misinformation and content of a ‘violent and terrorist’ nature concerning the Israel-Hamas conflict on the platform.”

Also reporting is The New York Times (10/12, Thompson, Maheshwari).

dtau...@gmail.com

Oct 21, 2023, 7:20:56 PM10/21/23
to sec-...@googlegroups.com

Computer Scientists Develop System to Ensure File Systems' Integrity
The Daily Texan
Mara Ramazanoglu
October 18, 2023


University of Texas (UT) computer science researchers designed the open source Chipmunk tool to ensure the integrity and reliability of computer file systems. UT's Vijay Chidambaram said Chipmunk attempts to detect software bugs that would affect the data's security should a crash occur. The researchers based the system's framework on Chidambaram's CrashMonkey tool, which works with older file systems. Chipmunk focuses on persistent memory systems, which Chidambaram said are similar to flash drives but 1,000 times faster. "We think [the impact] it'll have is that Chipmunk can find a lot of bugs in these new file systems," he explained. "That's really why tools like Chipmunk are important, because you want your file system to be sophisticated, but you also want it to be correct."

Full Article

 

 

IIIT-H Spots Data Leak in Apps' Use of Autofill
Deccan Chronicle (India)
October 17, 2023


Researchers at India's International Institute of Information Technology-Hyderabad (IIIT-H) won the best paper award at the ACM Conference on Data and Application Security and Privacy 2023 for discovering accidental leakage of login credentials by the "autofill" function in Android-based applications to certain webpage-hosting apps. The researchers observed whenever apps load a login page in WebView and an autofill request is produced, the password managers (PMs) and the mobile operating system get confused about the target page for filling in credentials. IIIT-H's Ankit Gangwal said, "Even without phishing, any malicious app that asks you to login via another site, like Google or Facebook, can automatically get access to sensitive information." Gangwal said the researchers alerted Google and the PMs.

Full Article

 

 

Internet Companies Report Biggest-Ever Denial of Service Operation
Reuters
Raphael Satter
October 11, 2023


Technology companies last week reported the Internet's largest known denial of service (DoS) attack and are sounding the alarm over a new technique they say could easily cause widespread disruption. Google said in a blog post published Oct. 10 that its cloud services warded off rogue traffic more than seven times the size of the previous record-breaking attack thwarted last year. Internet protection company Cloudflare said the attack was "three times larger than any previous attack we've observed." Amazon's web services division confirmed being hit by "a new type of distributed DoS event." All three said the attack began in late August; Google said it was ongoing. The attacks are capable of generating hundreds of millions of requests per second. All three companies said the attacks were enabled by a weakness in the HTTP/2 network protocol that makes servers particularly vulnerable to rogue requests.

Full Article

 

Louisiana State University Launches Student Operated Cybersecurity Center

States Newsroom (10/19) reports the “new student-run LSU Security Operations Center is beginning to bring other universities on board, with the goal of offering protection against cyberattacks for all of Louisiana higher education.” The university “established two centers, one in Baton Rouge and another in Shreveport, with the dual purpose of protecting campuses from cyberattacks and training students for the cybersecurity workforce.” At a ribbon cutting “ceremony Thursday for the Baton Rouge Security Operations Center, Gov. John Bel Edwards (D) stressed the need to train students for the cyber workforce.” Edwards said, “If some of the brightest people in the world are working for the dark side, we want our brightest working for the light side.”
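
The Reuters item earlier in this message ("Internet Companies Report Biggest-Ever Denial of Service Operation"), like the Oct. 16 message's "Google, Amazon Confirm Largest Ever DDoS Attack", describes the HTTP/2 weakness only as rogue requests arriving at hundreds of millions per second. The pattern the three companies reported, commonly called Rapid Reset, is a client that opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM: the server has already started work on the request, but the cancelled stream no longer counts against the client's SETTINGS_MAX_CONCURRENT_STREAMS limit, so one connection can open streams far faster than the limit was meant to allow. The following block is an added editor's example, not code from Google, Cloudflare or Amazon: it parses raw HTTP/2 frame headers as laid out in RFC 9113 and runs a sliding-window count of client cancels per connection over constructed attack and benign traffic. The window length, the minimum number of cancels and the cancel ratio are assumed thresholds, not values from the page, and the traffic generator is constructed for the demonstration.

```python
"""HTTP/2 frame parser plus a sliding-window detector for the open-then-cancel
("Rapid Reset") pattern. Frame layout follows RFC 9113 section 4.1; the traffic
generator, window length and alert thresholds are constructed for this example."""

import struct
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

HEADERS, RST_STREAM = 0x1, 0x3   # frame type codes (RFC 9113 section 6)
CANCEL = 0x8                     # RST_STREAM error code the attack sends
END_STREAM, END_HEADERS = 0x1, 0x4


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """9-byte header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit
    plus 31-bit stream identifier, followed by the payload."""
    header = (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frames(data: bytes) -> List[Frame]:
    """Split a byte string into frames; raises on a truncated frame."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        off += 9
        if off + length > len(data):
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, stream_id, data[off:off + length]))
        off += length
    if off != len(data):
        raise ValueError("trailing bytes that do not form a frame header")
    return frames


def first_rapid_reset_alert(timed_frames: List[Tuple[float, Frame]],
                            window: float = 1.0,
                            min_cancels: int = 100,
                            min_ratio: float = 0.9) -> Optional[float]:
    """Return the timestamp at which one client connection first looks like a
    Rapid Reset source, or None. Within the trailing `window` seconds the client
    must have sent at least `min_cancels` RST_STREAM frames on client-initiated
    (odd) streams and cancelled at least `min_ratio` of the streams it opened.
    All three thresholds are illustrative assumptions."""
    opens: Deque[float] = deque()
    cancels: Deque[float] = deque()
    for ts, fr in timed_frames:
        if fr.ftype == HEADERS and fr.stream_id % 2 == 1:
            opens.append(ts)
        elif fr.ftype == RST_STREAM and fr.stream_id % 2 == 1:
            cancels.append(ts)
        else:
            continue
        while opens and ts - opens[0] > window:      # expire the window
            opens.popleft()
        while cancels and ts - cancels[0] > window:
            cancels.popleft()
        if (len(cancels) >= min_cancels and opens
                and len(cancels) / len(opens) >= min_ratio):
            return ts
    return None


def synthetic_client(n_streams: int, gap: float, cancel: bool) -> List[Tuple[float, Frame]]:
    """Constructed traffic: one HEADERS frame per odd stream id every `gap`
    seconds (a minimal request, HPACK indexed ':method: GET'), and when
    `cancel` is set an RST_STREAM(CANCEL) half a gap later, as the attack does."""
    out: List[Tuple[float, Frame]] = []
    ts = 0.0
    for k in range(n_streams):
        sid = 2 * k + 1
        raw = encode_frame(HEADERS, END_STREAM | END_HEADERS, sid, b"\x82")
        out.append((ts, parse_frames(raw)[0]))
        if cancel:
            raw = encode_frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
            out.append((ts + gap / 2, parse_frames(raw)[0]))
        ts += gap
    return out


if __name__ == "__main__":
    attack = synthetic_client(1000, gap=0.0005, cancel=True)   # 2,000 streams/s, all cancelled
    normal = synthetic_client(1000, gap=0.0005, cancel=False)  # same rate, nothing cancelled
    slow = synthetic_client(50, gap=0.02, cancel=True)         # cancels, but only 50/s
    for name, trace in (("attack", attack), ("normal", normal), ("slow", slow)):
        print(f"{name:7s} first alert at {first_rapid_reset_alert(trace)}")
```

The request rate alone does not separate the attack from the busy but honest client; the cancel count and the cancel-to-open ratio do. In a reverse proxy the same counters would live per connection, and the response to exceeding them is to close the connection with GOAWAY rather than keep serving it.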

dtau...@gmail.com

Oct 28, 2023, 7:33:31 PM10/28/23
to sec-...@googlegroups.com

Security Threats in AIs Revealed by Researchers
University of Sheffield (U.K.)
October 24, 2023

Scientists at the U.K.'s University of Sheffield, the North China University of Technology, and e-commerce giant Amazon found hackers can trick natural language processing tools like OpenAI's ChatGPT into generating malicious code for possible use in cyberattacks. The researchers discovered and successfully exploited security flaws in six commercial artificial intelligence (AI) tools, including ChatGPT, Chinese intelligent dialogue platform Baidu-UNIT, structured query language (SQL) generators AI2SQL, AIHelperBot, and Text2SQL, and online tool resource ToolSKE. They learned that asking these AIs specific questions caused them to produce malicious code that would leak confidential database information, or disrupt or even destroy database operation. The team also found AI language models are susceptible to simple backdoor attacks. Sheffield's Xutan Peng said the vulnerabilities are rooted in the fact that "more and more people are using [AIs like ChatGPT] as productivity tools, rather than a conversational bot."
 

Full Article

 

 

The Race to Save Secrets from Future Computers
The New York Times
Zach Montague
October 22, 2023


China, Russia, and the U.S. are racing to find ways to prevent future quantum computers from cracking long-supported encryption protocols and endangering national security, the financial system, and critical infrastructure. Whereas the most powerful quantum device currently uses 433 quantum bits (qubits), tens of thousands or even millions of qubits would likely be necessary to break modern encryption systems. U.S. scientists are working to develop encryption systems that not even a powerful quantum computer can decipher, with the National Institute of Standards and Technology (NIST) expected to finalize its guidance for transitioning to the new systems next year. NIST said the federal government aims to migrate as much as possible to quantum-resistant algorithms developed through international academic collaboration by 2035. Many submitted algorithms—four of which NIST recommended for wider use—are lattice-based, which promise to complicate decryption exponentially as more dimensions are added.

Full Article

*May Require Paid Registration

 

 

Amazon Rolls Out Independent Cloud for Europe to Address Stricter Privacy Standards
Associated Press
Michelle Chapman
October 25, 2023


E-commerce giant Amazon is launching an independent cloud for the European Union (EU) to comply with the bloc's strict privacy rules. Amazon Web Services (AWS) said its AWS European Sovereign Cloud will match current AWS regions' security, availability, and performance while allowing customers to retain all metadata they produce in the EU. Amazon said AWS has partnered with European regulators and national cybersecurity agencies to design the EU cloud to fulfill additional European data residency, operational autonomy, and resiliency requirements. The independent cloud initially will be available in Germany, and only bloc-based EU-resident AWS employees can control its operations and support.
 

Full Article

 

 

Low-Power Hardware Accelerator Offers Outsize Security
IEEE Spectrum
Michelle Hampson
October 20, 2023


A multi-institutional U.S. research team created RISE, which the University of Rochester's Zahra Azad described as an area- and energy-efficient hardware accelerator for performing homomorphic encryption (HE) on edge devices. The researchers integrated RISE onto a RISC-V (reduced instruction set computer) processor with the goals of sharing both encryption and decryption hardware, optimizing memory access patterns, and enhancing the chip's error-sampling capability. Azad said RISE outperformed state-of-the-art HE designs/solutions for edge devices, encrypting messages going to and from the cloud with up to 6,000 times the energy efficiency of a standard RISC-V chip.

Full Article

 

 

Survey Sees Spike in Untested Code Leading to DevOps Crisis
DevOps.com
Mike Vizard
October 20, 2023


In a survey of 500 software developers by market research firm OnePoll, two-thirds of respondents said they pushed untested code into a production environment, with 28% doing so regularly. Sixty percent of respondents to the survey, commissioned by software testing platform Sauce Labs, acknowledged using untested code produced by the ChatGPT large language model, with 26% doing so regularly. Over 66% also acknowledged having merged their own pull requests without a review, with 28% admitting they do so often or very frequently. Fully three-quarters of respondents confessed to bypassing security protocols, with 70% circumventing restrictions for data and/or internal systems access with a coworker's credentials. Sauce Labs' Jason Baum attributed much of this behavior to developers looking for shortcuts because they take on extra work, in addition to citing a shortage of full stack developers able to manage the complete software development lifecycle.
 

Full Article

 

 

Students, Professors Decry Sensors in Buildings
Nature
Anne Gulland; Fayth Tan
October 20, 2023


Officials at the U.K.'s Queen Mary University of London (QMUL) announced earlier this year that sensors would be installed in campus buildings to assess whether they were being used to their full potential. Although QMUL officials indicated images generated by the sensors would be converted into coordinates that provide real-time data on the number of people in various areas of the buildings so privacy would not be an issue, staff and students remain concerned that the sensors are intended for surveillance. Similar concerns arose in June at the University of California, San Diego, when researchers learned that sensors had been installed in their workplaces as part of the university's Live Density Program. Electronic Frontier Foundation's Jason Kelley said that nonprofit watchdog has found such sensor data "often ends up being used for disciplinary purposes."
 

Full Article

 

Researchers Manipulate AI-Based Text-To-SQL Systems To Conduct Cyberattacks

New Scientist (10/26) reports, “Researchers manipulated ChatGPT and five other commercial AI tools to create malicious code that could leak sensitive information from online databases, delete critical data or disrupt database cloud services in a first-of-its-kind demonstration.” Xutan Peng and colleagues at the UK’s University of Sheffield examined six Text-to-SQL systems, whose AI-generated code “can be made to include instructions to leak database information, which could open the door to future cyberattacks. It could also purge system databases that store authorised user profiles, including names and passwords, and overwhelm the cloud servers hosting the databases through a denial-of-service attack. Peng and his colleagues presented their work at the 34th IEEE International Symposium on Software Reliability Engineering on 10 October in Florence, Italy.”

dtau...@gmail.com

Nov 4, 2023, 8:24:19 AM11/4/23
to sec-...@googlegroups.com

Keeping Secrets in a Quantum World
Nature
Neil Savage
November 1, 2023


Cryptographers are working on data-encryption schemes strong enough to withstand attacks from future quantum computers. Current quantum computers contain a few hundred qubits at most, with plans from IBM to roll out a 1,121-qubit chip this year and a computer with more than 4,000 qubits by 2025. However, researchers at Google and the Swedish National Communications Security Authority said cracking an RSA key of 2,048 bits would require an estimated 20 million qubits. NIST released draft standards for three quantum-resistant algorithms for potential adoption in 2024, but put out a call for new submissions earlier this year. Tanja Lange of the Netherlands' Eindhoven University said, "They are sort of sending the message that they are not happy with the three that they have."

Full Article

 

 

Apple Safari Browser Still Vulnerable to Spectre Attacks
Ruhr-Universität Bochum (Germany)
Julia Weiler
October 26, 2023


Researchers from Germany's Ruhr University, the Georgia Institute of Technology, and the University of Michigan found that Apple's Mac and iOS systems remain vulnerable to an attack like 2018's Spectre, which shed light on a hardware vulnerability that lets attackers exploit sensitive data. The researchers demonstrated the vulnerability could be leveraged to access passwords, emails, and location data through Apple's Safari browser. In the new "iLeakage" attack, users are directed to a website controlled by the attacker, which allows the attacker to open the user's email app and read the contents of their inbox, or open other websites and automatically use the login data stored in the LastPass password manager if auto-fill is enabled. The vulnerability allows attackers to extract sensitive memory data from processes discarded by the central processing unit.

Full Article



Browser Extensions Could Grab Passwords, Sensitive Info
University of Wisconsin-Madison News
Jason Daley
October 27, 2023


The University of Wisconsin-Madison's Rishabh Khandelwal, Asmit Nayak, and Kassem Fawaz found browser extensions can extract user data like passwords on many popular websites. The researchers discovered about 15% of more than 7,000 reviewed sites store sensitive data as plain text in their HTML source code, and a malign browser extension could use code written in a common programming language to steal such information. They estimated 17,300 (12.5%) of available browser extensions possessed the necessary permissions to leverage this flaw, and developed and submitted their own extension to the Chrome Web Store, which approved it. Fawaz suggested browser security is configured in this manner so popular password manager extensions can access password information.

Full Article

 

 

Online Games Use Dark Designs to Collect Player Data
Aalto University (Finland)
October 26, 2023


Scientists at Finland's Aalto University discovered online gaming providers are engaged in potentially dubious data-collection practices, while players harbor misconceptions and issues about privacy. The researchers highlighted cases of games using dark design, interface decisions that manipulate players into taking actions they would usually avoid. These could enable data gathering and persuade players to integrate their social media accounts or share data with third parties. The researchers learned participants often did not know their chat-based conversations might be reported to third parties, nor did the games alert them to data sharing during play. Aalto's Amel Bourdoucen said players use mitigation strategies like choosing text rather than voice chats for discussion. Proposed solutions include more transparent data-collection practices, and a commitment by games and gaming platforms to safeguarding all players.

Full Article

 

 

Research Reveals Alarming Privacy, Security Threats in Smart Homes
IMDEA Networks (Spain)
October 26, 2023


A team led by researchers at Northeastern University and Spain's IMDEA Networks uncovered security and privacy issues in Internet of Things (IoT) devices in smart homes. Northeastern's David Choffnes said these devices can "allow nearly any company to learn what devices are in your home, to know when you are home, and learn where your home is." The researchers studied the local network interactions of 93 IoT devices and their mobile applications, and found that devices unintentionally disclose personally identifiable information on the local network through standard protocols such as Universal Plug and Play (UPnP) and multicast DNS (mDNS). Vijay Prakash at New York University's Tandon School of Engineering said a smart home can be identified from a media access control (MAC) address, a universally unique identifier (UUID), and a unique device name.

Full Article

 

 

Device Promotes Efficient, Real-Time, Secure Wireless Access
Qualcomm Institute
Xochitl Rojas-Rocha
October 26, 2023


Researchers at the University of California, San Diego's Qualcomm Institute (QI) created a novel device called Crescendo to screen out interference from other radio signals in order to enhance wireless network access. QI's Dinesh Bharadia said, "Through meticulous analysis of spectrum usage, we can identify underutilized segments and hidden opportunities which, when leveraged, would lead to a cost-effective connectivity solution for users around the globe." Crescendo's adaptive software can sweep for traffic across a range of frequencies within an agency-controlled wideband spectrum, adjusting to and filtering out interference by dynamically tuning the signals it receives. Crescendo also provides a secure connection that enables real-time cyberattack detection through high signal fidelity.

Full Article

 

 

AI Muddies Israel-Hamas War in Unexpected Way
The New York Times
Tiffany Hsu; Stuart A. Thompson
October 28, 2023


Disinformation researchers have found the use of artificial intelligence (AI) to spread falsehoods in the Israel-Hamas war is sowing doubt about the veracity of online content. The researchers discovered people on social media platforms and forums accusing political figures, media outlets, and others of attempts to influence public opinion through deepfakes, even when the content is authentic. Experts say bad actors are exploiting AI's availability to facilitate the so-called liar's dividend by convincing people genuine content is fake. Deepfake detection services like U.S.-based AI or Not also have been used to label content as fake, and synthetic media specialist Henry Ajder said such tools "provide a false solution to a much more complex and difficult-to-solve problem."

Full Article

*May Require Paid Registration

 

 

Most Websites Do Not Publish Privacy Policies
Penn State News
Mary Fetzer
October 25, 2023


Pennsylvania State University (Penn State) researchers reviewing millions of English-language websites found as many as two-thirds do not post privacy policies. The researchers estimated failure-mode frequencies and the general unavailability of privacy policies to determine most sites are non-compliant with mandates like the European Union's General Data Protection Regulation or the California Privacy Rights Act in the U.S. Said Penn State's Mukund Srinath, "For a user landing on a random website, there is only a 34% chance that a privacy policy exists. Among them, there is a 2% to 3% chance that the link is broken. And 5% of the links that do work will lead to a page that contains irrelevant information, such as placeholder text or documents in a language that doesn't match the website's landing page."

Full Article

 

Stanford University Investigating Cyber Incident

Bloomberg (10/27, Tarabay, Subscription Publication) reported Stanford University said “it is investigating a cybersecurity incident that struck its Department of Public Safety.” Stanford said “the breach didn’t appear to ‘impact police response to emergencies,’ and that the affected system was now secure.” In addition, the university “said there isn’t any indication other parts of the university were affected.” Hacking group Akira “claimed credit for the attack and said it stole confidential and internal data from the university, according to a posting on its dark web page.”

dtau...@gmail.com

unread,
Nov 11, 2023, 7:01:16 PM11/11/23
to sec-...@googlegroups.com

Russian Spies Behind Cyber Attack on Ukraine Power Grid in 2022, Say Researchers
Reuters
James Pearson
November 9, 2023


Russian cyber spies were behind a hack that disrupted part of Ukraine's power grid in late 2022, U.S. cybersecurity firm Mandiant, part of Google, said in a report, a rare instance of a successful hack against industrial control systems. A hacking group known as “Sandworm,” previously identified as a cyberwarfare unit of Russia’s GRU military intelligence agency, was able to cause a power cut in an unidentified area of Ukraine by tripping circuit breakers at an electrical substation. The group then deployed data-wiping malware in a bid to cover its tracks, the report stated. Sandworm gained attention in 2015 after a separate cyberattack against Ukraine’s power grid. “There have only been a handful of incidents similar to this, with the majority carried out by Sandworm,” Mandiant analyst Nathan Brubaker said.
 

Full Article

 

 

Accelerating AI Tasks While Preserving Data Security
MIT News
Adam Zewe
October 30, 2023


A design-space search tool developed by Massachusetts Institute of Technology researchers provides an efficient means of determining optimal designs for deep neural network accelerators. SecureLoop takes into account how an accelerator chip's performance and energy usage are affected by the addition of data encryption and authentication. The goal is to identify the design that maintains data security while delivering the best performance for the specific neural network and machine learning task. SecureLoop generates an accelerator schedule that offers the most efficient speed and energy usage for the neural network in question, including the data tiling strategy and the authentication block size. In simulations, the schedules identified by SecureLoop were as much as 33.2% faster and had a 50.2% better energy-delay product than methods that do not take security into account.

Full Article

 

 

Tool Automates Formal Verification of Systems Software
Columbia Engineering News
Bernadette Young
October 27, 2023


The Spoq tool developed by researchers in Columbia University's Software Systems Laboratory (SSL) simplifies formal verification of systems software and can verify existing C systems code without modifying it. Formal verification mathematically proves that the software behaves as specified in all cases. Spoq is designed to reduce tedious manual proof effort by automating many facets of formal verification. Columbia's Xupeng Li said, "Spoq can generate results in about an hour, compared to doing it manually, which can take months or years to formally verify a system." The SSL intends to open-source Spoq over the next few months to broaden the adoption of formal verification.

Full Article

 

Politicians Attempting To Crack Down On Deepfake Ads

The Wall Street Journal (11/6, Coffee, Subscription Publication) reports that some politicians are attempting to crack down on AI-generated deepfake ads involving celebrities such as Tom Hanks and Mr. Beast. The Journal says that in recent weeks, members of both houses of Congress have introduced bills that would create a national standard prohibiting unauthorized deepfakes in a commercial context. If passed into law, the bills’ sponsors say the legislation could help celebrities and others take action against scammers using their likeness. However, the Journal says it is unclear whether these efforts can counter an upcoming wave of hostile deepfakes.

 

Opinion: AI’s Rise Emphasizes Need For National Data Privacy Standard To Be Passed

Rep. Cathy McMorris Rodgers (R-WA) and Rep. Jay Obernolte (R-CA) write, “Artificial intelligence is here to stay. This technology is both exciting and disruptive, offering advancements that could empower people, expand worker productivity, and grow the US economy,” in Bloomberg Law (11/6, Subscription Publication). They write “We need to ensure America leads in developing standards and deploying this emerging technology. A critical first step toward achieving AI leadership is passing a national data privacy standard.” They write, “Used nefariously, AI could enable cybercriminals to develop potent threats to our critical infrastructure, or create deepfake AI content to scam people out of their money or personal information – in addition to other harmful and illegal activities.”

 

Microsoft Briefly Blocks Employees From Using ChatGPT

CNBC (11/9, Novet) reports that despite Microsoft investing “billions of dollars in OpenAI,” for a brief period on Thursday, Microsoft employees “weren’t allowed to use the startup’s most famous product, ChatGPT.” Microsoft said on an internal website, “Due to security and data concerns a number of AI tools are no longer available for employees to use.” At first, Microsoft “said it was banning ChatGPT and design software Canva, but later removed a line in the advisory that included those products” and “reinstated access to ChatGPT.” A spokesperson said, “We were testing endpoint control systems for LLMs and inadvertently turned them on for all employees. ... We restored service shortly after we identified our error. As we have said previously, we encourage employees and customers to use services like Bing Chat Enterprise and ChatGPT Enterprise that come with greater levels of privacy and security protections.”

dtau...@gmail.com

unread,
Nov 18, 2023, 8:46:30 AM11/18/23
to sec-...@googlegroups.com

CPU Vulnerability Makes Virtual Machine Environments Vulnerable
TU Graz News (Austria)
Falko Schoklitsch
November 14, 2023


Researchers at Austria's Graz University of Technology (TU Graz) and Germany's CISPA Helmholtz Center for Information Security have uncovered a vulnerability that allows data on virtual machines running on AMD processors to be compromised. The software-based attack, dubbed CacheWarp, targets virtual machines protected by AMD's confidential-computing technologies SEV-ES and SEV-SNP: an attacker with control of the hypervisor reverts modified data in the processor's cache to an older state, so the guest continues to operate on stale values it believes are current. By rolling back carefully chosen writes in this way, the researchers were able to undo a guest's data modifications and gain unrestricted access to the system.

Full Article

 

 

Cryptographic Keys Protecting SSH Connections Exposed
Ars Technica
Dan Goodin
November 13, 2023


Researchers at the University of California, San Diego (UCSD) demonstrated that a notable share of the cryptographic keys protecting SSH traffic between clients and servers can be compromised, and were able to compute the private halves of almost 200 unique SSH host keys they observed in public Internet scans. The weakness arises when an error occurs while the server generates the signature it sends as the client and server establish a connection: a faulty signature, if released rather than caught, lets anyone who captures it compute the server's private key. It affects only keys using the RSA algorithm, which the researchers found in roughly a third of the SSH signatures they examined, about 1 billion signatures in total, roughly one in a million of which exposed the host's private key. Said UCSD's Keegan Ryan, “Our research reiterates the importance of defense in depth in cryptographic implementations and illustrates the need for protocol designs that are more robust against computational errors."
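The failure mode behind the UCSD result is easiest to see with the textbook RSA-CRT fault attack, shown below as an added example (my code, not the researchers' tooling): a signer that computes the two CRT halves, a fault injected into one half, and the one-line gcd that hands an observer a prime factor of the modulus. It assumes a toy 256-bit key and a SHA-256 digest standing in for the padded hash an SSH server actually signs; the published attack also handles the harder case where the signed message is not fully known to a passive observer, which this example does not cover. The `sign_checked` function is the defense-in-depth measure Ryan's quote points at: verify every signature against the public key before releasing it.

```python
import hashlib
import math
import random

# Seeded RNG so the example reproduces run to run; real key generation uses os.urandom.
_rng = random.Random(2023)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if is_probable_prime(cand):
            return cand


def gen_key(bits: int = 256, e: int = 65537) -> dict:
    """Toy RSA key with the CRT parameters real implementations keep for speed."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def digest(msg: bytes, n: int) -> int:
    """Stand-in for the padded hash an SSH server signs (constructed, not SSH's encoding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_crt(key: dict, m: int, fault: bool = False) -> int:
    """RSA-CRT signing; `fault=True` flips one bit in the mod-q half, as a glitch might."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault:
        sq ^= 1
    h = (key["qinv"] * (sp - sq)) % key["p"]      # Garner recombination
    return sq + h * key["q"]


def verify(key: dict, m: int, s: int) -> bool:
    return pow(s, key["e"], key["n"]) == m


def recover_factor(n: int, e: int, m: int, faulty_sig: int) -> int:
    """Lenstra's attack: a signature correct mod p but wrong mod q satisfies
    s^e == m (mod p) only, so gcd(s^e - m, n) is p."""
    return math.gcd((pow(faulty_sig, e, n) - m) % n, n)


def sign_checked(key: dict, m: int, fault: bool = False) -> int:
    """Defense in depth: never release a signature the public key does not verify."""
    s = sign_crt(key, m, fault)
    if not verify(key, m, s):
        raise RuntimeError("signature failed self-check; not releasing it")
    return s


def demo() -> dict:
    key = gen_key()
    m = digest(b"constructed sample of an SSH exchange hash", key["n"])
    good, bad = sign_crt(key, m), sign_crt(key, m, fault=True)
    factor = recover_factor(key["n"], key["e"], m, bad)
    other = key["n"] // factor
    recovered_d = pow(key["e"], -1, (factor - 1) * (other - 1)) if factor not in (1, key["n"]) else None
    try:
        sign_checked(key, m, fault=True)
        check_caught_fault = False
    except RuntimeError:
        check_caught_fault = True
    return {
        "good_verifies": verify(key, m, good),
        "bad_verifies": verify(key, m, bad),
        "factor_is_prime_of_n": factor in (key["p"], key["q"]),
        "private_key_recovered": recovered_d == key["d"],
        "check_caught_fault": check_caught_fault,
    }


if __name__ == "__main__":
    print(demo())
```

The whole attack is the `recover_factor` line: one faulty signature, the public key and the signed value are enough, no interaction with the server needed. The self-check in `sign_checked` costs one public-key operation per signature, which is why it is the standard countermeasure.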

Full Article

 

 

New Frontier in Online Security: Quantum-Safe Cryptography
Monash University (Australia)
November 14, 2023


A team led by researchers at Australia's Monash University, in collaboration with Australia’s national science agency CSIRO, created an algorithm that can help protect online transactions that use end-to-end encryption against attacks from quantum computers. The cryptographic algorithm, called "LaV," has potential applications in instant messaging services, data privacy, cryptocurrency, and blockchain systems. Said lead researcher Muhammed Esgin, “This new cryptographic tool can be applied to various mobile applications and online transactions that use end-to-end encryption and is the first practical algorithm that can be used to fortify existing systems against quantum computers.” The algorithm has been implemented by CSIRO’s Raymond Zhao and is available as open source.

Full Article

 

 

Cloud Data Storage Security Approach Taps Quantum Physics
AIP Publishing
November 14, 2023


Yong Zhao of Chinese quantum information technology company QuantumCTek and colleagues developed a secure cloud data storage method that uses quantum random numbers as encryption keys and disperses them with Shamir’s secret sharing algorithm. Shamir’s scheme splits a secret into shares distributed among a group so that the secret can be reconstructed only when a threshold number of them (for example, a majority) is pooled; any smaller set of shares reveals nothing about it. Combining quantum key distribution (QKD) with Shamir’s secret sharing for secure storage is common, but existing solutions can be costly because they require significant cloud storage space. The method developed by Zhao's team uses quantum random numbers as encryption keys, disperses the keys via Shamir’s secret sharing, applies erasure coding to the ciphertext, and transmits the data over QKD-protected networks to distributed clouds. Said Zhao, “In essence, our solution is quantum-secure and serves as a practical application of the fusion between quantum and cryptography technologies."
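Shamir's scheme as described above, implemented as an added example (my code, not QuantumCTek's): a random polynomial of degree t-1 over a prime field with the key as its constant term, n points on that polynomial as the shares, and Lagrange interpolation at zero to recover the key. It uses the Mersenne prime 2^521 - 1 as the field so that a 256-bit key fits in one element, and the `secrets` module in place of the quantum random source. The same construction is what makes a "no single server ever holds the whole key" design work: a share on its own carries no information about the key.

```python
import secrets
from itertools import combinations

# Field for the arithmetic: the Mersenne prime 2**521 - 1, large enough that a
# 256-bit key fits in a single field element.
P = 2**521 - 1


def split_secret(secret: int, n: int, t: int) -> list:
    """Split `secret` into n shares (x, y); any t of them reconstruct it.

    The secret is the constant term of a random polynomial of degree t-1 and
    each share is one point on it. Coefficients come from `secrets` here;
    Zhao's scheme would draw them from a quantum random number generator.
    """
    if not (1 <= t <= n < P) or not (0 <= secret < P):
        raise ValueError("bad sharing parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):       # Horner's rule: evaluate the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0 over GF(P).

    With fewer than t distinct shares the result is a point on some other
    polynomial: every possible secret is equally consistent with the input.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo(n: int = 5, t: int = 3) -> dict:
    """Share a fresh 256-bit key across n servers with threshold t and check the properties."""
    key = secrets.token_bytes(32)          # constructed stand-in for the data-encryption key
    secret = int.from_bytes(key, "big")
    shares = split_secret(secret, n, t)
    return {
        # every t-subset of servers can rebuild the key ...
        "all_threshold_subsets_recover": all(
            recover_secret(list(subset)) == secret for subset in combinations(shares, t)),
        # ... and no (t-1)-subset does: the interpolated value is unrelated to the key
        "any_smaller_subset_recovers": any(
            recover_secret(list(subset)) == secret for subset in combinations(shares, t - 1)),
        # no single server's share is the key itself
        "single_share_equals_key": any(y == secret for _, y in shares),
    }


if __name__ == "__main__":
    print(demo())
```

Choosing t and n is the availability trade-off the article touches on: with n = 5 and t = 3, two clouds can be offline or compromised without losing the key or exposing it. Shares must be stored and transmitted with integrity protection, since a corrupted share silently yields a wrong key at reconstruction time.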

Full Article

 

FCC To Consider $200 Million Cybersecurity Pilot Program

K-12 Dive (11/16) reports the Federal Communications Commission this week proposed a three-year pilot program to study how the agency’s Universal Service Fund can help schools and libraries fight cybersecurity threats. The pilot program, “which would cost up to $200 million and is separate from the agency’s E-Rate program, was approved by the full commission and builds upon Chairwoman Jessica Rosenworcel’s Learn Without Limits initiative to ensure access to high-speed broadband connectivity in schools and libraries.” The FCC will “seek public comment on the proposal upon its publication in the Federal Register, which is expected soon.” Once that 30-day period ends, “the agency will review the comments, develop program requirements, and vote on whether to proceed with creating the Schools and Libraries Cybersecurity Pilot Program.”

 

Some College Presidents Are Using AI Voice Clones, Deepfakes As Engagement Tools

Inside Higher Ed (11/14, Coffey) reports that while delivering a cybersecurity PSA, the president of Utah Valley University “warns of perils such as phishing and phone scams” before revealing that her voice was actually “that of an artificial intelligence–enabled bot.” This comes after the university “spent seven months working with an external company to develop the digital president, which can address more than 1,000 questions from students, staff and faculty.” Similarly, Wells College’s president “used ChatGPT to write his commencement speech in June, and the University of Nevada at Las Vegas created an AI avatar of their president last year. While there are broad possibilities of increasing student engagement and retention by leaning into AI, experts warn to keep watch for potential risks.” For example, “there is broad agreement on transparency, so if universities do intend to use AI, they need to disclose that they are using it, whether the approach is creating an avatar or using voice capabilities.”

dtau...@gmail.com

unread,
Nov 24, 2023, 8:30:31 AM11/24/23
to sec-...@googlegroups.com

Outdated Password Practices are Widespread
Georgia Tech Research
November 17, 2023


A majority of the world’s most popular websites are putting users and their data at risk by failing to meet minimum password requirement standards, according to researchers at the Georgia Institute of Technology (Georgia Tech). The researchers analyzed 20,000 randomly sampled websites from the Google Chrome User Experience Report, a database of 1 million websites and pages. Using a novel automated tool that assesses a website’s password creation policy, they found that many sites permit very short passwords, do not block common passwords, and still impose outdated composition rules such as requiring special characters. Georgia Tech’s Frank Li said security researchers have “identified and developed various solutions and best practices for improving Internet and Web security. It's crucial that we investigate whether those solutions or guidelines are actually adopted in practice to understand whether security is improving in reality."
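The three findings in the Georgia Tech study (very short passwords permitted, common passwords not blocked, outdated composition rules) map onto three policy parameters. The added example below (my code, not the Georgia Tech tool) encodes an outdated policy and a NIST SP 800-63B-style policy side by side, evaluates sample passwords against both, and probes each policy the way a black-box audit tool would. The blocklist is a constructed six-entry stand-in for a real breached-password list.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a breached-password blocklist; real deployments use
# lists with millions of entries. Comparison is case-insensitive.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "p@ssw0rd", "welcome1", "letmein"}

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int = 256
    required_classes: int = 0   # composition rule: how many of CHAR_CLASSES must appear
    block_common: bool = False

    def evaluate(self, pw: str) -> list:
        """Return the reasons the password is rejected; an empty list means accepted."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(pw) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        if self.required_classes:
            present = sum(bool(re.search(cls, pw)) for cls in CHAR_CLASSES)
            if present < self.required_classes:
                problems.append(f"needs {self.required_classes} character classes, has {present}")
        if self.block_common and pw.lower() in COMMON_PASSWORDS:
            problems.append("on the common-password blocklist")
        return problems

    def accepts(self, pw: str) -> bool:
        return not self.evaluate(pw)


# The weak configuration the study found on many sites: short minimum, a
# composition rule, no blocklist.
OUTDATED = PasswordPolicy("outdated", min_length=6, required_classes=3)

# NIST SP 800-63B guidance: at least 8 characters, allow long passphrases,
# screen against known-compromised passwords, no composition rules.
NIST_STYLE = PasswordPolicy("nist-800-63b-style", min_length=8, max_length=128, block_common=True)


def probe_policy(policy: PasswordPolicy) -> dict:
    """Black-box audit: submit crafted passwords and infer what the policy allows.

    Each probe satisfies everything except the property under test, so a single
    accept/reject answer isolates that property.
    """
    return {
        # six characters drawn from all four classes: only a length rule can reject this
        "permits_very_short": policy.accepts("Ab1!xy"),
        # a blocklisted password that satisfies any composition rule
        "allows_common": policy.accepts("P@ssw0rd"),
        # a long lowercase passphrase: only a composition rule can reject this
        "composition_rule": not policy.accepts("correct horse battery staple"),
    }


def audit(policy: PasswordPolicy, samples: list) -> dict:
    """Evaluate a list of candidate passwords against one policy."""
    return {pw: policy.evaluate(pw) for pw in samples}


if __name__ == "__main__":
    samples = ["P@ssw0rd", "abc123", "correct horse battery staple", "Tr0ub4dor&3"]
    for policy in (OUTDATED, NIST_STYLE):
        print(policy.name, probe_policy(policy))
        for pw, problems in audit(policy, samples).items():
            print(f"  {pw!r}: {'accepted' if not problems else problems}")
```

Run against the two policies, "P@ssw0rd" sails through the outdated one (it satisfies the composition rule) and is rejected by the NIST-style one (it is on the blocklist), while the long passphrase is rejected by the outdated policy and accepted by the NIST-style one. That inversion is the point of the study's finding: composition rules make users pick predictable substitutions rather than longer secrets.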

Full Article

 

Administration Urges Public School Districts To Take Advantage Of Cybersecurity Assistance Programs

The AP (11/19, Durkin Richer) reports that some K-12 public schools “are racing to improve protection against the threat of online attacks, but lax cybersecurity means thousands of others are vulnerable to ransomware gangs that can steal confidential data and disrupt operations.” Since “a White House conference in August on ransomware threats, dozens of school districts have signed up for free cybersecurity services, and federal officials have hosted exercises with schools to help them learn how to better secure their networks, said Anne Neuberger, the Biden administration’s deputy national security advisor for cyber and emerging technology.” Neuberger “said more districts need to take advantage of programs available that would better guard against online attackers who are increasingly targeting schools.”

dtau...@gmail.com

unread,
Dec 2, 2023, 7:07:56 AM12/2/23
to sec-...@googlegroups.com

Digital Emblem for Humanitarian Law in Cyberspace
ETH Zurich (Switzerland)
Samuel Schlaefli
November 29, 2023


In partnership with the International Committee of the Red Cross, computer scientists at Switzerland's ETH Zurich developed a protective emblem that can be integrated easily and cost-effectively into existing digital systems to signal that a digital infrastructure is entitled to protection. The Authentic Digital EMblem (ADEM) is based on the Web Public Key Infrastructure and the Certificate Transparency ecosystem. It is secured with a digital signature, which makes it possible to verify who owns the emblem, which IP address or domain it claims protection for, and who published it. Said ETH's Felix Linker, "Hacker software needs to automatically load and read the emblem, so it can recognize that it is accessing a system belonging to an organization that is protected by international humanitarian law."
 

Full Article

 

Defending Your Voice Against Deepfakes
The Source (Washington University in St. Louis)
Shawn Ballard
November 27, 2023


A tool developed by Washington University in St. Louis' Ning Zhang is intended to protect a user's voice from being used to create deepfakes. By making it harder for artificial intelligence (AI) tools to read certain voice-recording characteristics, the AntiFake tool prevents unauthorized speech synthesis. Said Zhang, "The tool uses a technique of adversarial AI that was originally part of the cybercriminals' toolbox, but now we're using it to defend against them. We mess up the recorded audio signal just a little bit, distort or perturb it just enough that it still sounds right to human listeners, but it's completely different to AI." In tests against five state-of-the-art speech synthesizers, AntiFake was found to be 95% effective.

Full Article

 

Researchers Find Vulnerabilities in Windows Hello Implementations
SiliconANGLE
Maria Deutscher
November 22, 2023


Researchers at cybersecurity company Blackwing Intelligence found vulnerabilities in several laptop makers’ implementations of Windows Hello, the biometric login feature built into Windows. The researchers uncovered the vulnerabilities as part of a project carried out on behalf of Microsoft Corp.’s offensive research and security engineering team to analyze laptops from Microsoft, Lenovo, and Dell. The flaws found relate to a Microsoft technology called the Secure Device Connection Protocol (SDCP), which many laptops rely on to power their Windows Hello implementations. “Microsoft did a good job designing Secure Device Connection Protocol (SDCP) to provide a secure channel between the host and biometric devices, but unfortunately device manufacturers seem to misunderstand some of the objectives,” the researchers said.

Full Article

 

Modded Switches Secure Ukraine's Power Grid from Russian Cyberattacks
The Register (U.K.)
Connor Jones
November 22, 2023


Cisco-modified network switches were delivered to Ukrenergo, Ukraine's state-owned electrical grid operator, to help it withstand Russian cyberattacks. Russia has used GPS-jamming tactics to interfere with Ukraine's high-voltage electrical subsystems. When GPS signals are jammed, such subsystems are unable to synchronize time so they can't report the status of the grid to power dispatchers accurately, making it difficult to assess damage to electrical infrastructure caused by Russian attacks, and to balance power. Said a Cisco spokesperson, "Using the Cisco Industrial Ethernet switch with its internal crystal oscillator, we were able to create new, enhanced clock recovery algorithms and modified the switch code to provide an accurate time holdover when GPS was unavailable."

Full Article

 

Protecting Critical Infrastructure from Cyber Attacks
RMIT University
November 22, 2023


A mathematical breakthrough by researchers at the Royal Melbourne Institute of Technology and tech startup Tide Foundation in Australia allows system access authority to be spread invisibly and securely across a network. Dubbed "ineffable cryptography," the technology has been incorporated into a prototype access-control system for critical infrastructure management, known as KeyleSSH, and successfully tested with multiple companies. It works by generating and operating keys across a decentralized network of servers, each run by an independent organization. Each server in the network holds only part of a key, so no one can see a full key, the processes it is partially acting on, or the assets it unlocks.

Full Article

 

Researchers Break New MacBook Pro Weeks after Release
Georgia Tech Research
November 20, 2023


Georgia Institute of Technology Ph.D. student Jason Kim successfully evaded security measures on Apple’s latest MacBook Pro to capture his fictional target’s Facebook password and second-factor authentication text. The demonstration, coming only weeks after the new MacBook's release, showed that the recently discovered iLeakage side-channel exploit is still a threat to Apple devices. First co-discovered by Kim, the vulnerability affects products made by Apple since 2020 and allows attackers to see what’s happening in their target’s Safari browser. “A remote attacker can deploy iLeakage by hosting a malicious webpage they control, and a target just needs to visit that webpage,” explained Kim. “Because Safari does not properly isolate webpages from different origins, the attacker's webpage is able to coerce Safari to put the target webpage in the same address space. The attacker can use speculative execution to subsequently read arbitrary secrets from the target page.” The team disclosed its findings to Apple, which has since issued a fix.

Full Article

 

How Meta Pixel Tracks Students’ College Prep Activity Online

USA Today (11/22, Lecher, Teixeira) reported the Meta Pixel is a tracking tool “that silently collects and transmits information to Facebook as users browse the web, according to testing by The Markup. Millions of invisible pixels are embedded on websites across the internet, allowing businesses and organizations to target their customers on Facebook with ads.” Businesses embed the pixel on their own websites “to gather enough information on their customers so they can advertise to them later on Meta’s social platforms, Facebook and Instagram.” This is “one of the reasons people see the same ad following them on Facebook and Instagram after they shopped on a different site.” An investigation by The Markup “found the pixel on dozens of popular websites targeting kids from kindergarten to college, including sites that students are all but required to use if they want to participate in school activities or apply to college.” For example, “after signing into their ACT account, if a student accepted cookies on the following page, Facebook received details on almost everything they clicked on – including scrambled but identifiable data like their first and last name, and whether they’re registering for the ACT.”

 

More Than 130 School Districts Have Applied For Cybersecurity Grants

Politico Weekly Cybersecurity (11/27, Gedeon) reports, “More than 130 K-12 schools in the United States are now implementing new, free private sector tools to secure their systems against cyberattacks following a multi-pronged cyber initiative at an August White House summit on keeping hackers away from the education sector, but enrollment has turned sluggish since the flagship program rolled out.” Politico says, “Right now, 137 schools and districts are signed up to Project CyberSafe Schools, a Cloudflare-focused service that offers Zero Trust cybersecurity tools to boost email security and safer internet browsing to K-12 public schools under 2,500 students.”

dtau...@gmail.com

unread,
Dec 9, 2023, 12:39:45 PM12/9/23
to sec-...@googlegroups.com

Millions of Patient Scans, Health Records Spilling Online Due to Decades-Old Protocol Bug
Tech Crunch
Carly Page
December 6, 2023


Researchers at Germany's Aplite, a cybersecurity consultancy focused on digital healthcare, found security weaknesses in deployments of the decades-old Digital Imaging and Communications in Medicine (DICOM) standard that expose the private data and medical histories of around 16 million patients and more than 43 million health records online. DICOM is the internationally recognized file format and protocol for computed tomography (CT) scans and X-ray images. The researchers determined that more than 3,800 servers in more than 110 countries expose data including patient names, addresses, phone numbers, and even Social Security numbers. Aplite's Sina Yazdanmehr said Amazon Web Services, Microsoft Azure, and other cloud giants host more than 70% of the exposed DICOM servers, with the remainder in medical offices connected directly to the Internet.

Full Article

 

 

Experts Warn of ‘Serious Threats’ from Election Equipment Software Breaches
Associated Press
Christina A. Cassidy
December 5, 2023


A letter sent Monday by nearly two dozen computer scientists, election security experts, and voter advocacy organizations to federal authorities called for a federal probe and a risk assessment of voting machines used throughout the U.S., saying software breaches have “urgent implications for the 2024 election and beyond.” According to the letter, the breaches involved efforts to access voting system software in several states and provide it to allies of former President Donald Trump as they sought to overturn the results of the 2020 election. The letter stressed that possession of voting system software could enable people to practice how to meddle in the 2024 election, allowing them to identify vulnerabilities and test potential attacks.

Full Article

 

 

Personal Information Can Be Accessed Through ChatGPT Queries
Silicon Angle
James Farrell
November 29, 2023


Google researchers demonstrated that OpenAI's ChatGPT can be induced to reveal personal information such as names, email addresses, and phone numbers, given the right prompts. Although the large language models behind such chatbots are meant to answer from what they learned during training rather than reproduce the training data itself, the researchers found that prompts which repeat a keyword many times can cause ChatGPT to diverge from its usual behavior and emit verbatim text memorized from its training set. The researchers said, "Using only $200 USD worth of queries to ChatGPT, we are able to extract over 10,000 unique verbatim memorized training examples. Our extrapolation to larger budgets suggests that dedicated adversaries could extract far more data."

Full Article

 

 

Bitcoin Mining Used More Water Than New York City Last Year
The Wall Street Journal
Eric Niiler
December 6, 2023


A study by Alex de Vries of the Netherlands' Vrije Universiteit Amsterdam found that water use by bitcoin miners reached 591 billion gallons so far this year, up from 415 billion gallons in 2021. De Vries found that bitcoin mining in the U.S. consumes as much water per year as 300,000 households, raising environmental concerns, particularly in areas plagued by drought or a lack of fresh water. Digital Power Network's Perianne Boring maintains most of the water used by bitcoin miners is recycled or returned to the environment. The Rocky Mountain Institute's Paolo Natali said changes to bitcoin software to reduce the number of calculations needed for mining would cut electricity and water requirements, but such changes would "require some consensus among all the holders of bitcoin, or for them to start trading different currencies."

Full Article

*May Require Paid Registration

 

 

EU Agrees on Rules to Protect Smart Devices from Cyber Threats
Reuters
Foo Yun Chee
November 30, 2023


European Union (EU) countries and lawmakers agreed to new rules to protect smart devices and other gadgets connected to the Internet from cyber threats. Proposed by the European Commission last year, the Cyber Resilience Act sets out cybersecurity requirements for the design, development, production, and sale of hardware and software products. Under the terms of the Act, manufacturers will have to assess the cybersecurity risks of their products, provide declarations of conformity, and take appropriate action to fix problems during the expected lifetime of the product (or for a period of at least five years).

Full Article

 

 

Boosting Faith in the Authenticity of Open Source Software
MIT Computer Science and Artificial Intelligence Laboratory
Steve Nadis
November 30, 2023


A system developed by computer scientists at the Massachusetts Institute of Technology (MIT), Purdue University, and Chainguard Labs aims to ensure the security and legitimacy of open source software. The Speranza system builds on the OpenID Connect-based Sigstore system, which automates and streamlines the digital signing process, by altering its basic infrastructure to add privacy guarantees. The process converts a software developer's email address into a "commitment" consisting of a large pseudo-random number and generates a "co-commitment" associated with a software package the developer created or modified. The authorized developer then publishes a zero-knowledge proof that links the commitment representing their identity to the commitment associated with the software product, without revealing the identity itself. MIT's Karen Sollins said Speranza "simultaneously allows [software] users to have confidence that the maintainers are, in fact, legitimate maintainers and, furthermore, that the code being downloaded is, in fact, the correct code of that maintainer."

Full Article

 

Louisiana School District Failed To Notify Thousands Whose Information Was Stolen In Ransomware Attack

The Seventy Four (12/4) reports personal information was stolen in a ransomware attack against the St. Landry Parish School Board. An investigation by The 74 and The Acadiana Advocate included a data analysis “of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. The 12,000-student district...told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story.” The joint investigation found that thousands of students, teachers, and business owners “had their personal information exposed online.” Among the district’s breached documents “are thousands of health insurance records with the Social Security numbers of at least 13,500 people,” and a failure to “notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.”

 

West Virginia University Launches Cybersecurity Range With Federal Funding

WDTV-TV Bridgeport, WV (11/29) reports, “With the ongoing threat of cyberattacks becoming more sophisticated, West Virginia University is launching plans for a cybersecurity range.” That is “a specialized software and hardware facility for education, training and research with $750,000 in grant funding support from the U.S. Department of Education.” The range will be directed by Katerina Goseva-Popstojanova, professor of Computer Science and Electrical Engineering, in the College of Engineering and Mineral Resources, department chair Anurag Srivastava, Prof. Brian Woerner, Research Associate David Krovich, and Asst. Prof. Tom Devine, in collaboration with Amazon Web Services. The range will “act as a ‘sandbox’ environment.” Goseva-Popstojanova said, “For cybersecurity we must, even for regular classes, include hands-on experiences for students which will experiment with malware.” She added, “There is such a great need for cybersecurity experts in many industries,” and “Students who have hands-on experience with cutting-edge hardware and software are prepared for successful careers in industry.”

dtau...@gmail.com

Dec 17, 2023, 8:24:47 PM12/17/23
to sec-...@googlegroups.com

Meta Starts Fully Encrypting Messages on Facebook, Messenger App
The Wall Street Journal
Jeff Horwitz; Katherine Blunt
December 6, 2023


Meta Platforms has begun shifting Facebook and Facebook Messenger users to end-to-end encryption, which shields messages from views by outsiders, by default. In the new year, sources say, Instagram will transition to default end-to-end encryption as well. Government officials and others have expressed concerns that the move could conceal illegal activity by child predators and other criminals from security officials and law enforcement. Encryption already has been offered as an option on Facebook and Instagram, but Meta said it could take time to update the feature for all Messenger users. In announcing the encryption changes in a Dec. 6 blog post, Meta wrote, "We worked closely with outside experts, academics, advocates, and governments to identify risks and build mitigations to ensure that privacy and safety go hand-in-hand."

Full Article

*May Require Paid Registration

 

Senate Confirms Coker As Second-Ever National Cyber Director

Reuters (12/12, Bing) reports that on Tuesday, the Senate “confirmed Harry Coker Jr. as the second-ever national cyber director, who advises the president on cybersecurity policy and strategy.” Reuters explains the National Cyber Director role “was created through the 2021 National Defense Authorization Act, the military’s annual budget bill, following a massive hack of government systems known as Solarburst. It replaced a prior position known as the White House cyber coordinator, which served a similar purpose but had less federal authorities. The first National Cyber Director, Chris Inglis, stepped down from the position in February.” Coker will bring “four decades of experience in government,” including time at the Central Intelligence Agency, the National Security Agency, and the Navy, to the role.

        However, Politico (12/12, Sakellariadis) says Coker also “comes to the role amid mounting conservative backlash to the Biden administration’s cybersecurity and disinformation efforts – which a growing number of Republicans allege has become a smokescreen to censor conservative voices online. That was a key reason why six of seven Republicans on the Homeland Security Committee declined to throw their support behind Coker’s nomination last month, and the same dynamic appears to have played out Tuesday,” with 40 Republicans voting against his confirmation. By contrast, two years ago, the Senate “unanimously backed Inglis.”

dtau...@gmail.com

Dec 25, 2023, 8:55:06 AM12/25/23
to sec-...@googlegroups.com

FBI Takes Down BlackCat Ransomware, Releases Decryption Tool
The Hacker News
December 19, 2023


The U.S. Justice Department announced the disruption of the BlackCat ransomware operation and released a free decryption tool that its more than 500 victims can use to regain access to their encrypted files. The multinational effort involved the U.S. Federal Bureau of Investigation (FBI) using a human source to gain access to a Web panel used for managing the gang's victims. The FBI said it also collected 946 public/private key pairs used to host Tor sites operated by the group, and dismantled them. BlackCat is estimated to have compromised more than 1,000 victims around the world, at a cost to them of nearly $300 million.

Full Article

 

 

Researchers to Study Computer Code for Clues to Hackers' Identities
WSJ Pro Cybersecurity
Catherine Stupp
December 15, 2023


The U.S. Defense Department's Intelligence Advanced Research Projects Activity (IARPA), the lead research agency for the U.S. intelligence community, is accepting proposals from researchers on technologies that could speed investigations to identify perpetrators of cyberattacks. Tools developed as part of the planned 30-month research project will not replace human analysts, but the analysis of code used in cyberattacks by artificial intelligence will make investigations more efficient, said IARPA's Kristopher Reese.

Full Article

*May Require Paid Registration

 

 

U.S., China Race to Shield Secrets from Quantum Computers
Reuters
David Lague
December 14, 2023


When Q-day, the day quantum computers are able to defeat current encryption methods, will occur is up for debate, given that quantum computing is still in its early days. In the meantime, nations including the U.S. and China reportedly are harvesting vast amounts of encrypted data in hopes of decrypting it later. Meanwhile, the U.S. and its allies are working on post-quantum cryptography, and China is working on a theoretically hack-proof quantum communications network. The World Economic Forum predicts that 20 billion devices will need to be upgraded or replaced over the next 20 years to meet quantum security standards.

Full Article

 

 

U.S. Regulators Propose New Online Privacy Safeguards for Children
The New York Times
Natasha Singer
December 21, 2023


The U.S. Federal Trade Commission (FTC) proposed major changes to the Children’s Online Privacy Protection Act of 1998, which restricts the online tracking of minors. The changes would “shift the burden” of online safety from parents to digital services, while curbing how platforms may use and monetize children’s data. The new rules would, among other things, prohibit online services from using personal details to induce youngsters to stay on their platforms longer. The updates also would limit the collection of student data by education tech providers.

Full Article

 

 

Deepfakes Disrupting Bangladesh's Election
Financial Times
Benjamin Parkin; Jyotsna Singh
December 12, 2023


The use of AI-generated deepfakes and disinformation has proven problematic ahead of Bangladesh's elections in January. In one video posted on X in September by online news outlet BD Politico, an avatar news anchor for “World News” accused U.S. diplomats of interfering in Bangladeshi elections and blamed them for political violence. In response to issues with deepfakes, Google and Meta announced policies to require campaigns to disclose whether political advertisements have been digitally altered.

Full Article

*May Require Paid Registration

 

 

Study Reveals Hidden Fortunes, Surprising Overestimations in Cybercrime Revenue
IMDEA Software Institute News (Spain)
December 18, 2023


Researchers at Spain's IMDEA Software Institute analyzed more than 30,000 payment addresses used by different cybercriminal groups to develop a better estimate of cybercrime revenue. For example, they found revenue associated with DeadBolt ransomware totaled $2.47 million, which was 39 times greater than prior estimates. The researchers also found that some estimation methodologies significantly overestimate cybercrime revenues. In response, they developed an estimation tool to help avoid such errors.

Full Article

 

AI Causing Dramatic Increase In Online Misinformation

The Washington Post (12/17, A1) reports artificial intelligence “is automating the creation of fake news, spurring an explosion of web content mimicking factual articles that instead disseminate false information about elections, wars and natural disasters.” Since May, “websites hosting AI-created false articles have increased by more than 1,000 percent, ballooning from 49 sites to more than 600, according to NewsGuard, a nonprofit that tracks misinformation.” The heightened churn “of polarizing and misleading content may make it difficult to know what is true — harming political candidates, military leaders and aid efforts.” Misinformation experts “said the rapid growth of these sites is particularly worrisome in the run-up to the 2024 elections.” Generative artificial intelligence “has ushered in an era in which chatbots, image makers and voice cloners can produce content that seems human-made.”

 

FTC Announces Plan To Expand Children’s Data Privacy Protections

The Washington Post (12/20, Lima) reports the FTC “unveiled a major proposal to expand protections for children’s personal data and to limit what information companies can collect from kids online, marking one of the U.S. government’s most aggressive efforts to create digital safeguards for children.” Under the proposal released Wednesday, “digital platforms would be required to turn off targeted ads to children under 13 by default and prohibited from using certain data to send kids push notifications, or ‘nudges,’ to encourage them to keep using their products.” The Post says the plan “marks one of the most significant attempts by U.S. regulators to broaden their oversight over children’s online privacy.”

        The New York Times (12/20, Singer) says the changes “are intended to fortify the rules underlying the Children’s Online Privacy Protection Act of 1998.” Regulators “said the moves would ‘shift the burden’ of online safety from parents to apps and other digital services while curbing how platforms may use and monetize children’s data.” The AP (12/20, Ortutay) reports, “Children’s online safety advocates applauded the announcement.”

        Reuters (12/20, Bartz) reports, “Under the proposed changes, companies would have to get ‘separate verifiable parental consent’ to share most information about children with advertisers and other third parties.” The FTC “said that it would accept comments on the rule for 60 days.”
